Cybersecurity is not a quick fix or a one-off remedy. To be effective, it needs to be built right into the application development, testing and release pipeline.
As enterprises adopt DevOps practices for rapid application release, security is becoming one of the key outcomes that their developers must ensure. That’s because the faster you release code, the faster your code’s vulnerabilities are being released.
This imperative calls for a range of practices that is increasingly known as “DevSecOps,” which refers to approaches for delivering “security as code” in the continuous integration/continuous deployment or CI/CD workflow. To be effective, DevSecOps must be adopted in common across application development, information technology operations and security teams.
This week at the RSA Conference in San Francisco, more than 40,000 members of the security community attended to deepen their skills, learn about innovative approaches and stay abreast of DevSecOps and other cybersecurity best practices. Now in its 28th year, the event has increasingly shifted toward focusing on artificial intelligence and machine learning as tools for integrating robust IT security into hybrid and multicloud operations.
As can be seen in the many announcements at RSA Conference, AI and machine learning are now essential components of DevSecOps. Without AI-powered DevSecOps, it will become fearsomely difficult for cloud professionals to deploy and manage microservices, containers and serverless apps securely in the cloud.
These data-driven algorithms are essential components for automating the prevention, detection and remediation of security issues throughout the application lifecycle. These controls are the foundation for API-consumable security, 24×7 proactive security monitoring, continuous exploit testing, closed-loop network self-healing, shared threat intelligence and compliance operations.
From expert interviews on theCUBE at RSA Security Conference 2019, here are some of the most interesting comments on DevSecOps requirements in the age of the multicloud:
Comprehensive threat modeling and risk mitigation
Cybersecurity threats now take place in hybrid and other multicloud environments where the “perimeter” has moved all the way to the data in edge devices and apps.
For cybersecurity professionals, implementing DevSecOps requires that they conduct ongoing threat modeling and risk mitigation in a “zero-trust security” paradigm. As I discussed in this recent SiliconANGLE article, this approach, also known as “post-perimeter security,” treats every access attempt as if it were coming from a remote, untrusted party.
Implementing zero-trust security comprehensively across multiclouds requires investment in trust, identity, permission, endpoint, device and mobility management infrastructures. It also requires AI that enables all of these infrastructures to adaptively adjust authentication techniques, access privileges and other controls in real time across all managed devices and content no matter where they roam.
Scott Stevens, senior vice president of worldwide systems engineering at Palo Alto Networks Inc., had this to say on zero-trust security:
“[Zero trust] has become kind of buzzword bingo along the way. The way I think the fundamental way you look at zero trust is it’s an architectural approach to how do you secure your network focused on what’s most important. And so you focus on the data that’s most that’s key to your business, and you build your security framework from the data out. What it allows us to do is to create the right segmentation strategies, starting in the data center of the cloud and moving back toward those accessing the data. And how do you segment and control that traffic is fundamental. What we’re dealing with in security is two basic problems that we have too many problems with two big problems. First is credential-based attacks, and so do we have somebody with stolen credentials in the network, stealing our data or do we have an insider who has credentials, but they’re malicious? They’re actually stealing content from the company. The second big problem is software-based attacks, malware, exploits, scripts. And so how do we segment the network where we can enforce user behavior? And we can watch for malicious software so we can prevent both of those occurrences through one architectural framework. Zero trust gives us that template building block … on how we build out those networks.”
Continuous security automation
Automation is an important tool to address the personnel shortage in cybersecurity. Ensuring robust security in the face of staff and skills shortages demands AI-driven automation of all cybersecurity processes. At the very least, you should be embedding dynamic application security testing into the software development lifecycle. This should include use of machine learning to power routine testing of nightly code builds. It should also include scanning committed code changes for known security vulnerabilities such as those in the Open Web Application Security Project’s list of the most common flaws.
Rohit Ghai, president of RSA Security LLC, had this to say on the cybersecurity automation imperative:
“[Mitigating cybersecurity risks] feels overwhelming, and what I say is, any time you feel overwhelmed you to do three things to reduce the amount of work. You do that by designing security in resilient infrastructure. Second is you have automate work, which is basically using technology like artificial intelligence and machine learning. But as you know, the bad guys have all the AI and ML that we do. So that third recipe for success is business-driven security, which means you have to apply business context to your security posture. So you focus us on the right problems. The right cyber incidents right here, right now. And that’s a unique advantage. The only advantage we the good guys have is our understanding of our business contract. We call that business-driven security.”
Cybersecurity enforcement demands increasingly proactive detection, pre-emption and neutralization of vulnerabilities and issues that may occur in distributed applications.
In a DevSecOps workflow, this requires that developers have tools to help them identify and prioritize vulnerabilities as they are writing code. Automated tools must predict the likely behaviors of code in the target, production environments, rather than simply scan builds for the signatures of known issues seen in the past. Tooling must identify and remediate potential vulnerabilities through embedding of security rules into their normal CI/CD workflow.
Here’s what Michael DeCesare, president and chief executive officer of Forescout Technologies Inc., had to say on the need for rapid and predictive issue detection and remediation by automated cybersecurity systems:
“What’s amazing about cybersecurity in 2019 is the fact that the pace of innovation is exploding at an unprecedented rate. We’re bringing more devices online every quarter now than the first ten years of the Internet combined. So the pace of adoption of new technologies is really what is driving the need for machine learning and AI. Historically, in the cybersecurity world, most corporations’ approach was ‘I’m going to have a whole bunch of different cyber products.’ They all have their own dashboards and build this thing called a cyber Operations Center or SOC. But a human being is going to be involved in a lot of the research and prioritization of attacks. And I think just the volume and sophistication of the breaches these days and attacks is making those same companies turn toward automation. You have to be willing to let your cybersecurity products take action on their own and machine learning and AI play a very large role in that.”
Other speakers who were interviewed on theCUBE included Dan Burns, chief executive officer at Optiv Security Inc.; Russell L. Jones, certified information systems security professional and partner for Cyber Risk Services at Deloitte; Elisa Costante, security researcher at Forescout; Joe Cardamone, senior information security analyst and NA privacy officer for Haworth Inc.; Doug Merritt, chief executive officer of Splunk Inc.; Sean Convery, vice president and general manager, security and risk business unit at ServiceNow Inc.; Brad Medairy, senior vice president at Booz Allen Hamilton; Charlotte Wylie, chief of staff at Symantec Corp.; and Chase Cunningham, cyber security leader at Forrester Research Inc.
How to watch theCUBE interviews
We offer you various ways to watch all of theCUBE interviews that took place at RSA 2019, including theCUBE’s dedicated website and YouTube. You can also get all the coverage from this year’s event on SiliconANGLE. There’s also a Cybersecurity Special Report that includes news highlights from the show.
Watch on the SiliconANGLE YouTube channel
All of theCUBE interviews from RSA 2019, which runs March 4-8, will also be loaded onto SiliconANGLE’s dedicated YouTube channel.
TheCUBE Insights podcast
SiliconANGLE also offers podcasts of archived interview sessions, available on iTunes, Stitcher and Spotify.