Author: Ratan Tipirneni, President and CEO at Tigera
Bio: Ratan Tipirneni is President & CEO at Tigera, where he is responsible for defining strategy, leading execution, and scaling revenues. Ratan is an entrepreneurial executive with extensive experience incubating, building, and scaling software businesses from early stage to hundreds of millions of dollars in revenue. He is a proven leader with a track record of building world-class teams.
Security operators are a critical line of defense against malicious actors in today’s cloud-first enterprises. Their primary objectives are to minimize the risk of attack, detect incidents quickly, mitigate an attack’s damage once detected, and share their learnings with engineering and DevOps to improve the organization’s security posture going forward.
But the tools in their arsenal are lacking – too focused on detection and not focused enough on minimizing the attack surface or reducing the potential blast radius of security incidents.
Safeguarding sensitive data and maintaining operational continuity requires a more holistic approach. Attack surface minimization, rapid threat detection and prioritization, and strategic mitigation reduce the burden on security teams and enable organizations to fortify their defenses against bad actors. So, why are such tools lacking and what does a truly robust security platform look like? Let’s explore the problem through the eyes of an end user.
Many attribute the challenges in cybersecurity to a skills gap – a shortage of trained experts needed to keep up with the work. However, the crux of the issue is often a build gap – security tools that are not built with operator needs in mind.
While detection tools receive the most attention, they are the largest cause of security teams becoming overwhelmed and burned out. This is because detection tools only focus on catching as many irregularities as possible. Threats and vulnerabilities are scaling exponentially, but scaling personnel at the same rate is both infeasible and unsustainable.
Even if security operators were able to keep up with the flood of alerts, they couldn’t simply take applications offline for weeks at a time while they identify and implement a solution. Without a way to bridge the gap between detection and remediation, teams struggle to maintain security without disrupting service. Once again, the list of needed fixes outpaces the available fixers.
Detection tools are also inherently reactive. They do not contribute to minimizing the overall attack surface. Nor do they capture lessons from breaches or vulnerabilities that could help DevOps teams prevent such issues in the future. These realities put security teams on an alert hamster wheel, guaranteeing they will never be able to get ahead.
The Necessity of Holistic Security Approaches
An empathetic approach reduces the time and energy required of security experts while providing the same level of robust protection.
Security teams need tools that reinforce their efforts at every level – starting with solutions that minimize the attack surface. Incorporating a defense-in-depth approach – or security at multiple layers – where each layer eliminates a portion of the risk is key. This includes preconfiguring the environment and workloads with default configurations to protect against known threats. It also includes providing detectors that require no additional setup to detect and alert against anomalous behavior.
Any effective security expert assumes that a security incident is a matter of when, not if. What they need are tools that they can use to identify the most pressing concerns. To reduce effort, the tool should improve the security posture by automatically collecting and correlating data, identifying vulnerabilities, and prioritizing them by severity. Risk scores factor in threat indicators, impacted assets, and vulnerability insights to highlight events requiring swift action. Response prioritization based on advanced threat intelligence and risk scoring accelerates identification of the most critical incidents and decreases the burden on security teams.
Unfortunately, breaches don’t simply halt once they’re uncovered and not all assets can be taken offline at a moment’s notice. This is why mitigating controls are crucial for security teams. Swiftly isolating compromised systems, disabling unauthorized accounts, and cutting off vulnerable access points can significantly curtail potential damage. These controls limit the spread of the attack and minimize service disruption while operators identify and implement a solution.
The Empathy Feedback Loop
The ability to quickly access relevant data during a breach is akin to having a flashlight in a dark room. Gaining insights into the source, type, and impact of the attack is essential for making informed decisions about how to counteract it. Centralizing and correlating data from various sources allows security teams to piece together the puzzle, identifying the attacker’s methods and motives.
This holistic insight into breaches not only aids in the ongoing response but also contributes to refining future security strategies. Collaborating with engineering and DevOps teams is equally critical, as it ensures a coordinated effort to remediate vulnerabilities and shore up defenses over the long term. By addressing the root causes and implementing patches, organizations can prevent similar breaches from occurring in the future.
While a security incident will always have costs, a holistic approach to security can significantly reduce its impact and severity. Effective prevention, strategic remediation, and reformed development all play a key role in limiting potential regulatory fines, legal liabilities, and reputational damage.
Empowering Security Teams
Truly user-centric design starts with understanding operators’ day-to-day challenges and building solutions backwards from these realities. This mentality drives the development of capabilities that simplify and empower – rather than complicate – operator effectiveness.
Amid a complex web of security processes, operators are stunted by myopic detection solutions that provide a constant stream of irrelevant alerts without further support. What does it mean to put empathy into practice? For example, an empathetic approach to container security tool design should be focused on providing a holistic approach, with container security capabilities that:
- Detect and block deployment of images with high severity CVEs
- Score and prioritize vulnerabilities that need to be addressed
- Detect and remediate misconfigurations in the environment
- Enforce secure posture for each workload
- Protect applications at runtime from known and zero-day attacks
- Provide tools to mitigate the risks of attacks
As threats continue to evolve, addressing the build gap with human-centric design remains critical to security operations success. Ultimately, providing defense in depth will empower operators with the highly-usable tools needed to protect organizations now and in the future.