As another year is completed, now is the time to spend reflecting on the state of technology, cybersecurity and innovations. The year 2020 (and previous years) has revealed some uncomfortable truths, despite our best efforts towards improving the future prospects for clients and our industry. We are confronted with some key issues to take to heart, to improve on what has been brought to light through recent cyber events – including the Marriott, TikTok, & Solarwinds incidents - among the growing list of breaches.
As Father Time stands watch and takes notes on our improvements for future reflection, we must reconcile our needs to continually strengthen operational resiliency, privacy and value to stakeholders, in our best efforts. While it appears, we are destined to live in this bleak cyber existence; the loss of privacy and security, continuous cyber-crimes, intrusions, compromises, theft and the chaos that rages all around us.
Yet, my fellow technologists - all is not lost. We have the ability to change the future. Make no mistake: we have been warned (continually); our own greed and mindless carelessness alone has put us in peril, but our intentions and resolve can put us on a path towards a better future.
The threats and vulnerabilities surfaced by the latest supply chain compromises are not new, nor are they unexpected. Lately the attack surface (or vulnerability surface) has only increased, in part fueled by:
- The push for CI/CD and DevOps
- The widespread use common libraries and shared frameworks (e.g. OpenSource)
- Cloud orchestration, cloud-native, and tool sprawl
These shifts in development and infrastructure are born out of the industry’s ambition to deliver valuable “on-demand” customer applications and the resilient infrastructure to support them to reduce down-time, service interruptions and reduce cost to deliver real-time information and services. The disparate processes, technologies, and cloud tools call for agnostic observability solutions to really help monitor for anomalies and changes and to reduce the vulnerabilities that come with stitching them together to deliver cloud-based services.
In addition, as we transition to the latest technologies for network, operational and security services we must grapple with how to handle current problems in these environments, and ask ourselves to understand if these transformations will solve or exacerbate those problems?
Moving to a new, shiny red ball (technology) does not necessarily solve existing problems, or those created or encountered in our current instances without thinking about the attack surface, as well as failure modalities and whether or not new technologies solve for those problems or if they just recreate them in a more scalable manner - where we'll have 'kicked the proverbial can down the road' only to still have to deal with those legacy problems…and likely at ever increasing machine speeds, in less time, and at larger scale.
For years now, going back to hardware systems (ye remember the days of yore, before cloud infrastructure?), it had been widely acknowledged that specific network components, chips and hardware designs were vulnerable and, in some cases, fully compromised. Not surprising, various governmental organizations have known for the last few years, and warned us that there is the need for better security processes, standards and controls, including a proposed form of a “library of congress”, whereby there would be validated, trusted sources of certain tools, libraries, and components that are validated as safe, secure and of known provenance.
How best to strengthen the k8s supply chain?
Nay, as potential future meetings with Father Time will indeed remind us of the woe and sorrow that will come to pass unless something is done. Consider the effect of various forms of compromise and implications of what is one of the fundamental tools for cloud development and deployment: the Kubernetes infrastructure (k8s). A significant compromise in the broader k8s supply chain could undermine much of the commerce, finance and telecommunications infrastructure and these effects would propagate malicious functions to anywhere on the planet at the speed of light. Likewise, consider the exploitation of the various Unix Debian and development repos (repositories). These are the basis of software programming efficiencies, the network of libraries of software components that developers across the globe share and use to get new pieces of software code for products they are building. From the display on your refrigerator door, to the Apps on your phone, the guidance system in your car.
Again, as we move through this year and think about our future meetings with Father Time to reflect on our best efforts and intentions for the industry, the events that are unfolding all around us, and the ones that have already been put into motion, are well within our power to control. There are key frameworks that may serve us well in time, if made best use of now:
Key Frameworks that may serve us well
Zero trust:
Trusting no-one or nothing is the ultimate extreme. Unfortunately, this may not be possible, or warranted, in all cases. However, trust but verify (from trusted sources) may be more feasible. You wouldn’t go to a buffet and eat with a dirty fork, or pick up and eat the Christmas pudding you found on the crowded sidewalk, would you? Likewise, we (the technical community) need to exercise common sense and thoughtful consideration of the consequences of our actions as well as “good cyber-hygiene”. There is a growing reference list of good examples from the business response to Covid-19 thrusting organizations to broadly enable zero-trust with positive outcomes.Defense in depth:
Redundancy, belts and suspenders… these are not bad, nor are they wasteful, expensive or slow. Remember the cloud: infinite resources on demand, the ability to instrument data at the source. The technology eco-system has given us security and network tools to be more secure and reliable. Why fight it when the future is at stake?Process, process, process:
The booming ecosystem of vendors, service providers and enterprises that build unique solutions or leverage disparate tools to deliver their solutions will be well served to adhere to common architectural and security guidance to ensure a baseline is established, tracked and improved upon.The many frameworks, NIST CSF, FedRAMP, CMMC, HITRUST, to name a few all provide a method for establishing process around technology. These best practices and frameworks coupled with good process: code reviews, audit-ability from the cloud service providers along with better observability technologies such as cloud native tools (eBPF) from the Linux kernel community offer the potential to provide a continuous, real-time, immutable source of truth for operational and security investigations. Combined with analytics and workflow tools, these processes can be managed and effectuated in the cloud at machine speed and scale. Additionally, combining advanced versioning and authentication tools and processes (think MFA and blockchain) - the provenance, security and safety of reusable components can be ascertained and tracked ---more to follow
At MantisNet we continually think about how to effectuate improved observability, cyber posture, operational efficiency and value for the solutions we work with our clients on. As cyber practitioners, architects and engineers we have the Cyber awareness and mindset combined with innovation as well as new technologies and security capabilities grounded in people, processes and technology to bring innovate approaches to help customers in the areas discussed above, such as we believe that the application of new observability tools; continuous, real-time inspection, the ability to correlate events as they occur, across complex networked systems, more efficient processing of events into information at the edge, close to where the events are happening, new forms of telemetry… in doing so we stand the best chance of starting the new day as the first on a journey to a better future…
Father time may not care about the tactical details of the transformative nature of the migration to cloud-native architectures, or the improved business and lifetime value 5G will provide, or the nuances of compliance frameworks to incorporate these new technologies, but the reconciliation of how we implement them for the betterment of clients and industries will be brought to light and reflected upon in the future.
