(PART 2) FireEye & SolarWinds Breach: Continuous Assurance Explained & Why DevSecOps Is Not Enough

Dec 21, 2020

In Part 1 we used this unfortunate but recent real-world example of a supply chain attack to close the understanding gap. Put simply, the breach demonstrates a weakness present in most of the software organizations we all rely on.


At Tauruseer, we take our science seriously and help our customers do the same. With a clear understanding of the challenges we all face, and a shared framework to help us move forward, we can (and should) accelerate the risk-posture maturity of software ecosystems.


*Post updated 1/5/2021.


Executive summary

Tauruseer:
  • presents a video walkthrough of software ecosystem risks from April 2020
  • introduces the proactive concept of DevSecOps and explains why, while necessary, it is not sufficient
  • proposes Tauruseer's novel approach, with out-of-the-box, automated use cases to detect and prevent future software supply chain attacks

Attackers Continue To Exploit Product Security Weaknesses

Preventing supply chain attacks through siloed departments and team microcultures, each using many disconnected toolsets like the ones described below, is proving very difficult, if not impossible. Simply deploying these technical tools alone will not reduce the risk. New visibility and control mechanisms are needed that tie the software stack, security, and operations together comprehensively, eliminating complexity and uncertainty.

*See the zoomed-in view below to understand the complexity of every DevSecOps team's microculture of people, processes, and technologies.

How will top software organizations embrace the agility required while gaining visibility and control into this complexity to truly maintain security?

PROBLEM: the diagram below shows ONE team microculture. How many applications do you have in your environment?
DevSecOps is necessary, but not sufficient

In the wake of the SolarWinds breach, NIST's Ron Ross, in an interview titled 'The Adversary Lives in the Cracks,' turns to DevSecOps and argues that we must look at Agile and DevOps processes. Ross calls attention to the fundamental need for better security across the entire software development lifecycle, stating the reality: "adversaries are exploiting bugs, weaknesses, and deficiencies in software to their advantage."

If "DevOps" is to succeed, proactive prevention must take a larger role in securing software ecosystems. But first, we must systematically change and improve from within:
  • A modern IT DevOps staff must be familiar with various technical tools and practices, such as:
    cloud computing, containers, microservices, code repositories, continuous integration, continuous delivery, continuous deployment, and application performance monitoring.
An organization that adopts “DevSecOps” extends this with cyber and risk practices. DevSecOps is the concept of embedding security, privacy, policy, and controls into DevOps culture and processes, through automation across the software development lifecycle, so that responsibility for security is shared.
  • A modern IT DevSecOps staff must additionally be familiar with tools such as:
    software composition analysis (SCA) for open-source software components, dependency vulnerability mapping (DVM), static application security testing (SAST) for the developers' own code, container security scanning for container misconfigurations and vulnerabilities, and dynamic application security testing (DAST) for vulnerabilities in the running application.

But why is DevSecOps not sufficient?

None of these tools alone would have found this attack, and in most organizations they are run in siloed departments as separate point solutions. The backdoor was not in an open source library, and the compromised DLL (dynamic-link library) was signed with a valid SolarWinds certificate: the malicious code was inserted before the signing step, so the signature itself was genuine.

Software Composition Analysis identifies known vulnerabilities in third-party components; it is not designed to detect malicious code in your own repository or build output. Code signing only proves that an artifact has not been modified since the publisher signed it, and who signed it; it cannot tell whether the thing that was signed is malicious. A signature is only as trustworthy as the build that produced the artifact.
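To make the signing point concrete, here is an added example written for this edit; it is not code from the original post, from Tauruseer, or from SolarWinds. It models a release pipeline in Go: `build` is a trivial stand-in for a compiler, the Ed25519 signing and verification are real, and the key seed, source text and implant are constructed placeholders. The signature verifies on the tampered artifact exactly as it does on the clean one; the only check that separates them is rebuilding from the reviewed source on an independent builder and comparing digests, a compensating control the passage above implies but does not name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// build stands in for a compiler so the example stays self-contained: it
// turns source bytes into an "artifact". The signing below is real Ed25519.
func build(source []byte) []byte {
	return append([]byte("ARTIFACT\x00"), source...)
}

// Signed pairs a release artifact with the publisher's signature over it.
type Signed struct {
	Blob []byte
	Sig  []byte
}

// Sign models the publisher's release step. It signs whatever the build host
// produced and has no view of how that artifact came to be.
func Sign(priv ed25519.PrivateKey, blob []byte) Signed {
	return Signed{Blob: blob, Sig: ed25519.Sign(priv, blob)}
}

// Verify is what a customer's installer checks: integrity since signing and
// signer identity, nothing more.
func Verify(pub ed25519.PublicKey, s Signed) bool {
	return ed25519.Verify(pub, s.Blob, s.Sig)
}

// RebuildMatches is the compensating control a signature cannot provide:
// rebuild from the reviewed source on an independent builder and compare
// digests. Code injected only on the release builder is absent from the
// independent build, so the digests diverge.
func RebuildMatches(s Signed, reviewedSource []byte) bool {
	return sha256.Sum256(build(reviewedSource)) == sha256.Sum256(s.Blob)
}

// Outcome records what each control concludes about one release.
type Outcome struct {
	SignatureValid bool
	RebuildMatches bool
}

// Release runs the pipeline. reviewedSource is what code review approved;
// a non-nil implant is appended on the build host only, so neither the
// repository nor the reviewers ever see it.
func Release(priv ed25519.PrivateKey, reviewedSource, implant []byte) Outcome {
	buildInput := reviewedSource
	if implant != nil {
		buildInput = append(append([]byte{}, reviewedSource...), implant...)
	}
	s := Sign(priv, build(buildInput))
	pub := priv.Public().(ed25519.PublicKey)
	return Outcome{
		SignatureValid: Verify(pub, s),
		RebuildMatches: RebuildMatches(s, reviewedSource),
	}
}

// DemoKey derives a key from a fixed seed so the example is deterministic.
// A real signing key must come from a CSPRNG (ed25519.GenerateKey) and live
// in an HSM or equivalent; this is a constructed placeholder only.
func DemoKey() ed25519.PrivateKey {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i)
	}
	return ed25519.NewKeyFromSeed(seed)
}

func main() {
	// Constructed placeholders: reviewed source and a stand-in implant.
	src := []byte("func Collect() { /* reviewed telemetry code */ }")
	implant := []byte("\nfunc init() { beacon(\"c2.example\") }")
	priv := DemoKey()
	for _, c := range []struct {
		name    string
		implant []byte
	}{{"clean build", nil}, {"tampered build", implant}} {
		o := Release(priv, src, c.implant)
		fmt.Printf("%-15s signature valid: %v   independent rebuild matches: %v\n",
			c.name, o.SignatureValid, o.RebuildMatches)
	}
}
```

Run it with `go run`: the clean build passes both checks, while the tampered build reports a valid signature and a failed rebuild comparison. The design point is that the signature is bound to the build output, so any control meant to catch build-time tampering has to look at the build's inputs and reproducibility rather than at the signature.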

Ross later suggests the concept of a "lean systems security engineering," so you get the benefits without stopping technology progress and innovation. With certain scenarios monitored to lock down the system with earlier detection, attacks can be made fairly predictable—making the system “resilient.”
Enter: Tauruseer's Continuous Assurance Platform

By now, most people realize this is a real wake-up call and a real opportunity. If a company wants to prevent malicious code injection, it must take steps to identify and monitor the scenarios in which it can happen. Tauruseer can automatically identify when a repository is out of governance (in this case, a repository that has become public) and when someone who is not a team member has committed code.

Our patent-pending Cognition Engine™, Inventory of Intelligence™, and Environment Optimization Scorecard™ monitor for the scenarios in which this can happen.
  • Cognition Engine™ — Tauruseer's proprietary correlation engine automates analytics with a growing list of pre-built "risky combinations" called "Cognitions." Cognitions pinpoint areas of change risk and surface actionable scenarios with prescriptive advice to prevent exploitation. Cognitions can also be predictive, automating data science techniques for visibility into potential future risks.

  • Inventory of Intelligence™ — Tauruseer's proprietary entity configuration approach, which we call the Application Centric Risk Model™, simplifies complexity to contextualize and personalize high-priority risks for better communication, collaboration, and accountability.

  • Environment Optimization Scorecard™ — Tauruseer's proprietary environment optimization tools continuously check adherence to best practices, regulatory compliance, and company policies, giving management and senior leadership confidence that security controls are adequately deployed, operating effectively, and demonstrating continuous risk performance.


"Risky Combinations" and the cyber imperative


For those companies operating valuable business processes or producing products critical to their customers via software, this is your call-to-action to begin implementing proactive prevention measures via a platform-driven approach.


Either of these two alerts (a repository made public, or a commit by someone outside the team), if acted on by a human, can prevent malicious code from going unnoticed and making its way into the distribution channels. But it is the historical tracking of "risky combinations" that could have further helped the teams see a threat pattern.


In this context, an empowered IT DevSecOps organization leveraging the Tauruseer Continuous Assurance Platform could have:

1. Contextually baselined every application's supporting infrastructure, Bill of Materials, tool configurations, team members, certificates, risk performance metrics, and underlying dependencies, automatically checking for security violations and giving continuous feedback on risky changes, their prioritization, and their remediation.

2. Detected activity in any source control system, independent of any single tool, where committed code falls outside standard practices and security policies.

3. Detected, across the entire application portfolio, when an unauthorized individual has added code to a repository, to determine whether anyone is tampering with the codebase and secretly installing backdoors or malware.

4. Detected, across the entire application portfolio, any code repository changing from private to public, to identify the insecure misconfiguration, assess intent and potential business impact, and decide whether to revoke access.

5. Automatically mapped known supply chain vulnerabilities to every entity, so that when an agency such as NIST or the Cybersecurity and Infrastructure Security Agency (CISA) releases an alert detailing active exploitation of specific CVEs (here CVE-2020-10148, CVE-2020-14005, and CVE-2020-13169), teams can identify the affected systems and act on their most critical risks within minutes rather than weeks or months.



Additionally, historical tracking of events in one platform enables our Cognition Engine™ to alert when any "risky combinations" like these are observed.
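The two single-signal alerts and the "risky combination" described above can be expressed as a small detection routine. The following is an added example written for this edit, not Tauruseer's Cognition Engine or any other vendor's code; the event schema, rule names, 72-hour window, repository names and actors are all constructed for illustration. It replays a constructed audit history in time order, raises a medium finding for a repository flipped to public or for a commit by a non-member, and escalates to high when a non-member commit lands within the window after the same repository was made public. A repository returned to private drops out of the window, so a later non-member commit is reported on its own.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is one normalized audit record pulled from a source control system.
// The field names are this example's own, not any vendor's schema.
type Event struct {
	At    time.Time
	Repo  string
	Kind  string // "visibility" or "push"
	Actor string
	From  string // visibility events only: previous setting
	To    string // visibility events only: new setting
}

// Finding is one alert. Severity is "medium" for a single signal and "high"
// when two signals combine on the same repository.
type Finding struct {
	At       time.Time
	Repo     string
	Rule     string
	Severity string
	Detail   string
}

// Policy holds the governance baseline: who may commit to each repository,
// and how long a private-to-public flip keeps later pushes "tainted".
type Policy struct {
	Teams  map[string]map[string]bool
	Window time.Duration
}

func (p Policy) authorized(repo, actor string) bool { return p.Teams[repo][actor] }

// Evaluate replays the event history in time order and applies three rules:
// repo made public, commit by a non-member, and the risky combination of a
// non-member commit landing soon after the repo was made public.
func Evaluate(p Policy, events []Event) []Finding {
	sorted := append([]Event(nil), events...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })

	wentPublic := map[string]time.Time{} // repo -> when it last became public
	var out []Finding
	for _, e := range sorted {
		switch e.Kind {
		case "visibility":
			if e.To == "private" {
				delete(wentPublic, e.Repo) // back under governance
			}
			if e.From == "private" && e.To == "public" {
				wentPublic[e.Repo] = e.At
				out = append(out, Finding{e.At, e.Repo, "repo-made-public", "medium",
					fmt.Sprintf("%s changed %s from private to public", e.Actor, e.Repo)})
			}
		case "push":
			if p.authorized(e.Repo, e.Actor) {
				continue
			}
			f := Finding{e.At, e.Repo, "non-member-commit", "medium",
				fmt.Sprintf("%s pushed to %s but is not on its team", e.Actor, e.Repo)}
			if t, ok := wentPublic[e.Repo]; ok && e.At.Sub(t) <= p.Window {
				f.Rule, f.Severity = "risky-combination", "high"
				f.Detail += fmt.Sprintf(", %s after the repo was made public", e.At.Sub(t))
			}
			out = append(out, f)
		}
	}
	return out
}

// SamplePolicy and SampleEvents are constructed test data, not real audit logs.
func SamplePolicy() Policy {
	return Policy{
		Teams: map[string]map[string]bool{
			"orion-core":  {"alice": true, "bob": true},
			"billing-api": {"carol": true},
		},
		Window: 72 * time.Hour,
	}
}

func SampleEvents() []Event {
	d := func(day, hour int) time.Time { return time.Date(2020, 12, day, hour, 0, 0, 0, time.UTC) }
	return []Event{
		{At: d(1, 9), Repo: "orion-core", Kind: "push", Actor: "alice"},
		{At: d(2, 10), Repo: "orion-core", Kind: "visibility", Actor: "bob", From: "private", To: "public"},
		{At: d(2, 13), Repo: "orion-core", Kind: "push", Actor: "ext-contractor"},
		{At: d(5, 16), Repo: "billing-api", Kind: "push", Actor: "mallory"},
		{At: d(10, 8), Repo: "orion-core", Kind: "visibility", Actor: "bob", From: "public", To: "private"},
		{At: d(11, 9), Repo: "orion-core", Kind: "push", Actor: "ext-contractor"},
	}
}

func main() {
	for _, f := range Evaluate(SamplePolicy(), SampleEvents()) {
		fmt.Printf("%s %-6s %-18s %s\n", f.At.Format("2006-01-02 15:04"), f.Severity, f.Rule, f.Detail)
	}
}
```

The sample history yields four findings: the repository going public, the contractor's push three hours later escalated to high, mallory's push to billing-api as a plain non-member commit, and the contractor's second push after the repository is private again reported at medium. Replaying the full history rather than evaluating each event in isolation is what lets the combination rule fire; a per-tool alert that sees only the push, or only the visibility change, cannot.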


Prevent cyber breaches and your next operational disruptions before they even happen by implementing Tauruseer’s Confidence Cloud in hours:

  • Get code-to-cloud visibility and control of change risk across all of your operations 
  • Detect and mitigate security hygiene issues to reduce your attack surface 
  • Automate KPIs as policies in CI/CD pipelines to enforce risk posture across your full stack 
  • Stay audit ready for NIST, FedRAMP, CMMC, FISMA and other requirements

The Pentagon's Cybersecurity Maturity Model Certification (CMMC) program starts next year. And, with the news of a trojanized update to a commercial software product leading to a supply chain attack, achieving and keeping your Authority to Operate (ATO) is proving to be more critical than ever.

Tauruseer is always thinking about how challenges like these could have been solved before an event. We’d love to hear from you to start reducing software operational and supply chain risks. Please get in touch to solve these problems together at: hello@tauruseer.com.
