Kelly Shortridge, Senior Principal, Product Technology at Fastly, took part in a Cloud Security Alliance (CSA) webinar near the end of 2022. In the webinar, titled Security Leaders Debate: Cybersecurity Predictions for 2023, Kelly joined a group of panelists from JupiterOne, Omdia, and Symmetry Systems to look ahead to 2023 and share what they believe will be the hot trends or happenings in the New Year.
Kelly’s primary prediction is that in 2023 security teams will more readily use engineering tools, particularly continuous integration (CI), continuous deployment (CD), and infrastructure as code (IaC) tools, for audit trails and to solve other pressing security problems. In this article, I'll explore this prediction more closely and, based on Kelly's comments during the session, offer some further comments from the JupiterOne perspective.
Cybersecurity’s 'secret weapon'
Continuous integration, continuous delivery, and infrastructure as code are methodologies that, in some manner, automate the development and deployment of software and infrastructure into your production environment. According to Amazon, continuous delivery “is a software development methodology where the release process is automated,” whereas continuous integration “is a software development practice where members of a team use a version control system and frequently integrate their work to the same location, such as a main branch.”
Red Hat has a similar definition for infrastructure as code, defining it as “the managing and provisioning of infrastructure through code instead of through manual processes.” Infrastructure is clarified later in the article as including “servers, operating systems, storage, and other infrastructure components.”
These methodologies, inherently focused on automation, don’t say anything about security. That doesn’t mean, however, that security teams can’t take advantage of the benefits they provide. This makes engineering tools a ‘secret weapon’ of sorts for security teams looking for an operational edge. It also encourages developing deeper ties with the engineering teams at their organization, bridging the gap between two groups that have traditionally been very siloed.
According to Kelly, “There are some key use cases, for IaC in particular, that means that it’s more viable for security, or at least more viable in solving a lot of these problems. You can do faster incident response. You’ve got automatic redeployment of infrastructure when incidents happen. Even better, you can automatically respond to leading indicators of security failures.”
Part of her prediction, or perhaps it should be considered a parallel yet related prediction, is that engineering and infrastructure engineering teams will receive more budget in 2023, making it likely usage of these tools will continue to expand. Since these teams are already using IaC for audit trail purposes, it makes sense for security teams, instead of opposing or fearing these tools, to consider the benefits they could bring to a more resilient cybersecurity posture.
Reliable audit trails lead to resilience
The first thing many people think of when they hear the term ‘audit trail’ is compliance. Modern enterprises need to account for so many different regulations, including those protecting privacy, health, financial, and intellectual property information. And, of course, audit trails figure heavily in accounting and finance.
Comprehensive and accurate audit trails can help in the wake of a cybersecurity incident, as well. And some organizations are already doing this. “I’ve talked to many organizations that are already using it [IaC] very much for things like even software provenance, but certainly just your standard audit trail and being able to revert things,” Kelly said. “It’s great if you want to understand things like for blameless postmortems, what went wrong. It’s fantastic for incident response … Even if security teams don’t get on board, this is still happening and it’s still going to impact security.”
Safety and resilience
An interesting offshoot of the conversation was about the term cybersecurity, which has become more than a buzzword over time. While not a prediction itself, the conversation is worth noting and could be seen as a paradigm shift in the broader security discussion.
Sounil Yu - JupiterOne CISO and Head of Research: “A lot of the things that we do are actually more cyber safety than cybersecurity. So if not ‘security-as-code,’ could we actually label this as ‘cyber safety-as-code?’”
Kelly Shortridge: “I’m loath to use cyber for much else on what we already have … I think what’s important is we’ve already alienated software engineering teams who are the ones that predominantly control budget and software … We probably want to stop alienating them and start collaborating with them. The more we put cybersecurity into anything, I think the worse. I personally like the term resilience, just because that covers you being able to gracefully adapt to any sort of evolving condition and any sort of failure scenario.”
This may be where many security teams, and many organizations, have failed over the years. Cybersecurity was rigid, a virtual stone wall put up around the perimeter. That may have worked well against certain threats, but the lack of flexibility and adaptability led to increasingly large and more frequent breaches.
As we continue to move toward the cloud and ‘off-premises’ infrastructure, I’d like to interject and suggest that we normalize replacing cybersecurity with the words safety and resilience. This begins with security and engineering teams working in lockstep together, not in opposition to each other.
As we all know too well, attacks will happen. Breaches and incidents will compromise your information assets. Accepting this, building to adapt and respond quickly, with security and engineering teams working together toward this goal, can only make your organization, and its customers, safer in the long term.
More predictions for 2023
The conversation featured during the Security Leaders Debate: Cybersecurity Predictions for 2023 panel webinar included some thought-provoking predictions for the coming year. Alongside Kelly, the panel featured JupiterOne CISO Sounil Yu, Fernando Montenegro, Senior Principal Analyst at Omdia, and Claude Mandy, Chief Evangelist for Data Security at Symmetry Systems. If you haven’t already done so, be sure to watch the full webinar on-demand here.
If you’re interested in delving deeper, JupiterOne also put together a bonus article covering 12 predictions the panel didn’t have the chance to get to during the webinar. Check it out for more on what may come in 2023!