(PART 2) FireEye & SolarWinds Breach: Continuous Assurance Explained & Why DevSecOps Is Not Enough

Dec 21, 2020

In Part 1 we addressed the understanding gap using this unfortunate, but recent, real-world example of a supply chain attack. Simply put, this breach demonstrates a weakness present in most of the software organizations we all rely on.


At Tauruseer, we take our science seriously and help our customers do the same. With a clear understanding of the challenges we all face, and with a shared framework to help us move forward, we can (and should) accelerate the risk posture maturity of software ecosystems.


*Post updated 1/5/2021.


Executive summary

Tauruseer:
  • provides a video walkthrough of software ecosystem risks from April 2020
  • introduces proactive concepts like DevSecOps and explains why, while necessary, they are not sufficient
  • proposes Tauruseer's novel approach, with out-of-the-box, automated use cases to detect and prevent future software supply chain attacks

Attackers Continue To Exploit Product Security Weaknesses

Preventing supply chain attacks via siloed departments and the team microcultures utilizing the many disconnected toolsets like the ones we explain below is proving to be very difficult, if not impossible. Simply deploying these technical tools alone will not reduce these risks. New visibility and control mechanisms are needed that will tie the software stack, security, and operations together in a comprehensive way that eliminates complexity and uncertainty. 

*See the zoomed-in view below to understand the complexity of every DevSecOps team's microculture of people, processes, and technologies.

How will top software organizations embrace the agility required while gaining visibility and control into this complexity to truly maintain security?

PROBLEM: the below is an example of ONE team microculture... how many applications do you have in your environment?

DevSecOps is necessary, but not sufficient

In the wake of the SolarWinds breach, NIST's Ron Ross, in an interview titled 'The Adversary Lives in the Cracks,' turns to DevSecOps approaches and argues that we must look at Agile and DevOps processes. Ross calls attention to the fundamental need for better security across the entire software development lifecycle, stating the reality: "adversaries are exploiting bugs, weaknesses, and deficiencies in software to their advantage."

If "DevOps" is to succeed, the role of proactive prevention in securing software ecosystems must change. But first, we must systematically change and improve from within:
  • A modern IT DevOps staff must be familiar with various technical tools, like: cloud computing, containers, microservices, code repositories, continuous integration, continuous delivery, continuous deployment, and application performance monitoring.

An organization with "DevSecOps" enhances its cyber and risk approaches. DevSecOps is the concept of embedding security, privacy, policy, and controls into DevOps culture and processes through automation across the software development lifecycle, so that security responsibility is shared.
  • A modern IT DevSecOps staff must be familiar with various technical tools, like: software composition analysis (SCA) for open-source software components, dependency vulnerability mapping (DVM), static application security testing (SAST) for developers' code, container security scanning for container misconfigurations and vulnerabilities, and dynamic application security testing (DAST) for vulnerabilities within developed software.

But why is DevSecOps not sufficient?

None of these approaches alone would have found the attack, because they are disconnected across siloed departments or separate tools (point solutions). The backdoor (the malicious code) was not in an open source library, and the compromised DLL (dynamic-link library) was signed with a valid certificate.

Software Composition Analysis primarily identifies third-party software vulnerabilities, so it is not effective at detecting malicious code in your own repository. Code signing only ensures the code has not been tampered with after signing; it has no ability to identify malicious code that was present when the signature was made.

Ross later suggests the concept of "lean systems security engineering," so you get the benefits without stopping technology progress and innovation. With certain scenarios monitored to lock down the system with earlier detection, attacks can be made fairly predictable—making the system "resilient."

Enter: Tauruseer's Continuous Assurance Platform

By now, most people realize this is a real wake-up call and a real opportunity. If a company wants to prevent malicious code injections, it must take steps to identify and monitor for the scenarios in which this can happen. Tauruseer maintains the ability to automatically identify when a repository is out of governance (in this case, a public repo) and when a non-team member has committed code.

Our patent-pending Cognition Engine™, Inventory of Intelligence™, and Environment Optimization Scorecard™ help monitor for the scenarios in which this can happen.
  • Cognition Engine™ — Tauruseer's proprietary correlation engine automates analytics with a growing list of pre-built "risky combinations" called "Cognitions." Cognitions pinpoint areas of change risk and illuminate actionable scenarios with prescriptive advice to prevent exploitation. Cognitions can also be predictive, automating data science techniques for visibility into potential future risks.

  • Inventory of Intelligence™ — Tauruseer's proprietary entity configuration approach, which we call the Application Centric Risk Model™, simplifies complexity to contextualize and personalize high-priority risks for better communication, collaboration, and accountability.

  • Environment Optimization Scorecard™ — Tauruseer's proprietary environment optimization tools continuously identify adherence to best practices, regulatory compliance, and company policies, giving management and senior leadership confidence that security controls are adequately deployed, operating effectively, and delivering continuous risk performance.


"Risky Combinations" and the cyber imperative


For those companies operating valuable business processes or producing products critical to their customers via software, this is your call-to-action to begin implementing proactive prevention measures via a platform-driven approach.


Either of these alerts (a repository out of governance, or a commit by a non-team member), if handled by a human, can prevent malicious code from going unnoticed and making its way into the distribution channels. But it is the historical tracking of "risky combinations" that could have further helped the teams see a threat pattern.


In this context, an empowered IT DevSecOps organization leveraging the Tauruseer Continuous Assurance Platform could have:


1. Contextually baselined every application's supporting infrastructure, Bill of Materials, tool configurations, team members, certificates, risk performance metrics, and underlying dependencies, automatically checking for security violations and providing continuous feedback on risky changes, prioritization, and remediation.

2. Detected malicious activity in any source control system for any committed code that falls outside standard practices and security policies, independent of any single tool.

3. Detected whether an unauthorized individual has added code to a repository anywhere across the entire application portfolio, to determine if anyone was tampering with the codebase and secretly installing backdoors or malware.

4. Detected any code repository change from private to public across the entire application portfolio, to identify insecure misconfigurations, determine intent, decide whether to revoke access, and understand the potential business impact.

5. Automatically mapped known supply chain vulnerabilities to every entity, so that when an agency like NIST or the Cybersecurity and Infrastructure Security Agency (CISA) releases an alert detailing active exploitation with associated CVEs (CVE-2020-10148, CVE-2020-14005, and CVE-2020-13169), people can research and, within minutes rather than weeks or months, take action on the right systems (your most critical risks).



Additionally, historical tracking of events in one platform enables our Cognition Engine™ to alert when any "risky combinations" like these are observed.
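To make the detection scenarios in items 2 through 4 above, and the "risky combination" correlation described here, concrete, the following is an added example (not Tauruseer's code and not how the Cognition Engine™ is implemented): a small detector run over a constructed source-control audit log. The team roster, repository names, author addresses and event shape are all assumptions invented for the example. It flags a push by an author who is not on the repository's roster, a private-to-public visibility change, and a repository that was never baselined, then correlates an unauthorized commit followed by the same repository going public within a time window into a single escalated finding.

```python
"""Added example: governance alerts over a source-control audit log.

This is illustrative code written for this article, not Tauruseer's platform.
Event shape, roster and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed baseline: repository -> authorised committer emails (hypothetical).
TEAM_ROSTER: Dict[str, Set[str]] = {
    "acme/build-pipeline": {"alice@example.com", "bob@example.com"},
}

# Constructed audit events in the shape of a generic source-control audit log.
SAMPLE_EVENTS = [
    {"ts": "2020-03-02T10:00:00", "type": "push", "repo": "acme/build-pipeline",
     "author": "alice@example.com", "sha": "aaa111"},
    {"ts": "2020-03-04T02:13:00", "type": "push", "repo": "acme/build-pipeline",
     "author": "unknown@mailer.test", "sha": "bbb222"},
    {"ts": "2020-03-04T02:40:00", "type": "visibility_change",
     "repo": "acme/build-pipeline", "from": "private", "to": "public",
     "actor": "bob@example.com"},
    {"ts": "2020-03-10T09:00:00", "type": "push", "repo": "acme/other",
     "author": "carol@example.com", "sha": "ccc333"},
]


@dataclass
class Alert:
    ts: datetime
    repo: str
    kind: str      # unauthorized_commit | repo_made_public | repo_not_baselined
    detail: str


def detect(events: List[dict], roster: Dict[str, Set[str]]) -> List[Alert]:
    """Evaluate each audit event against the governance baseline (items 1-4)."""
    alerts: List[Alert] = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(e["ts"])
        repo = e["repo"]
        if repo not in roster:
            # Item 1: an entity outside the baseline is itself out of governance.
            alerts.append(Alert(ts, repo, "repo_not_baselined",
                                "no roster/baseline exists for this repository"))
            continue
        if e["type"] == "push" and e["author"] not in roster[repo]:
            # Item 3: code added by someone who is not a team member.
            alerts.append(Alert(ts, repo, "unauthorized_commit",
                                f"{e['author']} pushed {e['sha']}"))
        elif e["type"] == "visibility_change" and e["to"] == "public":
            # Item 4: repository moved from private to public.
            alerts.append(Alert(ts, repo, "repo_made_public",
                                f"{e['from']} -> public by {e['actor']}"))
    return alerts


def risky_combinations(alerts: List[Alert],
                       window: timedelta = timedelta(days=7)
                       ) -> List[Tuple[str, Alert, Alert]]:
    """Correlate an unauthorized commit followed by the same repo going public.

    Neither alert alone proves malice; together, close in time, they form the
    kind of 'risky combination' worth escalating for human review.
    """
    by_repo: Dict[str, List[Alert]] = {}
    for a in alerts:
        by_repo.setdefault(a.repo, []).append(a)
    combos = []
    for repo, items in by_repo.items():
        commits = [a for a in items if a.kind == "unauthorized_commit"]
        publics = [a for a in items if a.kind == "repo_made_public"]
        for c in commits:
            for p in publics:
                if timedelta(0) <= p.ts - c.ts <= window:
                    combos.append((repo, c, p))
    return combos


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS, TEAM_ROSTER)
    for a in found:
        print(f"{a.ts.isoformat()} {a.repo} {a.kind}: {a.detail}")
    for repo, c, p in risky_combinations(found):
        print(f"ESCALATE {repo}: {c.detail} then {p.detail}")
```

Run as a script it prints three alerts and one escalation for the constructed log. In a real deployment the roster would come from the baseline inventory rather than a constant, the events from the source-control provider's audit log, and the window would be tuned to the team's release cadence.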


Prevent cyber breaches and your next operational disruption before they happen by implementing Tauruseer's Confidence Cloud in hours:

  • Get code-to-cloud visibility and control of change risk across all of your operations 
  • Detect and mitigate security hygiene issues to reduce your attack surface 
  • Automate KPIs as policies in CI/CD pipelines to enforce risk posture across your full stack 
  • Stay audit ready for NIST, FedRAMP, CMMC, FISMA and other requirements

The Pentagon's Cybersecurity Maturity Model Certification program starts next year. And, with the news of this exploited vulnerability in a commercial software product leading to a supply chain attack, achieving and keeping your Authority to Operate (ATO) is proving to be more critical than ever.

Tauruseer is always thinking about how challenges like these could have been solved before an event. We'd love to hear from you to start reducing software operational and supply chain risks. Please get in touch to solve these problems together at: hello@tauruseer.com.
