During our sixth annual user conference, Illuminate, Dave Frampton, General Manager of the security business at Sumo Logic, hosted a panel discussion with Yaron Levi, CISO of Dolby, and Tyson Martin, member of the CISO group at AWS, about the challenges and opportunities of securing modern applications. These are the key takeaways from that conversation.
Over the past 10+ years, the shift to cloud-based services and architectures has seen organizations increasingly adopt new technologies, open-source tools, SaaS, and various cloud applications. But this change brought more technical debt and a larger threat surface. Historically, security was mostly focused on traditional threats to the enterprise, like ransomware and phishing. Today, the scope of concern for security teams is much larger as companies have become more decentralized. Levi points out, “Companies are using resources across the globe, on top of the massive shift to a hybrid workforce in the past two years.”
“Security is expanding from just managing my enterprise to much more of a strategic function across enabling the business.”
The proliferation of modern applications and their rapid adoption has outpaced most organizations’ security teams. Today’s typical SOC is not adequately lowering risk or getting the right return on investment. Team members must spend valuable cycles on validation instead of problem-solving. These teams have too much to respond to and too limited data to rely on to make a good decision.
As Martin points out, much of a CISO’s job in rising to this challenge is orchestrating cooperation between teams. “The CISO today realizes that the less buy-in we have from our partners across the business, the more they want to move fast and possibly move with not as much care and due diligence as you would like,” he says.
Establishing a solid foundation is key to successfully evolving the focus of security teams to include modern applications. As Martin warns, “It’s easier for our relationship to become adversarial, instead of working with one another to amplify each of your strengths to increase innovation and improve customer experiences.”
In most organizations, there is a clear division between those building applications and SecOps resources. Historically, in many organizations, the IT team and the engineering team don't mix. They sometimes don't even talk to each other. Levi points out there are traditionally two ways companies operate, “Everything has to go through security for approval, or organizations that decentralize everything and they end up in chaos.”
There are some clear best practices for these groups to start collaborating, learning from each other and executing workflows efficiently.
To that end, Martin says, “It's the establishment of processes, policies, procedures, and a culture of understanding in the organization that unlocks alignment and synergy between the two.”
Similarly, Levi sees room in the security community for both DevOps and SecOps to come together to leverage their respective strengths, whether security is centralized or decentralized. “Some functions are centralized, some are decentralized, but ultimately there's a concert that works together, and there's overall governance on top of that,” he says.
It’s no secret that to assess if an application is fundamentally secure, you have to trace all the way through its lifecycle: from the build phase, code scanning and application security testing, to deployment and posture management, to the run phase. Coordinating security through all those phases remains largely elusive for many organizations but is quickly becoming a necessary priority.
The complexity of cloud-based environments needs clear guidelines and policies. Equally important, says Levi, is a shift in mindset. “I don't want to be in a situation where somebody develops something, throws it over the fence to a security team to do whatever with it, and then throws it back over the fence. That doesn't work. We have to be aligned with the process.”
Security processes are notorious for being restrictive and highly variable depending on the technology on which they rely. Martin points out that, “Processes should not be there to hinder evolution and invention and creativity. There needs to be a safe place for play, and that safe place for play and experimentation needs to still have guiding principles within it.”
It’s those guiding principles that are essential but often missing, says Levi, “I think one of the challenges in the security industry is we don't have generally accepted security practices or concepts. We have many frameworks, but to actually apply them we need principles to guide the management of risk and security.”
Organizations seeking to enhance the security of their modern applications have no shortage of options. But the risk of tool fatigue and of further complicating the tech stack makes choosing the right tool especially difficult.
To evaluate possible solutions, Martin recommends asking, “Does a technology bring value across the business to as many business units as possible?”
Limiting tool sprawl across build, deploy, and run means synthesizing the output of all of these tools in a way that's consumable, tied to workflow, and enables collaboration.
Levi adds that tools for securing modern applications have a dual purpose of not only minimizing security threats but also surfacing which threats to prioritize first.
Martin concludes, “That visibility needs to be that telemetry that enables us to monitor our process, the efficacy of our process, the risk to our process, and enable us to make decisions through that process.”