Security Remediation Game of Tag: You Are It!

Ah, Security Remediation. The game of tag we all know and love. Security teams “tag” Devs, DevOps, or IT teams with a security finding to fix, and then Devs put it at the very bottom of their to-do list as an issue to get to “someday.” Finally, a Dev gets around to fixing it… but wait! The Security team didn’t tell them the specifics of what needs to be done! Back to the bottom of the pile it goes. Thus begins the endless game of Security Remediation tag that leads to long security backlogs and increased friction between Security and Dev teams.

Endless Risks, Limited Time: Navigating the Security-Dev Conundrum

Security tools are everywhere. Businesses run multiple initiatives to manage risk, from cloud security to vulnerability management, application security, penetration testing, and bug bounties – the list is endless.

Risks and vulnerabilities generated by these tools can pile up overnight. Security teams must prioritize the remediation efforts, act as traffic controllers, and manually get the findings to the right “fixer” teams – developers, DevOps, or IT.

The problem? Devs, DevOps, and IT teams have sprints, daily tasks, and projects to finish. Their focus is on writing code and pushing products to market. As a result, security and compliance requests tend to be added at the end of the to-do list. Remediation tickets are often pushed back or dropped because there is no time for them, the fixes are too complex, or the devs simply don’t understand the security context.

The struggle is real: security teams battle with snowballing risks and nag the developers, again and again, to get the issues fixed. At the same time, devs try to stay focused on their work and avoid being dragged down into the Security team’s remediation backlog rabbit hole.

This escalates the friction between Security and Dev teams and causes a long backlog of security findings waiting for remediation, which keeps snowballing into an unmanageable mess, and the risk grows with it. Security teams are stuck in a constant loop of chasing developers and DevOps to fix the issues while developers keep pushing their compliance items further down their list of priorities. It is a vicious cycle that needs to be broken.

Why are Dev Teams Reluctant to Handle Security Tickets?

There are several reasons why developers are reluctant to handle security tickets.

First of all, security fixes can be tricky and require specialized knowledge. Devs are also missing the all-important context. They often get tool-specific lists with no prioritization across findings, which makes it hard for them to understand which fixes should take priority.

Second, dev teams have limited resources and existing workloads that must be completed. Security remediation tasks can sit at the end of their list and are often pushed back or dropped due to time constraints.

Moreover, remediation is seen as “just another item in the list of tasks,” not a priority since devs are measured on the number of features they can deliver, not on how many remediation tickets they managed to close.

And finally, remediation sits outside of the product’s core development process. Security teams use different tools, have different processes, and work under different timelines than dev teams. Security issues are not necessarily aligned with sprints, workloads, or ticketing tools. Security tasks are not integrated into the development ecosystem and, therefore, not a part of their CI/CD process. This disconnect makes it hard for developers to understand what is expected from them and why they need to do it.

Automation of Security Remediation Workflows – The Answer?

But what if Security Remediation could be automated? Then Security teams wouldn’t have to spend time playing tag. They would just send the Dev team an automated ticket with the details of what needs to be fixed and how. And Dev teams would immediately get to work on fixing it before something serious happens in production.

Security backlogs can be managed more quickly, with Security teams able to automate much of the Security Remediation process, from assessment to prioritization and assigning tickets to developers. Security information can be integrated into the developer’s workflow with context and priority, enabling them to understand the risk of each item and what needs to be done quickly.

How Does Automation Improve Remediation Efforts?

  • Devs receive ready-to-fix items at the right time, with all the context they need
  • Security tasks are embedded into day-to-day development workflows
  • Devs are empowered to own and manage the security backlog like any other backlog
  • All security tasks are managed in the same ticketing systems as other tasks

How Seemplicity Helps

The trick is to bridge the Security and Dev worlds. Seemplicity’s platform helps Security and Dev teams work together, empowering developers with the context they need to knock down security tasks from their to-do list. Seemplicity’s automated remediation workflow delivers prioritization of findings and guidance for Dev teams. Security tasks can be managed in the same ticketing systems as other tasks and are integrated into their CI/CD process.

With Seemplicity, Security and Dev teams have a shared understanding of the security process with fewer manual steps, improved visibility to security tickets, no back-and-forth between Security and Dev teams, and security tasks integrated into their existing workflows.

Seemplicity empowers Security and Dev teams to:

  • Integrate remediation efforts with existing ticketing and reporting tools to automate the entire remediation ticket lifecycle seamlessly.
  • Automate ticket opening and assignment to the relevant board or project as soon as a risk is identified.
  • Continuously track and update remediation progress and automatically close fixed issues.
  • Tag tickets with user-preferred labels and fields.
  • See all status updates and comments in one place without the need to log in to multiple systems.

Remediation tasks don’t need to be a distraction to dev teams. With Seemplicity, Security and Dev teams can work together more efficiently, managing security tickets the same way they manage other tasks – with fewer manual steps, improved visibility, and security tasks integrated into their existing workflows.

Now that’s a win-win for everyone! So get ready to automate your Security Remediation workflows with Seemplicity.

Are you ready to stop playing remediation tag? Get started with Seemplicity today!

All I Want for 2023 are Improved Security SLAs

It’s that time of the year again. With 2022 behind us, you are probably considering your new year’s resolutions and setting your security team’s goals for 2023.

So how can you ensure remediation effectiveness and add value to the risk reduction process this year?

It’s time to put tracking of Security SLAs at the top of your resolution list – and instead of letting SLAs get lost in the shuffle of daily tasks, turn them into practical and measurable goals.


What is Security SLA Tracking?

Many organizations outline service-level agreements (SLAs) for remediation in their security policies. SLAs define expectations of how quickly security teams should address problems and how to prioritize risk levels.

Often SLAs require security teams to fix certain risks within a specific time frame. For example, many companies aim to fix vulnerabilities with a CVSS Score of 7+ in 30 days or less and a 4+ CVSS score in under 90 days. The SLAs vary from company to company and depend on their security maturity.


The Importance of Security SLA Tracking

Security SLAs, while important, are usually purely theoretical. They often get lost in the shuffle of daily tasks and management requests.

The first issue is the lack of accountability. It’s easy to forget the SLA deadlines when there is no system in place to call out if they are not met.

The second issue is that it’s equally challenging to prioritize SLAs when there’s no way of knowing which risks need to be addressed first. What happens when there is a backlog with multiple SLAs at risk of being late or not met? Or even worse, when a security team works on too many remediation tasks simultaneously with no way of tracking the SLA statuses?

Next, there is a lack of visibility into the remediation efforts. Knowing exactly how many issues have been fixed and which ones are still outstanding requires a system that can track efforts and results. It can be hard to find out if risks are being addressed fast enough, if they’re being prioritized correctly, or who’s responsible for fixing them.

Another victim of the lack of visibility is collaboration between security and dev teams. Without a good tracking system in place, it can be hard to establish effective channels of communication. Nobody likes to have to ask the same questions all over again, and if there is no visibility into the progress of tasks, it can lead to delays and frustration.

Without a system to track the amount of work required for resolution and real-time communication between all the counterparts involved, there is zero accountability or visibility into who is responsible for fixing a risk, when it needs to be fixed, and whether it has been achieved.


Effective Security SLA Tracking

Here’s the good news: with the right tools in place, all of these issues can be solved.

There is a saying: what is measured can be managed.

That’s why effective security SLA tracking is so important. Companies need tools to measure the extent of work before imposing an SLA on their “fixer” teams – developers, DevOps, or IT.
In short, they need a data-driven approach to prioritize, set, and manage timeframes for different remediation tasks.

Security teams need tools to help them answer high-level questions like:

  • Are we meeting our SLAs?
  • How long does it typically take to fix a risk?
  • Are there any recurring issues that keep coming up, and if so, what is the typical resolution time for those?

They also need tools to keep track of ongoing remediation efforts:

  • What is the progress on the SLA fix for a specific risk?
  • What is the current status of the remediation efforts?
  • Who are the people responsible?
  • What capacity do they have left for new tasks?


Manual Work is in the Way of Accurate Security SLAs

There are many moving parts to remediation – getting a unified list of all security findings, identifying who is responsible for fixing them, opening remediation tickets, and ensuring they are followed up on. Reports and SLAs are an integral part of it, giving a bird’s-eye view and insights into the entire process.

But since remediation still relies heavily on manual work, getting these insights is not an easy task.

Today’s security teams manually collect data from siloed scanning tools and try to deduplicate and prioritize to-dos. Since the security teams cannot fix the risks they find, they have to act as a “middleman” and run manual processes to delegate remediation tickets to different “fixer” teams.

Getting metrics such as average time to remediation, open vs. closed findings, SLA compliance, and many more can be very challenging when there is no automated tracking of the remediation steps.

With manual and fragmented processes, how can you expect to track remediation, let alone set goals and KPIs or monitor SLAs?
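The SLA policy quoted earlier in this post (CVSS 7+ fixed within 30 days, CVSS 4+ within 90 days) applied to a constructed findings list, producing the metrics the post asks for: SLA compliance, overdue items per owner, and average time to remediation. This is an added example, not Seemplicity’s code; the finding fields, owner names and the rule that scores below 4 carry no SLA are assumptions.

```javascript
// Added example: SLA tracking over a constructed findings list.
// Policy from the post: CVSS >= 7 must be fixed within 30 days,
// CVSS >= 4 within 90 days. Lower scores carry no SLA here (assumption).
const SLA_POLICY = [
  { minCvss: 7.0, days: 30 },
  { minCvss: 4.0, days: 90 },
];

const DAY_MS = 24 * 60 * 60 * 1000;

// SLA window in days for a CVSS score, or null if no tier applies.
function slaDays(cvss, policy = SLA_POLICY) {
  const tier = policy.find((t) => cvss >= t.minCvss);
  return tier ? tier.days : null;
}

// Due date = discovery date + SLA window (dates parsed as UTC midnight).
function dueDate(finding, policy = SLA_POLICY) {
  const days = slaDays(finding.cvss, policy);
  if (days === null) return null;
  return new Date(new Date(finding.discovered).getTime() + days * DAY_MS);
}

// One finding's SLA status as of `now`:
//  "met"      closed on or before the due date
//  "breached" closed after the due date, or still open past it
//  "open"     still open and inside the window
//  "no-sla"   score below the lowest tier
function slaStatus(finding, now, policy = SLA_POLICY) {
  const due = dueDate(finding, policy);
  if (due === null) return "no-sla";
  if (finding.closed) {
    return new Date(finding.closed) <= due ? "met" : "breached";
  }
  return new Date(now) <= due ? "open" : "breached";
}

// Rolls up the questions the post asks: are we meeting SLAs, how long
// does a fix take, what is still open and which fixer team owns it.
function slaReport(findings, now, policy = SLA_POLICY) {
  const report = {
    met: 0, breached: 0, open: 0, noSla: 0,
    overdue: [],          // ids of open findings past their due date
    byOwner: {},          // open SLA-bound findings per fixer team
    avgDaysToFix: null,   // mean discovery -> close, closed findings only
    complianceRate: null, // met / (met + breached)
  };
  let fixDays = 0;
  let fixed = 0;
  for (const f of findings) {
    const status = slaStatus(f, now, policy);
    if (status === "no-sla") report.noSla++;
    else if (status === "met") report.met++;
    else if (status === "breached") report.breached++;
    else report.open++;
    if (!f.closed && status !== "no-sla") {
      report.byOwner[f.owner] = (report.byOwner[f.owner] || 0) + 1;
      if (status === "breached") report.overdue.push(f.id);
    }
    if (f.closed) {
      fixDays += (new Date(f.closed) - new Date(f.discovered)) / DAY_MS;
      fixed++;
    }
  }
  if (fixed > 0) report.avgDaysToFix = fixDays / fixed;
  const judged = report.met + report.breached;
  if (judged > 0) report.complianceRate = report.met / judged;
  return report;
}

// Constructed sample findings (not real data).
const SAMPLE_FINDINGS = [
  { id: "F-1", cvss: 9.8, discovered: "2022-11-01", closed: "2022-11-20", owner: "devops" },
  { id: "F-2", cvss: 7.5, discovered: "2022-11-01", closed: "2022-12-15", owner: "backend" },
  { id: "F-3", cvss: 5.3, discovered: "2022-10-01", closed: null, owner: "backend" },
  { id: "F-4", cvss: 8.1, discovered: "2022-12-20", closed: null, owner: "it" },
  { id: "F-5", cvss: 2.0, discovered: "2022-12-01", closed: null, owner: "it" },
];

const SAMPLE_NOW = "2023-01-02";
```

Running `slaReport(SAMPLE_FINDINGS, SAMPLE_NOW)` flags F-2 as a breached SLA (closed 44 days after discovery against a 30-day window) and F-3 as open and overdue, which is exactly the “which SLA is at risk and who owns it” view the post says manual tracking cannot give.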


Security SLAs as Part of a Holistic Remediation Process

What’s the key to simplifying the complexity of the remediation process and its tracking?

Automation and data-driven processes.

A risk reduction platform that automates remediation workflows from start to finish ensures that all remediation-related data is captured in one place.
That data can then be distilled into meaningful insights and actionable items, providing better visibility and end-to-end accountability for the remediation process.

To make sure that SLAs are met every time and at all levels, organizations need a platform that will allow them to:

  • Define multiple SLAs based on the organization’s needs, including deadlines and priorities
  • Track the progress of security SLAs across teams and business units
  • Identify and report bottlenecks and quickly detect any potential delays or failed commitments
  • Automatically assign tasks to the right person or team when a risk is identified
  • Monitor performance to ensure that SLAs are being met
  • Provide visibility into the lifecycle of remediation activities

Security teams can ensure they are meeting their deadlines and maintaining accountability by having a risk reduction platform. And with standard operating procedures in place, your organization will benefit from improved security posture.

Improved SLAs are a new year’s resolution you can actually keep with the right tools in place.

With Seemplicity, you can:

  • Scale and automate risk reduction workflows into one platform
  • Get full visibility of the end-to-end remediation lifecycle
  • Track progress & reduce time-to-remediation
  • Track remediation progress by teams, tools, severity, and more
  • Plan ahead with expected workloads according to SLA
  • Empower developers to own the security backlog

We invite you to schedule a Seemplicity demo today. Happy 2023! 🥳✨🎇

The Cybersecurity Professionals Burnout is Real – Here’s How Automation Can Help

It’s no news that cybersecurity professionals are experiencing dangerous burnout levels.

In a recent press release, Gartner predicted that nearly half of cybersecurity leaders will change jobs by 2025, with 25% moving to different roles entirely due to workplace stress.

A global study by Mimecast found that nearly a third of cybersecurity professionals are considering quitting their jobs.

When asked about the risks they face relating to their role, stress (59%) and burnout (48%) were the top responses by CISOs, according to a recent survey by the executive search firm Heidrick & Struggles.

Matt Aiello, partner and leader of the cyber practice at Heidrick, said:

“They’re choosing to punch out. What we hear in off-line conversations is that it’s a great role, but it’s very hard, and the regulatory pressures are increasing, and that makes being a CISO even more challenging.”

So, why have cybersecurity roles become so unbearable? 


The Roots of Cybersecurity Fatigue

To investigate the roots of burnout, we need a deeper dive into the daily work processes of security teams. A closer look shows that many of these processes are still manual, siloed, and heavy on administrative work.

Security teams today are required to deploy a variety of scanners to monitor an ever-growing attack surface – from cloud security to vulnerability management, application security, and SaaS security scanners. 

While this approach helps organizations better understand risks across the scope of possible attack vectors, it also brings downpours of findings to the security team’s desk, resulting in alert fatigue.

Consider that today’s average enterprise deploys 45 cybersecurity-related tools, each flagging thousands of daily findings, which security teams need to manually sift through at any given time. That not only makes workers more prone to error but also takes a toll on their well-being. 

And what do all these findings have in common?

The security team cannot fix any of them. So they are forced to play matchmaker between remediation tickets and fixers – development, DevOps, or IT teams.

This process is managed inefficiently, as security professionals find themselves stuck with administrative tasks, passing action items between teams and work environments. This bottleneck bogs down investigations into whether any given risk is critical and needs to be prioritized, further adding to the backlog and consuming precious time in which those critical risks could have been addressed.

Adding to these technical frustrations is the enormous pressure placed on these teams to bolster their organization’s cyber posture. Studies show that 75% of cybersecurity analysts spend their days worrying about missing incidents, and a third of them admit to worrying “a lot.” Their worries are understandable: if they fail to meet these mounting expectations, the security of the entire organization (and possibly their job) is put at risk.

Not only do these compounding issues have a tangible negative effect on security teams’ daily tasks, but the resulting burnout can lead to high employee turnover in cybersecurity roles, which in turn drains critical organizational knowledge and further fuels the remediation bottleneck.

The impact of this unsustainable remediation model is that it perpetually puts security teams on the back foot – consistently in “firefighting” mode, with more fires than they have buckets of water for. Business leaders and security managers must revisit their remediation strategy to relieve fatigue and burnout. They should strive to initiate a process that puts their security teams in a position of proactiveness rather than reactiveness. 

Accordingly, organizational leaders would do well to seek out any relevant tools to weed out duplicates, aggregate findings across security platforms, and significantly minimize backlogs. Such tools should also automate manual tasks and automatically assign tickets to the appropriate teams as soon as previous ones are closed, thus unclogging both the bottleneck and the backlog.


A Farewell to Fatigue

Finding and dashboard fatigue can create a vicious cycle of inefficiency – in which cybersecurity teams cannot keep managing the growing number of findings. They must constantly chase after risks, which in turn leads to employee burnout, high turnover rates, and an organizational security posture that is more prone to human error, yielding yet more findings and risk.

Throwing human resources at the problem won’t go very far – adding more employees into a system that chews them up and spits them out will only contribute to further employee burnout, not a safer enterprise. Instead, decision-makers and security leaders need to focus on optimization and automation, adopting solutions that allow security professionals to stress less and fix more. Security teams that are empowered by fewer findings and swifter internal processes will be more effective in their mission of keeping their organization safe. 


How Seemplicity Helps

Security teams that effectively leverage security orchestration and automation using a platform like Seemplicity can spend less time manually connecting the dots between fragmented security findings, siloed teams, and distributed tracking systems. 

Using a platform like Seemplicity will free up valuable time for security teams and allow them to focus on their actual work rather than spend time on administering remediation. 

We welcome you to sign up for a Seemplicity demo today. 

The Great Risk Reduction Fire

On a quiet Sunday morning in 1904, a fire broke out on the west side of downtown Baltimore. It started to spread quickly, and soon it became apparent that the city’s firefighters could not fight it alone. Immediately, calls for help were telegraphed to other cities.

Fire companies from New York, Philadelphia, Wilmington, Harrisburg, and elsewhere rushed in to help and had more than enough water and people to fight the fire. 

There was only one problem – most of their fire hoses wouldn’t fit Baltimore’s hydrants. With many firefighters forced to sit on the sidelines, the fire burned for 31 hours and damaged an area the size of 80 blocks.

How could that be, you ask?

Apparently, in 1904, there were roughly 600 varieties of fire hydrant hose couplings and outlets in the US. This incident brought the National Fire Protection Association to push for a change, and in 1905 a standard was proposed and adopted by several large US industry groups.

Similarly, Security Teams Are Left Alone to Fight the Fire

The Great Baltimore Fire ended up being the most destructive in the United States since the Great Chicago Fire. You can’t help but think how much damage would have been avoided if the reinforcements could have helped.

It’s a tragic example of the critical importance of standards for products that need to interoperate for the safety and protection of individuals.

Ironically, when it comes to the cyber security world, a lack of standardization is still a common problem.

Security teams have to manage endless lists of security findings from disparate scanning tools, not to mention the constant hand-raising and spreadsheet management that is still prevalent for tracking the progress of remediation tasks.

These fragmented processes increase friction, slow remediation down significantly, and keep security teams in a constant firefighting mode.

A recent survey conducted among over 400 IT decision-makers at companies with 500+ employees in the US and UK found that:

“When asked about the aspect of their role that they disliked most, 30% cited the lack of a work-life balance, with 27% saying that much time was spent on ‘firefighting’ rather than addressing strategic business issues.”

Managing Findings from Disparate Security Tools 

When it comes to security scanning tools, findings come in all shapes and sizes.

A key challenge in the remediation process is making sense of the numerous and diverse streams of scan and monitoring data. 

Each of the many types of scanners deployed has a unique set of metrics and log data structure. 

For example, the level of severity alone has many different scales across various tools: 

[Figure: Seemplicity data sources]

Gaining timely and actionable insight into a system’s overall security posture status requires an in-depth understanding of these tools, mainly because there isn’t one system that standardizes all the findings.

As a result, the security team has to manually organize the data from the different scanners – make sure there are no duplicates, and try to prioritize it as best they can before handing it over to the remediation teams – Development, DevOps, and IT.
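The manual step described above, the different severity scales and the deduplication before hand-off, as an added example that is not Seemplicity’s code. The three scanner record formats (a CVSS score, a severity word, and a 1–5 integer), the source names and the sample records are all constructed; the CVE identifiers are placeholders.

```javascript
// Added example: normalize severities from disparate scanners onto one
// ordinal scale, then deduplicate the same issue reported by several tools.
// The scanner record formats below are constructed for illustration.
const LEVELS = ["info", "low", "medium", "high", "critical"];

// Numeric CVSS score -> qualitative band (CVSS v3 rating scale).
function fromCvss(score) {
  if (score >= 9.0) return "critical";
  if (score >= 7.0) return "high";
  if (score >= 4.0) return "medium";
  if (score > 0) return "low";
  return "info";
}

// Severity word -> level; vendor aliases are mapped, unknown words rejected.
function fromWord(word) {
  const alias = { informational: "info", moderate: "medium", severe: "high", urgent: "critical" };
  const w = String(word).trim().toLowerCase();
  const level = Object.prototype.hasOwnProperty.call(alias, w) ? alias[w] : w;
  if (!LEVELS.includes(level)) throw new Error(`unknown severity word: ${word}`);
  return level;
}

// Integer 1..5 scale -> level (1 = info, 5 = critical).
function fromScale5(n) {
  if (!Number.isInteger(n) || n < 1 || n > 5) throw new Error(`bad 1-5 severity: ${n}`);
  return LEVELS[n - 1];
}

// Same issue on the same asset collapses to one backlog item, whichever
// tool reported it. Case is ignored because tools differ in that too.
function fingerprint(asset, issue) {
  return `${asset.toLowerCase()}|${issue.toLowerCase()}`;
}

// One adapter per source: raw record -> {asset, issue, severity}.
const ADAPTERS = {
  vulnscanner: (r) => ({ asset: r.host, issue: r.cve, severity: fromCvss(r.cvss) }),
  cloudposture: (r) => ({ asset: r.resource_id, issue: r.rule, severity: fromWord(r.risk) }),
  sast: (r) => ({ asset: r.repo, issue: r.check_id, severity: fromScale5(r.level) }),
};

// Unknown sources are rejected rather than guessed at.
function normalize(source, records) {
  const adapt = ADAPTERS[source];
  if (!adapt) throw new Error(`no adapter for source: ${source}`);
  return records.map((r) => {
    const n = adapt(r);
    return { ...n, source, fingerprint: fingerprint(n.asset, n.issue) };
  });
}

// Keep one item per fingerprint with the highest severity any tool gave it,
// remember every reporting tool, and sort so the backlog is prioritized.
function dedupe(findings) {
  const merged = new Map();
  for (const f of findings) {
    const prev = merged.get(f.fingerprint);
    if (!prev) {
      merged.set(f.fingerprint, { ...f, sources: [f.source] });
      continue;
    }
    if (LEVELS.indexOf(f.severity) > LEVELS.indexOf(prev.severity)) prev.severity = f.severity;
    if (!prev.sources.includes(f.source)) prev.sources.push(f.source);
  }
  return [...merged.values()].sort(
    (a, b) => LEVELS.indexOf(b.severity) - LEVELS.indexOf(a.severity));
}

// Constructed sample feeds (not real scanner output; CVE ids are placeholders).
const SAMPLE_FEEDS = {
  vulnscanner: [
    { host: "web-01", cve: "CVE-0000-0001", cvss: 7.5 },
    { host: "web-01", cve: "CVE-0000-0002", cvss: 3.1 },
  ],
  cloudposture: [
    { resource_id: "s3://example-bucket", rule: "public-read", risk: "Severe" },
    { resource_id: "WEB-01", rule: "cve-0000-0001", risk: "Moderate" },
  ],
  sast: [
    { repo: "payments", check_id: "sql-injection", level: 5 },
  ],
};

// Builds the unified, deduplicated, prioritized backlog for the fixer teams.
function buildBacklog(feeds = SAMPLE_FEEDS) {
  const all = Object.entries(feeds).flatMap(([src, recs]) => normalize(src, recs));
  return dedupe(all);
}
```

With the sample feeds, five raw records become four backlog items: the issue reported on web-01 by both tools is merged once, keeps the higher of the two severities (“high”), and lists both sources.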


Assigning Remediation Tasks to “Fixer” Teams

What do all security scanning tools have in common?

Security teams cannot fix any of their findings.

One of the critical challenges that security teams face is that although they are responsible for identifying findings, they cannot actually fix the risks they find. Instead, they need to assign them to the right team for remediation.

The “fixer” teams usually have a full-stack responsibility and therefore require one consistent and prioritized security backlog to help them understand what is on their to-do list.

The fact that communication between these two teams relies on multiple different reports, with varying formats and scorings, creates a great deal of noise that necessitates an enormous amount of manual work, leading to an inefficient remediation process that is full of friction and wasted time.

There’s a fundamental necessity for a system that will standardize the communication of remediation workflows between Security and fixer teams. 


Follow up on Security Findings Fixes

Even after the remediation task has been assigned, the security team has to follow up to ensure that it was fixed and collect data on different metrics for reporting purposes. Since many teams are responsible for fixing risks, security teams spend a significant amount of time following up with various teams using different tools.

Once again, the lack of standardization slows the tracking and verification process.

The lack of standardization causes the lives of security teams to be more about putting out fires rather than focusing on long-term planning. But do they need to spend so much of their time on “administration”?

How to Standardize Risk Reduction Workflows

It is clear that security teams require one standardized and centralized platform that consolidates end-to-end remediation from the minute a security finding is discovered to its complete remediation. 

Seemplicity was created just for this purpose. It brings standardization to risk reduction and uses process orchestration to manage the remediation workflow lifecycle end-to-end across various teams and systems, unifying multiple individual tasks into one smart unit and automating hand-offs between teams and tools. 

Using a platform like Seemplicity, security teams can effectively leverage security orchestration and automation and spend less time manually connecting the dots between fragmented security findings, siloed teams, and distributed tracking systems. 

We welcome you to sign up for a Seemplicity demo today. 

Getting Ready for the OpenSSL Critical Vulnerability

As already reported by ZDNet and other sources, the OpenSSL Project team announced a critical severity security vulnerability on October 25, 2022.

Mark Cox, the Apache Software Foundation VP of Security, tweeted: “OpenSSL 3.0.7 update to fix Critical CVE out next Tuesday 1300-1700UTC.”


What is OpenSSL and why is it so important?

OpenSSL is an open-source project that implements the SSL/TLS protocols and enables servers across the internet to communicate securely with their clients. It is also included in many operating systems, client-side software, and websites.

Because OpenSSL is so widely used, there’s an urgency to patch and update the systems affected by it. 


Which OpenSSL versions are vulnerable?

OpenSSL versions 3.0 and above were reported as vulnerable, and these critical security vulnerabilities will be fixed in the upcoming 3.0.7 release which will be available on November 1st, 2022.


How can I prepare for the OpenSSL critical vulnerability?

Until more details are revealed on November 1st, we recommend that you identify all your vulnerable assets running OpenSSL3 and be prepared for the update.
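One way to do that identification step from collected `openssl version` banners, as an added example that is not Seemplicity’s code or filter. It applies the advisory as this post states it (3.0.x affected, fixed in 3.0.7); the host names and banner strings are constructed.

```javascript
// Added example: classify `openssl version` banners against the advisory
// described in this post (OpenSSL 3.0.x affected, fixed in 3.0.7).
// The inventory below is constructed, not real hosts.
const FIXED_VERSION = [3, 0, 7];

// Parses "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
// Returns [major, minor, patch] (letter suffixes of the 1.x line are ignored),
// or null when the line is not an OpenSSL banner at all.
function parseOpenSslVersion(line) {
  const m = /^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)/i.exec(line.trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "affected": 3.0.0 .. 3.0.6   "fixed": 3.0.7 or later
// "not-affected": 1.x / 2.x     "unknown": banner could not be parsed
function classify(line) {
  const v = parseOpenSslVersion(line);
  if (!v) return "unknown";
  if (v[0] < 3) return "not-affected";
  return compareVersions(v, FIXED_VERSION) < 0 ? "affected" : "fixed";
}

// Inventory step: {host: bannerLine} -> hosts still needing the update,
// plus hosts that could not be assessed and need manual follow-up.
function findAffected(inventory) {
  const affected = [];
  const unknown = [];
  for (const [host, line] of Object.entries(inventory)) {
    const c = classify(line);
    if (c === "affected") affected.push(host);
    else if (c === "unknown") unknown.push(host);
  }
  return { affected, unknown };
}

// Constructed sample inventory (banner text as `openssl version` prints it).
const SAMPLE_INVENTORY = {
  "web-01": "OpenSSL 3.0.5 5 Jul 2022",
  "web-02": "OpenSSL 1.1.1q  5 Jul 2022",
  "api-01": "OpenSSL 3.0.7 1 Nov 2022",
  "db-01": "LibreSSL 3.6.1",
};
```

Note that the banner only tells you about the `openssl` binary on the PATH; applications that bundle their own copy of the library need to be checked separately.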

For Seemplicity customers, we suggest using the “OpenSSL Vulnerability – Early Warning” filter, which will identify all the resources in your different data sources exposed to this vulnerability.

[Figure: Seemplicity OpenSSL]

We’re here to help

If you require further support with understanding how OpenSSL will impact your team and the ways to fix it effectively, please don’t hesitate to reach out to us at info@seemplicity.io

CISOs are Now Expected to Become Yogis — Stretching Up, Down and Across

Back in the old days, CISOs played a somewhat secondary role in business growth and strategy. The CISO role was largely technical and reactive, with a focus on technical architecture and response to security threats and data breaches after they happened. At that point, CISOs were considered technical experts for a part of IT that was about security, and not business influencers.

Fast forward to January 2022, and those days are long gone. Security as a business function is a business enabler today. CISOs are now taking on a serious strategic role — blending technical expertise with business acumen, plus the ability to communicate complex issues to non-technical board members. Although they are no longer required to possess in-depth expertise in one specific security issue, they are now expected to have a reasonable understanding of all possible security risks and to develop strategic security protocols that enhance the business process.

With that, CISOs have stepped out of the server room and are stepping into the boardroom, the risk steering committee, the security team meeting, the sprint planning meeting, the audit meeting, and the list goes on…

The CISO role has undoubtedly become one of the most multifaceted positions in a company. Just to add some imagery to that, CISOs are now expected to be super flexible yogis — stretching their attention up to the boardroom, down to their security team, and across to the multiple teams they interact with daily — development, IT, operations, legal, HR, and more.

While this has, without a doubt, made the CISO role more central and rewarding, it has also made it much much more challenging. Let’s break down these challenges across the dimensions:

Stretching upwards

In a world where the day’s headlines are increasingly dominated by news of the most recent data breach (ahem, Log4j – we had to mention it, because what’s a cyber blog today without it?), it’s no surprise, and it isn’t new, that cybersecurity is front and center for the executive suite as well as the corporate board of directors.

CISOs are expected to keep these key stakeholders informed in a way that is delivered in the language of business and in line with strategic business objectives. The goal is to illuminate risk metrics, risk appetite and security investment ROIs, all without getting too technical, yet with quantifiable evidence.

To do that effectively, CISOs are often faced with the challenge of collecting fragmented pieces of information spread around different tools and spreadsheets and then putting together hand-calculated performance metrics. This means that before every board meeting, hours are spent manually assembling a holistic cybersecurity picture.

Stretching downwards

Most businesses are currently going through some form of digital transformation, either to improve their offering or streamline their operations. While on one edge of the sword this spurs growth and helps maintain a competitive advantage, on the other edge it introduces new risks and increases the company’s attack surface.

Security teams are now running multiple programs at once. This includes vulnerability management, misconfiguration fixes, application security, pen-testing, bug bounty, awareness and training, SaaS compliance, API security, and the list goes on. With all of this happening across different tools and possibly different teams, it can be a real challenge for CISOs to oversee.

With all this happening, CISOs are expected to oversee all the different programs at every point in time and to provide advice and insight when necessary. Sounds similar to other managerial roles, doesn’t it? Well, unlike other managerial roles, CISOs don’t have a go-to workspace where they can see everything and manage by exception. While sales directors can understand the status of their teams by glancing at Salesforce, and R&D leads by glancing at JIRA, CISOs have to go from one security scanner to another and hold constant status calls to understand how each program is doing.

Doing the splits across

Security holds a unique role in the organization, unlike any other function. Security itself does not manage a single process or entity; rather, it is an enabler that sits on the critical path of many business processes and projects. The more obvious processes that security enables are the technological ones with the development, IT, operations, and DevOps teams. But there are also less obvious ones with HR, legal, and even marketing.

This means that many of the people, procedures, and technical infrastructure required for security’s success are actually outside security’s direct control. As such, CISOs need to enable their security team to collaborate with other teams across the organization in a manner that does not disrupt operations or make security feel like a damper on creativity.

To genuinely make security an integral part of existing processes, CISOs need to empower their teams to provide a self-service approach where the relevant peers can “consume” security in their own way. With security teams already being spread-thin and overworked, this isn’t a simple task as it requires in-depth business context, significant automations and a diverse set of tool integrations.

SeemplyDev: It’s 18:00 O’clock Somewhere!

In Seemplicity we work in a “Continuous Deployment” method. Every PR that a developer merges into the “main” branch is automatically delivered to production, and becomes customer-facing within about 30 minutes. One of the advantages of working this way, is that it empowers developers to own their code (new feature, bug fix) end-to-end –  From development (code review, unit tests, design) to deployment (system tests) and post production (monitoring the feature over time). 

At Seemplicity we believe that when developers own their code and are supported to do their best work, everyone wins. As such, we’ve built processes and use tools that help us empower such accountability. The “After 18:00” extension we’ve built is a small, fun piece of it. The inspiration for this came from a post by Maya Gershovitz Bar, who is a Software Engineer at Facebook and an active tech blogger. The idea is that after 4pm, the normal “Ship It” button changes to “Ship It? After 4pm”.

This is a simple yet powerful feature, in my opinion. On the one hand, it reminds developers that there are consequences to merging the PR and deploying it to production; on the other hand, it leaves the control and choice in the developers’ hands. Its power is in its simplicity. Or, as we say it in our language: seemplicity.

Because we couldn’t find an equivalent feature in GitHub, we decided to build it ourselves. We implemented it as a Chrome Extension that only works on GitHub’s “pull request” pages, and it changes the text on the “squash and merge” button to “Are you sure you want to squash and merge after 18:00?” in our case. Like all other tools we use, it is up to each developer to decide whether they would like to use it.

Today we are releasing this code as open source. You can find the source here. Feel free to contribute of course!
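Added example, not the extension Seemplicity released: a minimal content script of the kind described above. The cutoff hour and the late label follow the post; the button text “Squash and merge”, the pull-request URL pattern and the use of a MutationObserver are assumptions about GitHub’s page, not something the post documents.

```javascript
// Added example (not the project's own code): relabel GitHub's merge button
// after a cutoff hour, as the "After 18:00" extension is described to do.

const CUTOFF_HOUR = 18;                                   // 18:00 local time, per the post
const ORIGINAL_LABEL = 'Squash and merge';               // assumed GitHub button text
const LATE_LABEL = 'Are you sure you want to squash and merge after 18:00?';

// Pure decision: true when `now` is at or past the cutoff hour (local time).
function isAfterCutoff(now, cutoffHour = CUTOFF_HOUR) {
  return now.getHours() >= cutoffHour;
}

// Pure mapping: the label the button should carry at `now`.
function labelFor(now, cutoffHour = CUTOFF_HOUR) {
  return isAfterCutoff(now, cutoffHour) ? LATE_LABEL : ORIGINAL_LABEL;
}

// Only act on pull-request pages; pattern is an assumption: /owner/repo/pull/<n>.
function isPullRequestPath(pathname) {
  return /^\/[^/]+\/[^/]+\/pull\/\d+/.test(pathname);
}

// Rewrite the text of every merge button under `root`; return how many changed.
// `root` only needs querySelectorAll, so this runs without a browser too.
function relabelMergeButtons(root, now = new Date()) {
  const wanted = labelFor(now);
  let changed = 0;
  for (const btn of root.querySelectorAll('button')) {
    const text = btn.textContent.trim();
    // Touch only our button, and only when its label is not already right,
    // so the observer below never loops on its own edits.
    if ((text === ORIGINAL_LABEL || text === LATE_LABEL) && text !== wanted) {
      btn.textContent = wanted;
      changed++;
    }
  }
  return changed;
}

// Browser entry point: GitHub renders the merge box dynamically, so re-run
// on DOM changes rather than once at load. Skipped outside a browser.
if (typeof document !== 'undefined' && isPullRequestPath(location.pathname)) {
  relabelMergeButtons(document);
  new MutationObserver(() => relabelMergeButtons(document))
    .observe(document.body, { childList: true, subtree: true });
}
```

Packaged as an extension, this file would be declared as a content script for GitHub pull-request URLs; the choice to leave the button clickable is deliberate, matching the post’s point that the decision stays with the developer.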

Time to Rethink Over Prioritization & Under Remediation

Enterprises face new security threats daily. Whilst keeping up with the influx of these threats has become a top priority for security teams, the average organization still finds itself with a backlog of more than 57,000 unfixed security issues within 6 months.

To deal with this huge influx of findings, security teams often rely heavily on prioritization. Sounds logical, right? If we compare this to our daily lives, when we have an abundance of errands that need to get done, we write a to-do list and prioritize what needs to be done first.

The difference with security findings is that the people who are responsible for writing the to-do list are not the same people who are responsible for executing the errands, and the ratio between the “planners” and “doers” is far from equal. To put this into security context, the security team plans the remediation to-do list and prioritizes the most important items to drive forwards, while the development teams actually remediate the prioritized items. What adds complexity is the fact that the ratio of security personnel to developers is normally 1:100, and development teams are often distributed both geographically and organizationally.

As a result of this entire situation, the biggest irony of it all happens: the security team becomes the bottleneck to driving remediation forwards. The scope of remediation can only be as wide as the security team’s ability to prioritize findings, while development teams are only aware of items that have been filtered from the to-do list. Even if development teams have the capacity to fix more than has been allocated to them by the security team, they have no visibility into the entire “to-do” list. To cut a long story short, the over-reliance on prioritization essentially results in under-remediation.

But it doesn’t have to be that way. What if each development team was given the entire to-do list that’s relevant to them, without security acting as the middleman?

You are probably saying to yourself, well without any filtering by the security team, a lot of junk would end up being passed on. You are right, but prioritization doesn’t solve that either. What’s needed is for the data to be “cleaned up” and then to be properly distributed to the right team at the right time.

With a self-service approach, the scope of remediation can be as wide as the development teams’ ability to handle fixes and security teams no longer have to act as project managers. Prioritization then becomes the exception, only in cases where a single development team has more fixes than it can handle. With prioritization as an exception rather than the rule, security teams can be left to focus on real strategic security rather than on project managing tasks.

With a self-service approach the security to-do list is no longer solely owned by the security team, but the ownership is now shared across security and development teams. To put it into “mathematical” terms….

With a prioritization approach:

Time-to-remediation = Time taken to process by the security team + Time taken to remediate by the development team

With a self-service approach:

Time-to-remediation = Time taken to remediate by the development team

To learn more about a self-service approach to remediation, drop us an email at info@seemplicity.io

Do too Many Cooks Spoil the Broth? The Cybersecurity Recipe

Let’s start by putting a fact on the table. The cybersecurity software industry is a crowded space.

If you’ve ever walked the exhibition floor of a conference like RSA, or if you’ve witnessed the almost-daily announcements of new cyber startups on LinkedIn, you probably know what we’re talking about. Estimates vary, but it’s safe to assume that there are over 5,000 vendors in the security marketplace today.

While to an outsider (a cyber outsider) it may seem like overkill, there is a good reason. With no silver bullet to guarantee an effective security posture against the increasingly dynamic and complex threat landscape, security teams have a lot of ground to cover. The landscape includes cloud-native environments, Infrastructure-as-Code (IaC), containers, secrets management, remote work, and that’s just to name a few. See the CyberScape map below:

A survey of 400 global security leaders carried out by Check Point at the end of 2019 found that:

  • 49% of all organizations use between 6 and 40 point security products
  • 27% of larger organizations use between 11 and 40 different vendors’ products
  • 98% of organizations manage their security products with multiple consoles, creating visibility silos.
  • Small organizations use on average between 15 and 20 security tools, mid-sized businesses use 50 to 60, and large organizations or enterprises use over 130 tools on average.

The More you See, The Less you Do?

The problem is that as organizations race to adopt more security tools, they don’t necessarily benefit from an improved security posture. In fact, the opposite is true. Research by IBM has shown that the number of security tools an organization was using had a negative impact across multiple categories of the threat lifecycle amongst those surveyed.

Organizations using 50+ security tools are 8% lower in their ability to detect threats compared to those using fewer toolsets.

There’s no single thing to blame for this reality. One issue is the enormous overload of alerts produced by such tools, all in different formats, received through multiple channels and dashboards, with duplications and no clear action. Weeding through these alerts takes significant time, as security teams switch between different technology consoles trying to put the pieces together. Spending so much time on data gathering, enrichment and prioritization takes time away from the actual remediation. In fact, it’s reported that

44% of all alerts don’t get investigated at all and 49% of legitimate alerts go unremedied. 

Another factor is the well-known cybersecurity talent shortfall. Organizations simply don’t have the number of qualified and competent cybersecurity professionals necessary to operate the manual overhead of each tool.

Finally, there is also the issue that these security tools can’t keep up with the agility of development teams. Given that development teams are often the ones who actually remediate the weaknesses identified by the security tools, it’s crucial that security findings can be ingested by them in a way that works for them.

What can be done?

Given all of the above, the question arises: should organizations cut down on their security tooling? The short answer is: absolutely not. Well, if there are tools that produce exact duplications then yes (and that itself requires time to understand). But otherwise, organizations require multiple security tools to cover that increasing attack surface.

The key to successfully gaining value from security tools is to focus on the interaction between security tools, people and processes. This can be achieved via consolidation, process automation and orchestration.

  • Consolidation: A truly consolidated solution leverages a single-pass architecture, in which security engines process traffic in parallel with a unified single context. This facilitates one fully informed decision instead of a series of half-blind ones, and greatly enhances security coverage. Consolidation doesn’t necessarily mean the end of best-of-breed solutions. Consolidation can come in the form of a “management layer” above the siloed solutions beneath: one which addresses the current shortage of skilled information security professionals and the much-needed focus on retention by simplifying, centralizing, and easing the burden on security teams.
  • Process Automation: While automation usually makes the completion of individual tasks easier and faster, process automation often removes bottlenecks, making the operational steps needed to complete a project more accurate and efficient. Process automation deals with formulating multi-step processes that occur between any combination of people and systems, streamlining interactions and handovers. Process automation isn’t just keeping track of the business; it helps you run the business, day to day. When it comes to reducing cybersecurity risk, process automation can help optimize and scale the lifecycle processes that often involve continuous back-and-forth interactions between security, development, IT and DevOps teams. This not only saves security teams a whole lot of manual effort, but it also eliminates the friction between security and their counterparts and accelerates time-to-remediation.
  • Orchestration: While process automation handles the automation of individual business-critical tasks, process orchestration is what glues these individual parts together into a cohesive workflow from beginning to end. Process orchestration manages the automation lifecycle end to end, across various teams and systems, unifying multiple individual tasks into one smart unit. Security teams that effectively leverage security orchestration and automation are able to spend less time manually connecting the dots between fragmented security findings, siloed teams and distributed tracking systems, and can focus on the tough problems that really need the human touch for investigation, mitigation, and remediation.

What’s Next?

The ever-evolving cyber-threat landscape is creating a continuous need to adopt new security solutions in order to keep our networks and IT assets protected. Each organization has a tipping point at which the number of products they bring on board becomes too complex to handle and begins to hinder their security posture. As a growing number of IT leaders come to realize this, the demand for simple, coherent orchestration solutions will continue to grow and become their de facto go-to security strategy. No longer are security and consolidation on opposite sides of the trade-off scales. They are, in fact, growing increasingly synonymous.

3 Things to Consider When Choosing a Workflow Platform for Your Security Team

Whether streamlining sales processes or developing applications at a faster pace, digitized workflows benefit modern enterprises across many important business domains. However, cybersecurity is an exception that still depends on manually coordinating between data, people and tools and strenuously pushing forwards risk-reduction actions across the organization.

Modern security teams spend much of their time manually operating risk-reduction workflows. This operation involves coordinating a growing list of disparate security tools to work together harmoniously and pushing remediation tasks across the organization. Setting rules and even coding scripts to integrate everything and connect the dots between disparate tools and teams takes a lot of effort and time. Compounding the problem is the friction that results from scattered workflows across different security initiatives, programs, and teams. The lack of cohesion and orchestration in the risk-reduction workflow landscape within an organization makes it difficult for security professionals to get things done. Adding value to your company’s security posture becomes more difficult when friction dominates over cohesive, integrated workflows. Whether it’s securing the cloud, sanitizing data, remediating vulnerabilities, or managing digital certificate lifecycles, tracking all these security workflows with sufficient transparency is impractical in the current landscape. For your security team to excel, there’s a pressing need for smarter workflows with more automation, better integration, and clearer KPIs.

Here are three things you should consider when looking for a workflow platform for your security team:

1. It’s Time for No-Code Automation

Automation without code provides a powerful way to digitize cybersecurity workflows. You need your security experts to spend their time strengthening and defending your security posture in real time instead of handling time-intensive workflow management tasks. This can only happen when those tasks are handled automatically. Codeless automation uses out-of-the-box workflows for common risk-reduction use cases. Its plug-and-play nature facilitates seamless integration between different tools, teams and workflows. All of this should be accessible from a central user interface with the ability to granularly track KPIs for different workflows from one place. The codeless aspect is critical because if teams still need extensive coding to maintain or update workflows, they’re still going to end up bogged down by manual tasks. You don’t want a situation where switching to a different CSPM solution necessitates manually updating all your security workflows. Your teams need seamless functionality that gets security operation workflows running coherently with the same speed and efficiency as other departments. Security professionals should spend the bulk of their time on strategic planning and conducting deeper investigations of genuine threats.

2. Generic Workflows won’t suffice

Security expertise is critical for an automated security workflow tool to add value. Generic workflow tools won’t suffice because they aren’t built on a solid foundation with security knowledge at the core. In order to gain value for your risk reduction efforts from an automated workflow platform, the following capabilities are required:

  • Normalization of findings — A generic workflow with no security expertise would at most be able to ingest findings from different tools in their original format. This doesn’t help move efforts forwards. In order to efficiently drive risk down, security teams must be able to look at one normalized, coherent list of security findings, with standardized severity scores and in a single format.
  • Organizational knowledge — Confusion over who needs to take ownership of a remediation task and what assets are impacted is a significant barrier to the swift remediation of security findings. Organizational knowledge built into workflows enables your business to easily and dynamically map tasks to owners and assets in an automated way for optimized decision-making.
  • Actionable remediation items — With a deep understanding of security findings, multiple weaknesses can be turned into precise remediation actions. Through deduplication and grouping of multiple findings with the same action and/or the same owner, the huge influx of findings can be reduced to actionable items. This level of know-how digests findings into bite-sized actions, increasing efficiency significantly.
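The normalization and grouping steps described in the first and third bullets, as an added example that is not part of the original post or Seemplicity’s product: two constructed scanner formats are mapped onto one schema with a shared severity scale, then findings with the same owner and action are folded into a single remediation item. The scanner formats, severity thresholds and team names are all constructed for illustration.

```javascript
// Added example (not the project's own code): normalize findings from two
// constructed scanner formats, then group them into remediation items.

// Constructed sample output. scannerA reports a numeric CVSS-style score and a
// team; scannerB reports a textual severity and an owner. Neither is a real tool.
const scannerA = [
  { id: 'a-1', rule: 'S3 bucket public', resource: 'bucket:logs', score: 7.5, team: 'platform' },
  { id: 'a-2', rule: 'S3 bucket public', resource: 'bucket:assets', score: 7.5, team: 'platform' },
];
const scannerB = [
  { key: 'b-9', title: 'SQL injection', file: 'api/users.py', sev: 'CRITICAL', owner: 'backend' },
  { key: 'b-10', title: 'Hardcoded secret', file: 'api/cfg.py', sev: 'medium', owner: 'backend' },
];

// One severity scale for the normalized list, ordered low to high.
const SEVERITIES = ['info', 'low', 'medium', 'high', 'critical'];

// Map a numeric score onto the scale (thresholds are an assumption).
function severityFromScore(score) {
  if (score >= 9) return 'critical';
  if (score >= 7) return 'high';
  if (score >= 4) return 'medium';
  if (score > 0) return 'low';
  return 'info';
}

// Map a vendor label onto the scale; anything unrecognised lands on 'info'.
function severityFromLabel(label) {
  const s = String(label).toLowerCase();
  return SEVERITIES.includes(s) ? s : 'info';
}

// One adapter per source, each producing the same normalized shape.
const adapters = {
  scannerA: f => ({ source: 'scannerA', id: f.id, action: f.rule, asset: f.resource,
                    severity: severityFromScore(f.score), owner: f.team }),
  scannerB: f => ({ source: 'scannerB', id: f.key, action: f.title, asset: f.file,
                    severity: severityFromLabel(f.sev), owner: f.owner }),
};

// Flatten { sourceName: [raw findings] } into one normalized list.
function normalize(findingsBySource) {
  const out = [];
  for (const [source, findings] of Object.entries(findingsBySource)) {
    const adapt = adapters[source];
    if (!adapt) throw new Error(`no adapter for source ${source}`);
    for (const f of findings) out.push(adapt(f));
  }
  return out;
}

// Fold findings sharing (owner, action) into one item carrying the highest
// member severity; return items sorted from most to least severe.
function toRemediationItems(normalized) {
  const items = new Map();
  for (const f of normalized) {
    const key = `${f.owner}|${f.action}`;
    const item = items.get(key) ||
      { owner: f.owner, action: f.action, severity: 'info', assets: [], findingIds: [] };
    if (SEVERITIES.indexOf(f.severity) > SEVERITIES.indexOf(item.severity)) item.severity = f.severity;
    item.assets.push(f.asset);
    item.findingIds.push(f.id);
    items.set(key, item);
  }
  return [...items.values()]
    .sort((a, b) => SEVERITIES.indexOf(b.severity) - SEVERITIES.indexOf(a.severity));
}
```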

3. The Value of Customization

Every business has different needs, priorities, and idiosyncrasies that pre-built workflows can’t fully capture. A cornerstone element of digitizing cybersecurity workflows is customization. Fully customizable workflow profiles can make room for different rules depending on the user, process, or data source. Your security teams can use customization to focus on what matters most in securing infrastructure and information.

It’s time to rethink your security workflows

An automated workflow solution modernizes security and brings it up to the standards of efficiency and agility expected by businesses. Customization provides the flexibility to build workflows in line with your unique security posture. Now is the time to digitize your security workflows.