How can you have any pudding if you don't eat yer meat?

Elephant in the room

How can you have any pudding if you don't eat yer meat?

"Wrong, do it again!"

"If you don't eat yer meat, you can't have any pudding. How can you have any pudding if you don't eat yer meat?"

"You! Yes, you behind the bikesheds, stand still laddy!"

“We don't need no education”

Pink Floyd, Another Brick in the Wall Part 2


Well, newsflash: it seems we do need some education, because everyone is eating their pudding first, and hackers continue to exploit simple, wide open gaps in people's security postures because of it.

You know the drill. It first starts with

“We want to reassure our customers that their security is our number one priority, and that none of their data was taken.”

Next up it's usually something like

“The hackers used a highly sophisticated attack, and breached a tiny gap in our security. We are investigating, but do not believe that any customer data was stolen.”

Next up, and this only occurs if they are caught with their pants around their ankles of course, is a litany of full-on damage control tactics, from hiring Mandiant, the world's best forensics guys, check, to hiring a big brand name CSO, check, and any number of other reactive parlor tricks to divert attention. Free cyber insurance, free credit checks and free cuddly toys.

A tweet today (Sunday) had me smiling while on a plane to New York. I can’t find it because Virgin Wifi is like a wet bit of string, Twitter search is literally designed by a mad man, and I need to queue this up to auto post tomorrow, so can't wait until I land, but it was from an experienced forensics guy, and was something along the lines of 

It is rarely managed hosts with MDR that are part of a compromise scenario, it is hosts that no one knew existed that are the culprits.

It made me smile, because the same is as true in the cloud as it is on the desktop, although the difference of course is that a cloud workload is likely to be much, much more valuable than a laptop.

It's those hosts that no one knew about that are usually the ‘tiny gaps’, and they are anything but tiny.

There is a growing movement in the security industry that we are proud to be a part of. It is about getting the basics right first. Don’t ignore the elephants in the room just because you don’t know how to solve them, pretending that the advanced security solutions are the ones that are going to save the day. It’s a common sense approach to a set of incredibly complex problems, and knowing what you have, and that you aren't flying blind, is about as fundamental as it comes.

Said another way, eat your main course (no, entree does not mean main course) before you eat your pudding.

You may well be asking, how come most people are still flying blind when it comes to app visibility then? Surely we all use DevOps orchestration everywhere, and you can use your cloud provider or even a CSPM to interrogate your infrastructure, so everyone should know what apps are running in their cloud?

The key nuance here is the ‘what’, and the important bit is the word ‘app’.

DevOps orchestration and CSPM are all about infrastructure, and infrastructure is not aware of the context of code. Sure, you can see there is something running on a workload, but Jo Baby's test code, Jo Junior's swiss cheese code, Jo Blow's hardened code, and Jo Mama's backdoored code are all very different things. Not knowing the difference is more than a ‘tiny gap’.

The only way to solve this dilemma is to know what code you have and where it is running. That is an application and code catalog, powered behind the scenes by code and build provenance. 

On Wednesday, I will push a recipe for using Chalk and CloudCustodian to know what's ‘prod or not’. The Zuck would be proud of me for that phrase. You could do the same with Wiz or Prisma or whatever. In early December we expect to push a fully automated application inventory and code catalog feature into the platform. If you are on the early access program you will get it automatically.

Prod or not works by chalking your code when it’s built, and then using the chalk marks to correlate with the infrastructure to trace where that code was deployed. If a repo hasn’t been chalked, there is a very strong correlation that it hasn't been deployed. When it was built with Docker you know the container it was deployed on and can query the infra or CSPM for the container ID and, voila, that's Jo Mama's backdoored code, yikes!
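The correlation step described above, as an added example that is not Chalk's own code or mark format: constructed build-time marks (repo, commit, image ID; fields assumed) are joined against a constructed CSPM-style inventory of running containers, reporting which repos are in prod, which chalked repos are not, and, most importantly, which running workloads carry no mark at all.

```python
# Added example: correlate constructed "chalk marks" with a constructed
# workload inventory to answer "prod or not". Record fields are assumptions,
# not Chalk's real schema.
from dataclasses import dataclass, field

@dataclass
class ChalkMark:
    """Stand-in for a build-time provenance record (constructed)."""
    repo: str
    commit: str
    image_id: str  # image ID recorded when the Docker build was chalked

@dataclass
class Workload:
    """Stand-in for one CSPM / orchestrator inventory row (constructed)."""
    container_id: str
    host: str
    image_id: str

@dataclass
class ProdReport:
    deployed: dict = field(default_factory=dict)      # repo -> container ids
    not_deployed: list = field(default_factory=list)  # chalked repos with no workload
    unchalked: list = field(default_factory=list)     # running containers with no mark

def prod_or_not(marks, workloads, known_repos):
    by_image = {}
    for m in marks:  # index marks by the image they were baked into
        by_image.setdefault(m.image_id, []).append(m)
    report = ProdReport()
    for w in workloads:
        matches = by_image.get(w.image_id)
        if not matches:  # the host nobody knew about: running, never chalked
            report.unchalked.append(w.container_id)
            continue
        for m in matches:
            report.deployed.setdefault(m.repo, []).append(w.container_id)
    for repo in known_repos:  # chalked at build time but never seen running
        if repo not in report.deployed:
            report.not_deployed.append(repo)
    return report

def run_sample():
    """Constructed sample data: two chalked repos, three running containers."""
    marks = [ChalkMark("git.example/jo-blow/api", "a1b2c3d", "sha256:1111"),
             ChalkMark("git.example/jo-mama/worker", "d4e5f6a", "sha256:2222")]
    workloads = [Workload("c-01", "host-a", "sha256:1111"),
                 Workload("c-02", "host-b", "sha256:1111"),
                 Workload("c-03", "host-z", "sha256:9999")]
    repos = ["git.example/jo-blow/api", "git.example/jo-mama/worker",
             "git.example/jo-baby/test"]
    return prod_or_not(marks, workloads, repos)
```

In the sample, c-03 is the interesting row: it is running on host-z with an image no build ever chalked, so it is exactly the workload that needs a human to look at it.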

App inventories and code catalogs may not be sexy, but neither is being caught with your pants down by the hacker du jour. If you find yourself in that situation you might be talking through your PR team and using phrases like “it was a tiny gap in our security”.

"Wrong, do it again!"

"If you don't eat yer meat, you can't have any pudding. How can you have any pudding if you don't eat yer meat?"

"You! Yes, you behind the bikesheds, stand still laddy!"

PS I am a committed vegetarian until someone puts a burger in front of me and I very occasionally cave when they agree to add bacon.

As always, this article is cross posted to LinkedIn for comments and feedback here.