LAS VEGAS – Kelly Shortridge is on a mission — a “resilience revolution” as she describes it — to help defenders outmaneuver threat actors by using the same tactics they employ against other organizations.
“In cybersecurity, we feel like attackers continually outmaneuver us as defenders. Attackers are fast, they’re ever-evolving,” the senior principal engineer in the CTO office at Fastly said Wednesday during a presentation at Black Hat USA 2023. “How can we possibly keep up, right?”
“Well, the answer is we become more like attackers, we become nimble, empirical, curious,” Shortridge said.
Defenders can do this by reorienting systems defense around resilience and reclaiming attacker advantages for themselves, Shortridge said.
Much of this realignment comes down to modern software engineering practices. Development tools and processes that guide software production and management today can also benefit security objectives.
“As an industry you’ve been so focused on AI that you’ve missed groundbreaking things like this that are happening elsewhere in software land. And I think it’s sad,” Shortridge said. “We should really leverage this blessing to its greatest effect. But we don’t today, and it’s driving me absolutely bonkers.”
These advantages in software are rooted in speed, design, systems and data.
Faster operational tempo
Defenders can speed up their operations by adopting configuration and infrastructure as code with CI/CD pipelines, Shortridge said.
Organizations can limit manual processes by creating and managing infrastructure from declarative specifications and expressing software changes as configuration files rather than hand-applied steps. This makes processes more repeatable and less prone to mistakes such as misconfigurations, Shortridge said.
Infrastructure as code with CI/CD pipelines can also automatically deploy patches and security fixes within hours.
In that environment, those changes are tracked automatically and can be reversed as needed. “That’s something attackers can’t do,” Shortridge said. “They don’t get an undo button.”
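The following toy reconciler shows the three properties described above in working code: the desired state is declared as data, every change is recorded with who made it and when, and any change can be undone; hand edits to the live system show up as drift against the declared spec. This is an added example, not code from the talk or from Fastly; the spec format, the resource names and the Reconciler class are assumptions for illustration.

```python
"""Toy declarative reconciler: desired state is data, live state is diffed
against it, every change is recorded, and any change can be rolled back.
Added example; not code from the talk or from Fastly. The spec format,
resource names and the Reconciler class are assumptions for illustration."""
import copy
import datetime as dt

# Constructed sample specs, standing in for e.g. a Terraform or Ansible file.
DESIRED_V1 = {
    "firewall": {"allow_tcp": [22, 443]},
    "ssh": {"password_auth": False},
}
# Version 2 of the same spec: the security fix that closes port 22.
DESIRED_V2 = {
    "firewall": {"allow_tcp": [443]},
    "ssh": {"password_auth": False},
}


def flatten(state, prefix=""):
    """Turn nested dicts into {'firewall.allow_tcp': [...], ...} for diffing."""
    out = {}
    for key, value in state.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def diff_state(current, desired):
    """Return [(path, old, new), ...] for every leaf that differs."""
    cur, des = flatten(current), flatten(desired)
    return [
        (path, cur.get(path), des.get(path))
        for path in sorted(set(cur) | set(des))
        if cur.get(path) != des.get(path)
    ]


class Reconciler:
    """Applies desired specs to a live state and keeps an append-only history."""

    def __init__(self, live_state):
        self.live = copy.deepcopy(live_state)     # what the system actually runs
        self.applied = copy.deepcopy(live_state)  # the last spec we applied
        self.history = []                         # who changed what, and when

    def apply(self, desired, author):
        """Converge live state to `desired`; record the change so it can be undone."""
        changes = diff_state(self.live, desired)
        self.history.append({
            "version": len(self.history) + 1,
            "author": author,
            "at": dt.datetime.now(dt.timezone.utc).isoformat(),
            "before": copy.deepcopy(self.live),
            "changes": changes,
        })
        self.live = copy.deepcopy(desired)
        self.applied = copy.deepcopy(desired)
        return changes

    def rollback(self, author):
        """The 'undo button': re-apply the state recorded before the last change.
        Recorded as a new history entry, so the audit trail stays append-only."""
        if not self.history:
            return []
        previous = self.history[-1]["before"]
        return self.apply(previous, author=author)

    def drift(self):
        """Manual edits show up as differences between the live state and the
        last-applied spec; this is the misconfiguration the pipeline would catch."""
        return diff_state(self.applied, self.live)


def demo():
    r = Reconciler(DESIRED_V1)
    fix = r.apply(DESIRED_V2, author="alice")      # hotfix: drop port 22
    undo = r.rollback(author="alice")              # the fix broke something; undo it
    r.live["ssh"]["password_auth"] = True          # someone hand-edits the box
    return fix, undo, r.drift()


if __name__ == "__main__":
    for name, result in zip(("fix", "undo", "drift"), demo()):
        print(name, result)
```

Because the rollback is itself recorded as a new version, the history never loses the fact that the hotfix was tried; that record is what the next section's "who deployed what and when" signal is built from.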
Solutions that encourage the nimbleness that defenders envy in attackers must be designed with minimal dependency on human behavior, Shortridge said.
Cybersecurity professionals usually overlook design-based solutions like isolation or modularity because deploying a security product, such as a secure access service edge (SASE) tool, is easier than changing how a system is built.
Modularity in complex systems allows distinct parts to retain autonomy during periods of stress, fail independently and minimize the impact of attacks.
“By adopting isolation, we can force attackers to slow down, we keep them from evolving, we hurt their ability to adapt,” Shortridge said.
Organizations need to challenge the "this will always be true" assumptions that are baked into every part of the tech stack. Attackers deliberately hunt for these hidden assumptions and try to break them, according to Shortridge.
“We’re so focused as an industry on ingress and egress that we miss how services talk to each other. And, by the way, attackers love that we miss this,” Shortridge said.
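One concrete form of the isolation described above, and of paying attention to how services talk to each other, is a default-deny allowlist for service-to-service calls. The example below puts that allowlist beside the hidden assumption it replaces (any service inside the perimeter may call any other) and runs a small call log through both, so the lateral moves a compromised service attempts are visible. This is an added example, not code from the talk or from Fastly; the service names, methods, policy format and call log are constructed for illustration.

```python
"""East-west (service-to-service) authorization with a default-deny allowlist,
beside the implicit 'anything inside the perimeter is trusted' rule it replaces.
Added example; not code from the talk or from Fastly. Service names, methods,
the policy format and the sample call log are constructed for illustration."""
from dataclasses import dataclass, field

INTERNAL = {"web", "catalog", "orders", "payments", "ledger"}

# Declarative allowlist: which caller may invoke which method on which callee.
# Everything not listed is denied, so a compromised service can only reach what
# it was designed to reach.
POLICY = {
    ("web", "catalog"): {"GET /products"},
    ("web", "orders"): {"GET /orders", "POST /orders"},
    ("orders", "catalog"): {"GET /products"},
    ("orders", "payments"): {"POST /charge"},
    ("payments", "ledger"): {"POST /entries"},
}

# Constructed call log: four legitimate requests plus two lateral moves from a
# compromised catalog service.
CALLS = [
    ("web", "catalog", "GET /products"),
    ("web", "orders", "POST /orders"),
    ("orders", "payments", "POST /charge"),
    ("payments", "ledger", "POST /entries"),
    ("catalog", "ledger", "GET /entries"),     # pivot: read the ledger
    ("catalog", "payments", "POST /charge"),   # pivot: trigger a charge
]


def perimeter_only(caller, callee, method):
    """The hidden assumption: any internal service may call any other."""
    return caller in INTERNAL and callee in INTERNAL


@dataclass
class EastWestMonitor:
    """Reference monitor each service consults before accepting a request."""
    policy: dict
    denials: list = field(default_factory=list)

    def authorize(self, caller, callee, method):
        allowed = method in self.policy.get((caller, callee), set())
        if not allowed:
            # A denial on an east-west edge is itself a detection signal:
            # legitimate services never make calls the policy does not list.
            self.denials.append((caller, callee, method))
        return allowed

    def blast_radius(self, service):
        """What a service, once compromised, can still call: its allowed edges only."""
        return {callee: sorted(methods)
                for (caller, callee), methods in self.policy.items()
                if caller == service}


def evaluate(calls, decide):
    """Run a call log through a decision function; return the calls it let through."""
    return [c for c in calls if decide(*c)]


def demo():
    monitor = EastWestMonitor(POLICY)
    return {
        "perimeter": evaluate(CALLS, perimeter_only),
        "allowlist": evaluate(CALLS, monitor.authorize),
        "denied": monitor.denials,
        "catalog_reach": monitor.blast_radius("catalog"),
        "orders_reach": monitor.blast_radius("orders"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Under the perimeter-only rule all six calls succeed, including both pivots; under the allowlist the pivots are refused and logged, and the blast radius of the catalog service is empty because it was never designed to call anything. That is the "forcing attackers to slow down" effect in its simplest form: the attacker must find and compromise a second service before the next hop is even possible.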
This mindset and strategic shift requires defenders to stop thinking in components and instead think in systems, as attackers do.
Decision stress and resilience stress testing can help defenders refine these models continuously and before attackers exploit them, Shortridge said.
Tangible and actionable success metrics
Threat actors realize the impact of their campaigns in actionable and tangible ways. They know if they have access, how much and how it can be used to accomplish their goals.
Organizations need system signals that can inform quicker defensive actions, and reliability signals from DevSecOps and site reliability engineering teams are very useful in that regard, Shortridge said.
Knowing who deployed what and when, who has access to what and when, database logs, billing records, and high CPU usage or memory shortage alerts can all strengthen an organization’s defense.
“You need to learn your organization’s observability stack, not just the security one,” Shortridge said. “We need feedback loops to give us more immediate sensory input, just like attackers gain.”
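The feedback loop described above can be built from signals that already exist: the deploy pipeline knows who shipped what and when, the access system knows who was granted what, and monitoring knows when CPU spiked. The example below joins those records so that a CPU alert is either explained by a change to the same service shortly before it, or flagged as unexplained and paired with any recent access grants for the investigator. This is an added example, not code from the talk or from Fastly; the event format, the field names, the 30-minute window and the event log itself are constructed assumptions.

```python
"""Correlate a reliability signal (CPU alert) with change records (who deployed
what, when; who was granted access, when) to decide whether a spike is explained
by a known change or needs investigation. Added example; not code from the talk
or from Fastly. Event format, field names and the window are assumptions; the
event log is constructed."""
from datetime import datetime, timedelta


def ts(text):
    return datetime.fromisoformat(text)


# Constructed events from three sources: the deploy pipeline, the access
# system and the monitoring stack. Timestamps are all in the same zone.
EVENTS = [
    {"type": "deploy", "at": ts("2023-08-09T10:00:00"), "service": "api",
     "actor": "alice", "ref": "v2.3.1"},
    {"type": "cpu_alert", "at": ts("2023-08-09T10:12:00"), "service": "api",
     "cpu_pct": 91},
    {"type": "access_grant", "at": ts("2023-08-09T13:20:00"), "service": "worker",
     "actor": "carol", "grantee": "svc-backup"},
    {"type": "cpu_alert", "at": ts("2023-08-09T13:40:00"), "service": "worker",
     "cpu_pct": 97},
    # A deploy that lands after the spike does not explain it.
    {"type": "deploy", "at": ts("2023-08-09T13:55:00"), "service": "worker",
     "actor": "bob", "ref": "v1.9.0"},
]


def triage(events, window=timedelta(minutes=30)):
    """Tag each alert 'explained' (a deploy to that service preceded it within
    the window) or 'unexplained' (no change record: investigate), and attach
    access grants on that service from the same window as context."""
    deploys = [e for e in events if e["type"] == "deploy"]
    grants = [e for e in events if e["type"] == "access_grant"]
    alerts = sorted((e for e in events if e["type"].endswith("_alert")),
                    key=lambda e: e["at"])
    results = []
    for alert in alerts:
        def preceded(e, alert=alert):
            # Same service, and the record is from before the alert, not after it.
            age = (alert["at"] - e["at"]).total_seconds()
            return e["service"] == alert["service"] and 0 <= age <= window.total_seconds()

        cause = next((d for d in deploys if preceded(d)), None)
        results.append({
            "service": alert["service"],
            "at": alert["at"].isoformat(),
            "status": "explained" if cause else "unexplained",
            "deploy": f'{cause["ref"]} by {cause["actor"]}' if cause else None,
            "recent_grants": [g["grantee"] for g in grants if preceded(g)],
        })
    return results


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

The api spike twelve minutes after alice's deploy is routine and can be handed to the on-call engineer with the version attached; the worker spike has no preceding deploy, and the only change on that service in the last half hour is a new access grant to svc-backup, which is exactly the kind of lead the security team would otherwise only find days later.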
Disclosure: Black Hat and Cybersecurity Dive are both owned by Informa. Black Hat has no influence over Cybersecurity Dive’s coverage.