Vulnerability Management: If you think it’s about missing patches, you’re missing the point

Unlike technology as a whole, which continues to advance at an astoundingly rapid rate, vulnerability management is one area of cybersecurity that is harmfully stuck in the past.

In the 90s the primary sources for vulnerability information were mailing lists like Bugtraq and Full Disclosure (FD). With the volume on these public lists, security professionals struggled to scan, identify and patch their systems – but the long gaps between exploit releases gave security teams the luxury of time. The early 2000s brought remote vulnerability scanning engines whose findings were managed, woefully, in spreadsheets. In that time we learned two things: first, that there was more to vulnerability management than missing patches, and second, that identifying missing patches and unpatched systems was the easy part. But over a decade later, in the 2010s, spreadsheets were still the predominant vulnerability management tool. And now here we are in 2021, and what is the state of the art for vulnerability management? If you guessed vulnerability scanning and spreadsheets – you’re unfortunately correct. Nearly 30 years and countless technical advancements later, we’re still basically on clay tablets and chisels.

Today’s Vulnerability Landscape

The time between a software or system vulnerability being identified and a readily available, weaponized exploit appearing in the wild has shrunk to a sliver. Security teams no longer have the luxury of time to scan, find systems, manually triage, prioritize and then push patches. Never mind that patching is only a part of overall vulnerability management.

In spite of all the latest technology now available to us, the lessons we’ve learned over three decades, and the renewed sense of urgency brought on by the COVID-19 pandemic, the whole vulnerability management process is a train wreck. IT and cybersecurity professionals are still primarily focusing on missed patches and relying on spreadsheets for reporting and prioritizing vulnerabilities – and no one is being held accountable. Combine that with the work-from-home environment, and you have an avalanche of new vulnerabilities daily, more tools than you can effectively manage, and insufficient resources and skills to dig yourself out – and all of it is driving increased business risk.

So, let’s get back to fundamentals and attempt to understand the problem we’re collectively trying to solve. First, a vulnerability can be any weakness in your infrastructure that could compromise business operations. And they can come from anywhere. Yes, missing patches are a major factor, but so are misconfigurations, penetration test results and bug bounty programs (if you have them). Vulnerability scanners are highly ineffective at dealing with anything outside missing patches, so they’re not your solution. Finding vulnerabilities is relatively easy, but what do you do with them once they’re uncovered, and when the affected systems are so out of date that patching isn’t an option (also known as technical debt)?

Many IT leaders think the answer lies in purchasing state-of-the-art technology. No matter what the buzzwords, technology doesn’t solve a human problem. Most companies have a volume problem, as well as a culture problem – but we’ll address that in another blog. When you have potentially 10,000 or more identified vulnerabilities, prioritization becomes a pretty tough obstacle to overcome. Your fancy tech is only as good as the analyst who operates it, no matter how much magical “AI” secret sauce is in their marketing fluff. Don’t get me wrong, a strong and capable technology platform is crucial – but that comes after you’ve addressed the human-sized problem in the equation.

What you need is a Programmatic Reduction of Risk

Unfortunately, a significant portion of the technology owned by organizations is outdated or, worse, no longer supported by its vendors. This is partly due to tight budgets, partly to feature dependence and partly to an if-it’s-not-broken-don’t-fix-it mentality. What may seem like a minor issue today can result in a massive breach tomorrow. While the business is asking for agility from its technology, CIOs everywhere are facing huge technical debt. And the longer it goes on, the more expensive it becomes to fix or replace. How do you extinguish all of these burning fires?

The CIO essentially has to declare technical bankruptcy. Take inventory, acknowledge there are problems, identify them and create a plan to fix them. Communication and accountability among business leaders and IT professionals are the key to implementing an effective solution. In many cases, this includes admitting that the organization lacks the in-house expertise to solve the problems.

The most forward-looking CIOs turn to a trusted provider for help. Lightstream is one such partner with the expertise to move your organization out of this quagmire, and our Rapid Risk Profile is often the best place to start your risk management assessment. This approach helps us to understand your biggest systemic risk so we can work together to create an informed path forward that aligns to your business goals and financial situation. The first step is easy, no-friction, and involves virtually no invasive technology. What we assess and identify are hallmark people, process, and program categories to understand your organizational and program maturity. Whatever stage your organization is at in its journey and program development, we can provide understanding and high-level guidance.

The immediate next step is to take a consultative and technical deep dive, to understand not only what your organization does in terms of vulnerability management, but how it does it. We create your baseline and provide a gap assessment against industry-driven baselines. Lastly, we develop a bespoke roadmap that involves both a short-term tactical remediation strategy to prevent catastrophic business disruption and long-term program development to aid your business in effectively managing technical debt and vulnerabilities across the business. Lightstream’s suite of packaged services provides peace of mind, technical as well as program capabilities, and continuous evolution in your vulnerability management program. The key to effectively managing vulnerabilities is to go beyond patching and implement a lifecycle approach for identification, triage, mitigation and reporting.

Stop buying into the misconception that vulnerability management is about scanning and patching. It’s time to acknowledge the magnitude of the problem and the risks it’s creating for your business. Contact Lightstream today to find out how we can help you establish an effective vulnerability management program – protecting and future-proofing your organization while creating a culture of accountability.

Have You Completed an AWS Well-Architected Framework Review Lately?

Amazon Web Services (AWS) first introduced customers to its AWS Well-Architected Framework in 2020 in the form of a whitepaper designed to help cloud architects build secure, high-performing, resilient and efficient infrastructure for their applications and workloads. As my colleague Ty Annen outlined in his Annual Performance Review blog post back in June, the AWS Well-Architected Framework is divided into five pillars of architectural best practices:

  1. Operational Excellence
  2. Security
  3. Reliability
  4. Performance Efficiency
  5. Cost Optimization

The AWS Well-Architected Framework has rapidly expanded to include domain-specific lenses, hands-on labs, and the AWS Well-Architected Tool, all of which provide a consistent approach for AWS cloud users to evaluate architectures and implement designs that can scale over time.

Once a Well-Architected Framework has been established, AWS encourages customers to keep their cloud environments finely tuned by regularly evaluating their AWS workloads, identifying high risk issues and making and recording their necessary improvements. It provides a way for you to consistently measure your architectures against best practices and identify areas for improvement.

How it Works

The AWS Well-Architected Framework Review, often called the “AWS WAFR,” was developed to help IT professionals, operations staff and anyone with a cost interest evaluate a workload and implement improvements for future workloads. AWS advises customers to complete the Framework Review quarterly.

As an AWS Advanced Consulting Partner and member of the AWS Well-Architected Partner Program, Lightstream has deep AWS knowledge and is certified to deliver an AWS Well-Architected Review that includes strategies to help you compare your workloads against best practices and obtain guidance to produce stable and efficient systems.

Prior to your Well-Architected Review, Lightstream can help you identify a priority workload to evaluate. Then together we’ll take a deep dive into that critical workload and provide recommendations as well as a roadmap to making the recommended modifications. Once you implement the modifications, you will receive credit funding from AWS to cover the cost of the review and remediation.

It’s not uncommon for overworked and understaffed business leaders and IT professionals to put off performing Well-Architected Reviews. They think, everything is running smoothly so why try to fix something that isn’t broken? But the truth is, no matter how well your environment seems to be performing or how much you’ve managed to improve processes and increase your organization’s efficiency, you have the opportunity to do it even better.

The bottom line is this: you have a duty to correct misconfigurations and proactively avert security threats and financial and operational inefficiencies. And between new instances, changing security groups, and updated service offerings, you must make sure that your organization is maximizing every opportunity for savings and automation. The longer you put off your AWS Well-Architected Reviews, the greater your organization’s vulnerability is to cybersecurity attacks and getting bypassed by your competition.

Contact Lightstream to find out how Well-Architected Framework Reviews can optimize and update your AWS cloud environment, ultimately helping your organization to cut costs, increase revenue, ensure compliance, go to market faster and increase the quality of your products and services.


Introducing Well-Architected Framework Workshops from Microsoft Azure

Microsoft began familiarizing customers with its Azure Well-Architected Framework in 2020 in order to help customers design and build secure, scalable, high-performing solutions in Azure and to effectively and consistently optimize workloads. As I outlined in my Annual Performance Review blog post back in June, the Azure Well-Architected Framework is divided into five pillars of architectural best practices:

  1. Cost Management
  2. Operational Excellence
  3. Performance Efficiency
  4. Reliability
  5. Security

Once a Well-Architected Framework has been established, Microsoft encourages Azure customers to keep their cloud environments finely tuned by having periodic reviews performed against Azure best practices as well as specific business priorities in their cloud journey.

In August, Microsoft started offering Well-Architected Framework Technical Workshops for qualifying Azure customers. Each of the workshops in the series focuses on a different best-practice pillar. It is recommended that reviews be performed quarterly; however, Microsoft offers eligible customers fully funded workshops once a year.

How it Works

As a Microsoft Gold Cloud Platform Partner, Lightstream has deep Azure knowledge and is certified to help assess and analyze your architecture with Azure’s Well-Architected Review tool to identify risks.

Each workshop begins with an evaluation of one specific aspect of your cloud environment – i.e., operational excellence, performance efficiency, reliability or security, depending on the workshop. As you complete the assessment, you’re provided a score for each pillar that you chose to evaluate and an aggregate score across the entire workload. Then we’ll advise what actions should be taken for optimization and create a plan to implement the prioritized and funded recommendations.

It’s not uncommon for overworked and understaffed business leaders and IT professionals to put off performing Well-Architected Reviews. They think, everything is running smoothly so why try to fix something that isn’t broken? But the truth is, no matter how well your environment seems to be performing or how much you’ve managed to improve processes and increase your organization’s efficiency, you have the opportunity to do it even better.

The bottom line is this: you have a duty to correct misconfigurations and proactively avert security threats and financial and operational inefficiencies. And between new instances, changing security groups and updated service offerings, you must make sure that your organization is maximizing every opportunity for savings and automation. The longer you put off Well-Architected Reviews, the greater your organization’s vulnerability is to cybersecurity attacks and getting bypassed by your competition.

Contact Lightstream to find out how Well-Architected Framework Technical Workshops can optimize and update your Azure cloud environment, ultimately helping your organization to cut costs, increase revenue, ensure compliance, go to market faster and increase the quality of your products and services.


A Streaming Video Platform & Production Company Cuts Costs and Enhances the User Experience with Help from AWS CloudFront and Lightstream

The company achieves financial and performance optimization via CloudFront and Lightstream Cloud Managed Services

Business Challenge

A budding streaming content and production studio with a growing number of subscribers based throughout the world is dedicated to providing customers with the best viewing experience possible while keeping an eye on its bottom line. Company leadership made the right choice in utilizing content delivery networks, or CDNs, to take advantage of their high availability and performance benefits. CDNs put the streaming content physically closer to subscribers via a geographically distributed network of proxy servers and their data centers.

The company had many of its workloads housed in AWS but was using a competing CDN provider to deliver its streaming content. Around 2016, it became evident to the organization’s leadership that they were spending an exorbitant amount on CDN services. Moreover, performance in certain areas of the world wasn’t as fast or efficient as it could be due to the location of the CDN provider’s edge sites. On the brink of launching a new global streaming series, the company was looking for new ways to streamline content delivery as well as improve the day-to-day management of its multi-cloud environment.

Solution

Lightstream’s specialized engineers analyzed the company’s AWS environment against technical and operational best practices and identified areas for financial, operational and security optimization. Lightstream is an AWS Advanced Consulting Partner and provides the company with ongoing cloud advisory services through its Cloud Managed Services offering.

With the launch of the new streaming series in mind, it was determined that part of the financial and performance optimization involved creating a pathway from the company’s original CDN to Amazon CloudFront, to accommodate large data transfers at a lower cost and to integrate content delivery with other AWS services. Lightstream worked with the company to understand the benefits of moving the streaming series’ future traffic to CloudFront, which delivers content to end users with lower latency using a global network of 225+ Points of Presence (215+ Edge locations and 13 regional mid-tier caches) in 90 cities across 47 countries. Using CloudFront on AWS lowers customers’ data-out charges in comparison with competitors. It also leverages Amazon’s highly resilient, fully redundant, global backbone network for superior performance and availability for end users.

Partnering with Lightstream for CMS also allows the company to tap into Lightstream’s expertise on the latest and greatest AWS offerings. AWS is constantly adding new capabilities so users can leverage cutting-edge technologies to experiment and innovate more quickly. Staying on top of this became burdensome and time consuming for the company’s in-house IT professionals. With Lightstream Cloud Managed Services, a team of cloud and security experts helps continually optimize the financial, security, technology, and operational aspects of a company’s AWS cloud. When specific issues like CDN optimization arise, the Lightstream team is already on hand to recommend best practices and drive successful outcomes.

Business Outcomes

Since CloudFront is an AWS solution, the service is bundled into the company’s overall AWS usage. Supported by Lightstream, this gave the organization leverage to negotiate better rates than it had been paying with its previous CDN. CloudFront’s cost-efficient and customizable pay-as-you-go model resulted in greater financial optimization since the company no longer had to pay high data-out transfer fees to deliver the new streaming series globally.

With Lightstream, the company was able to successfully re-route the streaming series’ content to CloudFront. Thanks to the success of the series, CloudFront’s monthly usage has grown from 2 PB to 10 PB without the exponential increase in cost the company would have experienced with the competitor’s CDN. CloudFront’s global network of edge locations has also improved content delivery and performance to certain areas of the world. Its flexibility enables the company to easily scale up and down with subscriber demand.

With Lightstream Cloud Managed Services, a team of experts consistently analyzes the company’s technology spend and performance and guides them toward greater financial savings as well as enhanced operational and security measures.

Contact Information

To find out how Lightstream can help your business implement Amazon CloudFront and integrate it with other AWS services or to learn more about how Lightstream Cloud Managed Services can support the successful migration and optimization of your cloud environments, fill out the information-request form on this page.

High-Stakes Software Company Optimizes its AWS Cloud Environment with help from Lightstream

Lightstream’s Cloud Managed Services empowers the company with enhanced visibility, security, configuration and a 20% savings in overall cloud spend

Business Challenge

A leading developer of governance, risk management, and compliance software solutions was housing most of its infrastructure within Amazon Web Services (AWS). Migrating to the cloud made it easy for the company to procure and spin up resources quickly in real time, increasing their agility and innovation and giving them an edge over the competition. Security was of utmost importance, with high-profile customers frequently exchanging extremely confidential documents and assets. The cloud gave the company a secure global portal and facilitated communication and collaboration between customers and IP.

While the focus on advanced technology and security had always been a top priority, service procurement and spending visibility had become increasingly challenging as the company’s cloud usage expanded along with its global footprint. Employees across all areas of the company utilized AWS cloud services for their daily operations, resulting in a high monthly expenditure that was exceeded only by payroll. The organization was using dozens of AWS services and constantly flexing up and down to meet ever-changing demands.

Getting an accurate picture of their cloud spend had become very difficult as their cloud infrastructure had become more complex. Despite a broad client base and significant investment into multiple cloud services across AWS, the company received a single monthly invoice offering no insight into what cloud resources were being used and who was using them. This inability to delineate costs and analyze spending made for a hugely complicated client billing process. Moreover, the lack of visibility and control was causing the company’s financial and IT leaders to question the efficiency of their cloud usage and spend.

Solution

Lightstream tailored its service package with the goal of achieving four main objectives for the organization: cloud optimization, in-depth spending visibility, waste management, and cost reduction. They began by negotiating a contract with AWS and the software company to resell its cloud services in order to gain visibility into the organization’s spend and identify opportunities for optimization.

The organization also contracted with Lightstream for its Cloud Managed Services (CMS). Using its proprietary tool Lightstream Connect, Lightstream took a holistic view of the company’s technology spend and performance to gain a clear vision of how the cloud resources were being allocated. Lightstream identified several areas for optimization which would allow the company to take advantage of greater financial savings as well as enhanced operational and security measures.

Since its inception, Lightstream’s experience with organizations of all sizes and across all sectors led its leaders to the understanding that “advanced optics of spend” is a continuous challenge for everyone. In fact, 80% of enterprises struggle with cloud spend management.[i] That’s why the provider developed Lightstream Connect, a system that provides advanced visibility of cloud service usage. From the very simple instance all the way up to a macro pie chart of how a company spends money across AWS services, Lightstream Connect translates bills and tags into data that provides real-time clarity and accountability for consumption. This allows customers to gain a deep understanding of how their budget is being allotted as opposed to the single-line invoice they previously received.

Partnering with Lightstream for CMS has also allowed the company to tap into expertise on the latest and greatest AWS offerings. AWS is constantly adding new capabilities so users can leverage cutting-edge technologies to experiment and innovate more quickly. In addition, AWS frequently modifies its savings plans to offer more flexibility and cost savings for customers. Instead of blindly renewing their cloud services, Lightstream’s procurement team identifies and applies the appropriate new AWS offerings to the organization’s cloud environment in order to deliver the greatest performance, security and efficiency.

Business Outcomes

Lightstream’s in-depth understanding of which AWS services would deliver the most value for this particular customer has allowed the organization to experience increased flexibility of service usage. When Lightstream first began working with the company, they were less than 10% optimized across their AWS usage. In less than six months, Lightstream has helped the company achieve 64% cloud optimization, and is continuously working to improve upon that number.

The organization has been saving more than $50,00.00 per month through procurement optimization and waste management, i.e., the identification and elimination of unused services. Lightstream has also applied identity and access management best practices in order to enhance the company’s cloud security.

Once cloud optimization was achieved, Lightstream entered the organization into the AWS Enterprise Discount Program to reduce costs by an additional 10%. Lightstream is in the process of negotiating a private pricing offering that has the potential to cut the organization’s overall spend by an additional $40,000.00 per month over the next three years.

Lightstream directly supports the organization’s C-level executives, meeting with them regularly to report on efficiency enhancements and new opportunities for technical, financial and security optimization. Going forward, Lightstream plans to continually perform security assessments in order to routinely upgrade its configuration, identity and access management, and overall cloud performance.

Contact Information

To learn more about how Lightstream can support and optimize your cloud deployments on major platforms like AWS and Microsoft Azure with technical and operational best practices and cost optimization, visit www.lightstream.tech.


[i] https://www.informationweek.com/cloud/10-tips-for-managing-cloud-costs/d/d-id/1332242?


Faster, More Reliable Content Distribution at a Lower Cost? Thank you CloudFront

Those of us old enough to remember downloading songs from Napster will recall how frustrating it could be due to the time-consuming, constant buffering process. Fast forward to 2021, when nearly everyone has access not only to streaming music on demand, but endless video content from Amazon Prime, Netflix, Hulu and an ever-growing variety of media apps. It’s never been easier or faster to listen to music or view content whenever and wherever we desire it.

The reason for this huge jump in speed and convenience is content delivery networks, or CDNs. Once only afforded by large corporations like Apple and Facebook, the cloud now gives organizations of all sizes cost-effective access to CDNs. Amazon first introduced its CloudFront CDN back in 2008, and it has evolved into an easy-to-use, convenient add-on for AWS cloud customers. Today, Amazon CloudFront delivers content to end users with lower latency using a global network of 225+ Points of Presence (215+ Edge locations and 13 regional mid-tier caches) in 90 cities across 47 countries. CloudFront customers enjoy three distinct advantages: an enhanced user experience, financial optimization (FinOps) and greater security.

Enhancing the User Experience

End users are provided faster, more reliable content when it’s hosted on a CDN. That’s because the global network of edge locations puts the content physically closer to the user, whether that content is high-def videos or documents and data used for business applications. CloudFront also leverages Amazon’s highly resilient, fully redundant, global backbone network for superior performance and availability for end users. Moreover, it automatically maps network conditions and intelligently routes a user’s traffic to the most performant AWS edge location to serve up cached or dynamic content.

But most users aren’t aware of all of that. All they know is that they’re able to set their eyes (and/or ears) on whatever documents or rich media content they’re seeking without hassle or interruption. And as we know, this has become the expectation. Organizations simply can’t afford to deliver anything other than a seamless user experience.

Harnessing Cost Savings, or FinOps

AWS customers who use CloudFront benefit from a cost-efficient and customizable pay-as-you-go model. Keeping everything “in house” with AWS means there are no transfer fees for origin fetches from any AWS origin (or server). And at no additional charge, AWS Certificate Manager (ACM) lifts the burdensome process of purchasing, uploading and renewing SSL/TLS certificates. Simply put, the data-out charge you pay on AWS is cheaper when you use CloudFront (versus a competitive product).

Earlier this year, Amazon introduced the CloudFront Security Savings Bundle, which, in exchange for a monthly spend commitment, provides businesses with up to 30% savings on their CloudFront bill. Customers looking to take advantage of even steeper discounts and custom pricing can do so by agreeing to minimum traffic commitments typically in the area of 10 TB/month or higher.

Augmenting Security

CloudFront adds an extra layer of protection for websites, as the CDN puts additional security features at the edge location. AWS Shield Standard uses application-level and network-level security assets to keep data safe against common network and transport layer DDoS attacks. Organizations wishing to protect against more complex infrastructure attacks have the option to add products such as AWS Shield Advanced and AWS Web Application Firewall (WAF).

Contact Lightstream today to find out how we can help you implement Amazon CloudFront and integrate it with other AWS services, such as AWS Shield for DDoS mitigation; Amazon S3, Elastic Load Balancing or Amazon EC2 as origins for your applications; and Lambda@Edge to further enhance the user experience by running custom code to personalize content and improve latency.