The Security Table

Security Posture is a Thing

Tania Ward, Izar Tarandach, Matt Coles, and Chris Romeo. Season 1, Episode 21.

What is security posture? Izar was at a conference in Amsterdam, where he was asked to define security posture and how to measure it. Is security posture qualitative or quantitative, and can it be compared across teams, organizations, and departments? This led us down this rabbit hole; what is security posture, and is it even possible to measure?

Security posture is multi-dimensional, differentiating between organizational and system security postures. Security activities that are reasonable to a company's level of risk acceptance are essential. Leadership changes could impact security posture; the departure of a CISO, for example, doesn't immediately affect the security posture as the policies and experiences built up over time remain.

Tools and processes are how security posture gets assessed, but an organization's security posture doesn't necessarily reflect the posture of the system it builds. To judge a system, you must understand where its design started regarding security and where it is now.

The episode concludes with a call to listeners to share their thoughts on security posture and contribute to the ongoing discussion. The hosts express their interest in learning from different perspectives and experiences in security.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

[00:00:00] Chris Romeo: Hey folks. Welcome to another episode of the Security Table. This is Chris Romeo, joined by my friends Matt and Izar Tarandach. And the topic for this week is security posture. And so I'm gonna turn it over to Izar and let him explain what he means when he says posture. Kind of set the stage for this conversation. So that we can get rolling. So Izar.

[00:00:36] Izar Tarandach: Okay, so let, let me wax philosophical here for a second. Uh, a couple of episodes ago we spoke about how we don't know everything, and I actually just met the other side of that coin and the fact that there are some things that we, me, me, at least speaking about myself, take almost as, uh, axiomatic. And think that everybody knows what I'm talking about and that everybody agrees that that's the definition and that they're, it, it's such a basic thing that nobody should actually raise a discussion about it.

But, uh, a couple of weeks ago I was in, uh, Amsterdam, had a, a lot of fun at the GoTo Amsterdam 2023 conference, and I had the opportunity of meeting, uh, a PhD student of one of the Netherlands, uh, uh, universities. And, uh, very, very smart person. Apparently they only have that kind of flavor over there. Uh, very smart people doing, uh, PhDs and, and teaching.

And, um, that actually posed a, a, a challenge to me after my, my presentation. It was something like, okay, so you're talking about this security posture thing over and over and over again. What, what do you mean by it? And how do you measure it? Is it qualitative or quantitative? If it's quantitative, it's some, is it something that you can compare between teams, organizations, departments, whatevers, that got me thinking.

I know usually it's like security posture. Sometimes you talk about reactive, about proactive, about detective. I've always thought about aggressive security posture or defensive security posture, and I really wanted to hear where you guys are at with that and uh, if that makes sense.

[00:02:39] Chris Romeo: Yeah, I think it makes sense. I mean, let's, let's think about. What is security posture first, right? Before we even think about how do you measure it? Let's see if we see if we're all on the same page about what we even think of as security posture.

[00:02:54] Izar Tarandach: Yeah.

[00:02:54] Chris Romeo: From my perspective, when I think about posture, it's. My stance, it's how am I, am I approaching a, a given how I'm securing something. So my security posture is how good of a job I am doing? It's, it's my approach. It's, it's how I'm doing it. Matt, are you, is for you, does security posture mean the same thing or does it mean something different?

[00:03:21] Matthew Coles: I think very, very close. I think I'm, I'm, uh, well, I'm gonna take the, compliance road a bit here. I, I don't mean to, but I think in terms of, of re residual risk. Right, and, defensive capability. look into those terms, I guess. Right. So posture, think you said it right, is uh, what's your, what's your stance, what's your, not necessarily something that you're going, you as a, not to put ourselves in, I guess in ours, in our systems here for a moment or for organization's.

Shoes for a moment, right? It's not something that our organization is gonna go out and do, but the ability to resist, uh, you know, intrusion. And what are my, what risks do I have what is my defensive ability to resist those intrusions? That's, that's what think of when I think about security posture.

[00:04:14] Chris Romeo: on it too, right? So I can say that institution has a weak posture, that institution has a strong security posture, but it's not really like a qualitative, I'm not, I'm not, it's more like a gut feeling when I say that. I don't, I don't have, don't have metrics to say that it's, well, they're 10, which 

[00:04:40] Izar Tarandach: Finger to the wind.

[00:04:43] Matthew Coles: it's, it's actually interesting. You could have a measure, you could measure, you could measure things that contribute to posture. But there is nothing def, there's no current yardstick that I'm, at least I'm aware of. That says you're strong or you're weak. Right. Because there's no, there's no universal standard for that today.

Right. And that's why, that's why I like look towards risk. I can, you can. I can tell you how much risk I have. I can tell you what, what risks. Risks. worried about Threats I'm worried what? threats I know I can't defend against, that would contribute to saying I'm strong or weak. Now, that may be more of a subjective feeling cuz I don't know if I'm strong or weak compared to you or

[00:05:28] Izar Tarandach: So W wait, B b before we go. Comparing things. So the, the way that you put it, so we have a collection of, of metrics, right? That express a lot of stuff by the nature of math, I I math, not math. I want to believe , I want to believe that there's a way to bring all those numbers together into one big number, right?

So that one big number is the quantitative, let's call it score for the, the lack of a better word for that specific thing, place, organization, whatever that we're measuring. My gut feeling says that if, if I put that score measured over some period of time and. I start looking at the slope of the graph that connects all those data points.

If it's going up, then I say, Hey, this place has a, a positive security, security posture. They're getting better over time by these metrics, and if it's going down, then they have, uh, less than positive. I won't call it negative, but less than positive.

[00:06:35] Matthew Coles: But, but that's, that's great for over time. But how do you know where you're at at any

[00:06:40] Izar Tarandach: But so, so that's a, that's a great question. Does it matter where I am at any given time, or does it only matter over time? Is this something that makes sense to measure right now? Or is it something that to be understood and to actually have some value as a measurement, it has to happen over time.

[00:06:55] Chris Romeo: It matters if you don't wanna get compromised.

you don't wanna get

[00:06:58] Izar Tarandach: But wait, is my posture a measurement of not being compromised? Or is that,

[00:07:03] Chris Romeo: weak security

[00:07:04] Matthew Coles: but you could be, IM.

[00:07:05] Chris Romeo: then you ha you are susceptible. To some types of attacks, and we know that experience, if you put a Windows box unprotected on the unpatched, it'll be compromised in less than 60 seconds.

[00:07:21] Izar Tarandach: But wait, wait, wait, wait, wait. That, is that something that factors into. Security posture, calculus, because what happens if I am in an organization and they have an amazing security posture? The CSO just left to go be amazing somewhere else, and the next guy in line is a bit of an idiot. What, what, what's my security posture right now?

I, I, I was good yesterday.

[00:07:45] Chris Romeo: measurement. It's a measurement of where you moment. But you're, you're, you're not gonna, just because the CISO left doesn't mean that they erased all the policies and, and all the experience that have been up over a period of time. Yes, it could go on a trajectory, the CISO walks out the door, the security team doesn't just fall apart and die. continue operating, the SOC keeps things. Um, cloud security people keep the policies of IAM and, and access control you know, it doesn't, you don't break in one second.

[00:08:21] Matthew Coles: this, this, applies whether you're talking about a product, or a component, an organization, a nation, right? Presidents change all the time. The national infrastructure doesn't just change 'cause you have a new president, right? Same thing with a CISO or same thing with, uh, a new kernel.

You update your kernel. It doesn't necessarily change your security posture immediately. maybe it's a bad example, but an os you may do an OS update. It doesn't necessarily all at so your posture changing. There may be a effect. could measure your posture, but it's not like everything because a person or a component change if there's good underlying capability.

[00:09:05] Izar Tarandach: So,

[00:09:06] Matthew Coles: Now it's interesting you said, you said improving or or ipro decreasing or, you know, increasing or decreasing posture. you start from zero, you can go up a hundred, a hundred percent from zero and still be Swiss

[00:09:19] Izar Tarandach: and.

[00:09:20] Matthew Coles: Right. So there is a notion that you, in order and in fact in order to know to be able to say, where was I and where am I? Right? you to able what your is at any given order to know if

[00:09:33] Izar Tarandach: So with this a time function,

[00:09:35] Matthew Coles: Improving. I think there is a way to put it into a time function, but I think you, to be able to measure at any given You to be able to say, you have to, you have to be able to say, I have certain characteristics that I'm looking at that tell me I have a posture. And that posture then can be then measured time, gives me a rate of change.

[00:09:59] Chris Romeo: don't really care about the measurement. If you're in, if you're in the basement of security privacy program, deployments, meaning you don't have any protections, it doesn't matter if you're a zero or a two. You're still in big trouble. You still have to put together teams that are gonna go fix things and, and, and build new processes and, and new improvements.

Add new technology to get yourself to that base level. So I measurement is important, but

[00:10:29] Matthew Coles: Yeah.

[00:10:30] Chris Romeo: going from, you know, one to two a scale a doesn't matter if, if 35 is our base level, meaning if you're below 35, you're in trouble. Measurement matter. But now I do wanna measure how it me to get from zero to 35. How long does it take me to get 35 to a hundred over a period of time? But I'm just saying there's a, there's a minimum drawn across somewhere that says we don't care until we get to a minimum level.

[00:10:59] Matthew Coles: Now. So what's really interesting about this, just thinking about this logically, right, there's this, oh, there's this. Famous, you know, quote, and, I, I'm gonna misquote it, uh, here, but a former, a, a former executive leader in the United States said a set of known knowns and known unknowns, unknown unknowns and whatnot. Well, at some point you may have a posture that you don't or cannot measure. may be

[00:11:27] Izar Tarandach: whoa. Okay. Okay. No, no. Wait, wait, wait. Now. Now you blew me. What?

[00:11:34] Matthew Coles: Well, so, so if you, I guess if you deploy a, if you, you have a system and you don't have it connected to the internet, your posture's pretty good, but maybe you can't measure it cuz you can't actually touch the system, right? So don't know what you don't, don't, don't know what it actual capabilities are, what its actually defensive options are, but

[00:12:00] Izar Tarandach: but now the posture, wait, wait, wait, wait. I have to clarify this for, for, for me and for the listeners, if we have any. So now that the security posture is, is, is the characteristics of a single system or are you using that system as a, as a, as a.

[00:12:15] Matthew Coles: I'm just using, I guess I'm using it as an example, but also could measure a posture of a thing, collection of things, an organization, a pe, a person, a collection of people, an organization, a, a system, a collection of systems. The collection of all of those things all the way. I mean, it's, it's, uh, a posture does not exist for just single entity or the collection of an, of

[00:12:44] Izar Tarandach: Is,

[00:12:44] Matthew Coles: that entity. I, I think it, you

[00:12:46] Izar Tarandach: is the measurement of that security posture, the place where we want to go? Or is it a stepping stone to get there? Meaning, once I can measure posture,

[00:12:59] Matthew Coles: I,

[00:13:00] Izar Tarandach: can I, can I say I have an understanding of my security at this point in time?

[00:13:08] Matthew Coles: I think if you can measure it. you have things to measure and you measure them, you can make certain claims un have certain understanding about your posture. You could potentially guess or predict those as well. So this direct measurement like. What? And, and I, so this is where, if I, this is why I think still think, uh, risk is a good way of describing this, right?

Or threat threats. Let's use threats cuz we all know threat modeling, right? I'm, if I can measure what threats I have I think I'm going to have and I measure, do I actually defenses against them? I can certain understanding about my posture, I'm resilient to attack or resilient

[00:13:53] Izar Tarandach: you just measured residual residual risk.

[00:13:57] Matthew Coles: I did, yes, but I could also predict that, right? Oh, we're going to implement new features. I can predict where I'm going to be without measuring it, but I only have confidence in the things I measure. I don't have confidence in the things I predict. So I think you, when you measure something, when you, when you measure in this context, when you measure it, you can know what your posture is. can understand what your rigid residual risk is. But you can also look ahead and predict what it is going to be as a means of making change. Maybe that's a

[00:14:37] Izar Tarandach: Yeah.

[00:14:37] Matthew Coles: for us to talk about we're still stuck on the concept of what is, what is, what is a security posture, uh,

[00:14:45] Izar Tarandach: Yeah. I'm pretty stuck there because we are talking about measuring things, but let's go back and say, okay, what's the equation to get to my security posture right now?

[00:14:58] Matthew Coles: I I, don't think that that's a universal, there's no universal for that, I don't think. I think it's so, so let's let, let me, let me throw this an option here. So if we use risk as an example, you may use, some arbitrary scale. That you are like, you may use the risk risk management framework from NIST as your means of assessing or analyzing or understanding risk and and recording risk.

You know, it's a zero to five. There's zero to five measurements on various things, and you harms against the organization, whatever. You may use the FAIR model, right, to calculate a dollar amount of risk. Both are valid. Both inform or or rather, are informed by your security posture or may actually express your security posture?

[00:15:48] Izar Tarandach: Will those measurements always agree with each other?

[00:15:53] Chris Romeo: I think

[00:15:54] Matthew Coles: I don't think so. I don't think they,

[00:15:56] Chris Romeo: we're, I think we're mixing multiple things up. I'm not convinced on this, on, on

line of argument that says risk is the way to get to posture.

[00:16:09] Izar Tarandach: I think that the way that you,

[00:16:11] Chris Romeo: above posture.

[00:16:12] Izar Tarandach: the way you address risk to me is an indicator of what your posture is, and that's why I used aggressive, defensive, reactive detective.

[00:16:23] Chris Romeo: Yeah. When,

[00:16:25] Matthew Coles: way you address risk or

[00:16:27] Izar Tarandach: No, the way that you address the risk that have

[00:16:31] Chris Romeo: I mean, there's, there's risk everywhere. Maybe

[00:16:32] Izar Tarandach: it, it, it's,

[00:16:33] Chris Romeo: We need to work need, we need to, we need to put a, a scenario out here on the, on the, the ether into the ether, and try to fi, try, try to what's the security posture.

[00:16:49] Izar Tarandach: it's starting to feel to me like one of those cases of, I don't know what it is, but when I see it, I recognize it.

[00:16:55] Chris Romeo: That's the expert angle of SEC of us being security with decades of experience though, right? Like you show me in our a network architecture, you show any of us a network architecture, within five minutes, we'll get a feeling for the security posture of that environment

[00:17:13] Izar Tarandach: But you see that,

[00:17:14] Chris Romeo: things.

[00:17:15] Izar Tarandach: but, but that's where the, that, yeah, that's where the, the student got me.

[00:17:19] Chris Romeo: let's use, let's pretend, let's, let's, let me, let me define the scenario. Okay. We're, let's talk about, we all have been in, and been around startups and small, you know, new companies that are, that are building something new and they're deploying it to the world. Let's just, let's just imagine we've got a, a, one year, uh, some, some number of years early stage startup. They're, they're, they're deploying an application in the cloud. It's, um, a backend API written in TypeScript and uh, a JavaScript front end for whatever their SaaS-based solution is that

[00:17:55] Izar Tarandach: Okay.

[00:17:56] Chris Romeo: So they come to us and they say, Izar and Matt as wise security professionals, how, you know, do a, do an assessment of our

security 

[00:18:09] Matthew Coles: So doomed. So doomed.

[00:18:11] Chris Romeo: thing that we do? Like, let's, let's, let's figure that to us, Hey, look, can you assess our security posture? What would

for first? What, what would

you would say? Show me

would it be? First?

[00:18:26] Matthew Coles: architecture, we're gonna wanna see your architecture.

[00:18:27] Izar Tarandach: to see.

[00:18:28] Matthew Coles: That's number one. We wanna see what the,

[00:18:30] Izar Tarandach: I want to see their AppSec. Well, no, no, no. I'm assuming that, that there's a need for an AppSec function, and we discussed last week that there isn't always No.

[00:18:40] Chris Romeo: and I would say in that early stage startup, there's, they're not gonna be an AppSec person. They're not gonna

[00:18:44] Izar Tarandach: Yeah, yeah. Yeah.

[00:18:45] Chris Romeo: let's say they're, they're a

or 20 person startup who's mostly engineering. So they've got, High-end senior developers that are cranking out and building vision for a new product

[00:18:56] Izar Tarandach: Oh my goodness.

[00:18:58] Matthew Coles: The first thing I'm gonna gonna wanna see, the first thing I'm gonna wanna see is what are their inputs and outputs, right? What's their attack surface?

[00:19:04] Chris Romeo: though,

[00:19:05] Izar Tarandach: No, no, no.

[00:19:06] Matthew Coles: of the, of the app or the, well, the app and the, and the, and the network, right? So the, how the components stitched together and where

[00:19:13] Izar Tarandach: I want to see the list. Of security activities that they're putting in place that is reasonable to their level of risk acceptance. Yeah. There's that word again.

[00:19:29] Matthew Coles: They're gonna laugh you out

[00:19:30] Izar Tarandach: No, they won't. No they won't. Because, well, if they do, it's not gonna be first time, but they won't because again, we, we, we are coming out of the reason reasonability thing.

That, that startup can only do so many things, and that to me is a security. In this example case consultant, it's going to indicate that their readiness, their, their, their, they're ignorant, eager, how eager they are to do security, and that's going to reflect to me their security posture.

[00:20:10] Chris Romeo: let me, let me answer your question. I'll, I'll, I'll pretend I'm, I'm on the

of the table. I'm, I'm the representing the startup being assessed here. Um, okay. So, you know, our, our our VC people told us that security was important and we needed to do some things for it. So we wrote an incident response plan. Based on one that we found on the internet, um, we, we added a software composition analysis open source tool. We, we found an open source tool that works for JavaScript, so we added that to our build pipelines. Um, we're running npm audit in the build pipelines to, in to, to at least alert us and break the build if there's any known security vulnerabilities. We're at this open source static analysis tool. That, uh, we, we think we can, we can put into the pipeline with, with minimal efforts. So that's, that's

approach security so far.

[00:21:01] Izar Tarandach: that to me tells me that they took all, most, many reasonable activities at the level that they are right now

to get them to a better place in a security journey than they were yesterday. So to me, that indicates a positive and growing, and I wouldn't even call aggressive security posture because they're actually. Doing things.

[00:21:30] Matthew Coles: Can, can I ask a,

[00:21:31] Chris Romeo: Definitely.

[00:21:32] Matthew Coles: can I ask a follow up question? So, uh, to you as the, as the, leaders of this company, So you implement all these what are you doing 

[00:21:41] Izar Tarandach: Oh yeah. I assumed that. That's a very good question.

[00:21:43] Chris Romeo: Yeah,

[00:21:44] Izar Tarandach: That's a.

[00:21:45] Chris Romeo: we break the build with npm. So if npm audit runs and, and throws some type of a dependency vulnerability, that does break the build, the individual engineer will then chase that down, whoever committed the PR that. to commit the next PR, we'll just grab the issue and fix it because their PR is not gonna go through the pipeline. Um, we do have a filtering capability in there's There's some that they don't have. We're, we don't have for yet. That's the JavaScript, um, infrastructure. Same thing with the, that looking at with the SAST tool is you know, we'll, um, we'll, we'll, we'll, break the build at the individual PR level, um, for any new code that's been added.

So that engineer will then have to go back and fix it before the PR will be, um, accepted.

[00:22:32] Izar Tarandach: So Chris, you, you described the what to do with the results of all the tools and processes you put in place, as Matt pointed out. And, and then my next question is, under what circumstances are you willing to let go of doing those things? Meaning when is something else more important than those security measures that you are taking?

[00:22:56] Chris Romeo: Yeah, I would say since I'm not a security person, I would say that, you know, we do, uh, we do, we are considering both the business risk to the mar in the marketplace and the security risk involved. And so we have it. We're trying to do the best thing that we can for security, but we're also a small startup who if we lose our innovative edge, we'll go outta business and be gone in three months or six months from now.

[00:23:28] Matthew Coles: do you know what you're trying to defend against?

[00:23:32] Chris Romeo: Um, bad attackers on the internet is our primary focus of what we're trying, we're trying to prevent, we're trying to protect our customers, is our primary focus because we know that we have sensitive data from our customers on the financial side, and so we, we, we don't, we don't really have a good view of our adversaries other than everybody on the internet who wants to steal our customer data.

[00:23:59] Izar Tarandach: So you said to, to me, it keeps mounting and mounting to something that feels like a, a positive security posture

[00:24:07] Matthew Coles: I have no idea how you're making that judgment call.

[00:24:10] Izar Tarandach: because the tools are going into place, the results of the tools are being used. They are, they have a limit on appetite that says, I'm willing to wear risk. Because of this is my business interest, and they're doing this proactively by actually discussing and keeping things in mind. Like there are bad people out there who want what we have, and we have to defend against that.

So to me, that sounds like people who, who, who are posturing themselves in a, in a, in a, in a positive manner.

[00:24:50] Matthew Coles: So let

[00:24:50] Izar Tarandach: As opposed to No, wait, wait, wait. As opposed to, as you pointed, pointed out correctly, if they just had the tools but they weren't doing anything of the result, then that would not give me the same gut feeling

[00:25:01] Matthew Coles: So let me, let me ask you a clar, let me ask a, I'll throw out a clarifying. I guess, let me throw out a point here. Are we assessing the risk, the security posture of the people in the organization and the business or the system that they're building? Because what you, what was described about how they run tools and they break builds and et cetera, um, To me doesn't give me an understanding of what their system's security posture is.

It tells me what their organization posture is, but not what their system's security posture is.

[00:25:39] Chris Romeo: So it sounds like there's multiple pieces then, is what you're,

[00:25:42] Izar Tarandach: I, I'm, I'm going to sort of disagree there because. They're showing me processes and tools that they're putting into place. Whatever the, the security status of the system is at any given point, those tools and processes are going to give some result that they already shown that they are willing to take into consideration and act upon.

So in my head, that plays as the quality of the security of the system is going to grow over time.

[00:26:15] Matthew Coles: I, I would agree with you, but we don't know where they're starting from and where they're at now. So they

[00:26:21] Izar Tarandach: assume that they, they started from zero,

[00:26:23] Matthew Coles: well, but they could have, they, yes, they, they certainly did. But, but, so they're can improve over time from zero, but we don't know where they are. Cause we don't know code coverage.

We don't know what rules they're running. We don't know what their ability of their developers are to fix the issues. They can, they can make the tool shut up, but that doesn't mean that they're gonna be secure.

[00:26:40] Izar Tarandach: True. But, but, but see that's the thing. They said that they, they are taking care of the results. That lets me assume that they're not shutting the tool up. But you are right. You're completely right. And here you are putting together the, the quantitative, uh, meters that I was asking. Can we sum them up and get to a security posture, quantitative measurement.

[00:27:05] Matthew Coles: But I think it's really important that we, we have dimensions of, of posture. Organization versus system, or just two that we're exploring here?

[00:27:14] Chris Romeo: Well, there are two inputs to the same thing though, right? Like I wouldn't, I wouldn't describe an organization's system security posture different than I would what their, how their people are approaching it, that are building that system. It's all one answer.

[00:27:29] Izar Tarandach: I think it's parked. Yeah.

[00:27:31] Matthew Coles: I I don't think it can be one answer. Well, it depends. It depends. I, I think it needs to depend on, There's other information you need there, right? If I'm a pro, if I'm a product company, I don't deploy my product at my company, I deploy my product at somebody else's company, so I may measure two different postures.

[00:27:50] Chris Romeo: But posture then is also your attitude. I think is where Izar was leading us here. Like his, he was measuring my responses based on my attitude towards security. And a strong, you could say, for a startup that has a limited amount of money, they have a limited amount of time. The, my attitude, my positive attitude towards security was a, was a demonstrator that I have a greater than,

[00:28:18] Matthew Coles: Yep.

[00:28:18] Chris Romeo: know, I ha I, I, I'm somewhere on the positive side of my security posture.

[00:28:22] Matthew Coles: I, I don't disagree with you and what I, but I, what I will throw out there is now I think we are reinforcing that there's subjective and non-subjective measurements

[00:28:31] Izar Tarandach: Yes.

[00:28:32] Matthew Coles: for posture.

[00:28:34] Izar Tarandach: And, and that takes me to the next step. Let's assume for a second that we can put a number to security posture measurement because of the nature of all the different variables that we have been talking about for the last couple of minutes. Would, would there be any sense then to compare security postures between different organizations? And that's where I'm going to go and say, personally I don't see it be.

[00:29:07] Matthew Coles: I think I can see it in one area, and I'm gonna throw out another term. I've, I've talked about it in the past. Assurance or confidence, and actually confidence is the word I want to use, not assurance. The subjective measurement that you asked about, like what's your thought process, what processes you have in place, how do you handle results?

That gives confidence in the, in the response, meaning whatever posture we might measure. We have confidence that that is a good measurement and you're on an upward trend. And with that I can, I can compare company A and company B, or you know, org A or B of is one giving more confidence than the other. That doesn't tell me what their posture explicitly is. That doesn't tell me whether they're defend. They can defend against the latest malware or ransomware attacks, but we can say one is improving and the other one is maybe not. Im improving.

[00:30:02] Izar Tarandach: And. How is that different from having a number of consultants show up in a number of different companies, query them about all kinds of practices that they have, along all kinds of measurement access and draw a radar graph and say, this company is more security minded, security whatever, than this company in this vertical.

And end up with an with, with an, with an ordered list

[00:30:33] Matthew Coles: Yeah, the spider chart is a, is a wonderful thing in this context.

[00:30:39] Izar Tarandach: So how, how, how is that different? Do, do, do all of a sudden, uh,

[00:30:47] Matthew Coles: But there's a scale that they're, in order to get that, in order to get that pus, in order to get that assessment, they have a consistent scale. They ask the same questions of different companies, and they get results, and they measure those results on a sim on a similar scale.

[00:31:00] Izar Tarandach: But do, do you agree with me that doing the same things in a five people startup and in a 5,000 global organization,

the, the, the, the, the sheer idea of comparing those things in the same scale is, makes no sense to me,

[00:31:23] Matthew Coles: Uh, so organizationally maybe I would agree with you. System wise, I think it wouldn't matter. The technology for any, for like technology, they're gonna have similar problems and similar, similar ways of addressing it. The number of people in that, in my, in my mind, the number of people involved, if, if you're deploying a Kubernetes system, you know, Kubernetes to the cloud, and, and you're using, you know, on, on AWS or Azure or whatever, it doesn't matter if it's five person startup or a 5,000 person multinational.

[00:31:57] Izar Tarandach: But it does.

[00:31:58] Matthew Coles: Your abilities to manage it change as an organization, and the processes and all the places where you have to look may change, but the technology doesn't change.

[00:32:09] Izar Tarandach: But to go back to a simpler

[00:32:10] Matthew Coles: of that technology doesn't change.

[00:32:12] Izar Tarandach: static code analysis, you mentioned coverage. How much coverage do they have in those things that they put in place? The five-person startup, by nature, is possibly going to find it easier to get higher coverage than the 5,000-person organization.

[00:32:29] Matthew Coles: How do you... we don't know what their lines of code are. We don't know what their code complexity is. We don't know how they manage their source code.

[00:32:37] Izar Tarandach: They are five people trying to coordinate one single activity against 5,000.

[00:32:42] Chris Romeo: Right? I mean, nobody goes into a startup and says, we're gonna have 15 products across five product lines, and

[00:32:50] Izar Tarandach: They do, but not for long.

[00:32:52] Chris Romeo: Yeah. They go out. I mean, you know, so it's very much a focus. The five-person startup is going to have a simpler world.

[00:33:05] Matthew Coles: Uh, so again, let's be careful here about making, I mean, what you're saying is because they were successful, they got 5,000 people, and that means they most likely branched out from the thing that they were building in the first place.

[00:33:19] Izar Tarandach: No, that's not what I'm saying. What I'm saying is somehow they got to 5,000 and they survived.

[00:33:24] Chris Romeo: I mean, that's basically the... I mean, tell me a company that didn't go through that lifecycle.

[00:33:30] Matthew Coles: I mean, SpaceX built one thing.

[00:33:35] Izar Tarandach: Yeah. But they don't care when things explode.

[00:33:37] Matthew Coles: They went from five people.

[00:33:39] Chris Romeo: But now they've taken that one first rocket that they built and turned it into five different product lines of different rockets and payload trailers and all kinds of other things. So it doesn't,

[00:33:52] Izar Tarandach: When they explode, they look at the camera and smile. So it's not like they're

[00:33:56] Chris Romeo: But I mean, they didn't start by building all of those lines of rockets that they do today.

They started with building an engine, I think, if I remember correctly. I think that was the first thing they built, was an engine that, um, somebody else could, could use. That was

[00:34:12] Matthew Coles: They built a flamethrower.

[00:34:14] Chris Romeo: That's the Boring Company, isn't it? Or the flame... I don't

[00:34:16] Matthew Coles: It's Boring.

[00:34:17] Izar Tarandach: Yeah, that, that's the

[00:34:18] Matthew Coles: Yeah, so, so what you're suggesting is a company grows because they diversify, not because they just need more people for building what they build.

[00:34:27] Chris Romeo: I mean, they either, either that single product grows in complexity, you know, let's use Salesforce as an example, right?

[00:34:34] Izar Tarandach: Where are we going with this?

[00:34:36] Chris Romeo: I have no idea where I'm going with this. I'm just talking like

[00:34:39] Izar Tarandach: What about the security posture? We haven't answered that question

[00:34:42] Chris Romeo: Yeah. That's true. I mean, it's, it's,

[00:34:44] Izar Tarandach: Answer me,

[00:34:44] Matthew Coles: No, no, but it was important because you called out, well, a smaller company will have an easier time managing their code base, and what I'm suggesting is whether you have five people or 5,000 people, for like code bases, it won't matter.

[00:34:58] Chris Romeo: Yeah, but there's no way it's

[00:34:59] Izar Tarandach: But it does.

[00:35:00] Chris Romeo: code base. It is not gonna be a like code base if you have the same code base in a 5,000-person company that I do in a five-person company.

[00:35:08] Matthew Coles: Maybe you're dedicating everything to sales. Maybe those 5,000

[00:35:11] Izar Tarandach: Matt, Matt. No, no, no, no, no. Matt, Matt, Matt, Matt. Matt. Let's assume that we have a startup that's just got like a 30-million-line code base from somewhere else, and they are building a product out of that. Okay? But they have five people. Now, let's say that we have a 5,000-person organization with a hundred thousand lines of code.

[00:35:32] Matthew Coles: They're not like code bases.

[00:35:33] Izar Tarandach: Wait, wait, wait, wait, wait. And 3,000 developers. The fact is that coordinating security between five people is always going to be easier than coordinating security with 3,000 people.

[00:35:46] Matthew Coles: I agree.

[00:35:47] Chris Romeo: Say, hey everybody, come here for a second. Come on. Hey, listen. Listen real quick. I need everybody to hear this. With a 3,000-person company, you need 10 people who just communicate, like that's their job, to ensure everybody gets the word.

[00:36:01] Matthew Coles: Yeah, I agree with you, but now you're talking different systems, different code bases, different

[00:36:05] Izar Tarandach: No, different sizes only. Like, uh, I just don't want to get the assumption that the startup, for being a startup, has like this one repo, 10 lines of Python thing. I'm saying it can, but it's a people person now.

[00:36:24] Matthew Coles: But anyway, I mean, posture. So posture, again, posture of the organization versus posture of the thing that's being built, right? If they're both building databases, the posture of the database won't matter how many people they have.

[00:36:39] Izar Tarandach: Okay, so let me ask this differently. If you're taking this down to the level of products in the one company that has 250 products, they end up with 250 postures. Do they have one posture? Do they have one posture that, uh, reflects the 250?

[00:36:59] Chris Romeo: I think so. That's, I mean, ultimately, okay, case in point, I'll use the historical case, 'cause why not go into the past: 2004. William Gates sends the Trustworthy Computing memo, right? As a result of a lack of security across everything Microsoft was doing at that point, that's the one flashpoint that generates a positive step forward for them. And so in those days, you might, I mean, we're all old enough to remember, like Microsoft security was a joke.

Like if you, if someone said Microsoft and security in the same. But Microsoft was probably making something at that time that was perfectly adequate. There was some product somewhere that its security was actually okay,

[00:37:49] Matthew Coles: Mm-hmm.

[00:37:50] Chris Romeo: But I would say, you know, 2004 and earlier, Microsoft's security posture was junk.

[00:37:59] Matthew Coles: Okay. But I think that was an overall consideration. Think about it though. Windows 3.1 versus Access versus Excel. Each of those had their own security posture. The collection of those together was

[00:38:15] Chris Romeo: The collection is what people knew. Nobody knew about Access. I didn't even think about Access in those days as far as its security posture. I just knew, and we as an industry said, up to that point, Microsoft security has been bad, and Bill Gates said it because he wrote the Trustworthy Computing memo.

We got SDL, we got threat modeling, we got everything that came from that, but that was

[00:38:36] Matthew Coles: the perception, but the perception was driven by real world information. That real world information drew a perception both from their customers as well as internally. And they needed to address that, right? Because their perception was driving poor sales.

[00:38:54] Chris Romeo: That's... maybe there's a lesson there that security posture is really about perception and

[00:39:00] Izar Tarandach: Yeah, and then it's a subjective thing all the way. And if it's perception, then it definitely doesn't make sense comparing among different things that you are perceiving.

[00:39:14] Matthew Coles: I don't know if I could go out there; that's a bit of a stretch, I think. I think there are portions that are perception, and I think there are portions that matter. Perception drives risk in a different way, but to the organization. But the posture drives behavior in another way with respect to attacker behavior, right?

If I have a product that has the Swiss cheese on the network, I'm gonna get attacked more. I may drive a perception of bad security, but I can actually measure, I have bad security because I have wide open APIs and I have, you know, plaintext encryption keys and whatnot. Right? So my posture can be measured and then the effect of bad posture can be predicted or understood. It's a symptom

[00:40:01] Izar Tarandach: And corrected,

[00:40:02] Matthew Coles: and corrected. Yeah.

[00:40:04] Chris Romeo: Hmm.

[00:40:06] Matthew Coles: Perception is a lot harder to correct. People get that view of, oh, Microsoft security was bad. Well, it took them 20 years for people to go, okay, I trust it now. Right.

[00:40:17] Chris Romeo: Yeah, and they've, yeah, I mean, think about where they are now. Like, nobody questions Microsoft security now. It's a gold standard in the industry except for esr.

[00:40:26] Matthew Coles: Except for the latest release of, uh, how China backdoored everything. And, you know, it's just all, all bad, right?

[00:40:34] Izar Tarandach: Oops. Who could possibly do that?

[00:40:38] Chris Romeo: So I don't know if we answered your question after all

[00:40:41] Izar Tarandach: I, I don't think so. I, I don't think so. And the more I think of it, it, I, I, I go back to the fact that it feels like we, we can't really, uh, define it. We can say, I know what it is when I, when I see it, but we, we are not currently able to define it. And we keep using that. We keep using the term, and I don't think that it means what we think it means.

[00:41:04] Chris Romeo: Hmm.

[00:41:04] Matthew Coles: Well, out of the

[00:41:05] Izar Tarandach: It is not for

[00:41:06] Matthew Coles: out of the three of us, we have three different opinions of what posture is, and whether you can measure it and compare.

[00:41:17] Chris Romeo: So I think if we added more people, we would just add more opinions and more, more disagreement as far as what it is, but.

[00:41:24] Matthew Coles: You wanna take this to a LinkedIn poll, I mean,

[00:41:28] Chris Romeo: Let's, uh, I think let's leave it where we are right now. The exercise was good though. I think we didn't have the same conclusion; I wouldn't have had the same conclusion when we started as where we've landed here, as far as, yeah, it's actually pretty difficult to define what it is and to compare these things amongst different entities and different size companies and whatnot.

So I think we learned something on the pathway of just going down and exploring the example and everything. So I think we made something good for the world.

[00:42:02] Izar Tarandach: Oh my god. We didn't see it. But NIST has a definition of security posture.

[00:42:10] Matthew Coles: You know, you could have started with that, right? You could have done your own research

[00:42:13] Chris Romeo: that.

[00:42:14] Izar Tarandach: Yeah. We didn't Google things. Damn. We didn't Google. We didn't ask ChatGPT.

[00:42:21] Chris Romeo: Read, read what it is. If you've got it in front of you. We'll, we'll,

[00:42:24] Izar Tarandach: "The security status of an enterprise network, information and systems based on information security resources, people, hardware, software, policies and capabilities in place to manage the defense of the enterprise and to react as the situation changes." People.

I don't think that we were very far away from that.

[00:42:43] Chris Romeo: Yeah. But that's a very InfoSec-flavored example, and that's, yeah. So I mean, we could tear that apart too and say, what's it... it's not perfect. It's not a perfect definition. But the funny thing about this type of an exercise is the three of us are reflecting a definition off the decades of experience we have.

We're not going to a textbook. We're not just reciting a textbook. We are remembering; our brains are processing all of the things we've seen, and all the times we've come in and looked at something and gone, oh, the security in this sucks. How do you know? I can just tell by looking at it because this is here.

Well, no, because you don't have this, you don't have this, you don't have that. You don't have that. All of these things on your architecture are blank. You forgot all the things that provide security and build confidence in the architecture. And so I think, I think that's where we can leave it.

[00:43:41] Izar Tarandach: Yeah. And, and the final most important question here is after you gave your example, and Matt and I assessed it, where do we send the invoice?

[00:43:51] Chris Romeo: That would be on your Linux box. There is a

[00:43:55] Izar Tarandach: No.

[00:43:56] Chris Romeo: file called /dev/null, a file descriptor that you could send any invoice you ever have for me directly to, and I promise we will answer within 1 billion days. That is our guarantee to you. 1 billion days. We'll get back to you. So folks, thanks for listening to the Security Table.

We hope you got something out of this journey that we just went on here. And tell you what, if you have other thoughts on security posture, um, uh, put your comments on the LinkedIn post that you used to find this episode, and let's get your side of it too. Feel free to send that to us anytime you want.

We'd love to get other perspectives. Once again, other people have had different experiences than we had and come from different areas of security, and it's good we can all learn from each other along the way. So thanks for listening to the Security Table.

 
