Views from a Fractional CISO delivering complete security: A conversation with Aruneesh Salhotra


This episode features an interview with Fractional-CISO Aruneesh Salhotra. Aruneesh brings with him 22 years of experience across development, DevSecOps, security, containerization and more. He is also an award-winning presenter, panelist, and author. On this episode, Aruneesh and host Andy Schneider discuss protecting IP source code, what solution to pick based on your integrations, how he’s enabling companies to shift left, and much more.

Time Stamps

[1:04] The rising challenges of securing the cloud
[2:40] How does Aruneesh protect source codes?
[6:41] What skills do security practitioners need today? Do they need to be able to write code?
[13:46] Addressing the talent void in cybersecurity
[13:09] As someone whose background is in AppSec, what are security leaders missing today?
[15:48] What makes a good security leader?

[00:00:00] Aruneesh Salhotra: You can only protect what you know about. So cloud definitely has, has opened the doors, uh, for misconfigurations and misconfigurations can lead to breaches. And that’s, uh, like in, in a summary that I would say how cloud has, uh, changed the whole security landscape.

[00:00:18] Andy Schneider: Hello and welcome to Code to Cloud. I’m Andy Schneider, Field CISO EMEA at Lacework, and I’m looking forward to speak to our today’s guest, Aruneesh Salhotra. Aruneesh brings with him more than 23 years of experience. Like me. So we have like 46 years of experience, uh, in this podcast. Uh, and he has a lot of experience across several fields like DevSecOps, security, container security, cloud security. He’s an award-winning presenter, panelist and author. Aruneesh, welcome to the show.

[00:00:49] Aruneesh Salhotra: Thank you Andy. Thank thanks for having me. And I look forward to our conversation.

[00:00:54] Andy Schneider: On your opinion, on your, on your journey that you have, you have seen from that 23 years, um, did anything change specifically when we came to the cloud? Or if companies move to the cloud? Is there something new?

[00:01:09] Aruneesh Salhotra: I think one thing, uh, attack surface definitely increased manyfold. So everything else maybe 10 years, uh, ago was everything was behind the firewalls. There was only like bunch of services which were exposed outside for integrations or maybe websites that were getting created, and that was like 10 years ago. And it was more manageable given, uh, possibilities of shadow IT. The attack surface has increased manyfold and by attack surface is not only your websites or your API, it’s your source code. It’s your world’s secrets. Uh, everything that you are possibly, uh, can expose. I mean it, uh, I’ll give an example. If you’re working in the financial industry, you’ll have like a lot of traders or a lot of people running an application on their desktops. And God forbid if that is exposed outside, that’s another asset which is exposed outside, which you don’t know anything about. So like they say, you can only protect what you know about. So cloud definitely has, has opened the doors, uh, for misconfigurations and misconfigurations can lead to breaches. And that’s, uh, like in, in a summary that I would say how cloud has, uh, changed the whole security landscape.

[00:02:25] Andy Schneider: I would even say that the cloud is not forgiving. So if you do mistakes like misconfigurations, um, as you’re so exposed, you will feel it very soon. You mentioned the, the source code. That’s, that’s an interesting one that we didn’t touch in, in, in the last episodes, but actually that’s for me, like the new crown jewel of everything. So, uh, from, from your experience, just let’s say a handful of tips, how do you protect your source codes?

[00:02:57] Aruneesh Salhotra: Many, many years ago, I was working for an organization, and this is when SIEM and log aggregation or anything fancy from a UEBA was not even existent. I had a hunch that something was fishy going on, uh, with, with, with a particular individual. And when I looked at some of the basic logging that was there in CVS and SVN, I’m not talking Git or anything, which is like super advanced in terms of what logging and identifying behavior. I found a behavior that there was excessive amount of checkouts that were happening in a short period of time. And again, this was very manual and, uh, I kind of figure out that there is a data, not a data, but more of a code leakage that happened and something that I flagged and we were able to bring back the source code into our organization. But again, that was like fifth all. I mean, I can’t even like say how many years ago because then you can actually find out which company I’m talking about. But that was many, many years ago. And fast forward, um, right now, uh, IP source code is definitely your crown jewel, right? So you have to protect that, uh, with utmost importance, whether it’s healthcare stuff or, or your trading algorithm or, or something equal. And you have to protect so you have to actually bring in lot of different aspects, right? One aspect is even if you’re storing your source code internally, there is always a threat of internal actors acting against your firm, right? So you have to actually ensure. Protected branches is definitely a no-brainer, right? So you want to ensure nobody is able to actually change your master branch. The second thing is you want to ensure like, uh, there is RBAC configured properly, properly in the sense that people who are supposed to have access, proper access should only have access. Let’s say you are a quality assurance engineer, right? So you should only have access to view the code. No edit is required.
And in terms of, uh, people who are reviewing the code and merging the code, they should have a master or administrative access or, or manager access for, for your project itself. Everybody else needs to be a developer or a maintainer, something of, of that sort, right? So those are like two of the very basic, uh, stuff, right? You can actually go a little more in depth to ensure like the source code is being protected. And, and again, like not every organization would host their source code, the GitLab or GitHub on-prem, right? Some might be leveraging stuff on, on the cloud itself. So you actually have to manage, uh, that particular thing very, very closely, and especially if you are, uh, making use of third party contractors or or vendors out there who have access to your source code, you have to actually analyze, uh, like their activity on the source code, how many times the check-in is happening, what they’re checking in. And of course, if you’re working with third parties or contractors, you have to actually ensure your reviewer or, or somebody who’s enabling the merge request is as part of your own specific team, right? So you need to have like a balanced approach in that one.

[00:06:06] Andy Schneider: Yep. Totally agree. I I have a similar story. I, um, I, I have to tell it. So, um, I once did a, it was intentionally a pen test, but we didn’t see that the pen test was successful with a purely digital company. But what they achieved, they found like, unsecured credentials to, to access like, um, uh, a CI/CD user in a repository. They took that over and they were able to completely change the complete code and they pushed malicious code to production. It was not really completely malicious because it was a pen test, but no one noticed because they were able, as they had control over the whole CI/CD pipeline, they could, um, pause all security checks that we had implemented and then reenable them afterwards. So we saw, okay, something was weird, but, oh, everything is running, all is good. So it shows that the repository is really key. Not to everything, but it’s something that you should not forget in your whole, um, cloud security AppSec journey. Um, one, one question to that. So, uh, if I, if I look back, uh, back the years when I was, uh, a CISO and also security practitioner, I never looked at the repository. So does it also mean that the, that the, um, skills security leaders need that they change if you move to the cloud?

[00:07:35] Aruneesh Salhotra: Absolutely. Absolutely. And if you look at, I’m not sure if there has been a survey done of background for every CISO. Some CISOs come with fair network background. Some come with like, uh, application security, some with like a threat intel background. So there is no like, like, like a report, at least of, of what I’m aware of. But I think the skills and then your awareness definitely changes manyfold, right? Like cloud was very different when, when we initially started, right? Like S3 buckets, all the misconfiguration that I’ve seen in, in the news was fairly new for most of, uh, the security practitioners. And now you actually fast forward, uh, six, seven years, uh, ahead in 2023, you have container security, you have API security. The attack surface itself is, is very different, right? So having that awareness of what can possibly go wrong, having an awareness of not just the, the, the, the field itself, but also understanding who are the key players. Like what they’re, uh, um, what is the value proposition of the solution that they’re building? How does it apply to my organization? Is it even the right fit? Right. So I think, uh, there is lot of, uh, I would say like pressure on, on, uh, security leaders, security practitioners to not only realize the need for, for a particular, uh, control that you need to have within your organization, but at the same time trying to figure out what solution actually fits, uh, your, your organization based on the culture, your integrations. And how, how does it fit into your, you mentioned like from a CI/CD perspective, does it have like integration enabled for the CA solution that you are using?

[00:09:18] Andy Schneider: There’s that controversial discussion that I’m, I’m following, um, that today’s security practitioners need to be able to write code. So they need to be, have developer skills. Uh, um, some say it’s better to have the developers having security skills. So if you would look at that, what’s your gut feeling? Should, should developers take over more security task or should security, uh, people be more developers and have more engineering mindset?

Aruneesh Salhotra: I think it’s a healthy balance of two, but I’m gonna, uh, say it’s, it’s more of the former where you want like developers to take the load from security teams because security teams as, as you might be, aware is like the ratio could be anywhere from like one, 2000 developers or one 200, or one to 50 itself, right?

[00:10:08] Aruneesh Salhotra: So definitely security is, is not something that can scale according to your number of applications. So you have to, uh, bring in more developers who are like security friends. I mean, like, uh, they can actually take responsibility. And whenever I talk about security, I take it back to maybe 15 years ago where quality assurance was the in thing, right? You were looking at how do I make my code more performant? How do I make my code more resilient from like a null pointer exception or like a Java null pointer exception, all those things. So you actually have to actually bring, uh, solutions within the organization to empower developers to do the right thing. And, uh, some organization even scaled that particular thing to create security champions who maybe coming from a SRE background or DevOps background, or maybe developers who are like, like savvy about what’s happening in in security or what’s happening in infrastructure. You have to identify those people and scale your program according to that one.

Andy Schneider: To that point you mentioned that, um, uh, SRE background picking someone from there. How do you. How do you tell developers today or such a security champion, what they shall do in security? Is there some experience you have or what, what were things that worked well so that developers actually take over security, um, tasks?

Aruneesh Salhotra: So these days it’s, it’s fairly easy for selling security developers, right? Like anytime you open like Reddit or, or any of the social media platforms or any other forum or a newspaper, you see like constant stream of breaches happening, right? Malware attack, ransomware attack happening, left, right, and center. Right? And because developers are, are technical in nature, right? They have a technical hat, uh, that they, they bring into the organization so they can easily identify or understand what’s happening, right?
So you’re not preaching to, uh, like a young kid or maybe somebody who doesn’t understand technology, so you’re not preaching to somebody who doesn’t understand technology. But if you correlate like a dollar figures for a particular breach, something similar, like if your application goes down in your production application goes down because of bug in your code, you understand the the key importance for a quality assurance, right? The same thing applies on security aspect. You have to make sure you’re looking at your source code, different lenses, like whether you are talking about your first party code or your third party code itself. There is an inherent risk in every aspect, right? If you’re creating like a web facing application itself, you have to think about, okay, is my application prone to like a SQL injection? As simple as that, right? And that’s the start of conversation, but it doesn’t end there, right? You actually have to empower the development tools so that they can capture or catch those exceptions as early as like their development in within their IDE. If you can actually do a SAST scanning as early as your build time, it’s, it’s much more easier to fix those things.

[00:13:19] Aruneesh Salhotra: Rather like catching them in in your QA or maybe in production.

[00:13:23] Andy Schneider: So on the left side, so that’s the shift left, whatever push left, shift left, um,

[00:13:29] Aruneesh Salhotra: Yeah, that that’s one aspect. And also from a shift right perspective, you also have to think. Of course you cannot fix everything, right? If, if you’re running like a legacy shop itself, you cannot fix all the things, right? So you actually have to bring in control like the compensatory controls, which may not be able to be fixed in in your CI/CD pipeline, but can be captured maybe from a zero trust aspect, right? You can actually think about micro segmentation, for example. But once you bring like an agent on, on those endpoints, you have to actually ensure, like it doesn’t break anything. It’s not causing CPU spikes or memory spikes in, in your environment, right? These are, these are like the same, the starting points, uh, for organizations or at least for, uh, developer teams itself.

[00:14:18] Andy Schneider: I often have discussions with developer teams that they just purely focus on, let’s say the left side. So the proactive way of, uh, avoiding that bad things might happen later. So, but I’m more an advocate of really pushing left and also shifting, right? So you have to do both sides. So without that, so I always compare it with like, uh, if you’re, if you’re, again, if you have a kid, um, you can remove all the burnable materials in your house. That’s the, let’s say, doing the things on the left side. But having a fire sensor might be a good idea. It’s the only thing that detects a fire. And maybe you want to have that in the room of your kid, so of your crown jewel. You have a strong background in, or as, as I hear in application security, is there, is there something, um, where you think that is missing today from security leaders?

Aruneesh Salhotra: I’ll probably maybe take a different view on this one. Right? So back in the days of vulnerability management, which was more focused on your OS, your network level issues, right? That was taking the center stage. And because more and more organization are becoming digital, uh, of course some organization are definitely creating their own application.

[00:15:31] Aruneesh Salhotra: They’re hosting their own applications on-prem or on the cloud. So AppSec is, is, uh, I would say like it’s gaining the traction that it truly deserves. But what is missing is like a inventory of everything that you have, right? And try to do the correlation between your, like, physical assets or, or your VMs or EC2 instances, or, or your serverless stuff, right? And try to correlate it back to your application. Your, your source code itself. So, so there are a couple of things that I would see are, are important or maybe even missing in some of the organization. First aspects is creating a complete inventory of, of your systems, right? I’ll take a simple example. If you have, uh, multiple websites that you’re hosting for, for your organization, how do you correlate, uh, that one to your CMDB? Are my number of endpoints, my number of APIs that I have are, are getting reflected in my, uh, in CMDB or not, right? Because most of the automation are keying off your data that’s there in your CMDB. So inventory is definitely one of the, the big, big challenge for, for organization because there are applications which are, like, getting updated almost on a, on a weekly basis. Right? And the application which are getting deprecated because of X, Y, and Z reason. Maybe you’re exiting a particular business or you’re onboarding a new business, you are having new applications in there. Inventory definitely is one. Uh, the second aspect is the, uh, how do you identify who’s the owner for those applications? Like if something happens, right? You should be able to identify who’s my business owner, who’s my application owner, who’s my support owner, and what is my point of escalation? And if you’re talking in a tune of maybe a hundred application or maybe 500 or maybe thousand plus application, right? The complexity increases, right? So you actually have to rely on a lot of automation.
And quite frankly, because security is fairly new for most of the organization in this particular space, and if you’re a small shop, it can be a huge undertaking to build that automation to ensure, like everything that you have is just reflected into like a source of truth, right? Which is reliable and it’s, it’s, uh, you’re confident about that one.

[00:17:49] Andy Schneider: Automate everything. That’s the one thing I learned in my career. Everything that you can automate, do it. It’ll be a life saver for you because you can then maybe sleep better. Um, let’s, let’s move on. So, um, we touched it, so, but what would be an ideal, uh, security leader look like for you?

[00:18:09] Aruneesh Salhotra: One is, uh, security leader definitely needs to be inquisitive, should question everything, not just Bec uh, because, uh, he or she’s being asked from your management to control the budget, understand how the technology really works, how do the infrastructure, uh, works. How do you spin up resources? Like how does applications work? Right. Application architectures are important, but I think like you have to also identify that security leaders could be working in organization, which don’t have any internal application. They’re just hosting third party application and running insurance business, for example. Right? But having a base understanding of your infrastructure, your application, your threat intel. How do you actually correlate your threat intel feeds into what’s sitting in your organization and, and try to analyze, am I really being exposed? I’ll give like, uh, two small examples on this. Uh, in application or a SCA space, there is, um, a talk of a reachability analysis visas, right? Like some scanners would say, okay, you are using this particular library. That’s why you are exposed, so you cannot use this particular library. But if you look, peel the covers, you say, okay, I’m using this particular library, but I’m not even calling this particular method because of which this library X is being tagged as, as being vulnerable. So having an appreciation that you’re not just looking like a binary, uh, decision of yes or no, right? You have to actually peel the, the covers or, or, or, uh, like analyze, am I in the control path? So somebody who has that mindset, yes, it needs to be a risk based approach for remediation, right? If my vulnerability is not, uh, going to be exposed, why am I even blocking that particular artifact in the first place? Or if I’m running like a infrastructure stuff, which is, has a particular CVE associated with that, maybe I don’t even need to actually, fix it if it’s not even an inline.

[00:20:18] Andy Schneider: Got it. Fully understand that. Um, if you look back in your career, um, what was your biggest learning, that you, that you have made?

[00:20:28] Aruneesh Salhotra: Uh, there is another program that I led almost 11 years ago. Uh, there is a solution which does, uh, a batch automation, uh, it’s called like BMC Control-M. And, and I led the global implementation of that one. And I think I inherently come with the background of like, how do I break stuff? In that one I was analyzing, uh, use cases where I can actually possibly cause like a, uh, like an issue with my organization because back in the days, uh, the agents for that particular application used to run as root and people with malicious intent right, can really go at a job, say I have access to that one and I can change a well drafted, like, command line, say, okay. Give me all the log files. I’m doing like a cat on on my listing, right? I can easily change that particular command saying, okay, RM minus RF slash blah, right? So you’re basically rendering your infrastructure, uh, unresponsive. And that can definitely have like monitoring implications, reputation implications. So I detected that as a use case. I brought it back to BMC in terms of this is probably not the right approach to run your agent as root. Right? So that was another one, uh, that stands out. And there’s another project that I think I’m like very, uh, proud of, like implementing that one in my previous organization. Uh, everything that we talk about, micro segmentation these days, I created something very similar. With the approach or the intent, very different. What I wanted to capture, like what are my connections in my production environment like, capture those in some sort of a database. Try to figure out, okay, these are my connections that I see, which are transient. These are connections which are persistent. And if I’m doing a maintenance or I’m doing, like there is some outage, right? I need to be able to identify, okay, what is my, uh, impact across my organization? And this was not a small organization.
So created something similar, but the intent was different. But now I look forward in 2023, there are a lot of organizations or, or vendors which do micro segmentation, uh, concept remains the same, but the, the, the, the lens is more on security side, right? So one of the things that we started doing in my previous organization was taking the data from, from this particular database itself, and apply those for ensuring my firewall rules are intact. Whatever baseline I’ve, I’ve created is exactly what needs to be done. Everything else is is in a blocking mode.

[00:23:07] Andy Schneider: What would you say were the things that you learned didn’t work? So like one thing where you say, this just didn’t work in my career.

[00:23:15] Aruneesh Salhotra: I can think of one thing, um, but I think like towards the end we made it work, so I’m not so like, it, it definitely the initial design that we have for, uh, creating a data lake for, for, again, like it was not a security specific, uh, issue, it was something else. So we’re looking at building like a data lake to make some decision making.

[00:23:35] Aruneesh Salhotra: And of course, if you don’t take, uh, the scalability into the equation itself, it’s gonna hit roadblock, right? So you actually have to either redesign or gut the whole program. Or try to see how do I make it work? Right? So you actually bring in other folks in, into that program and see, okay, is it not working because of performance reasons or is the infrastructure issue, or may, maybe the architecture needs to be like tweaked a little bit where you can actually make it more performant. Or maybe I need to just, uh, change my, uh, database or my, my move from RDBMS to NoSQL, right? So that would definitely require change. Uh, so that data lake definitely stands out in, in my, in, in, in, in my recent recollection.

[00:24:20] Andy Schneider: So there was one thing, it was really, you could even say once upon a time, it’s really long ago, like, um, more than 20 years ago. Uh, and I was working at a bank with a trainee together and I was working on mainframe systems. So when you mentioned BMC, it really reminds me back, uh, the times there. We created on the mainframe, um, like a hyper device. There was a hypervisor available and we created a web front and a console, uh, where you could, um, order Linux on demand. It just took like, 30 seconds and then you had your completely fresh Linux, so with a click of a button. So we created, created that. The idea was to compete with the Unix colleagues and we were, the idea for me was we offer that to the external market as well. Then I went to the management and, and showed it, and they said, who in the world would ever want Linux systems on demand by pressing a button. No one wants that. The real thing are data centers and bare metal. So what did I do? I threw it away. I thought no one needs that. So three years later, AWS became like the thing and the cloud started. So I thought maybe I should have been more, I should have followed that dream a little bit more. But I guess I was not the event of inventor of the cloud, but actually it was like the same thing. So never give up your dreams. That was my

[00:25:48] Aruneesh Salhotra: Yeah, I mean like we all have stories. We also have like regrets in our lives, so maybe I should have like, pushed, uh, forward and we both would be like sailing or maybe golfing at this point in time.

[00:25:58] Andy Schneider: Yes, yes, absolutely. So, um, let’s, let’s move on. So when we last, uh, talked, you mentioned that you are also a fractional CISO. So for the audience out there, what is a fractional CISO? How would you describe that?

[00:26:14] Aruneesh Salhotra: Sort of like a new thing that’s, uh, coming to the market where if you’re working for a SMB shop itself, right? Smaller, medium business itself, where, uh, they don’t really need like a, like a full-time CISO. But need somebody with a mindset of security. Maybe somebody coming from a technical program manager background, trying to see, okay, if I want to ensure I can secure my organization, secure my assets, secure my data, like how do I engage, like somebody with a, a decent security background, which is not full-time, which is not 24 5, for example, or maybe like nine to five, and it’s, it’s more of an engagement where you bring somebody, for a short period of time where that individual looks at your, your current footprint, right? Does like a security assessment and try to see, okay, here you are. This is the journey that you need to follow. If you want to be there to meet your regulatory obligations, to meet reputational aspects or, or something of that sort. Right? And not every organization needs to go from one to five, for example, right? If five is the, the, the, the Nirvana, right? So you, you’ll probably be good at coming at level three, right? And level three doesn’t mean like it needs to be done for every single aspect, right? You can say, for my application security, I might be at a level three, or my EDR, I might be at a level two. But coming to a level where you can at least say, okay, this is my, uh, my, my intent, or this is my end goal itself and what is my journey on that one? So you can actually put like a program together, how do you scale your application security program or your cloud security or container security, your, your end endpoint itself for your phishing. So it’s, it’s really defined, uh, that individual comes, does the assessment and puts a roadmap together. And sometime it also involves getting the right set of solution which the organization currently does not have right?
And sometimes it means you already are, are implementing some solutions, but it’s not configured properly according to the industry best practices. And also some of the fractional CISOs would come with like a heavy understanding of the GRC side of the world as well. Right? You understand the compliance, you understand the, the regulations. Maybe it’s uh, as simple as doing like a NIST 800-53, for example, to, to achieve that particular state in say, X number of quarters or maybe x number of years. But that, that individual will come with a mindset or exposure in, in, in the technical side as well, in the compliance side, maybe the privacy side, and try to educate and work with, uh, individuals within, uh, the SMB shops mostly.

[00:28:58] Andy Schneider: I see that trend from, however you call it, like, uh, CISO on demand, uh, virtual CISO, fractional CISO. Um, is there. What I, what I see with many that, that, that have that role is that it’s, it’s difficult, so it’s good for the advisory part and really helping the company or achieving a certain, a certain level of security. Is there a difference from a responsibility, accountability part? Because as a CISO usually you are like the one, you get fired if something else goes wrong, as a fractional CISO, this is, you might lose, uh, of course, that job part, but is there a difference? Do you feel that difference or would you say there is no real difference between, let’s say an operational internal CISO or a fractional CISO?

[00:29:48] Aruneesh Salhotra: So, so to answer your question, I think I’ll answer it more of yes and no. No, meaning that if there is a breach in an organization, let’s say after, uh, an assessment and remediation report is, is completed there, there is no exposure for the fractional CISO. Whereas if it’s a resident, uh, CISO within the organization, your name is out there, somebody in the C-suite is definitely on the chopping block. But in case of fractional CISO, the the, the engagement is done and you always have this particular thing that, this was my recommendation that I provided to the company. And then you’re walking out the door, right? From a yes perspective, I would say yes, there is a reputational risk involved in that one. Let’s say you do like a cloud assessment for an organization and one week after that one there is a breach in the organization. Definitely, uh, the company can actually quote you that we hired this particular individual, supposedly, uh, a security leader, but, uh, there the, all these particular gaps. So you definitely will not be able to as successful as you want to be.

[00:30:57] Andy Schneider: So we come closely to an end. So let’s come to the last part, some rapid fire questions. So what’s one tool you can’t live without?

[00:31:07] Aruneesh Salhotra: Can’t live without is like your CMDB, a golden source of truth.

[00:31:11] Andy Schneider: Very good. What’s the most important habit an IT or security leader can have?

[00:31:16] Aruneesh Salhotra: Be inquisitive all the time and question every decision, which may not have any implications to budgetary line.

[00:31:24] Andy Schneider: Who do you look up to in the space?

[00:31:26] Aruneesh Salhotra: I’ll look up to many individuals. I look up to my security engineers or, or my peers or, or some organization, but my golden standard is definitely what Netflix is doing.

[00:31:38] Andy Schneider: What’s the one tip you would offer listeners to increase their cybersecurity?

[00:31:43] Aruneesh Salhotra: Uh, definitely look at your, uh, asset inventory, make sure, uh, it’s a hundred percent, it’s accurate. It’s uh, like we mentioned, it should be automatable and you should always drive towards automating everything that you have. And one thing that we didn’t cover, um, and I probably want to bring that one, is risk-based prioritization, right? Every prioritization that you are happening with, say, 10,000 of, of these issues, you just shortly look at prioritization, your risk based on your business context. What’s happening in, in, in the dark web have like a feed coming into your organization, which say, I shouldn’t be even, even need to fix any of this from day one. Right? Your feed like CISA KEV or EPSS, is definitely driving, uh, towards that one, but having like understanding of what’s happening out there is, is very, very important.

[00:32:34] Andy Schneider: I love that. Um, so in case someone wants to connect with you or follow you, where’s the best place? Twitter, LinkedIn. Where can they find you?

[00:32:42] Aruneesh Salhotra: Uh, definitely on LinkedIn.

[00:32:44] Andy Schneider: Definitely on LinkedIn. So that’s a wrap for today. Thanks so much for tuning in. If you found value in what you’ve heard today, please subscribe or write us a and I hope to see you next time to Code to Cloud.

About the guest

Aruneesh Salhotra

Aruneesh Salhotra is a Fractional-CISO who is an experienced Technologist/Generalist and Servant Leader with Expertise in Development, DevSecOps, Cyber Security, PMO, Infrastructure, Kubernetes, and Technical Sales. He has a suite of professional certifications that includes C-CISO, CISSP, CKA/CKAD, AWS Security Specialist, and PMP. He also serves on multiple advisory boards, including VirSec, Strategio, ICPS, and Dazz, providing valuable counsel and contributing to critical decisions on issues ranging from cybersecurity and diversity to business strategy and growth. He has received numerous awards and recognition for presenting, serving as a panelist, and authoring content for prominent industry events such as ADDO, Elevate, Ignite, QA Forum, RFG, SINET, PBC, Tech Trek, and beyond.
