Nate Lee on Shifting Left to Outsmart Threats
Hey there 👋
If you’re anything like me, then you’re probably constantly thinking of the future of cloud security and the role of AI, and how to create a robust security culture within your teams. Thankfully for you (and me), this week's edition of Cloud Control is with Nate Lee, CISO & Principal at Cloudsec.ai, who dives into it all.
Nate started in the early days as the tech-enthusiast in a non-tech world and found himself eventually leading the charge at Cloudsec.ai. His perspectives on blending technology, culture, and processes for a solid security strategy are a must-read - why? Because it’s like having a blueprint to navigate how you secure your AI systems, understanding common missteps in cloud security and how to avoid them, and harnessing AI to future-proof your security strategies. Nate discusses these topics and more, providing actionable advice and insights that can change the way you handle cloud security.
Jump into the full interview and find out how to kick your security strategy up a notch, create a culture that puts security first, and keep up with the breakneck speed of cloud tech 👇
Nate Lee, CISO and Principal at Cloudsec.ai
Question 1
Before we dive into the deep end of cloud security, let's start with your background. You've been in the industry from engineer to CISO, and now leading Cloudsec.ai. What sparked your passion for security, and what keeps you motivated and interested today?
Answer 1 🎯
I’m not originally from the Bay Area. Where I grew up, I was the tech person surrounded by people who looked at tech as a curious obsession of the socially awkward.
Before I’d ever heard of terms like threat modeling or secure-by-design, thinking about how systems could be abused or broken was just another part of how I would think about technical problems. Once you have an idea about how they can be broken, the next logical step is to spend time to work out how to prevent that from happening.
This is going to sound a bit cliché, but from the perspective of the tech scene, when I moved to San Francisco, it was like Dorothy stepping out of the house and seeing everything in color for the first time. I was suddenly surrounded by people everywhere pushing the boundaries of how software could be built and run. There’s a culture of always questioning why things are the way they are that resonates with me to this day and is what led me to fully focus on the security side of technology. These days, I find it tremendously motivating to be in a position to work across multiple organizations with security leaders to develop and improve their programs.
Question 2
You've been everywhere from the engineering trenches to leading the charge as CISO at multiple organizations, big and small. When you're at the helm, how do you weave together tech, culture, and processes into one solid security strategy?
Answer 2 🎯
This question really dives into the core of what the role entails and why it’s so interesting. You can’t be solely a technologist and succeed at the organizational level. Conversely, it’s extremely difficult to do the job if you don’t have an understanding of the systems you’re working to secure.
Culture for me is always the starting point. It’s easily overlooked since it’s less tangible and quantifiable than the technical components and controls but it’s what underlies a strong program. If the technical controls are the bricks in your wall, the security culture you cultivate is the mortar that holds it all together. It’s extremely difficult to build and operate effective technical controls and processes without the right mindset and approach to the problems at the cultural level.
Most people want to be secure and want to do the right thing. They’re not, however, experts in the field so it’s critically important that the security team connects with them in a way that fosters open communication. You can’t make experts out of everyone and technical controls are often not so comprehensive that a human error can’t lead to a breach.
This is where building a culture that enables people is invaluable. You want them to know enough to discern something that could go wrong, whether that’s a phishing email, a log entry or a new authorization flow. You then need them to feel comfortable enough with the security team that they want to reach out for help with questions because they know they won’t be judged for their lack of domain knowledge. The only way to have this happen consistently is if the team puts in the time to build relationships and a positive reputation across the company beforehand.
When working with teams, I like to emphasize empathy towards others as a fundamental way to improve security. Organizations have people at the front lines of many different attack vectors and if you don’t have a path for them to provide your team with insight on what they’re seeing, you’re cutting yourself off from a major feed of information.
Tech and process are obviously also critically important but I find that most technical security teams already have the requisite skills to implement. The key to a strong strategy here is ensuring mindfulness about the tradeoffs made with each decision. It could be a project, a control, an additional process or any number of other decisions that we make every day. For example, when you prioritize project A vs. B without really analyzing the business value and need, it’s easy to call it a success when you finish since it probably makes something incrementally better. What needs to be considered is if the decision led to the best possible outcome for the business. If you spent a bunch of time reviewing network ACLs, that’s great and it ostensibly improved security but if your biggest risks were around account takeovers and you don’t have MFA, is it really a success to have spent time on firewall rules?
It’s easy to improve security in a vacuum - there’s the old adage that you can unplug a server to make it really secure. Context is everything when defining a strategy and you need to ensure your strategy and plans align with the business and its goals.
Question 3
We all love the thrill of pushing out new features and growing fast, especially in the SaaS game. How do you keep pushing the boundaries of innovation while making sure security guardrails are in place?
Answer 3 🎯
This is a great question and one for which I don’t think there’s a single answer. Each business is going to be different from the perspective of risk appetite, engineering flows, priorities, etc. Smaller companies are going to be more willing to take chances to get features out and gain traction before the money runs out. As you grow however, you have more to lose from a breach and hopefully, you have more resources to apply to the problem so there’s also a transitionary period between the phases that’s also an interesting problem to work through.
The “paved road” approach championed by the Netflix team is a great mindset to approach the problem with. Nobody wants to be insecure or build insecure software, but they have a job to do, and that tends to be measured by velocity and by proxy, the ability to release features. If you can build the tooling that meets the engineers where they are and provides a simple way to solve a security problem, they’re generally happy to use it.
When the security team ends up as a chokepoint in the development process, you want to step back and look at the problem from the standpoint of how you can build functionality with a clear and easy path to eliminate the problem from occurring in the first place. This could be tooling in their IDE, libraries or frameworks for logging or authorization or anything else that offloads complex work to easy-to-use shared services with secure defaults.
Question 4
You're big on "Shifting Left" across the business landscape. Could you walk us through how this plays out in real life at Cloudsec.ai, especially in getting security and engineering to work collaboratively and towards a common goal?
Answer 4 🎯
This is an area where there’s often low hanging fruit for security teams to make a huge impact and it’s where we help a lot of clients address security issues in a way that keeps developer velocity high. The general principle is that the sooner you catch or ideally, prevent problems from occurring, the cheaper it is to remediate.
This could be scanners that check code for vulnerabilities and secrets within the developer’s IDE so they can fix it before it ever gets merged in, automated dependency updates to make ongoing maintenance something that happens by default or doing threat modeling as part of the initial design to account for issues before you start to build. In all those cases, the cost to fix the issues before they’re released to production vs. the cost of dealing with them when you find them after the fact can be an order of magnitude greater so making the effort to ensure that security is a core part of your development process really pays dividends.
The key to success is ensuring the security team works closely with the engineering team and actively solicits feedback, especially negative feedback. Teams working on the controls, systems and tools that affect the development process should be developers themselves with an innate understanding of the process. This enables them to actively collaborate and build trust by being responsive to developer concerns in a way that’s difficult to do if you haven’t lived through it yourself.
Question 5
AI is reshaping every tech corner, including security. From your vantage point, how is AI transforming cloud security practices, and what's one AI application you find particularly game-changing?
Answer 5 🎯
We’ve only seen the smallest fraction of the impact that the coming decade will bring to both attackers and defenders. Initially, the impact will be increased offensive capabilities as attackers automate a lot of the research that goes into targeting individuals - creating whole campaigns with custom tailored, grammatically correct phishing emails and as we saw recently, video deep fakes of executives. This will put a huge emphasis on defenders to rethink how identities are managed and what trust means in the context of a world where you can’t necessarily believe what you see.
On the defender side, we’ll see much, much more competent event correlation and response capabilities from tools that leverage the power of LLMs. Right now the token windows are too small, the cost of inference is too high and the agents aren’t reliable enough. Once we start seeing advances like lean models specifically trained on logs and threat feeds for attack detection, agents that consistently do what you expect and models that can update vulnerable dependencies automatically, even across major versions with breaking changes, the tables will turn decisively in favor of the defenders. They’ll be able to feed the tools with knowledge of their systems to leverage traffic flows, vulnerabilities, regular patterns, etc., responding in real time.
It’s quite an exciting time.
What’s New at Gomboc
In the magical land of Silicon Valley, where dreams and code converge, a tale is about to unfold…Imagine a sunny day in the Valley, with Kubernetes on the horizon, ready to set sail into production waters. But, as fate would have it, chaos ensues, and our beloved character, Streamline Willie, finds himself in the midst of a cloud conundrum 🚢💻
Watch Mickey as he goes on a rollercoaster of tech shenanigans, only to be saved by Gomboc 💪
Top Articles and Resources of the Week
Resources
Federal Cyber Defense Skilling Academy: CISA’s Cyber Defense Skilling Academy provides federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program.
The Workforce Framework for Cybersecurity (NICE Framework): Learn more about the NICE Framework Categories, Work Roles, Competencies, and Task, Knowledge, and Skill (TKS) statements as well as the relationships between those elements in this downloadable PDF.
Workforce Management Guidebook - Cybersecurity is Everyone's Job: A publication that talks about cybersecurity from every business function and aspect of an organization’s operation. It is written for a general audience who may not be knowledgeable about cybersecurity and can be read as a complete guide or by each business function as standalone guides.
7 Popular Cloud Security Certifications for 2024: This article provides a comprehensive overview of the top cloud security certifications for 2024, essential for professionals seeking to enhance their skills and career prospects in the rapidly evolving cloud security landscape.
Cybrary.it: A platform for cybersecurity professionals at all levels, featuring free courses, certification training, and hands-on virtual labs designed to prepare users for the latest threats and vulnerabilities, making it a valuable resource for anyone looking to start or advance their cybersecurity career.