CISO advice - building a comprehensive secrets management program
Jason Haddix, CISO of BuddoBot and former CISO/Head of Security at Ubisoft, emphasizes the importance of a comprehensive secrets management program and shares his four-step plan for detection, prevention, response, and education.
I promise this is not like a plug for you guys because you work at a company that deals with secrets, but one thing I learned through Lapsus$ is how important a secrets management program is. It's one of those things, like I said, I learned a lot from that breach, and I feel like a lot of people are only addressing certain parts of a comprehensive secrets management program. So what I would say, if you're an organization and you want to avoid the Lapsus$-style attackers and how they pivot, because I only told the external-to-internal story, there's a whole other story about what they did when they got into the network, which involves a lot of secrets management components.

The way I've broken down secrets management programs now, when I build them at places and consult for my other CISO friends, is in four phases, and if you're a security practitioner or a leader or whatever, I would suggest trying to emulate this, because it's been passed to the 40 CISOs, I'd say, that I talk to. In a secrets management strategy it's not just about detecting and preventing; there are four areas, detect, prevent, respond, and educate, inside of a comprehensive secrets management program.

The first area is detect. At this moment in time, in all of your repos and all of your Slack and all of your documentation places, you're bound to have hard-coded secrets. No company is immune from it; it happens everywhere. So you have to find a technology that can detect where they latently are right now. For us we used a couple of tools; I know that GitGuardian does stuff like that. You have to have a detection mechanism, and you have to build it in. We built it into our red team: our red team's mandate is to help us scan for secrets everywhere. Then we built it into our build pipelines, and we used regex for custom secrets too that were only ours, because a lot of the tools out there today have regex for certain types of secrets, certificates, usernames and passwords, API keys, but we had some custom stuff too that we had to build ourselves. So that's part of the detect branch.

Then there's prevent. You want detect to stop the bleeding, kind of, and prevent is to help you build for the future. Really, we found the most efficient thing is pre-commit hooks, pre-commit hooks in the development life cycle, to stop developers from committing secrets anymore, and in your pre-commit hook applying a pop-up, either a command-line warning or a web pop-up if you're using the web components, that basically says, hey, our preferred method of storing secrets is this. We went with Vault, and that's in the respond category: you've got to give them some way to do it correctly. You can't just block them from doing it if you don't give them a correct way to do it. So we went with Vault, and then our level up on top of having a great policy for vaulting secrets was also rotating them automatically with the vaulting technology. So that's in our respond branch.

Then the last is educate. We had to go on a tear about educating all developers and employees on not sharing secrets verbatim in chat channels, in documents, and anywhere. We built a custom platform to share user-based secrets, we educated people on password management and corporate password managers, and those are like the four areas that we had to build a comprehensive program around.

It's going to become... it's not on that CISO mind map right now, the one I talked about earlier, but it's a big, big thing that's coming down the pipe that people are not addressing, and they need to address it, because when you get breached, a lot of times the TTPs of the attackers, especially ones like Lapsus$, are to move around your network silently and not trip any of your EDR or any of your internal controls. They are literally just collecting documentation and credentials until they feel like they have enough that they can then break so fast that your SOC can't even detect them or do anything with the many accounts they've gathered before they achieve their objective, and it's just not possible to do that. So the vaccine, kind of, is having the secrets management program, so they can't pivot and your other tools have a better chance of detecting them. They have to resort to different things like installing software and stuff like that, and you can catch them doing that with EDR and NIPS and stuff like that. So that was one of the things I learned at Ubisoft. We built that program, it was very successful, and people that I used to work with are still there using that program today. So there's also...

We couldn't have paid for a better...

I know, I know, I was thinking about it, I'm like, people are going to think that they paid me. No, no, this is absolutely sound, sound CISO advice. I just... if people are out there and want to know where you should invest in your program, that's an area you should invest in.
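As an added example, not code from the talk, from GitGuardian, or from Ubisoft: a minimal pre-commit secret scanner that combines the detect and prevent steps described above. It carries built-in regexes for the common secret types mentioned (keys, passwords, certificates), one organization-specific custom pattern, and a block message that points the developer to the vault as the preferred method instead of just refusing the commit. The `acme_tok_` token prefix, the sample configuration file, the allow-list marker and the wiki URL placeholder are all constructed for illustration.

```python
"""Pre-commit secret scanner (illustrative example; not a vendor tool).

Saved as .git/hooks/pre-commit and marked executable, it scans staged files
and refuses the commit when a probable secret is found. scan_text() is the
reusable core and can equally be called from a CI pipeline job.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Built-in patterns for common secret types. They are deliberately narrow
# (prefix + length + quoting) to keep false positives low in a blocking hook.
BUILTIN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret[_-]?key)\s*[=:]\s*['\"][A-Za-z0-9_\-]{20,}['\"]"),
}

# Custom patterns for an organization's own token formats, the "custom
# secrets" the talk mentions. The "acme_tok_" prefix is a hypothetical
# placeholder, not a real vendor format.
CUSTOM_PATTERNS = {
    "acme_internal_token": re.compile(r"\bacme_tok_[A-Za-z0-9]{32}\b"),
}

# Constructed opt-out marker for test fixtures and documented dummy values.
ALLOWLIST_MARKER = "# secrets-scan: allow"


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str


def scan_text(path, text, patterns=None):
    """Return one Finding per (line, rule) hit; allow-listed lines are skipped."""
    patterns = patterns or {**BUILTIN_PATTERNS, **CUSTOM_PATTERNS}
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for rule, rx in patterns.items():
            if rx.search(line):
                findings.append(Finding(path, line_no, rule))
    return findings


def staged_files():
    """Paths of files staged for commit (added/copied/modified only)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def guidance_message(findings):
    """The 'hey, our preferred method is this' message shown on a block."""
    lines = ["Commit blocked: possible hard-coded secrets found."]
    for f in findings:
        lines.append(f"  {f.path}:{f.line_no}  ({f.rule})")
    lines.append("Preferred method: store the value in Vault and read it at "
                 "runtime; see <INTERNAL-WIKI-URL-PLACEHOLDER>.")
    return "\n".join(lines)


# Constructed sample file contents, used to demonstrate the scanner offline.
SAMPLE_CONFIG = """# constructed sample, not a real configuration file
db_host = "db.internal"
password = "correct-horse-battery"
api_key = "not-real-ABCDEFGHIJKLMNOPQRSTUV"
token = "acme_tok_0123456789abcdef0123456789abcdef"
aws_key = "AKIAIOSFODNN7EXAMPLE"  # secrets-scan: allow
"""


def main():
    findings = []
    for path in staged_files():
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(path, fh.read()))
        except OSError:
            continue  # deleted or unreadable paths are not our concern here
    if findings:
        print(guidance_message(findings), file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running `scan_text("config.py", SAMPLE_CONFIG)` reports the password, the generic API key and the custom token, while the AWS key on the allow-listed line is skipped; the block message names the vault rather than only saying no, which is the respond half the talk insists on.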