Security@ 2018: Sumo Logic’s CSO On Transparency and Using Hacker-Powered Pen Tests for Better Security and Complete Compliance
George Gerchow isn’t afraid to tell it like it is. As the CSO of Sumo Logic, he’s responsible for securing their cloud-native, machine data analytics platform at a level that builds unbreakable trust with their more than 1,600 global customers. The “global” part of that descriptor also means Gerchow has to be hyper-aware of the constantly changing laws and regulations related to cybersecurity and privacy, not the least of which is GDPR.
Those two things, security and privacy, are rapidly merging into a single domain, which also brings more pressure and more focus on the role of the CSO. It’s not an easy job, but it’s one that Gerchow approaches with vigor and a realization that a security apparatus must change with the times.
At Security@ 2018, held in San Francisco in late October, Gerchow took the stage to share how Sumo Logic works with HackerOne to take a decidedly modern approach to security, using bug bounties as a tool in the arsenal and transparency as the common thread. Transparency, according to Gerchow, means that organizations must admit not only that bugs will always exist, but also that the best way to reduce vulnerabilities is to share learnings and best practices with the broader community.
Sumo Logic definitely walks the walk with Gerchow as their security lead. He listed off the security “firsts” achieved by Sumo Logic in their push to shore up their security, as well as the rigor they’ve had to apply to security to maintain the certifications critical to their organization and customers, like PCI DSS, HIPAA-HITECH, CSA STAR, ISO 27001, and others.
While getting those certifications the first time was tough, Gerchow explained that continuing to achieve them year after year takes diligence. Pen testing, a staple of compliance certifications, had long been an area of concern for Sumo Logic, according to Gerchow. Just like everyone else, he ran pen tests to check “a compliance checkbox”, but they didn’t really offer anything else. What’s more, “they never really found anything,” he said, and that was the problem.
“We wanted people to break (things),” Gerchow added. “We want someone to come in and show us where we could be better.”
So Gerchow put hackers and pen tests together, using hacker-powered testing to improve his pen tests and working with their auditor to satisfy their robust compliance requirements. He turned to HackerOne, running multiple hacker-powered penetration tests, or HackerOne Challenges. Challenges differ from standard pen tests in that crowdsourcing brings more security professionals to the test, and with them more diverse skills, giving you more eyes to find more vulnerabilities for the price.
In doing so, Gerchow built a modern bug bounty program that takes a DevSecOps approach. The goal is to foster a collaborative community for developers, third-party auditors, and hackers to interact and share information, create transparency, and use compliance as yet another way to strengthen Sumo Logic’s security posture. It now means that hacker-powered pen tests are more than just a checkbox.
The results speak for themselves as the Challenges run by Gerchow and team uncovered multiple high and critical impact bugs. “This is value that we never got from a pen test,” he added. “Traditional pen tests are not enough for modern day security.”
Gerchow brought it all back to transparency. He encouraged continued sharing between highly regulated industries like finance, government, and healthcare, and pointed to how they are all starting to take advantage of hacker-powered security in more public ways. It’s a radical shift from the “bury your head in the sand” approach to security of years past, as he put it, but someone has to take the lead.
For now, that vocal leader and proponent of transparency is Gerchow. But he likes the challenge, and he’s looking for more.
Stay tuned for all the Security@ sessions to be posted in their entirety, including Gerchow’s talk. To learn more about HackerOne Challenge and how it can be leveraged in your organization for better security and compliance, contact us today.