I feel like I’m channeling my inner Sy Sperling when I say, “Not only do I work at Nudge Security, but I’m also a client”...but it’s true. I feel like I would’ve found my way back working with this group of fine folks at some point regardless, but my experience using early versions of this product absolutely influenced my decision to join the team and help shape the future of the product.
Before I get into my experience using Nudge Security, I’ll explain a bit about why I’m here talking to you. My background is somewhat varied, but has always centered around security and IT, either in direct operational roles or working for security/IT vendors as an expert on the use of their products. Regardless of the position itself, my goal has always been to help solve real security problems.
One of my more recent gigs was on the user side, building and maintaining a security operations center for a very large, very active environment that had, in recent history, experienced some growing pains with their security presence. (Not talking trash, by the way—they were experiencing some very normal, non-exotic, almost predictable challenges caused by evolution in the organization.) This resulted in some gaps in their security stack, and that’s where I came in to try and help out.
One of the challenges was—you guessed it—SaaS application sprawl gone awry. Due to several changes over the years, many acquisitions of new teams, and little to no enforcement on standardization, I discovered a veritable “wild west” as far as what applications were in use. There were many instances of several different cloud providers, multiple chat apps used by various groups, several different ways to store and access files, and even several instances of apps and their direct knockoffs being used actively by multiple teams. To their credit, getting a new application added to the mix required a comically complex approval process, but once you were in, you were in.
All of this varied SaaS application sprawl presented valid and pressing security issues, but the problems surrounding the unknown cloud infrastructure use were the most daunting to my team. Our main concern was that there was no centralized management of the infrastructure, no real policy for using what was currently out there, and many teams had zero restrictions on the types of instances that could be created. We needed to get a handle on every cloud account in use before we could begin to start drafting policies on who could create what.
To stop the bleeding, I asked the finance department to get my approval on any new invoices from cloud providers, but I still had a mess on my hands with the current “estate” of cloud assets. Because there was no single source for asset management, the only way to ascertain what cloud infrastructure was currently in my purview was to create a spreadsheet with all of the accounts I knew of and, to find the rest, interview the teams individually. This process was grueling, inefficient, and we didn’t find anywhere close to a comprehensive inventory of cloud assets.
As if my thoughts were bugged, my good friend Russ reached out to catch up and let me know of a project that he was working on—a solution to help identify and help manage SaaS sprawl. He said that, without agents, without API integrations, and without any custom scripting, his product could identify every single application in use in an environment. Now, I know Russ (and his co-founder, Jaime) very well, and I know what they are capable of—but I was absolutely skeptical of this claim. However, within a few hours of granting access to our mail client, Nudge Security had discovered every app and cloud account in use in our environment.
Regarding the cloud architecture, one of the biggest challenges was that, even when I could glean the account number from an alert generated by our endpoint security solution, I had no idea who the account belonged to and, therefore, nobody to contact about merging accounts or even terminating instances. Meanwhile, Nudge Security provided me with not only every account used to create cloud architecture under this company’s name, but also the account owner, so that we could discuss bringing them “into the fold”. I could also see other granular details, like the domains served out of these various accounts as well as billing amounts, which helped me prioritize my efforts and better understand our external attack surface across the accounts.
Once I made it to the other side of that challenge, I began to look at the aggregate application usage across the environment. With the data Nudge Security provided, most notably the first user and associated accounts, it was very easy to identify who all was using (or had ever used) what. From there, it was just a matter of classifying our applications (which ones were sanctioned for use, which were prohibited, and investigating the unknowns) and then nudging users to correct the behavior. With this comprehensive (and dynamically updated) list of all applications in use, plus automated workflows to engage our users on the security team’s behalf, our workload was cut significantly. Nudge not only reduced the time it took to mitigate the initial application sprawl and shadow IT issues, but also the time required to keep this level of awareness current. This allowed us to expand our security presence and purview without adding headcount.
When I eventually left the organization, I had confidence knowing that the team I was leaving was well-equipped to continue the task of managing cloud-delivered application usage and cutting down on shadow IT and SaaS sprawl.
Later, when I was approached by Russ and Jaime, the co-founders at Nudge, and asked to head up product management, joining many old friends and colleagues to take the product to the next level, the decision was easy. Not only am I unbelievably excited to work with such a high-speed team of wizards once again, I am a true believer in the efficacy, results, and value of what the solution provides.
Looking at the attack landscape, we’re continuing to see an exponential rise in malicious activity that will quickly (if it hasn’t already) outpace the development of security talent. We feel that the answer is in automation of historically manual tasks, as well as truly partnering with employees in order to shape their behavior into a more security-conscious approach to application management.
As head of product management at Nudge Security, I’m continuing my insatiable quest to solve these real, pressing problems for my peers in the security community and build the products that continue to accelerate our ability to defend against modern threats. I can’t imagine a better group of folks to team up with, and I’m thrilled to take these big challenges on together.
Please reach out at any time if you have any questions about what we’re doing at Nudge or if you just want to chat about or security. Email me or find me on LinkedIn.