Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/9/2017
10:30 AM
Amit Yoran
Amit Yoran
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Securing Todays 'Elastic Attack Surface'

The foundation of good cybersecurity is knowing your network. But as organizations embrace new technologies, that simple task has gotten incredibly difficult.

Security pros today feel overwhelmed by the current cyberthreat environment and the deluge of security solutions on the market. Given the rapid adoption of cloud, BYOD, IoT and DevOps, many lack confidence in their ability to accurately assess exposure and risk. What the world needs is a modern approach to understanding threats and exposures across the entire enterprise, based on visibility and driving understanding. I call that the "elastic attack surface."

Dynamic and borderless
The modern enterprise environment is dynamic and borderless with virtually unlimited connectivity. Employees bring personal devices to work, contractors use their tools on the corporate network, IoT devices and infrastructure abound, people connect to new cloud instances daily, IT teams spin up containers and manage on-site and legacy architectures. The result is an elastic attack surface, and it is constantly changing in consequential ways, creating gaps in security coverage and creating exposure.

There are six major components of today’s elastic attack surface:

1. Traditional assets: The tried and true assets within the corporate enterprise - such as servers and desktops - still exist but with a dynamic interconnectedness within the environment that results in an abundance of software changes and updates.

2. Cloud instances: Between commercial offerings and organizations’ own software, the idea of a traditional network perimeter is gone forever. Most enterprises are connected to dozens of off-site server environments, making it harder to accurately assess exposure and risk.

3. Mobile/BYOD: It is now expected that employees, contractors, partners and others have access to your network when they bring their personal devices to work. Laptops, tablets, smartphones, wearables, and other devices demand connectivity, and even help employees do their jobs more efficiently.

4. IoT devices: Devices such as consumer appliances, conference room utilities, cars parked in office lots, green-building technologies, and physical security systems are all connected to your network. These devices are growing in popularity and add scale and complexity to the corporate network.

5. DevOps/Containers: As organizations adopt DevOps practices to deliver applications and services faster, ownership of IT assets changes and security teams must work directly with developers. The shift in how we build software and the use of short-lived assets, like containers, help organizations increase agility, but they also create significant new exposure along the way.

6. Web applications: Vulnerabilities have become more common in self-supported code like web applications as enterprises look for new and innovative ways to improve business operations. Delivering custom applications to employees, customers, and partners can increase revenue, strengthen customer relationships, and improve efficiency, but it also forces the organization to take responsibility for finding flaws in its own code.

Securing Elastic IT
Security teams who want to see and protect the assets in their elastic attack surface need a modern approach to understanding their asset base, an approach that gives them visibility into what exists and how it is exposed, and insight to address the risks that matters most. Without this modern approach, businesses will never be able to answer the two most fundamental questions in security: How exposed am I? And what can I do today to reduce risk?

The process starts with a deep knowledge of all of your systems and their exposures. This knowledge is critical for security teams that are trying to stay ahead of evolving threats.

Next, organizations need to understand how each of these assets maps to the business, and which ones are most critical. Security is not an island. Smart CISOs must understand how their decisions affect the overall mission of the organizations, and adjust their plans accordingly.

This in-depth understanding of the environment is the foundation on which you can prioritize improvements to security hygiene and develop a security program based on risk. The basic blocking and tackling of security might not be sexy or flashy, but at a time when more than 85% of all successful data breaches are the result of an attacker exploiting a known, unpatched vulnerability, it is critical to your security program and mission success.

Related Content:

Amit Yoran is chairman and CEO of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
3/15/2017 | 2:26:27 PM
What about the human factor as a threat vector?
This list, though very comprehensive, is missing the main attack vector of today cyber reality: us.  We are the link to what is coveted in many of the cyberattacks today: sensistive data. Whether in structured systems - where the assets inventory and risk classification discussed in this article can help- or as unstructured data which resides in files, emails and cloud file share apps. This is why identity management is one of the fastest growing security category and why behavioral analytics will start picking up as a detection tool for cyber attacks.
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4147
PUBLISHED: 2019-09-16
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413.
CVE-2019-5481
PUBLISHED: 2019-09-16
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
CVE-2019-5482
PUBLISHED: 2019-09-16
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVE-2019-15741
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
CVE-2019-16370
PUBLISHED: 2019-09-16
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.