Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/9/2017
10:30 AM
Amit Yoran
Amit Yoran
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Securing Todays 'Elastic Attack Surface'

The foundation of good cybersecurity is knowing your network. But as organizations embrace new technologies, that simple task has gotten incredibly difficult.

Security pros today feel overwhelmed by the current cyberthreat environment and the deluge of security solutions on the market. Given the rapid adoption of cloud, BYOD, IoT and DevOps, many lack confidence in their ability to accurately assess exposure and risk. What the world needs is a modern approach to understanding threats and exposures across the entire enterprise, based on visibility and driving understanding. I call that the "elastic attack surface."

Dynamic and borderless
The modern enterprise environment is dynamic and borderless with virtually unlimited connectivity. Employees bring personal devices to work, contractors use their tools on the corporate network, IoT devices and infrastructure abound, people connect to new cloud instances daily, IT teams spin up containers and manage on-site and legacy architectures. The result is an elastic attack surface, and it is constantly changing in consequential ways, creating gaps in security coverage and creating exposure.

There are six major components of today’s elastic attack surface:

1. Traditional assets: The tried and true assets within the corporate enterprise - such as servers and desktops - still exist but with a dynamic interconnectedness within the environment that results in an abundance of software changes and updates.

2. Cloud instances: Between commercial offerings and organizations’ own software, the idea of a traditional network perimeter is gone forever. Most enterprises are connected to dozens of off-site server environments, making it harder to accurately assess exposure and risk.

3. Mobile/BYOD: It is now expected that employees, contractors, partners and others have access to your network when they bring their personal devices to work. Laptops, tablets, smartphones, wearables, and other devices demand connectivity, and even help employees do their jobs more efficiently.

4. IoT devices: Devices such as consumer appliances, conference room utilities, cars parked in office lots, green-building technologies, and physical security systems are all connected to your network. These devices are growing in popularity and add scale and complexity to the corporate network.

5. DevOps/Containers: As organizations adopt DevOps practices to deliver applications and services faster, ownership of IT assets changes and security teams must work directly with developers. The shift in how we build software and the use of short-lived assets, like containers, help organizations increase agility, but they also create significant new exposure along the way.

6. Web applications: Vulnerabilities have become more common in self-supported code like web applications as enterprises look for new and innovative ways to improve business operations. Delivering custom applications to employees, customers, and partners can increase revenue, strengthen customer relationships, and improve efficiency, but it also forces the organization to take responsibility for finding flaws in its own code.

Securing Elastic IT
Security teams who want to see and protect the assets in their elastic attack surface need a modern approach to understanding their asset base, an approach that gives them visibility into what exists and how it is exposed, and insight to address the risks that matters most. Without this modern approach, businesses will never be able to answer the two most fundamental questions in security: How exposed am I? And what can I do today to reduce risk?

The process starts with a deep knowledge of all of your systems and their exposures. This knowledge is critical for security teams that are trying to stay ahead of evolving threats.

Next, organizations need to understand how each of these assets maps to the business, and which ones are most critical. Security is not an island. Smart CISOs must understand how their decisions affect the overall mission of the organizations, and adjust their plans accordingly.

This in-depth understanding of the environment is the foundation on which you can prioritize improvements to security hygiene and develop a security program based on risk. The basic blocking and tackling of security might not be sexy or flashy, but at a time when more than 85% of all successful data breaches are the result of an attacker exploiting a known, unpatched vulnerability, it is critical to your security program and mission success.

Related Content:

Amit Yoran is chairman and CEO of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
3/15/2017 | 2:26:27 PM
What about the human factor as a threat vector?
This list, though very comprehensive, is missing the main attack vector of today cyber reality: us.  We are the link to what is coveted in many of the cyberattacks today: sensistive data. Whether in structured systems - where the assets inventory and risk classification discussed in this article can help- or as unstructured data which resides in files, emails and cloud file share apps. This is why identity management is one of the fastest growing security category and why behavioral analytics will start picking up as a detection tool for cyber attacks.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.
CVE-2019-12830
PUBLISHED: 2019-06-15
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.