Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/9/2017
10:30 AM
Amit Yoran
Amit Yoran
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

Securing Today’s 'Elastic Attack Surface'

The foundation of good cybersecurity is knowing your network. But as organizations embrace new technologies, that simple task has gotten incredibly difficult.

Security pros today feel overwhelmed by the current cyberthreat environment and the deluge of security solutions on the market. Given the rapid adoption of cloud, BYOD, IoT and DevOps, many lack confidence in their ability to accurately assess exposure and risk. What the world needs is a modern approach to understanding threats and exposures across the entire enterprise, based on visibility and driving understanding. I call that the "elastic attack surface."

Dynamic and borderless
The modern enterprise environment is dynamic and borderless with virtually unlimited connectivity. Employees bring personal devices to work, contractors use their tools on the corporate network, IoT devices and infrastructure abound, people connect to new cloud instances daily, IT teams spin up containers and manage on-site and legacy architectures. The result is an elastic attack surface, and it is constantly changing in consequential ways, creating gaps in security coverage and creating exposure.

There are six major components of today’s elastic attack surface:

1. Traditional assets: The tried and true assets within the corporate enterprise - such as servers and desktops - still exist but with a dynamic interconnectedness within the environment that results in an abundance of software changes and updates.

2. Cloud instances: Between commercial offerings and organizations’ own software, the idea of a traditional network perimeter is gone forever. Most enterprises are connected to dozens of off-site server environments, making it harder to accurately assess exposure and risk.

3. Mobile/BYOD: It is now expected that employees, contractors, partners and others have access to your network when they bring their personal devices to work. Laptops, tablets, smartphones, wearables, and other devices demand connectivity, and even help employees do their jobs more efficiently.

4. IoT devices: Devices such as consumer appliances, conference room utilities, cars parked in office lots, green-building technologies, and physical security systems are all connected to your network. These devices are growing in popularity and add scale and complexity to the corporate network.

5. DevOps/Containers: As organizations adopt DevOps practices to deliver applications and services faster, ownership of IT assets changes and security teams must work directly with developers. The shift in how we build software and the use of short-lived assets, like containers, help organizations increase agility, but they also create significant new exposure along the way.

6. Web applications: Vulnerabilities have become more common in self-supported code like web applications as enterprises look for new and innovative ways to improve business operations. Delivering custom applications to employees, customers, and partners can increase revenue, strengthen customer relationships, and improve efficiency, but it also forces the organization to take responsibility for finding flaws in its own code.

Securing Elastic IT
Security teams who want to see and protect the assets in their elastic attack surface need a modern approach to understanding their asset base, an approach that gives them visibility into what exists and how it is exposed, and insight to address the risks that matters most. Without this modern approach, businesses will never be able to answer the two most fundamental questions in security: How exposed am I? And what can I do today to reduce risk?

The process starts with a deep knowledge of all of your systems and their exposures. This knowledge is critical for security teams that are trying to stay ahead of evolving threats.

Next, organizations need to understand how each of these assets maps to the business, and which ones are most critical. Security is not an island. Smart CISOs must understand how their decisions affect the overall mission of the organizations, and adjust their plans accordingly.

This in-depth understanding of the environment is the foundation on which you can prioritize improvements to security hygiene and develop a security program based on risk. The basic blocking and tackling of security might not be sexy or flashy, but at a time when more than 85% of all successful data breaches are the result of an attacker exploiting a known, unpatched vulnerability, it is critical to your security program and mission success.

Related Content:

Amit Yoran is chairman and CEO of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
3/15/2017 | 2:26:27 PM
What about the human factor as a threat vector?
This list, though very comprehensive, is missing the main attack vector of today cyber reality: us.  We are the link to what is coveted in many of the cyberattacks today: sensistive data. Whether in structured systems - where the assets inventory and risk classification discussed in this article can help- or as unstructured data which resides in files, emails and cloud file share apps. This is why identity management is one of the fastest growing security category and why behavioral analytics will start picking up as a detection tool for cyber attacks.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27235
PUBLISHED: 2021-04-13
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the description parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2020-27236
PUBLISHED: 2021-04-13
An exploitable SQL injection vulnerability exists in ‘getAssets.jsp’ page of OpenClinic GA 5.173.3 in the compnomenclature parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2020-13566
PUBLISHED: 2021-04-13
SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability In admin/edit_group.php, when the POST parameter action is “Delete�, the POST ...
CVE-2020-13568
PUBLISHED: 2021-04-13
SQL injection vulnerability exists in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability in admin/edit_group.php, when the POST parameter action is “Submit�, the POST p...
CVE-2020-27227
PUBLISHED: 2021-04-13
An exploitable unatuhenticated command injection exists in the OpenClinic GA 5.173.3. Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web request with parameters containing specific parameter to trigger this vulnerability, potentially allowing e...