Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/9/2017
10:30 AM
Amit Yoran
Amit Yoran
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Securing Today’s 'Elastic Attack Surface'

The foundation of good cybersecurity is knowing your network. But as organizations embrace new technologies, that simple task has gotten incredibly difficult.

Security pros today feel overwhelmed by the current cyberthreat environment and the deluge of security solutions on the market. Given the rapid adoption of cloud, BYOD, IoT and DevOps, many lack confidence in their ability to accurately assess exposure and risk. What the world needs is a modern approach to understanding threats and exposures across the entire enterprise, based on visibility and driving understanding. I call that the "elastic attack surface."

Dynamic and borderless
The modern enterprise environment is dynamic and borderless with virtually unlimited connectivity. Employees bring personal devices to work, contractors use their tools on the corporate network, IoT devices and infrastructure abound, people connect to new cloud instances daily, IT teams spin up containers and manage on-site and legacy architectures. The result is an elastic attack surface, and it is constantly changing in consequential ways, creating gaps in security coverage and creating exposure.

There are six major components of today’s elastic attack surface:

1. Traditional assets: The tried and true assets within the corporate enterprise - such as servers and desktops - still exist but with a dynamic interconnectedness within the environment that results in an abundance of software changes and updates.

2. Cloud instances: Between commercial offerings and organizations’ own software, the idea of a traditional network perimeter is gone forever. Most enterprises are connected to dozens of off-site server environments, making it harder to accurately assess exposure and risk.

3. Mobile/BYOD: It is now expected that employees, contractors, partners and others have access to your network when they bring their personal devices to work. Laptops, tablets, smartphones, wearables, and other devices demand connectivity, and even help employees do their jobs more efficiently.

4. IoT devices: Devices such as consumer appliances, conference room utilities, cars parked in office lots, green-building technologies, and physical security systems are all connected to your network. These devices are growing in popularity and add scale and complexity to the corporate network.

5. DevOps/Containers: As organizations adopt DevOps practices to deliver applications and services faster, ownership of IT assets changes and security teams must work directly with developers. The shift in how we build software and the use of short-lived assets, like containers, help organizations increase agility, but they also create significant new exposure along the way.

6. Web applications: Vulnerabilities have become more common in self-supported code like web applications as enterprises look for new and innovative ways to improve business operations. Delivering custom applications to employees, customers, and partners can increase revenue, strengthen customer relationships, and improve efficiency, but it also forces the organization to take responsibility for finding flaws in its own code.

Securing Elastic IT
Security teams who want to see and protect the assets in their elastic attack surface need a modern approach to understanding their asset base, an approach that gives them visibility into what exists and how it is exposed, and insight to address the risks that matters most. Without this modern approach, businesses will never be able to answer the two most fundamental questions in security: How exposed am I? And what can I do today to reduce risk?

The process starts with a deep knowledge of all of your systems and their exposures. This knowledge is critical for security teams that are trying to stay ahead of evolving threats.

Next, organizations need to understand how each of these assets maps to the business, and which ones are most critical. Security is not an island. Smart CISOs must understand how their decisions affect the overall mission of the organizations, and adjust their plans accordingly.

This in-depth understanding of the environment is the foundation on which you can prioritize improvements to security hygiene and develop a security program based on risk. The basic blocking and tackling of security might not be sexy or flashy, but at a time when more than 85% of all successful data breaches are the result of an attacker exploiting a known, unpatched vulnerability, it is critical to your security program and mission success.

Related Content:

Amit Yoran is chairman and CEO of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
3/15/2017 | 2:26:27 PM
What about the human factor as a threat vector?
This list, though very comprehensive, is missing the main attack vector of today cyber reality: us.  We are the link to what is coveted in many of the cyberattacks today: sensistive data. Whether in structured systems - where the assets inventory and risk classification discussed in this article can help- or as unstructured data which resides in files, emails and cloud file share apps. This is why identity management is one of the fastest growing security category and why behavioral analytics will start picking up as a detection tool for cyber attacks.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14345
PUBLISHED: 2019-11-15
TemaTres 3.0 allows remote unprivileged users to create an administrator account
CVE-2019-14343
PUBLISHED: 2019-11-15
TemaTres 3.0 has stored XSS via the value parameter to the vocab/admin.php?vocabulario_id=list URI.
CVE-2019-14869
PUBLISHED: 2019-11-15
A flaw was found in all versions of ghostscript 9.x before 9.28, where the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could esc...
CVE-2019-18987
PUBLISHED: 2019-11-15
An issue was discovered in the AbuseFilter extension through 1.34 for MediaWiki. Once a specific abuse filter has (accidentally or otherwise) been made public, its previous versions can be exposed, thus potentially disclosing private or sensitive information within the filter's definition.
CVE-2019-18986
PUBLISHED: 2019-11-15
Pimcore before 6.2.2 allow attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users.