Kirsten Bay
Why Enterprise Security Needs a New Focus

The WannaCry ransomware attack shows patching and perimeter defenses aren't enough. Enterprises should combine preventative measures with threat detection tactics.

WannaCry appeared to be the catastrophic global cybersecurity breach we've long been expecting, but despite the damage caused, the full possible magnitude of the threat was never realized.

True, the ransomware worm infected 200,000 computers in over 150 countries — causing issues for organizations as diverse as FedEx, the UK's National Health Service, and Russia's interior ministry — but it could have been so much worse without the almost accidental triggering of the kill switch.

The most disturbing aspect of WannaCry was the speed with which it spread, and the failure that allowed this to happen was human and organizational in addition to technological. Despite Europol director Rob Wainwright's advice for enterprises to "patch before Monday," the rapid proliferation of the ransomware illustrates why patching — and any solution that focuses on defending network perimeters — isn't enough to combat the threat from cybercriminals.

Why are patching and perimeter defenses no longer enough, and how should enterprises refocus their approach to prevent future attacks from spreading so quickly?

Patching: Mission Impossible
In the wake of WannaCry, many wondered why so many organizations failed to update systems with the MS17-010 patch, which was released by Microsoft two months before the attack to resolve vulnerabilities exploited by the attackers. While maintaining patch cycles is a well-acknowledged element of basic network hygiene, any CISO responsible for vast and highly complex environments knows keeping up to date with a seemingly endless stream of patches is easier said than done.

Attempts have long been made to streamline patching, with CISOs instituting auto-patching standard operating practices on their workstations, and Microsoft introduced "Patch Tuesday" to provide regularity. In reality, however, updates are frequently released outside of the standard cycle. With enterprise environments encompassing an ever-growing ecosystem of vendors, installing updates in a timely manner is problematic, especially when patches are delayed, as with Microsoft's February updates.

Patches can also cause glitches. MS16-072, released last year, created problems with user group policies and had the unfortunate impact of hiding application shortcuts and network printers. The "Recall Thursday" phenomenon, where Microsoft fell into a pattern of withdrawing patches as soon as they were released, encourages CISOs to wait until issues are ironed out before making updates, or only install patches they view as essential. With the rise of all-or-nothing updates, CISOs often choose not to patch in order to minimize business disruption.

No matter how rigorous enterprises are about software updates, machines can always slip through the net, perhaps because they sit low in the stack or aren't seen as business critical. In many organizations, outdated but functional systems operate behind the scenes. A recent study indicates 6% of companies have more than half of their computers running on out-of-date operating systems, while 24% have over half running out-of-date browsers. It was precisely these types of systems the WannaCry ransomware was designed to target.

Edgeless Networks: Mission Creep
In addition to software updates, CISOs have another, even more challenging ticket to deal with. As IT departments spread their remit from desks and traditional office equipment to bring-your-own-device, mobile, and Internet of Things technologies, CISOs have been subject to an element of mission creep.

We now operate in a world of edgeless networks, where as many employees work outside of the firewall — on laptops, tablets, and smartphones — as within it. Even though over 60% use two or more mobile devices for work, less than 30% of these have security functionality installed, providing countless points where cybercriminals can ride traffic into the network.

Focus Shift from Prevention to Detection
The rise in edgeless networks has made fully protecting network perimeters virtually impossible, and segmenting networks can only limit the spread of attacks rather than stopping them altogether. Enterprises must take a multilayered, defense-in-depth approach to cybersecurity. This includes shifting the focus away from prevention-based models, such as the Kill Chain, that were designed to keep attackers out of a network but are limited in the post-compromise phase of a breach.

With 90% of US businesses hacked in the last year, and 97% of UK businesses suffering data breaches in the last five years, the question is no longer whether enterprises are vulnerable, but where they may have fallen victim already. Rather than focusing all of their attention on trying to keep attackers out of ever-more-vulnerable networks, enterprises should combine preventative measures with threat detection tactics. One can recognize the individual components that make up a cyber attack by understanding the adversary and identifying indicators of compromise.
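As an added illustration of what "detection" means in practice for a worm like WannaCry (this is example code written for this page, not anything from the author or her company), the script below scans flow or firewall records for the propagation signature the article describes: one internal host opening SMB (TCP/445) sessions to many distinct peers within a short window. The log format, the 60-second window and the threshold of 10 targets are assumptions; the sample records are constructed inline.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample flow log, one record per line: "<ISO timestamp> <src> <dst> <dport> <action>".
def build_sample_log():
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # 10.1.2.15 opens SMB to 12 distinct hosts in 22 seconds: a propagation pattern.
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 10.1.2.15 10.1.3.{i + 1} 445 allow")
    # 10.1.2.40 keeps talking to the same two file servers: benign SMB traffic.
    for i in range(12):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 10.1.2.40 10.1.9.{(i % 2) + 1} 445 allow")
    # 10.1.2.50 browses HTTPS; not SMB, so the detector ignores it.
    lines.append(f"{base.isoformat()} 10.1.2.50 203.0.113.10 443 allow")
    return "\n".join(lines)


def parse_record(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def smb_fanout_alerts(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak distinct SMB targets} for every source that reaches
    `threshold` distinct destinations on TCP/445 inside any sliding `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_record(line)
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Advance the window start until the span covers at most `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in recs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, n in smb_fanout_alerts(build_sample_log()).items():
        print(f"ALERT {src}: {n} distinct SMB targets within 60s")
```

Tune the window and threshold against a baseline of your own environment's normal SMB fan-out before acting on alerts; a backup server or vulnerability scanner will legitimately exceed a naive threshold.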

WannaCry shows it's not just machines that need updating, but, rather, the entire approach to enterprise security requires a rethink. In a world where increasing complexity and edgeless networks invalidate perimeter-based protection and make updating individual devices unrealistic, enterprises must shift their focus toward a detection-first approach, combining threat detection with prevention in a multilayered strategy.

As President and CEO of security firm Cyber adAPT, Kirsten Bay leverages more than 25 years of experience of risk intelligence, information management, and policy expertise. Her career has seen her sit on a US congressional committee; assist in developing policies for the ...

User Rank: Ninja
7/2/2017 | 11:32:14 AM
Re: Kick Microsoft off your network
"Kick MSFT Out"

that's not a workable response: much software that is essential to its users depends on the MSFT API

still, it's important to think about this problem:

What has happened: a non-secure o/s has been placed into massive use in a network environment in which messages are generally not authenticated, and message formats that carry macros and scripts have been incorporated into general use in this non-secure environment

if you wanted to design a system to facilitate hacking you could not do a better job.

the response cannot be immediate termination of the offending components; rather the offending components need to be re-configured into a protected environment such that attack messages cannot get at them

this means moving all vulnerable o/s and apps into protected intranets that do not have open-net access. this will create some additional difficulty as it will block essential communication. to correct this it will be necessary to build and deploy some heavy-duty filters that can require PGP signatures on all inbound messages.

this would be a start

it will need refinement; most likely quarantine of messages of a questionable nature.
User Rank: Ninja
6/30/2017 | 4:59:57 PM
Re: Kick Microsoft off your network
True, Anthem got hit big in $$. I suspect their compromise points more to not conforming to "Security 101" best practices, however, than it does their end-user architecture. Again, no lover of Windows here, but I know how these big Corps love to hold on to the familiar. Looking deeper, however, Anthem uses *NIX on the backend (Red Hat Enterprise Linux, AIX and Solaris, I believe) and are also utilizing IBM cloud. They have a lot of Java-based code so they could well arm developers with Ubuntu systems using Eclipse for development. One could argue Anthem could well move off Windows for their end-users since I find it hard to believe their Windows-based web servers couldn't be migrated to *NIX unless they are stuck on some IIS/.NET dependent apps (which I've seen ported to .NET Core).

Anyway, yeah, with hits that huge you could definitely start putting together presentations to future clients that highlight how detrimental using Windows in your environment could really be :-) But let's also not forget the "Security 101" best practices, too. I mean, if I keep throwing you a gun with no safety, I have to expect you to shoot yourself in the foot at least once...
User Rank: Strategist
6/30/2017 | 4:45:04 PM
Re: Kick Microsoft off your network
Well, Anthem spent nearly a half billion dollars because someone clicked a phishing email.
User Rank: Ninja
6/30/2017 | 4:42:19 PM
Re: Kick Microsoft off your network
As a *NIX nerd, you're not going to hear an argument here. But if you're planning out IT at a new company, you'll have to be prepared to show data that demonstrates savings using FOSS in place of a Windows-based desktop ecosystem. That is, weigh the cost of assumed eventual exploits on company Windows computers (cost being security staff, RCA effort and change implementation) against the cost of FOSS internal support, training end users, etc. I could flesh out a FOSS-based IT solution for most companies, but then I'd need to assure the stakeholders that we have interoperability with vendors, etc. as well as a platform (Ubuntu, for instance) that is easy to use and can supply all the needs of the company. I think that's the major hurdle right there.
User Rank: Strategist
6/30/2017 | 3:04:42 PM
Kick Microsoft off your network
The fundamental "new focus" needed by enterprise security is to recognize the perimeter is failing because of Windows problems. The fact is that we have seen for months (and more) that Windows is attacked more often and more successfully. The terrible attacks of recent weeks show this. And what's more, a compromised Windows computer is an attack vector for the rest of your network.

Windows has a permission configuration that makes a successful phishing attack much more dangerous than it is on other platforms. Under Windows, many pieces of malware of more types can more aggressively attack within your firewall than you would find on other systems.

There are very few applications left that actually need Windows.  Are they worth the information security risk?
User Rank: Ninja
6/30/2017 | 10:34:45 AM
Re: Band-aids and Whac-a-Mole
Totally agree. PGP and encryption in general should be a requirement in every workplace and yet only us developers and InfoSec pros seem to use it by default. When you encrypt/decrypt, sign and md5sum (oops, dated myself) all day long you begin to wonder what everyone else is complaining about. Viruses? Worms? Really? Why aren't you encrypting, signing and verifying? What do you mean "What is PGP?"

I try to educate as much as I can but we do need to see what we have taken for granted for decades in the *NIX environment and as FOSS developers brought to everyone in a digestible way. The way average users fire up Windows and Word without thinking is how integrated encryption should be accessed as well. No need to think about it, still reaping the benefits: ease of use.
User Rank: Ninja
6/30/2017 | 7:38:30 AM
Band-aids and Whac-a-Mole
it's no use to keep putting band-aids on this mess. it's like playing Whac-a-Mole: it goes on-and-on and you can't win.

a lot of critical software today runs on a very insecure o/s. on a short term/immediate basis these vulnerable o/s systems should be positioned in protected intranets such that they do not have open-net access.

some heavy-duty filter systems will need to be developed to control data that is passed from one intranet to another.

it would be best to prohibit executable documents.

any document that contains scripts or macros should be regarded as an executable program -- just as dangerous as a binary .exe file

Computer Hackers leverage a general lack of authentication in order to impersonate legitimate traffic. This, combined with the use of insecure operating software -- is a recipe for disaster -- and -- you have an on-going disaster on your hands.

the means of stopping this has been available since Zimmermann released PGP back in the 90s

Authentication should be incorporated into the filterboxes for all message traffic.

fussing over biometrics, 2FA, A/V, and bad passwords ain't gonna get you noplace.