Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/9/2017
10:30 AM
Amit Yoran
Amit Yoran
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Securing Today’s 'Elastic Attack Surface'

The foundation of good cybersecurity is knowing your network. But as organizations embrace new technologies, that simple task has gotten incredibly difficult.

Security pros today feel overwhelmed by the current cyberthreat environment and the deluge of security solutions on the market. Given the rapid adoption of cloud, BYOD, IoT and DevOps, many lack confidence in their ability to accurately assess exposure and risk. What the world needs is a modern approach to understanding threats and exposures across the entire enterprise, based on visibility and driving understanding. I call that the "elastic attack surface."

Dynamic and borderless
The modern enterprise environment is dynamic and borderless with virtually unlimited connectivity. Employees bring personal devices to work, contractors use their tools on the corporate network, IoT devices and infrastructure abound, people connect to new cloud instances daily, IT teams spin up containers and manage on-site and legacy architectures. The result is an elastic attack surface, and it is constantly changing in consequential ways, creating gaps in security coverage and creating exposure.

There are six major components of today’s elastic attack surface:

1. Traditional assets: The tried and true assets within the corporate enterprise - such as servers and desktops - still exist but with a dynamic interconnectedness within the environment that results in an abundance of software changes and updates.

2. Cloud instances: Between commercial offerings and organizations’ own software, the idea of a traditional network perimeter is gone forever. Most enterprises are connected to dozens of off-site server environments, making it harder to accurately assess exposure and risk.

3. Mobile/BYOD: It is now expected that employees, contractors, partners and others have access to your network when they bring their personal devices to work. Laptops, tablets, smartphones, wearables, and other devices demand connectivity, and even help employees do their jobs more efficiently.

4. IoT devices: Devices such as consumer appliances, conference room utilities, cars parked in office lots, green-building technologies, and physical security systems are all connected to your network. These devices are growing in popularity and add scale and complexity to the corporate network.

5. DevOps/Containers: As organizations adopt DevOps practices to deliver applications and services faster, ownership of IT assets changes and security teams must work directly with developers. The shift in how we build software and the use of short-lived assets, like containers, help organizations increase agility, but they also create significant new exposure along the way.

6. Web applications: Vulnerabilities have become more common in self-supported code like web applications as enterprises look for new and innovative ways to improve business operations. Delivering custom applications to employees, customers, and partners can increase revenue, strengthen customer relationships, and improve efficiency, but it also forces the organization to take responsibility for finding flaws in its own code.

Securing Elastic IT
Security teams who want to see and protect the assets in their elastic attack surface need a modern approach to understanding their asset base, an approach that gives them visibility into what exists and how it is exposed, and insight to address the risks that matters most. Without this modern approach, businesses will never be able to answer the two most fundamental questions in security: How exposed am I? And what can I do today to reduce risk?

The process starts with a deep knowledge of all of your systems and their exposures. This knowledge is critical for security teams that are trying to stay ahead of evolving threats.

Next, organizations need to understand how each of these assets maps to the business, and which ones are most critical. Security is not an island. Smart CISOs must understand how their decisions affect the overall mission of the organizations, and adjust their plans accordingly.

This in-depth understanding of the environment is the foundation on which you can prioritize improvements to security hygiene and develop a security program based on risk. The basic blocking and tackling of security might not be sexy or flashy, but at a time when more than 85% of all successful data breaches are the result of an attacker exploiting a known, unpatched vulnerability, it is critical to your security program and mission success.

Related Content:

Amit Yoran is chairman and CEO of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
3/15/2017 | 2:26:27 PM
What about the human factor as a threat vector?
This list, though very comprehensive, is missing the main attack vector of today cyber reality: us.  We are the link to what is coveted in many of the cyberattacks today: sensistive data. Whether in structured systems - where the assets inventory and risk classification discussed in this article can help- or as unstructured data which resides in files, emails and cloud file share apps. This is why identity management is one of the fastest growing security category and why behavioral analytics will start picking up as a detection tool for cyber attacks.
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...
CVE-2019-18889
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.