One of the common misconceptions about cybersecurity is that serious incidents always involve highly innovative and sophisticated technologies never seen or heard of before. In reality, most attacks do not look like Stuxnet. Instead, security professionals spend most of their time fighting security battles that are well known, and long thought to have been won. Some of the best-known security incidents in recent years show how widespread this pattern is:
• In June 2018, marketing firm Exactis leaked the personal information of 340M adults. The breach was discovered via a simple query for ElasticSearch databases visible on publicly accessible servers with American IP addresses.
• Earlier that June, a security researcher found a file on the Internet which could have been used by criminals to access the sensitive DNA records of 92M+ MyHeritage users. Unlike passwords, these highly personal data records cannot be changed with a click.
• In December 2017, an unprotected instance of a MongoDB database exposed the entire California voter population to the internet. A similar misconfiguration caused the Verifications IO enterprise e-mail validation service to expose up to 2B records last March.
• In November 2017, it was announced that cyber criminals had leveraged developers’ credentials left in Uber’s GitHub account to access 57M records of Uber customers and 600K drivers that were stored on AWS.
• And let’s not forget the mighty Equifax breach, which resulted in the leak of 145M SSN records, the consequence of an unpatched Apache server.
Analyzing these and other breaches, it is apparent that no overly sophisticated threats blasted through the companies’ security postures. So are the guards simply negligent? No, as I am certain that these companies and others who suffered similar fates care deeply about their customers’ data and spend considerable resources to improve their security stance.
Moreover, cybersecurity as an industry seems to be in a better place than ever before: we see more security positions in the job market, larger budget allocations to the security department in the org, and better tools to prevent, detect, and respond to security threats. There is also a more profound understanding of the importance of security, with better regulation, more board openness, and broader customer awareness. Yet security incidents are increasing, both in magnitude and in impact on the bottom line, with the average cost of a data breach in the U.S. reaching nearly $8M in 2018. So why are breaches that could have been prevented – at least on paper – still happening? In short, it’s because the IT environment is ever changing, which leaves security teams at a disadvantage when it comes to observability. Simply put, it is extremely difficult to protect what we cannot see.
How did we get here? Until several years ago, the technology environment in the org was rather clear. All end-user compute resources were PC desktops, all corporate and production servers were locked inside the company datacenter, and developers used well-defined software stacks built as monoliths or N-tier applications. Today’s reality is dramatically different: users can log in from different locations around the world. Moreover, they can use any device, which is very frequently privately owned, and consume services from dozens of third-party SaaS providers. Hundreds if not thousands of IoT devices are connected to the company network. Production compute lives in multiple shared and private cloud environments, decoupled into microservices and distributed across the globe. To make matters even more dynamic for the security professional, development tools and methods are continually changing to let engineers move fast and stay agile.
In this environment, complicated as it is, one thing remains clear to CISOs today: they cannot and should not prevent the business from innovating. And while security is receiving more attention and budget from management teams and company boards of directors, resources are finite. What is not finite are the blind spots that challenge CISOs. Those are everywhere in the fast-paced, technologically rich environment in which CISOs operate (for example, companies today are using hundreds of unique apps to enhance productivity). And while tools and data are in abundance, it is increasingly challenging for the CISO to have full visibility and act on the findings, as evidenced by the 2019 Oracle/KPMG Cloud Threat Report, which found that only a handful of CISOs collect, analyze and respond to 75% or more of their security event telemetry.
So what can security teams do to adapt to the new paradigm, and get “out of the darkness?” There are many types of solutions that return the control to the security teams. Here are a few:
• “Next Gen SIEM” – With the excess of information flowing through the organization’s information assets and security products, it is difficult for security teams to clean, analyze, prioritize, and respond to these events using some of the existing Security Information and Event Management (SIEM) solutions. Therefore, more robust and automation-focused security event management solutions are needed to sort through the data noise.
• DevSecOps solutions geared for new architectures – CISOs need to find ways to integrate security measures with minimal disruption to operations. Yet it is inevitable that security is playing catch-up with new technologies. While timing is tremendously important in introducing new security solutions, infrastructure will always move at least one step faster than security. Therefore, the security team must be equipped with the right tools for east-west traffic visibility, policy creation, and enforcement in the technologies used in company production environments, which include multi-cloud, containers, serverless, etc. In today’s world, this includes securing source control repositories, container registries, the CI/CD pipeline, API management, orchestration and release automation, to name a few.
• Enterprise device management – The computing devices used within an organization are rapidly evolving: developers are spinning up new machines, DevOps teams are creating new environments, and new connected devices are used for different use cases throughout the company. Such asset inventory chaos creates an unprecedented attack surface, with many new endpoints, installed technologies, and asset locations that are often not visible to the security teams. This results in a growing challenge to protect the external and internal parts of the org. To be effective, CISOs require a new type of asset management that can provide them with much-needed visibility and control over computing resources.
To conclude, CISOs today are operating in an environment that keeps changing around them, making it increasingly challenging to collect the right information and act on it. Therefore, CISOs need to equip themselves for success, through the noise and distractions, with tools and technologies that empower them. When a security team gains enhanced visibility into the larger perimeter, it is more efficient, and can see the wood for the trees.