Global spending on cybersecurity products and services are predicted to exceed $1 trillion during the period of five years, between 2017 to 2021 with different analysts predicting the Compound Annual Growth Rate (CAGR) at anywhere between 8 to 15 per cent. It is not surprising to see this growth in spend, which is primarily driven by the evolving sophistication and volume of attacks as well as the surmounting costs of a successful data breach.
And yet, data breaches continue. The sad news is that about 80 per cent of data breaches can be prevented with basic actions; such as vulnerability assessments, patching, and proper configurations. The specific reasons vary; but include staffing and resource issues, lack of expertise to optimise complex, multi-vendor security systems, and a host of other reasons. Whatever the specific cause, the common theme is that security lagged either internal IT change or changes in the external threat landscape. The phenomenon is well known in technology spheres - from things like configuration drift as applications and platforms change without reorganisation; to Cloud drift as new serverless resources evolve to suite point-issues but are not accounted for in overall infrastructure growth estimates. Because of this, we’re looking at a new form of drift centred primarily on changes that impact cybersecurity – essentially a security drift.
IT and security teams face a double whammy.
On the one hand security teams have to continuously address evolving threats and adversarial sophistication and on the other IT teams are continuously adapting to change and making alterations to environments that can create security drift, some addressed, and some invisible. At the end of the spectrum are high-visibility changes revolving around hot topics like Information Technology and Operational Technology (IT/OT) convergence – and these usually (though not always) get concurrent attention from cybersecurity teams. At the other end of the security drift spectrum, it’s day-to-day maintenance operations; which may not get the deserved attention from security teams. These include routine activities such as software updates for new features, bug fixes and vulnerability patching, and the upgrade or replacing of commodity software that doesn’t require major planning. No matter if the changes are happening to new systems going into production, or existing systems in production, the drift is created as the changes are made without security oversight or with insufficient security oversight.
Unfortunately, there are many examples, of security drift situations where routine software updates and IT changes introduce vulnerabilities that require discovery and patching:
A high tech company that had a robust (or so they thought) A/V solution allowed for a three week patch drift for 2 per cent of its systems. This was because some systems required testing before patching (due to OS and application concerns) and others were delayed due to operational constraints. The company was hit by a worm that propagated to almost all of the unpatched systems, close to 3,000 machines. The consequence was a denial of service from within that disrupted business and hampered remediation and restoration of the company’s IT systems.
A multinational outsourcing company deployed FTP servers for the purpose of dedicated file sharing with their customer. Their procedure for on-boarding a new customer was to clone an existing service, change the default credentials, exclude the new system from DNS, and test the new system within a week of deployment. Unfortunately, in one case the lag between deploying and testing was enough for a hacker to find a system that was inadvertently left with default credentials and penetrate the customer’s data at great cost to the outsourcing company. The security drift created by the new instance created the opening that an adversary needed to initiate and successfully complete an attack.
These examples are significant in size and impact, but it’s the small examples of security drift that are the true silent killers, the proverbial loss of a nail in a horseshoe that loses the kingdom. For example, a Web Application Firewall that was misconfigured and placed into learning mode (monitoring only) and a case in which IT changed the name of a server that had restricted access. The name-change inadvertently made the server accessible to everyone. Luckily, this was detected before any damage was incurred and the rule that enforces the access policy was updated.
There is one thing that links all of these incidents together. Security drift is the consequence of change; and security operations are either unaware of the change or its significance. In some cases, it will create manageable risk and in other cases the risk demands immediate attention; but in all cases the drift exists and puts the organisation at risk. This lack of insight makes security drift the silent killer.
Avoiding the silent killer.
The traditional practice for identifying and dealing with security drift is a combination of IT procedures and policies, vulnerability management systems, and pen testing. The severity of a vulnerability is a poor indicator of risk on its own, as there may be compensating controls or restrictions that can lower the overall risk of a vulnerability (or raise risk due to a lack of these controls). Understanding the vulnerability’s method of exploitation in context with the subjected devices and applications and their place in the network relative to the company’s “crown jewels” provides a significantly better indication of risk. This is how pen testing complements vulnerability scanning – by showing which vulnerabilities are exploitable in spite of compensating controls. Though, pen testing is still not a complete cure for these issues, as while vulnerability scanning provides near-real-time results; pen testing does not.
A new paradigm of security validation is becoming widely available for the security Blue Team, one that automates security validation in production environments. Complementing periodic pen testing by filling in the void between tests, continuous security validation becomes a powerful way to reduce the impact of security drift by detecting and identifying instances of drift in near-real-time. Continuous security validation with Breach and Attack Simulation platforms can match the rate of internal and external change with the ability of the organisation to detect changes which create weaknesses and gaps to help manage security drift better. Don’t let the silent killer getya’.
Avihai Ben-Yossef, co-founder and CTO, Cymulate