Today’s chief information officers (CIOs) face a daunting challenge: balancing the innovative work of digital transformation with the requirement to protect their organization from sophisticated and potentially damaging cyberattacks. The current cybersecurity threat environment is exerting a lot of pressure on CIOs to manage risk by countering cyber threats with a combination of workforce skills and a portfolio of cybersecurity tools.
Responsible for overseeing all information technology in an organization, CIOs need to provide the IT guidance and resources an organization needs for supporting its mission and hitting its financial goals.
Increasingly, that work involves digital transformation. That phrase can mean different things to different people, but it boils down to applying digital technology in innovative ways to launch new products and services or to significantly improve old ones.
Almost always, digital transformation leads to a bigger, more distributed and more varied IT infrastructure. Delivering better, faster, high-value products and services inevitably requires more cloud services and more use of data, artificial intelligence (AI) and machine learning (ML), operationalized by new applications. Those applications spread the organization’s digital footprint across a more distributed workforce through mobile devices and new application architectures, which likely involve application programming interfaces (APIs) and microservices instead of the monolithic applications developed a decade or two ago.
Understanding IT attack surfaces vs. attack vectors
In IT security terms, this more expansive IT infrastructure expands a company’s attack surface. As defined by the Open Web Application Security Project or OWASP, an attack surface encompasses “all of the different points where an attacker could get into a system, and where they could get data out.”
Protecting complex attack surfaces is difficult and often requires cyber tools that have complementary capabilities. Good cyber hygiene, effective configuration management that enforces cybersecurity policies, and continuous monitoring of cyber tool health form an organization’s assessment of cyber-readiness.
Fifteen years ago, when most IT systems were on premises and protected by a network firewall, the attack surface was comparatively small. Today, when organizations rely on hundreds of cloud services and employees are working remotely, the attack surface is significantly larger. Every employee device on a home network is a potential attack vector that could lead to the compromise of mission-critical IT resources.
CIOs are responsible for keeping this distributed infrastructure secure. And they need to think not only about external threats breaking through firewalls, but also about software vulnerabilities inside applications that produce non-linear threats such as SolarWinds and WannaCry.
Log4J vulnerability and today’s attack surface
That’s the lesson from the recently discovered Log4j vulnerability. Today’s applications include hundreds or thousands of software components and services. A vulnerability in any of those components and services can jeopardize the security of the entire application and the organization that’s running it. Having tools capable of adapting to emergent threats saves time, reduces risk, and increases an organization’s cyber-readiness.
For example, many widely used versions of the open-source Log4j logging utility include a bug that allows an attacker to submit a string that the logger passes to its Java Naming and Directory Interface (JNDI) lookup, allowing the unauthorized user to run code within the application with elevated privileges. Exploitation of this critical vulnerability can be used to spread ransomware, exfiltrate data, shut down systems, and more.
Log4j, whose vulnerability received a 10 out of 10 criticality rating from NIST, is frequently a key component found in web and application software, including about 4% of the most popular Java component repositories. The Log4j software artifact is found in applications, including leading commercial applications, as well as many home-grown applications developed internally. Thus, the Log4j vulnerability is now part of the organization’s attack surface. The Log4j vulnerability has already enabled attackers to install coin mining software on corporate networks, launch new forms of ransomware attacks, and infiltrate the Belgian Defense Ministry.
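Because the Log4j artifact is buried inside commercial and home-grown applications alike, the first defensive step is finding where it lives. The following is an added example, not code from the original post: a small Python inventory check that opens a jar, reports any embedded log4j-core (by its manifest version and by the presence of the real JndiLookup class that log4j-core ships), and recurses into nested jars the way fat/uber jars bundle their dependencies. It assumes the usual Maven Implementation-Title/Implementation-Version manifest fields; the sample jars are constructed in memory and are not real artifacts. Version ranges to compare against belong to the vendor advisory, so the check reports facts rather than a verdict.

```python
import io
import re
import zipfile

# Real entry names shipped in log4j-core jars; the manifest field names are the
# standard Maven ones (assumption: the build did not strip them).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
NESTED = (".jar", ".war", ".ear")


def log4j_findings(jar_bytes, path="<jar>", depth=0, max_depth=3):
    """Return a list of dicts describing log4j-core artifacts found in the jar
    or in jars nested inside it (path uses '!' to mark nesting, like the JVM)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if MANIFEST in names:
            text = zf.read(MANIFEST).decode("utf-8", "replace")
            title = re.search(r"^Implementation-Title:.*log4j", text, re.M | re.I)
            ver = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
            if title and ver:
                version = ver.group(1)
        has_jndi = JNDI_LOOKUP in names
        if has_jndi or version:
            findings.append({"path": path, "version": version, "jndi_lookup": has_jndi})
        if depth < max_depth:  # bounded recursion into bundled dependencies
            for name in sorted(names):
                if name.endswith(NESTED):
                    nested = log4j_findings(zf.read(name), f"{path}!{name}", depth + 1, max_depth)
                    findings.extend(nested)
    return findings


def build_jar(entries):
    """Construct an in-memory jar from {entry_name: bytes} (test data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: an application jar that bundles a log4j-core jar under BOOT-INF/lib.
SAMPLE_LOG4J_CORE = build_jar({
    MANIFEST: b"Manifest-Version: 1.0\r\nImplementation-Title: Apache Log4j Core\r\n"
              b"Implementation-Version: 2.14.1\r\n",
    JNDI_LOOKUP: b"\xca\xfe\xba\xbe",
})
SAMPLE_APP = build_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": SAMPLE_LOG4J_CORE,
                        "com/example/App.class": b"\xca\xfe\xba\xbe"})
```

Run `log4j_findings(SAMPLE_APP, "app.jar")` to see the nested artifact reported; point it at real jars read from disk to build the inventory.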
Log4j is a reminder of the major challenge CIOs face: selecting, deploying, and managing vast, complex IT architectures while identifying and mitigating every threat in the attack surface of those architectures, no matter how complex or unfamiliar the threat may be, and doing so while managing cyber readiness, reducing risk, and containing costs within a fixed budget.
Whatever the attack surface looks like today, it’s destined to keep changing. In 2015, 30% of corporate data was in the cloud. By 2020, that percentage was 50%. The data suggests that migrations of applications, services, and data into the cloud will continue. These cloud migrations as well as other digital transformation efforts will contribute to an expanding attack surface with increasing complexity.
But if change outpaces security oversight, organizations will suffer. They’ll fall victim to ransomware attacks, data exfiltration, business email compromise (BEC) attacks, and more. Operations might be disrupted. A company might end up paying tens of millions of dollars in ransom, and then tens of millions more to the U.S. Federal Trade Commission (FTC) if the attack results in the exposure of confidential consumer data.
This is the balancing act for CIOs: drive change while adapting to a continuously evolving attack surface to protect the company’s IT infrastructure.
It’s not easy.
Reducing the IT attack surface in the age of digital transformation
CIOs need a combination of tools, processes, and people for addressing these threats. Those tools and processes have some common requirements.
Any strategy for securing the attack surface should account for the attack surface’s ever-changing nature. You cannot protect what you cannot see, so CIOs can no longer rely on monthly or even weekly reporting to understand vulnerabilities and mitigate threats. Attack surface management requires access to real-time data and the ability to pivot from detect to respond at the speed of threats. Vulnerabilities can appear the moment a compromised endpoint connects to the network, or an obsolete software component is reinstalled from a backup. Cyber readiness should factor in which software is current and approved.
As much as possible, tools for monitoring endpoints and networks should provide real-time intelligence and support real-time investigations. Discovering that a system was compromised two weeks ago gives attackers too much of a head start. By then, ransomware could have spread across data centers and locations, or critical data may have been discovered and exfiltrated.
Easy to learn and easy to use
CIOs should choose tools that deliver critical cyber capabilities while requiring a minimal learning curve. If new teams must secure new applications or services, give them tools that are not overly complex. Let them focus on the work they are doing instead of on how to maintain complex or unwieldy tools. Talent and technology are key enablers of an organization’s ability to accelerate response actions to emergent threats. This agility is critical as the cyber threat environment becomes more volatile, uncertain, complex, or ambiguous. As noted earlier, precise and decisive action that comes too late achieves the same result as not acting at all. Speed is a necessary component of the effective employment of cyber capabilities.
Another consideration: CIOs should choose tools that make it easier for security and operations teams to work together while responding to new threats. Log4j won’t be the last serious vulnerability that appears in source code. Security and operations teams need tools that let them pivot quickly to address whatever security threat is most urgent.
Choose tools that provide the broadest possible coverage of endpoints and other IT assets. Unfortunately, most vulnerability assessment and endpoint management systems overlook a significant percentage of endpoints, up to 20% in many cases. When IT can’t see endpoints, it can’t monitor them for indications of compromise, nor can it include them on automated patch schedules. This contributes to poor cyber hygiene, endpoint configuration variance, and unhealthy tools that fail at the point and time of need. Endpoint visibility is therefore table stakes for an effective approach to managing a complex attack surface.
The attack surface includes all endpoints and systems connected to the organization’s network. CIOs should make sure they can see the full attack surface, not just parts of it.
Centralization and automation
If possible, CIOs should choose tools that interoperate, so that data is visible, accessible, and understandable, and so that tasks can be automated across different computer security functional areas, such as threat detection and patch management.
Taking a “combined arms” approach and using multiple tools that work well together makes it easier to develop streamlined processes for security tasks. Automation becomes easier, too. The ability to pivot within a common platform can be instrumental to Security Operations Center (SOC) analysts because they won’t lose time switching between one toolset and another to investigate incidents and mitigate threats.
Teams and talent
Tools are not the only part of a successful threat mitigation strategy. CIOs need a thinking workforce with the knowledge, skills, and abilities (KSA) to complete tasks within tight cycles that accelerate transitions from detect to respond to recover. This approach leverages tool capabilities to enhance organizational processes by synchronizing capabilities and processes to best protect the organization’s evolving attack surface.
For example, organizations can use Red Teams and penetration testing against every part of their evolving IT infrastructure to discover new vulnerabilities before attackers do. The results from these exercises can then be used to harden attack surfaces while informing organizational learning processes. These “sets and reps” are invaluable learning opportunities that increase the KSA readiness of the cyber workforce.
Security and application development teams can include security subject matter experts in the design and planning phases of digital transformation projects, so that security is built into new products and services, rather than tacked on as an afterthought.
CIOs should adopt a Zero Trust strategy to reduce access to the attack surface and to prevent attackers from easily traversing the network. In a Zero Trust model, no user, process, or device is trusted without some form of interrogation. In other words, access to a network service or resource is not granted without examining device compliance, a user’s roles, and successful authentication. In effect, everyone and everything is denied access, except for those users, devices, and processes that are authorized based on the organization’s mission.
By closing unnecessary ports, IP addresses, and protocols, IT organizations reduce the size of their attack surfaces while increasing the difficulty for attackers to penetrate and move laterally across a network, searching for valuable data or spreading ransomware.
By leveraging Zero Trust security principles by default for digital transformation initiatives, CIOs can reduce attack surfaces and ensure that their new IT services and infrastructure are resilient and ready to enable digital business operations.
Digital transformation is never done. To survive and to thrive, organizations must continue innovating, launching new products and services and optimizing old ones. As a result, every organization’s attack surface will continue to change and, likely, grow.
CIOs need the tools, processes and trained personnel to keep up with these changes and attackers’ evolving threats, so that the organization’s IT infrastructure always remains secure.
In another blog post, I’ll discuss the benefits of CIOs adopting a kill-chain analysis framework for managing threats to the attack surface.