Cybersecurity and the Pareto Principle: The future of zero-day preparedness
We are excited to bring Transform 2022 back live on July 19th and practically from July 20th to 28th. Join AI and data leaders for insightful conversations and exciting networking opportunities. Register today!
It is a 40-year sequel to the movie “War Games”. The scene begins as everyone prepares for the Christmas holidays, and the naughty Minecraft gamers community discovers an amazing discovery: a system software exploitation in the Java open source logging library that is built into the core component of most Internet workloads. The vulnerability is easy to exploit and allows remote code execution, leaving IT and security teams around the world in trouble. Instead of science fiction, this was a reality as thousands of security teams around the world worked during the holidays to determine the extent of their dependence on Log4j and quickly put together corrections for initial detection and permutations thereafter.
Log4Shell has taught us about enterprise security priorities and what “preparedness” in the security industry will mean in the future. Log4Shell provides a lesson on the optimal tool security teams should focus on, with teams struggling in key fundamental areas of security readiness and software asset management.
As attack areas continue to grow, organizations need to become better at prioritizing tools for their ability to pass through an entire fleet of assets. The priority of security teams should not be to detect zero days. Instead, the security team’s priority should be to set up the tools and management needed to quickly understand their exposure to a new threat and organize responses.
Pareto principle in cyber security
The Pareto principle says that approximately 80% of the consequences come from 20% of the causes (it differs significantly from the Pareto efficiency which describes in detail the efficient allocation of preferences and resources). This refers to the cyber security of the company: the unsung 20% of our tool that brings over 80% of the value. This is, of course, software asset management.
Log4Shell has been a ubiquitous problem in one of the most widespread open source libraries for years, and has remained unnoticed for millions of hours spent checking code and traditional application security testing. It is good to bet that there are other similar vulnerabilities. The priority of your team and resources should be to be the most prepared to configure and respond to these as yet undiscovered threats.
Software asset management provides teams with the strongest basis for assessing internal past, present, and future security risks. Appropriate software asset management tools give your team deep visibility into your IT ecosystem, allowing organizations to gain a unique insight into processes and quickly assess the applicability of new risks as they arise.
Finding zero days is usually left out of a security administrator’s job description, and with good reason. The focus should be on preparing for new critical vulnerabilities – and yes, that means detection but, more importantly, remediation. When assessing your team’s resources and expertise, you want to optimize for speed and readiness to tackle these new CVEs.
Using Log4Shell as a case study, let’s further break the gaps in security thinking and re-emphasize the essential scope of the security team in the enterprise organization.
The Future of Preparedness: Software Asset Management
Log4Shell was a wake-up call. The vulnerability has gone unnoticed in an extremely widespread open source tool in the last decade. For most teams, this was another lesson learned that the future of enterprise security should focus on optimizing for speed and visibility within your own fleet. With a large-scale asset management software solution, an organization can move from being back-to-front when dealing with new threats such as Log4Shell.
It’s a classic phrase: You can’t protect what you don’t know. In the case of Log4Shell, the first few weeks revealed deep sore points around the simple act of navigating your own IT ecosystem. The right tool gives your team a range of impact in minutes or hours, not the days or weeks it took teams to inventory Log4j instances in Java applications. It sounds simple enough – getting a list of all instances of Log4j or Java processes running on your laptops, servers and containers – but we all know colleagues and organizations that have struggled (and may continue to struggle) with this simple act of inventory.
Log4Shell highlighted these shortcomings in the company’s current approach to security and encouraged us to get back to basics. A good organization recognizes its strengths, and even better its limitations. As organizations grow and increase their resources, the best way to continuously secure your environment after initial implementation is to speed up the way you can implement published fixes and upgrades. This is a key advantage of software asset management on a large scale and the reason why these 20% of our tools offer so much in a way to enable teams. It removes the barrier to action and the barrier to understanding.
Map of the castle
There is a good reason why inventory and software asset management is the second most important security control, according to the critical security controls of the Center for Internet Security (CIS). “Basic cyber hygiene” is knowing what software works and being able to have instant access to that updated information. It was as if you were a new master for a local baron in the Middle Ages. Your first duty would be to draw the area of the castle that you are in charge of protecting.
Simply put, you should not expect your organization to build unique, customized solutions to new security threats. You are not expected to find zero days or spend your internal budget on troubleshooting for your licensed suppliers. Instead, good enterprise security preparedness is tried, tested, and transparent (one of the main benefits of an open source solution), allowing security teams to quickly assess risk and implement fixes.
Software asset management becomes the first step and, if neglected, becomes the first hurdle on the way to creating an agile and prepared organization that comes first for security. In the first minutes and hours after Log4Shell was discovered, think about the time it took you to fully chart the extent of the impact on your infrastructure. Extending this further, are you sure that there were no cases of missed use and that you really had a clear picture of your processes? Have you struggled to find uber .jar files or shaded .jar files?
The economy of good security
As we leave Log4Shell behind, let’s incorporate these lessons learned for a more prepared future. The allocation of resources by enterprise security teams needs to be more meaningful, as attackers become more sophisticated and continue to have what appear to be unlimited resources. Added value through clear visibility and real-time insight into your entire ecosystem is becoming increasingly important. Remember, the core scope of the security team is to create a secure IT ecosystem, mitigate the exploitation of known vulnerabilities, and monitor for any suspicious activity. With expanded software asset management, practitioners have increased their ability to monitor, patch, and strengthen assets.
This expanded visibility becomes the foundation on which teams build comprehensive security solutions. According to Forrester, the application security market is projected to grow to $ 12.9 billion by 2025. This is holistically great for the security industry as we continue to invest resources in vulnerability research and mitigation before they are exploited. However, from an individual organization’s perspective, it makes sense instead to focus resources on tools that will drive the needle within their organization.
Consider the backlog of patches still waiting to be implemented in production or consider the potential for external cases missed when logging Log4j. As attacks and attack areas continue to grow, organizations need to become better at prioritizing their security tools to create measurable results. This is not the most famous topic, but the incredibly high value added from software asset management strengthens security teams in every function, especially when we look ahead to future threats that arise.
Jeremy Colvin is a product marketing analyst at Uptycs.
DataDecisionMakers
Welcome to the VentureBeat community!
DataDecisionMakers is a place where professionals, including technical people working on data, can share insights and innovations about data.
If you want to read about the latest ideas and the latest information, best practices and the future of data and data technology, join us at DataDecisionMakers.
You might even consider contributing to your own article!
Read more from DataDecisionMakers
Comments are closed.