The rash of high-profile breaches, including the SolarWinds attack, shows that the current approaches to securing IT environments are inadequate to the task, argues Albert Zhichun Li, Chief Security Scientist at Stellar Cyber, in this Security Ledger expert insight.


The recently disclosed breach of FireEye should give everyone pause over both the importance and the difficulty of security. This high-profile breach left the vendor with a black eye and some serious questions. The disclosure almost immediately had every security vendor writing blogs and articles about the importance of this or that, in accordance with what they sell and market. Opportunity strikes!

At the same time, it is hard not to feel stifled by the seeming futility of security. Here is a company known for expertise in investigating or addressing some of the largest security breaches in the world and now victimized by a successful attack. Perhaps not since the NSA was breached and attackers made off with custom hacking tools did the idea of protecting one’s assets and information seem so bleak. “If the NSA can’t protect their own tools and secrets, how can anyone remain safe?” is a question on the minds of so many.

Security futility? Certainly the odds favor attackers by a huge margin. Attackers have an almost unlimited number of chances to mount a successful attack, but defenders must successfully defend themselves from every one of them. With so many avenues for attack, the cause of effective security seems nearly hopeless.

There’s another way to view these current events. While the task of establishing and maintaining effective security is gigantic, it is not necessarily futile. Security can deflect a majority of attacks or find them early enough to mitigate loss and damage. These high profile breaches should serve as a wake-up call, however. The current approaches most organizations take towards security is not good enough. Something has to change.


One important change is to stop compartmentalizing security. Traditionally, organizations view security as segments with different systems, policies, reports and personnel. The desktop or endpoint group has its own charter. The network security team has another. There might also be a cloud team and an applications team. Separate systems, separate efforts.

This security specialization makes sense. Such focus splits up the arduous task of security and divides complexity into more manageable segments. Instead of having to “boil the ocean,” security vendors can concentrate on a particular set of problems and challenges to tackle. Security practitioners can focus on the strategies, policies and procedures to protect certain aspects, such as endpoints, applications or resources in the public cloud.
At the same time, the divisions within security are hampering overall effectiveness. A well-regarded historical axiom is, “divided we fall.” And security certainly is divided. Ironically, the segmentation helps security, but it also hampers it.

The current high-profile breaches demonstrate that the current approaches are inadequate: the way security is currently practiced is insufficient. One of these inadequacies is the lack of a unified, holistic approach to security. This is not to say that we need a mega-security tool to perform all aspects of security. Instead, we need to aggregate security data to achieve a deeper, more holistic understanding of potential attack activities.
A combination of depth and breadth is needed to get an edge on attackers. Attackers are not limited to just one segment of infrastructure. What may start at an endpoint, through a web application or in cloud infrastructure will evolve as attackers move sequentially to get to valuable assets. Seeing this entire surface provides necessary context and history. Different systems or sensors will be adept at seeing different elements. These inputs need to be aggregated to provide a forest-for-the-trees perspective.
In addition, depth is necessary for fine-tuning and a more granular understanding. The combination of depth and breadth brings more completeness and greater fidelity, and both are essential in turning the tables on attackers.

Security is a daunting task, and there is always an inherent trade-off between security and openness or accessibility. The web, digital business and mobility all require some compromise in this trade-off. The challenge then is to make infrastructure and assets as secure as possible. This means security can’t stay still. Security must constantly advance and improve. Yesterday’s tactics and technology need to move forward. This evolution, and avoiding the natural ruts that occur, is essential for success. It’s difficult but not futile.


(*) Disclosure: This article was sponsored by Stellar Cyber. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

The UK National Cyber Security Centre (NCSC) issued an alert on October 16, 2020, to raise awareness “of a new remote code execution vulnerability (CVE-2020-16952)”, which affects Microsoft’s SharePoint product. According to the alert, “successful exploitation of this vulnerability would allow an attacker to run arbitrary code and to carry out security actions in the context of the local administrator on affected installations of SharePoint server.”

The NCSC recommends applying security updates promptly, “but in this case the NCSC has previously seen a large number of exploitations of SharePoint vulnerabilities…against UK organisations…NCSC is issuing this alert to ensure that system owners are aware of this vulnerability and to ensure remediation actions are taken.”

According to the alert, the vulnerability affects:

  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019

It is important to note that SharePoint Online, which is part of Office 365, is not affected by the vulnerability.

The NCSC “strongly advises that organisations refer to the Microsoft guidance…and ensure the necessary updates are installed in affected SharePoint products. It is also important to keep informed of any possible updated future updates to the guidance…”


Modern enterprise networks are populated by both people and, increasingly, “things.” But securing the growing population of Internet of Things devices presents unique challenges. In this thought leadership article, Brian Trzupek, Senior Vice President of Emerging Markets at DigiCert, discusses what is needed for effective IoT security.


We’ve seen the IoT come of age over just the past few years, and innovative use cases continue to build momentum. Gartner forecasts that 25 billion connected things will be in use by 2021. However, although the IoT has tremendous potential across many industries, Gartner surveys still show that security is the most significant area of technical concern.

When it comes to security, IoT challenges are distinct from those of the enterprise. Although identity and identification are cornerstones of effective security, IoT and enterprise environments face different challenges. End users are generally involved in enterprise authentication: when trying to use an application or service, they can be present to respond to multifactor authentication challenges. End users may also have varying sets of roles or access constraints that evolve as their position in the organization changes.

IoT: Insecure by Design



(*) Disclosure: This article was sponsored by DigiCert. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.