The traditional approach to cybersecurity has focused on creating a secure perimeter around an organisation's IT assets and then carefully controlling access. This legacy model is no longer adequate, given today's rapid migration towards cloud computing, software as a service (SaaS), and the boundless mobility offered by constantly connected mobile devices. The reality is that there’s no longer a well-defined perimeter to defend: our data and devices are everywhere.
Employees bring personal devices to work, contractors use their tools on the corporate network, and people make use of cloud-based resources and services. At the same time, IT teams spin up containers and manage on-site, legacy data centres, industrial control systems (ICS) and traditional desktop computing environments.
The result is an “elastic attack surface,” constantly evolving and creating gaps in security coverage. Given the rapid changes taking place, many security professionals lack confidence in their ability to accurately assess exposure and risk. Detecting the changes and understanding the risks associated with the elastic attack surface is a daunting task. What is needed is an approach to vulnerability management that embraces the elastic attack surface and that enables security teams and chief information security officers (CISOs) to understand the dynamic threat landscape.
There are six major components that together comprise today’s elastic attack surface:
1. Traditional/Critical assets: While assets like servers, workstations and desktops still exist, their exposure to today’s interconnected enterprise, coupled with constant software updates, creates new threats and vulnerabilities. Additionally, operational technologies (OT), like supervisory control and data acquisition (SCADA)/ICS, and connected medical devices like MRI machines, create another attack vector. These types of critical infrastructure are static and isolated systems that were not designed with security in mind, and therefore require a completely different security approach.
2. Cloud instances: Both commercial SaaS offerings and organisations migrating their own software to the cloud have disrupted the traditional network perimeter. Most enterprises are now connected to dozens of off-site server environments, making it harder to accurately assess exposure and risk.
3. Mobile/BYOD: Laptops, tablets, smart phones, wearables, and other devices demand connectivity, and even help employees do their jobs more efficiently. The idea of a static network with devices you can control is long gone. In its place is the new enterprise network — an elastic system of virtually unlimited device connectivity needs.
4. IoT devices: Constant connectivity has reached a peak, with devices such as consumer appliances, conference room utilities, cars parked in office lots and physical security systems now connecting to networks. While these devices are growing in popularity, they also add scale and complexity to the corporate network.
5. DevOps/Containers: DevOps models are allowing organisations to deliver applications and services faster. And while the shift in how we develop and deploy software and the use of short-lived assets, like containers, helps organisations increase agility, it also creates significant new exposure along the way.
6. Web applications: The use of increasingly complex and custom applications creates security blind spots that leave organisations vulnerable. Delivering a variety of applications to employees can improve business relations and increase efficiency, but it also forces the organisation to take responsibility for finding flaws in its own code.
Securing Elastic IT
Elastic IT is changing the way organisations approach business operations, making them more efficient and competitive in today’s market. But security teams that want to see and protect their complex IT environments need a new, dynamic approach to understanding and reducing their cyber risk.
If organisations are unable to readjust their security approach to cope with elastic IT environments, then they’ll never be able to answer the two most fundamental security questions: How exposed am I? And what can I do today to reduce risk?
Organisations must have complete, real-time visibility of vulnerabilities and threats across their entire environments, including all virtual and physical assets, whether they be deployed on-premises or in the cloud. This is critical if security teams are to stay ahead of evolving threats.
Organisations also need a clear understanding of how each asset maps to the business, and which ones are most critical. This is key to effectively understanding the business impact of a compromised asset. Business relevance, combined with vulnerability virulence and threat data, allows for the effective prioritisation of remediation efforts, ensuring that the most important and critical issues are fixed first.
Finally, there is the issue of effective communication. Security is an integrated part of the organisation. This means security teams must understand their level of risk, and then communicate to business executives and the board how their decisions impact the overall mission of the organisation. Additionally, boards need to be aware of their companies’ cybersecurity posture to meet their fiduciary responsibilities.
Corporate IT environments will continue to evolve and encompass new components and technologies, and the trends toward cloud adoption and elastic computing models will only continue to accelerate. To cope with this added complexity and scale, organisations must rethink and readjust their approach to security. Only by fully assessing what's in place and then tailoring a security strategy can organisations be confident in their security posture and ability to detect and mitigate current and future cyber risk.