Incident Response

Cybercriminals Are Leveraging Agile Development, Organizations Must Keep Pace

Organizations are accelerating the adoption of agile development strategies as they respond to the demands of new digital marketplace requirements. The need to continually update and refine end-user applications, the development of internal tools to mine critical information more effectively in Big Data environments (especially those that span multiple network ecosystems), and the rapid adoption of new technologies such as IoT or OT-based devices have spawned a more flexible, iterative approach to both software and hardware development.

This approach introduces a critical challenge from a security perspective. Applications and other solutions that have access to critical resources are constantly in flux, often being updated as frequently as every 2 to 4 weeks. The rate at which organizations introduce these updates, especially when separate engineering teams implement them in isolation, raises the likelihood that critical vulnerabilities are introduced. Unfortunately, few organizations have implemented a parallel testing and validation process that provides comprehensive, ongoing analysis to detect and root out those vulnerabilities.

This approach is especially concerning as development teams add more and more automation to these solutions. Continually applying updates in a complex production environment that is, itself, undergoing regular implementation and realignment of resources due to digital transformation makes testing and validation increasingly difficult. Automating critical processes on top of that adds a layer of complexity that may be virtually impossible to secure.

Ironically, one unintended defense against these sorts of vulnerabilities is the rate at which organizations are introducing change: vulnerability windows may be measured in only weeks or days. However, cybercriminals are responding by adding automation to their malware so that it constantly monitors for and targets those vulnerabilities. In addition to capabilities like detection evasion, the latest threats now carry a wide variety of exploits that can be updated automatically over bidirectional communications between the malware and a controller. As these tools implement more automation, the human operators who currently direct each phase of an attack manually will be replaced by increasingly intelligent systems that collect real-time intelligence from targets and push updates to the malware to exploit newly discovered vulnerabilities in near real time.

To address these challenges, security teams likewise need to adopt a more agile approach that enables them not only to see and defend against attacks, but also to predict where attacks are most likely to occur. This sort of intelligent, iterative security strategy requires a defensive, prevention-based security infrastructure that can establish a baseline of normal behavior and then continuously monitor the environment to detect and inspect change, regardless of where it occurs.

This approach cannot be achieved using traditional point-based security solutions that function in near-isolation. It requires a comprehensively integrated strategy that spans all ecosystems, including highly mobile endpoint and IoT devices, remote offices connected through SD-WAN, and multi-cloud environments comprised of both infrastructure- and services-based solutions. Such an integrated, fabric-based approach is essential if security teams want to track and monitor evolving applications and services as they span users, devices, and network segments. It is a prerequisite for any comprehensive, behavior-based analysis that has a realistic chance of detecting and responding to the new threats that organizations may be inadvertently introducing through modern development and deployment strategies.

An integrated and automatically reactive security fabric is also the foundation for the next generation of intent-based security solutions that can combat today’s increasingly sophisticated malware development community. Cybercriminals have already adopted an agile strategy that allows them to pick and plug together exploits and tools developed by different teams and made available in the darknet marketplace. Not only is cybercrime-as-a-service available to the less sophisticated attacker, but more advanced criminals are building flexible and adaptable crimeware, such as VPNFilter or Hide ‘N Seek, that can be automatically updated with new exploits and toolkits as they become available. And they can operate much more efficiently than their targets because they are not bound by the same need to identify and close vulnerabilities.

To achieve this, security teams need to build identity-based security around several essential pillars. This starts with dynamic segmentation to isolate resources and detect malware moving laterally across a distributed network. Next, advanced access control needs to be tied not just to users and devices, but also to applications. It also needs to be combined with a trust-based component that can immediately revoke access when inappropriate or unexpected behaviors occur. Of course, this depends on real-time analytics that can not only see and monitor all devices and behaviors across the distributed network, but also collect and correlate that data into a single, centralized system. And finally, it requires the ability to impose coordinated, real-time action against any anomalies.

This sort of automated response needs to go well beyond the ability of today’s NGFW solutions to close down a port or shut off a traffic stream. In today’s digital environments, such actions can have significant unintended consequences. Instead, security and networking solutions need to be able to coordinate a response that can also include dynamically re-segmenting a portion of the network, isolating and quarantining rogue devices, rerouting traffic away from sensitive or critical resources, and automatically imposing monitoring and intervention protocols that are aware of the implications of any actions they may take.

Finally, such a fabric-based approach cannot be static. Like the agile software and infrastructure it protects, an integrated security framework needs to adapt as that infrastructure dynamically evolves. As organizations implement new cloud-based solutions, expand their distributed environment through SD-WAN-based connectivity, and begin to interconnect with outside environments such as public infrastructures, security needs to adapt automatically. This requires building a security strategy around open standards, interoperability, and solutions designed to run consistently and seamlessly across multiple network ecosystems, whether physical or virtual, local or remote.

Digital transformation doesn’t just affect networks. Agile software and application development add a layer of abstraction and complexity that modern security tools are simply unable to secure—and that cybercriminals have demonstrated to be more than willing and able to exploit. It requires a radical rethinking of how and where security is deployed, including deep integration and automated adaptability and response, along with an awareness of the implications of any security actions taken so that protection doesn’t disrupt the immediacy that today’s digital marketplace requires.

Written By

John Maddison is EVP of Products and CMO at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.
