End the Innovation Catch-22: Reduce the Attack Surface

From a computing perspective, we live in a renaissance age. Information technology is not just a tool to help run businesses, but actually an economic factor of production; it is a necessary component in practically every finished good and service, like land, labor and capital. As computing integrates into every facet of our lives, it stretches the inter-connectedness of everything we do and touch. And it also raises the risk of our personal, commercial and national security information being obtained by bad actors.

The mainstreaming of IT has been paired with a hailstorm of innovation over the past decade, including the fundamental emergence of a dynamic new computing architecture: distributed computing. Distributed computing and all of its branches — mobile, virtual, and cloud — is rapidly replacing the 30+ year dominance of client-server architectures. If you think IaaS (AWS, Azure), you are thinking distributed computing. Linux containers? Check. Microservices? Right on. If you are thinking of security as a fixed point in time, you are thinking the wrong way.

The dynamic, innovative nature of new computing architectures presents a catch-22 for security professionals: what makes us more agile, fast, and distributed also exposes more mission-critical data to risk and hackers. It is difficult, potentially impossible, for the traditional network security model — built on the foundations of a fixed and centralized computing architecture — to address the new requirements.

What are some of the challenges?

• Security dependent on the network does not “bend” to hybrid or diverse environments (you cannot stretch your firewall into AWS).

• The temporary, brief life cycle of newer computing architectures such as Linux containers moves too quickly for traditional, manual network management models.

• Most significantly, the segmentation model of networking such as VLANs or zones leaves too much attack surface available to bad actors.

To illustrate the last point, if a VLAN or a virtual network segment contains access to 500 workloads (i.e., physical or virtual servers), it is the cyber equivalent of Typhoid Mary. If one workload becomes infected by malware, every workload is subject to infection. The traditional network segmentation model is a poor defense in an era of heightened concern about APTs and data exfiltration. Imagine an infected container that moves across an entire data center and is never partitioned off from sending and receiving communications.

So what can enterprises do?

1. Ring-fence critical assets. Determine ways to segment high-value assets away from lower-value compute infrastructure. This “hygiene” move will not stop a determined hacker, but will make communication with critical servers much more difficult.

2. Build security and segmentation into the application cycle. This would include building more granular security policies directly into application architectures to reduce inter-application communications.

3. Dynamically adapting is the best defense. Institute an adaptive security architecture whereby security moves and adapts with dynamic compute assets — such as Linux containers or vMotion that spin up or down and move — without human intervention. One of the best thought pieces on this strategy was outlined last year by Gartner’s Neil MacDonald and Peter Firstbrook.
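As an added illustration of the three steps above (not code from the article or its author), here is what workload-level segmentation looks like in a Kubernetes cluster: a default-deny policy ring-fences every pod in a namespace, and a second policy re-opens only the one flow the application needs, selected by pod labels rather than by VLAN or subnet, so the rule follows the container wherever the scheduler places it. The namespace name, label values and port are assumed for illustration.

```yaml
# Policy 1 (ring-fence): no pod in the "payments" namespace accepts inbound
# traffic unless a later policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
  - Ingress
---
# Policy 2 (granular allow): only the payments-api workload may reach the
# payments-db workload, and only on the database port. No IP addresses or
# VLAN IDs appear anywhere; both sides are identified by label.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-db     # the high-value asset being protected
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: payments-api   # the single permitted client workload
    ports:
    - protocol: TCP
      port: 5432
```

A NetworkPolicy is only enforced if the cluster's CNI plugin supports it, so verify enforcement with a test pod before relying on it; extending the default deny to Egress as well requires a matching egress rule for payments-api plus an allowance for DNS.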

Many of the CISOs I meet have stated that one action they undertake in their first six months on the job is to determine the most valuable and most at-risk assets and take steps to mitigate the risk. How can they take those steps while also addressing the catch-22?

The only way to make this change is to involve the security, infrastructure (e.g., networking), and applications teams in rethinking the application development cycle from a security perspective. These groups must jointly understand and invest in the kinds of security systems that support the rapid and dynamic workflow of distributed computing capabilities. This will reduce the attack surface while increasing the difficulty of penetrating critical information assets.
