Thinking Beyond the Network Layer: Why the Entire Attack Surface Counts

As New Technologies Infiltrate the Enterprise, Security Practitioners Must Apply a More Holistic Approach to Enterprise Risk Management

For decades, organizations have focused their security efforts on network perimeter defense and how to secure servers, computers, and network equipment. However, in an interconnected world, a “hardware-defined” approach has lost its relevance. As organizations transition to software-defined networks, they need to look beyond the network layer to protect their expanding attack surface and consider: How is the perimeter-less attack surface rendering today’s enterprise security model ineffective? What steps can organizations take to keep up with evolving threats?

Organizations face an uphill battle when it comes to cyber security, since the attack surface they have to protect has expanded significantly and is expected to balloon even further. In the past, it was sufficient to focus on network and endpoint protection, but now, with applications, cloud services, and mobile devices (e.g., tablets, mobile phones, Bluetooth devices, and smart watches), organizations are battling a broadly extended attack surface.

This is confirmed by the Global Risk Management Survey, which revealed that 84% of cyber-attacks today target the application layer and not the network layer. Organizations need to expand their coverage to include these new areas. However, there are two attack areas in particular that enterprise security professionals overlook, even though they represent a significant threat to the business and are increasingly being exploited by hackers: The Internet of Things (IoT) and Microservices/Containers.

Internet of Things

While politicians and security experts are constantly warning about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with IoT. They should. Global connectivity between all devices creates significant security concerns.

IoT (e.g., physical security systems, lights, appliances, as well as heating and air conditioning systems) exposes companies all over the world to more security threats.

According to Robert Bigman, former CISO at the Central Intelligence Agency (CIA), IoT devices that manage personal health and safety systems will become the next ransomware gold mine. As they have for the Bring-Your-Own-Device (BYOD) phenomenon, businesses need to adapt their risk management practices and broaden the scope of risk assessments to include all connected devices. If an employee’s smartwatch can be leveraged to spy on corporate Wi-Fi passwords, the watch suddenly falls into the scope of an organization’s risk assessment. In this context, one of the leading challenges for organizations will be how to store, track, analyze, and make sense of the vast amounts of data generated by including IoT in the cyber risk assessment process. Emerging cyber risk management technologies can assist here.

To complicate matters, the development of IoT products preceded the creation of a common security framework or standard. In the case of many IoT products, security is an afterthought. The only reasonable solution to address the lack of security in IoT devices is for new standards and government regulations to be established that require the use of trusted networks and operating systems. Until then, enterprises should ensure that the IoT devices they deploy conform at least to standards-friendly hub-and-spoke networking protocols, which are less vulnerable to attacks. In addition, organizations might want to consider expanding their penetration testing scope to include these exotic devices.

Microservices / Containers

According to a recent report by 451 Research, nearly 45% of enterprises have either already implemented or plan to roll out microservices architectures or container-based applications over the next 12 months. This number confirms the hype surrounding these emerging technologies, which are meant to simplify the life of application developers and DevOps teams. Microservices are leveraged to functionally break down larger applications into smaller, distinct services, while containers in this context are viewed as a natural compute platform for microservices architectures.

Typically, each service serves a specific purpose and provides a set of functions, and the different services interact to make up the entire application. Mid-sized applications consist of between 15 and 25 services. In turn, the physical characteristics of these microservices-based applications are significantly different from their multi-tier predecessors. Breaking down traditional applications into a larger number of microservices instances naturally expands the attack surface, as the application is no longer concentrated in a few isolated servers. In addition, containers can be spun up or turned down in a matter of seconds, making it almost impossible to track all these changes manually.

The introduction of microservices-based applications requires a rethinking of security assumptions and practices, with a special emphasis on monitoring inter-services communications, micro-segmentation, and encryption of data at rest and in transit. 

Ultimately, organizations should not and cannot shy away from leveraging emerging technologies that increase business efficiency and contribute to the organization’s overall success. However, security practitioners have to apply a more holistic approach to enterprise risk management. This means not only taking a broader approach to vendor risk management, but also collecting security data from this new attack surface. Since most IoT devices and microservices lack adequate security frameworks or tools to monitor and detect security gaps, traditional methods such as penetration testing should be reconsidered despite their hefty price tag.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
