
Thinking Beyond the Network Layer: Why the Entire Attack Surface Counts

As New Technologies Infiltrate the Enterprise, Security Practitioners Must Apply a More Holistic Approach to Enterprise Risk Management

For decades, organizations have focused their security efforts on network perimeter defense and how to secure servers, computers, and network equipment. However, in an interconnected world, a “hardware-defined” approach has lost its relevance. As organizations transition to software-defined networks, they need to look beyond the network layer to protect their expanding attack surface and consider: How is the perimeter-less attack surface rendering today’s enterprise security model ineffective? What steps can organizations take to keep up with evolving threats?

Organizations face an uphill battle when it comes to cyber security, since the attack surface they have to protect has expanded significantly and is expected to balloon even further. In the past, it was sufficient to focus on network and endpoint protection. Now, with applications, cloud services, and mobile devices (e.g., tablets, mobile phones, Bluetooth devices, and smart watches), organizations are battling a much broader attack surface.

This is confirmed by the Global Risk Management Survey, which revealed that 84% of cyber-attacks today target the application layer rather than the network layer. Organizations need to expand their coverage to include these new areas. However, there are two attack areas in particular that enterprise security professionals overlook, even though they represent a significant threat to the business and are increasingly being exploited by attackers: the Internet of Things (IoT) and microservices/containers.

Internet of Things

While politicians and security experts are constantly warning about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with IoT. They should. Global connectivity between all devices creates significant security concerns.

IoT (e.g., physical security systems, lights, appliances, as well as heating and air conditioning systems) exposes companies all over the world to more security threats.

According to Robert Bigman, former CISO at the Central Intelligence Agency (CIA), IoT devices that manage personal health and safety systems will become the next ransomware gold mine. As they did for the Bring-Your-Own-Device (BYOD) phenomenon, businesses need to adapt their risk management practices and broaden the scope of risk assessments to include all connected devices. If an employee’s smartwatch can be leveraged to capture corporate Wi-Fi passwords, the watch suddenly falls into the scope of an organization’s risk assessment. In this context, one of the leading challenges for organizations will be how to store, track, analyze, and make sense of the vast amounts of data generated by including IoT in the cyber risk assessment process. Emerging cyber risk management technologies can assist here.

To complicate matters, the development of IoT products preceded the creation of a common security framework or standard. In the case of many IoT products, security is an afterthought. The only reasonable solution to address the lack of security in IoT devices is for new standards and government regulations to be established that require the use of trusted networks and operating systems. Until then, enterprises should require that the IoT devices they deploy conform at least to standards-friendly hub-and-spoke networking protocols, in which each device talks only to a controlled hub or gateway rather than directly to its peers; this narrows the paths an attacker can use to reach a device or pivot from it. In addition, organizations should consider expanding their penetration testing scope to include these exotic devices.

Microservices / Containers

According to a recent report by 451 Research, nearly 45% of enterprises have either already implemented or plan to roll out microservices architectures or container-based applications over the next 12 months. This number confirms the hype surrounding these emerging technologies, which are meant to simplify the life of application developers and DevOps teams. Microservices are used to functionally break down larger applications into smaller, distinct services, and containers are viewed as the natural compute platform for microservices architectures.

Typically, each service performs a specific purpose to provide a set of functions, and the different services interact to make up the entire application. Mid-sized applications consist of between 15 and 25 services. As a result, the deployment characteristics of these microservices-based applications are significantly different from those of their multi-tier predecessors. Breaking down traditional applications into a larger number of microservice instances naturally expands the attack surface, as the application is no longer concentrated on a few isolated servers. In addition, containers can be spun up or torn down in a matter of seconds, making it almost impossible to track all these changes manually.

The introduction of microservices-based applications requires a rethinking of security assumptions and practices, with a special emphasis on monitoring inter-service communications, micro-segmentation (a default-deny allowlist of which service may talk to which), and encryption of data at rest and in transit.
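The following is an added example, not code from the article or from NopSec, of what "monitoring inter-service communications" and "micro-segmentation" look like in practice: a small audit that evaluates inter-service flow records against a default-deny allowlist and flags unexpected paths, plaintext connections, and services that nobody registered (the kind of short-lived container the text says cannot be tracked by hand). The service names, the policy, and the record format (`src dst port tls|plain`, as a sidecar or host-level flow collector might emit) are all constructed for the illustration.

```python
"""Audit inter-service flows against a micro-segmentation allowlist.

Added example, not part of the article. The service names, the policy and
the flow records are constructed; the record format is an assumption.
"""
from dataclasses import dataclass


# Constructed policy: (caller, callee, destination port) tuples that are
# permitted. Anything not listed is denied, which is the default-deny
# stance micro-segmentation relies on.
ALLOWED_FLOWS = {
    ("web-frontend", "order-api", 8443),
    ("order-api", "inventory-api", 8443),
    ("order-api", "payments-api", 8443),
    ("inventory-api", "inventory-db", 5432),
}

# Every service that appears in the policy is "known"; a container that
# shows up under any other name is a newcomer worth looking at.
KNOWN_SERVICES = {name for flow in ALLOWED_FLOWS for name in flow[:2]}

# Constructed sample records: "<src> <dst> <dst_port> <tls|plain>".
SAMPLE_FLOWS = """\
# caller        callee         port  transport
web-frontend    order-api      8443  tls
order-api       inventory-api  8443  tls
inventory-api   inventory-db   5432  tls
web-frontend    inventory-db   5432  tls
order-api       payments-api   8080  plain
debug-shell     inventory-db   5432  plain
""".splitlines()


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    tls: bool


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record into a Flow."""
    src, dst, port, transport = line.split()
    return Flow(src, dst, int(port), transport == "tls")


def evaluate(flow: Flow) -> list:
    """Return the policy findings for one flow; an empty list means clean."""
    findings = []
    if flow.src not in KNOWN_SERVICES or flow.dst not in KNOWN_SERVICES:
        findings.append("unknown service")
    if (flow.src, flow.dst, flow.port) not in ALLOWED_FLOWS:
        findings.append("unexpected path")
    if not flow.tls:
        findings.append("plaintext")  # data in transit must be encrypted
    return findings


def audit(lines) -> dict:
    """Evaluate every record; return {record: findings} for offenders only."""
    report = {}
    for raw in lines:
        line = " ".join(raw.split())  # normalise whitespace, keep content
        if not line or line.startswith("#"):
            continue
        findings = evaluate(parse_flow(line))
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for record, findings in audit(SAMPLE_FLOWS).items():
        print(f"{record:45s} -> {', '.join(findings)}")
```

Run as a script it lists the three offending records: the front end reaching the database directly, a call to the payments service on an unapproved port without TLS, and a `debug-shell` container that is not in the policy at all. The point of the default-deny shape is that the last case is caught without anyone having to notice the new container first.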

Ultimately, organizations should not and cannot shy away from leveraging emerging technologies that increase business efficiency and contribute to the organization’s overall success. However, security practitioners have to apply a more holistic approach to enterprise risk management. This means not only taking a broader approach to vendor risk management, but also collecting security data from this new attack surface. Since most IoT devices and microservices lack adequate security frameworks or tools to monitor and detect security gaps, traditional methods such as penetration testing should be reconsidered despite their hefty price tag.

Torsten George is strategic advisory board member at vulnerability risk management software vendor, NopSec. Torsten has more than 20 years of global information security experience. He is a frequent speaker on cyber security and risk management strategies worldwide and regularly provides commentary and byline articles for media outlets, covering topics such as data breaches, incident response best practices, and cyber security strategies. Torsten has held executive level positions with RiskSense, RiskVision (formerly Agiliance), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell). He holds a Doctorate in Economics and a Diplom-Kaufmann degree.