Cybersecurity and the Pareto Principle
Jeremy Colvin* looks at the future of zero-day preparedness
Imagine a sequel to the movie “WarGames”, made 40 years on.
The scene opens as everyone prepares for the Christmas break, and a community of mischievous Minecraft gamers makes an incredible discovery: a systemic, exploitable flaw in an open-source Java logging library that is a core component of most internet workloads.
The vulnerability is trivial to exploit and allows remote code execution, putting IT and security teams around the world in jeopardy.
Far from science fiction, this was the reality, as thousands of security teams worked through the holidays to determine the extent of their reliance on Log4j and to rush out fixes for the initial disclosure and its subsequent permutations.
Log4Shell taught us something about enterprise security priorities and about what it really means for the security industry to be “prepared” in advance.
It offers a lesson on which tools security teams should focus on, because many teams struggled in two key areas of preparedness: asset visibility and software asset management.
As attack surfaces continue to grow, organizations need to get better at prioritizing the tools that give them deep insight into their entire asset fleet.
The priority of a security team should not be to detect zero days.
Instead, the priority should be to put in place the tooling and governance needed to quickly understand exposure to a new threat and organize a response.
Pareto’s principle in cybersecurity
The Pareto principle states that roughly 80% of the consequences come from 20% of the causes (not to be confused with Pareto efficiency, which concerns the efficient allocation of resources and preferences).
It applies to enterprise cybersecurity as well: an under-appreciated 20% of our tools contributes more than 80% of the value.
That 20% is, of course, software asset management.
Log4Shell lurked for years in one of the most widely used open-source libraries, unnoticed through millions of hours of traditional code review and application security testing.
It is a safe bet that other, similar vulnerabilities exist.
The priority for your team and its resources should be to be as prepared as possible to assess and respond to these as-yet-undiscovered threats.
Software asset management gives teams the strongest foundation on which to assess past, present, and future internal security risk.
The right software asset management tools give your team in-depth insight into your IT ecosystem: what is installed and what is running, so that the applicability of a new risk can be assessed quickly as it emerges.
Finding zero days is usually outside the job description of the security practitioner, and for good reason.
The focus should be on preparing for new critical vulnerabilities, and yes, that means detection, but more importantly it means remediation.
When evaluating your team’s resources and experience, you want to optimize for the speed and readiness with which you can address emerging CVEs.
Using Log4Shell as a case study, we break down the gaps in the prevailing security mindset and re-emphasize the basics of running a security team in an enterprise.
The future of preparation: software asset management
Log4Shell was a wake-up call.
The vulnerability went unnoticed for the better part of a decade in an immensely widespread open-source library.
For most teams, it was another lesson that the future of enterprise security lies in optimizing speed and visibility within your own fleet.
With a scalable software asset management solution, an organization can go from playing catch-up to being ahead of the curve when an emerging threat such as Log4Shell lands.
It’s a classic phrase: you can’t protect what you don’t know you have.
In the case of Log4Shell, the first few weeks exposed deep pain points around the simple act of navigating the IT ecosystem itself.
The right tool tells your team the blast radius in minutes or hours, instead of the days or weeks it took many IT teams to inventory instances of Log4j in their Java applications.
It sounds simple enough: get a list of every instance of Log4j and every Java process running on your laptops, servers, and containers. Yet we all know colleagues and organizations who struggled (and perhaps still struggle) with this basic inventory task.
Log4Shell highlighted these flaws in the current approach to enterprise security and pushed us to get back to basics.
A good organization knows its strengths, and a better one knows its limitations.
As organizations grow and accumulate assets, the best way to keep protecting your environment after the initial deployment is to shorten the time it takes to roll out published fixes and updates.
This is the key advantage of scalable software asset management, and why this 20% of our tooling does so much to empower teams.
It removes both the barrier to action and the barrier to understanding.
Mapping the castle grounds
There is a good reason that inventory and control of software assets is the second of the Center for Internet Security (CIS) Critical Security Controls.
Knowing what software is running, and being able to retrieve that information instantly and up to date, is “essential cyber hygiene”.
Think of yourself as the newly appointed master-at-arms for a local baron in the Middle Ages.
Your first duty is to map the castle grounds you have to protect.
Simply put, the expectation should not be that your organization builds unique, bespoke solutions to every emerging security threat.
You are not expected to find zero days, or to spend your internal budget on bug fixes for your licensed vendors’ products.
Instead, good enterprise security preparedness rests on tried, tested, and transparent processes (one of the main advantages of open-source solutions), which let security teams move quickly from risk assessment to rolling out fixes.
Software asset management becomes the first step toward an agile, security-ready organization and, if ignored, the first hurdle.
Think back to the first minutes and hours after Log4Shell was disclosed: how long did it take to fully chart its impact on your infrastructure?
Going further, are you confident no use cases were missed and that you really had a clear picture of your running processes? Did you struggle to find uber JARs or shaded JARs?
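The inventory question above (every copy of Log4j, including the ones hidden inside uber JARs and shaded JARs) is concrete enough to show in code. The following is an added illustration, not code from the original article or from Uptycs. It walks a directory, opens each archive as a zip, reports archives that contain log4j-core's JndiLookup class, and recurses into JARs packed inside other JARs. The JndiLookup class path and the log4j-core pom.properties path are the real ones shipped in Maven-built log4j-core JARs; the “shaded” heuristic (a JndiLookup.class under a relocated package that still contains “log4j”) is an assumption about how shading tools typically rename packages, and the sample archives built by build_demo_tree() are constructed placeholder data, not real Log4j bytes.

```python
"""Inventory Log4j 2 across JAR files, including nested (uber) and shaded JARs.
Added illustration, not code from the original article or from Uptycs. Walks a
directory, opens each .jar/.war/.ear as a zip and reports archives holding
log4j-core's JndiLookup class, recursing into JARs embedded in other JARs."""
import io
import os
import tempfile
import zipfile

# Class implementing the JNDI lookup abused by Log4Shell (CVE-2021-44228).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped in log4j-core; its version= line names the release.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def _version_from_pom(zf, names):
    """Return the version= value from log4j-core's pom.properties, or None."""
    if POM_PROPS not in names:
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_zip_bytes(data, label):
    """Findings for one in-memory archive. match is "exact" for the unrelocated
    class path, "shaded" when only a JndiLookup.class under a ...log4j... package
    exists (assumption: shading relocates the package prefix, not the class name).
    Nested archives are scanned recursively with an "outer!inner" label."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inventory
    with zf:
        names = zf.namelist()
        version = _version_from_pom(zf, names)
        for name in names:
            if name == JNDI_LOOKUP:
                findings.append({"archive": label, "match": "exact", "version": version})
            elif name.endswith("/JndiLookup.class") and "log4j" in name:
                findings.append({"archive": label, "match": "shaded", "version": version})
            elif name.lower().endswith(ARCHIVE_SUFFIXES):  # uber JAR: JAR inside JAR
                findings.extend(scan_zip_bytes(zf.read(name), f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Scan every archive below root; labels are paths relative to root."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    results.extend(scan_zip_bytes(fh.read(), label))
    return results


def _zip_bytes(members):
    """In-memory zip from a {name: bytes} mapping (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_demo_tree(root):
    """Write four constructed sample archives (placeholder class bytes, not real
    Log4j) under root: plain dependency, uber JAR nesting it, shaded copy, clean."""
    core = _zip_bytes({JNDI_LOOKUP: b"\xca\xfe\xba\xbe",
                       POM_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\n"})
    shaded = "com/acme/shaded/org/apache/logging/log4j/core/lookup/JndiLookup.class"
    samples = {
        "lib/log4j-core-2.14.1.jar": core,
        "app.jar": _zip_bytes({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                               "BOOT-INF/lib/log4j-core-2.14.1.jar": core}),
        "shaded-app.jar": _zip_bytes({shaded: b"\xca\xfe\xba\xbe"}),
        "clean.jar": _zip_bytes({"com/acme/Main.class": b"\xca\xfe\xba\xbe"}),
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temp directory and return the findings."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    build_demo_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['archive']}: {f['match']} (version {f['version'] or 'unknown'})")
```

Run it with `python3 log4j_inventory.py` (assumed file name) to see the three hits: the plain dependency with its version, the same library nested inside app.jar reported as app.jar!BOOT-INF/lib/log4j-core-2.14.1.jar, and the shaded copy flagged without a version because relocation strips the Maven metadata path. Point scan_tree() at a real filesystem root to inventory a host; the file-level scan is the starting point, and pairing it with a list of running Java processes (their classpaths and any JARs they have open) closes the gap between “present on disk” and “actually loaded”.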
The economy of good security
As we leave Log4Shell behind, we should carry its lessons into a better-prepared future.
Enterprise security teams need to allocate resources more deliberately, as attackers grow more sophisticated and continue to enjoy what appear to be unlimited resources.
The value of clear visibility and real-time information about your entire ecosystem only grows.
Remember that the primary goals of the security team are to build a secure IT ecosystem, to mitigate exploitation of known vulnerabilities, and to monitor for suspicious activity.
With expanded software asset management, practitioners extend their ability to monitor, patch, and harden assets.
That expanded visibility becomes the foundation on which teams build comprehensive security programs.
According to Forrester, the application security market is expected to grow to $12.9 billion by 2025.
That is good news for the security industry, as we continue to invest in finding and mitigating vulnerabilities before they are exploited.
From an individual organization’s perspective, however, it makes sense to focus resources on the tools that will move the needle within that organization.
Think of the patches that are still waiting to be rolled out to production, or the edge cases that were missed in the Log4j mapping exercise.
As attacks and attack surfaces continue to grow, organizations need to get better at prioritizing security tools that produce measurable results.
It is not the most glamorous topic, but the outsized value of software asset management empowers the security team across all of its functions, especially as we look ahead to the next emerging threat.
* Jeremy Colvin is a technical product marketer at Uptycs and enjoys learning the bits and bytes of what makes good security.
This article first appeared on venturebeat.com.