I’ve mentioned before how important strong risk management is to a CISO [1]. When it comes to risk, the applications our users depend on are a big concern. In a 2016 security survey [2] conducted by Ponemon Institute on behalf of F5, a majority of respondents cited security around applications as an area of great concern. It makes sense; applications are where we store our valuable data. When they go down, we can’t work.
We know applications are essential to business, but they are also hard to nail down. The same survey reported that the average organization has 1,175 applications. That is a lot of applications to keep track of, and a majority of respondents said they were not confident they knew where all of their apps were. Before you start gathering threat intelligence, you need to get a handle on where your applications are and which ones are most critical to your company’s business.
The next question is, how much do you really know about those applications? Many solutions are woven together from a multitude of smaller applications and services. Within these layers and subsystems, you find a lot of variability in implementation and security. This can lead to inconsistencies in authentication, logging, encryption, and availability. For example, a critical application might have a highly available web front-end linked via an encrypted link to a fragile database with poor audit logging. (I won’t even get into the difficulty of assessing the security of serverless apps.)
And, what about the internal robustness of the implementation? Applications change quickly in the age of DevOps. A programmer can push out a code change to a live system in seconds, but how secure is that? A majority of survey respondents expressed low confidence in secure development practices. As I mentioned in a previous blog post [3], DevOps, with proper testing, can be highly beneficial to application security. In mature SecDevOps environments, that means QA and security checks must be automated, relevant, and thorough.
Once you have some insight into the structure and implementation of your applications, you can analyze the risks associated with each of them. Start with the basics, such as the CIA triad of requirements for Confidentiality, Integrity, and Availability. Different users will have different priorities, which can lead you to some useful insights. For example, availability is important for most users. So when we think about availability of applications, especially SaaS applications like Office365 or Dropbox, we need to include network connectivity as a dependency. If your organization’s Internet connectivity goes down for any reason, productivity goes with it.
Even if you don’t have Internet-facing services, the threat a DDoS attack poses to application availability is something you need to consider. How do you keep an eye on DDoS attacks? It’s difficult, since on the Internet every attack is a surprise attack. There is a multitude of invisible enemies with the capability to attack instantly and then vanish. To inform our risk analyses, CISOs need up-to-date and relevant intelligence on these threats. If we know what our needs are, it becomes much easier to plug this intelligence into the gaps so we can make informed decisions.
So, how do you get threat intelligence? Certainly, there are plenty of threat feeds to purchase and they are wonderful resources. But, the first and most important bit of information you need to better defend your networks you already have. The basic truth is that most intrusions are based on known vulnerabilities.
Your vulnerability management team will keep up with vendor patches for all critical applications. As the CISO, you’re probably already monitoring the patch level across all your applications to make sure you’re keeping pace with expectations. However, there are more interesting pieces of information to tease out. For example, you can keep an eye out for unusually high patch churn. If an application is in constant need of security patches, perhaps it is not worth the burden on IT operations. You can also monitor the threat-to-remediation window for vital applications. When a new vulnerability is disclosed, take note of how long on average it takes the vendor to acknowledge it and respond with a fix. Again, a number higher than average or beyond your risk tolerance is an indicator that you may need additional controls around the application. Having intelligence feeds that tell you what exploits are currently active in your business vertical and what vulnerabilities they exploit can help you to prioritize what to patch first.
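The two metrics described above, patch churn and the threat-to-remediation window, are easy to compute from a vulnerability tracker's records. The following is an added example, not code from the original post; the application names, dates and tolerance thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    app: str
    disclosed: date           # date the vulnerability was disclosed
    fixed: Optional[date]     # date the vendor shipped a fix; None if still open


# Constructed sample records (hypothetical apps and dates, not survey data).
RECORDS = [
    PatchRecord("web-frontend", date(2017, 1, 3), date(2017, 1, 5)),
    PatchRecord("web-frontend", date(2017, 2, 10), date(2017, 2, 12)),
    PatchRecord("legacy-erp", date(2017, 1, 8), date(2017, 3, 1)),
    PatchRecord("legacy-erp", date(2017, 1, 20), date(2017, 2, 28)),
    PatchRecord("legacy-erp", date(2017, 2, 2), None),
    PatchRecord("legacy-erp", date(2017, 2, 14), date(2017, 3, 10)),
    PatchRecord("hr-portal", date(2017, 2, 1), date(2017, 2, 15)),
]


def patch_churn(records, app, since, until):
    """Number of security patches an app needed for vulnerabilities disclosed in [since, until]."""
    return sum(1 for r in records if r.app == app and since <= r.disclosed <= until)


def remediation_window(records, app, as_of):
    """Mean days from disclosure to vendor fix; still-open items count up to `as_of`."""
    days = [((r.fixed or as_of) - r.disclosed).days for r in records if r.app == app]
    return mean(days) if days else 0.0


def flag_apps(records, as_of, churn_limit, window_limit_days, since, until):
    """Apps that breach either tolerance, mapped to the reasons they were flagged."""
    flagged = {}
    for app in sorted({r.app for r in records}):
        reasons = []
        churn = patch_churn(records, app, since, until)
        window = remediation_window(records, app, as_of)
        if churn > churn_limit:
            reasons.append(f"patch churn {churn} exceeds {churn_limit}")
        if window > window_limit_days:
            reasons.append(f"remediation window {window:.1f}d exceeds {window_limit_days}d")
        if reasons:
            flagged[app] = reasons
    return flagged
```

Feeding real tracker exports into `RECORDS` and running `flag_apps` on a schedule gives a per-application list of candidates for extra compensating controls.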
More than half of survey respondents cited lack of visibility into their applications as a problem that impedes security. When looking for visibility in a complex application, it’s essential to decompose its components. This means looking at the inputs and outputs, internal interfaces, the differing zones over which application communication is conducted, and the artifacts the application leaves behind. The biggest factor is external dependencies in the application, but all of these things can point to places where you can seek out additional intelligence. For example, when DynDNS was a victim of a massive DDoS attack in late 2016, nearly 70 other major services went down because they hosted their DNS on Dyn. Another example works in the opposite direction: many SaaS applications require organizational credentials for authentication. Gathering intelligence on what is happening with your internal credentials is something you definitely want to do. Anywhere an application goes outside of your organizational control is a place you should watch.
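Decomposing an application into its dependencies, as described above, can be modelled as a graph so that the places outside your organizational control are found mechanically rather than by hand. This is an added example, not code from the original post; the dependency graph is constructed, with nodes prefixed `ext:` standing for hypothetical external services.

```python
from collections import defaultdict

# Constructed dependency graph (hypothetical names). Each node maps to what it
# relies on directly; "ext:" nodes are services outside organizational control.
GRAPH = {
    "customer-portal": {"web-tier", "ext:dns-host", "ext:corp-sso"},
    "web-tier":        {"app-db", "ext:cdn-provider"},
    "billing":         {"app-db", "ext:corp-sso", "ext:payment-gateway"},
    "app-db":          set(),
    "hr-portal":       {"ext:hr-saas", "ext:corp-sso"},
    "internal-wiki":   {"ext:corp-sso"},
}


def transitive_deps(graph, node, seen=None):
    """All nodes reachable from `node`, following dependency edges."""
    seen = set() if seen is None else seen
    for dep in graph.get(node, ()):
        if dep not in seen:
            seen.add(dep)
            transitive_deps(graph, dep, seen)
    return seen


def top_level_apps(graph):
    """Nodes nothing else depends on: the applications users actually see."""
    depended_on = {d for deps in graph.values() for d in deps}
    return sorted(n for n in graph if n not in depended_on)


def blast_radius(graph, failed):
    """Applications that lose a dependency (directly or transitively) if `failed` goes down."""
    return [a for a in top_level_apps(graph) if failed in transitive_deps(graph, a)]


def watch_list(graph):
    """External services ranked by how many applications they can take down."""
    users = defaultdict(list)
    for app in top_level_apps(graph):
        for dep in transitive_deps(graph, app):
            if dep.startswith("ext:"):
                users[dep].append(app)
    return sorted(((dep, apps) for dep, apps in users.items()),
                  key=lambda item: (-len(item[1]), item[0]))
```

The top entries of `watch_list` are the shared external dependencies, the DNS host or identity provider in this constructed graph, where one outage or credential compromise reaches the most applications.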
Some of the timeliest threat intelligence comes from outside your organization. What new attacks against applications are emerging? What new industry sectors are being targeted? What specific SaaS services are falling under siege? What kinds of infrastructure or technologies have been found to have serious vulnerabilities? There is a lot of threat intelligence out there, perhaps too much for a CISO to manage. Yet, by adopting a risk-centric approach, knowing your critical applications, and studying their major components, you can more easily fill in the blanks with that outside threat intelligence to give you a clearer, more complete picture.