Cybersecurity and the Pareto Principle: The Future of Zero-Day Preparedness

We’re excited to bring Transform 2022 back in person on July 19 and pretty much July 20-28. Join AI and data leaders for insightful conversations and exciting networking opportunities. Register today!

It is a 40th anniversary reunion sequel to the movie ‘War Games’. The scene kicks off as everyone gets ready for the Christmas holidays and a community of mischievous Minecraft players make an incredible discovery: a systemic software exploit in the open-source Java log library that’s embedded as a core component of most Internet workloads. The vulnerability is easy to exploit and allows remote code execution, confusing IT and security teams around the world. Rather than science fiction, this was the reality as thousands of security teams around the world worked through the holiday season to determine the extent of their reliance on Log4j and quickly patch together solutions for the initial disclosure and changes afterward.

Log4Shell taught us about enterprise security priorities and what “preparedness” will mean in the security industry in the future. Log4Shell provides a lesson in the optimal tooling that security teams should focus on, with teams struggling in key fundamental areas of security readiness and software asset management.

As the attack surface continues to grow, organizations must get better at prioritizing tools to zoom in on the entire asset fleet. The priority of security teams should not be to detect zero-days. Instead, a security team’s priority should be to establish the tools and governance needed to quickly understand their exposure to a new threat and organize a response.

The Pareto Principle in Cybersecurity

The Pareto principle states that about 80% of the consequences arise from 20% of the causes (notably different from the Pareto efficiency which describes an efficient allocation of preferences and resources). This applies to enterprise cybersecurity: the unsung 20% ​​of our tooling that delivers more than 80% of the value. This is, of course, software asset management.

Log4Shell was a ubiquitous problem in one of the most widely used open source libraries for years, and it still went unnoticed by the millions of hours spent sifting through code checks and traditional application security testing. It’s a good bet that there are other similar widespread vulnerabilities. The priority for your team and resources should be to be as prepared as possible to configure and respond to these undiscovered threats.

Software asset management provides teams with the strongest foundation to evaluate internal security risks from the past, present and future. The right software asset management tooling gives your team deep insights into your IT ecosystem, enabling organizations to gain unique insights into processes and quickly assess the applicability of new risks as they arise.

Finding zero-days is often left outside the security administrator’s job description, and for good reason. The focus should be on preparing for new critical vulnerabilities – and yes, that means detection, but more importantly, remediation. When evaluating your team’s resources and expertise, you want to optimize the speed and readiness to address these emerging CVEs.

Using Log4Shell as a case study, let’s further break through the security mindset gaps and re-emphasize the core mission of a security team in an enterprise organization.

The Future of Preparedness: Software Asset Management

Log4Shell was a wake-up call. The vulnerability has been undetected in an immensely ubiquitous open source tool for the past decade. For most teams, this was another lesson learned that the future of enterprise security should focus on optimizing for speed and visibility within your own fleet. With a software asset management solution at scale, an organization can move from behind to the forefront in dealing with emerging threats such as Log4Shell.

It’s a classic expression: you can’t protect what you don’t know. In the case of Log4Shell, the first few weeks exposed deep pain points around simple navigating through its own IT ecosystem. The right tool gives your team the scope of impact in a matter of minutes or hours rather than the days or weeks it took teams to inventory instances of Log4j in Java applications. It sounds simple enough – getting a list of all instances of Log4j or Java processes running on your laptops, servers, and containers – but we all know colleagues and organizations that have struggled (and perhaps still struggle) with that simple act of assessment.

Log4Shell highlighted these shortcomings in the current approach to enterprise security and encouraged us to go back to basics. A good organization knows its strengths and even better its limitations. As organizations grow and scale in assets, the best way to continuously secure your environment after the initial deployment is the speed with which you can deploy published fixes and upgrades. This is the main benefit of software asset management at scale, and the reason why this 20% of our tooling provides so many opportunities for teams. It removes the barrier to action and the barrier to understanding.

Mapping the castle grounds

There’s a good reason why software asset inventory and management is the second most important security control, according to the Centers for Internet Security’s (CIS) Critical Security Measures† It is “cyber hygiene essential” to know what software is running and to have immediate access to that up-to-date information. It’s like being a new master of arms for a local baron in the Middle Ages. Your first task would be to map out the castle grounds that you need to protect.

Simply put, don’t expect your organization to build unique, custom solutions for emerging security threats. You are not expected to find zero days or spend your internal budget looking for bugs for your licensed suppliers. Instead, enterprise security preparedness is tried, tested, and transparent (one of the key benefits of open source solutions), enabling security teams to act quickly when assessing risks and implementing fixes.

Software asset management becomes the first step and, if ignored, becomes the first roadblock to creating an agile and prepared security-first organization. In the first minutes and hours after Log4Shell’s unveiling, think about the time it took you to fully map the magnitude of the impact on your infrastructure. Expanding this further, are you sure there were no missed use cases and you really had a clear view of your processes? Did you have trouble finding uber .jar files or shaded .jar files?

The economics of good security

As we leave Log4Shell behind, let’s take these lessons learned with us for a more prepared future. Resource allocation by enterprise security teams needs to be more targeted as attackers become more sophisticated and continue to have what feels like limitless resources. The added value of clear visibility and real-time insights into your entire ecosystem becomes all the more important. Remember, the core job of the security team is to create a secure IT ecosystem, limit the exploitation of known vulnerabilities, and monitor for suspicious activity. With comprehensive software asset management, practitioners are empowered in their ability to monitor, patch, and strengthen assets.

This expanded visibility becomes the foundation on which teams build comprehensive security solutions. The application security market is expected to grow to: $12.9 billion by 2025, according to Forrester. This is holistically great for the security industry as we continue to put resources into researching vulnerabilities and mitigating them before they are exploited. However, from an individual organization’s perspective, it makes sense to focus resources on tools that will move the needle within their organization.

Consider the backlog of patches yet to be deployed in production or consider potential for remote cases missed when mapping Log4j. As attacks and attack surfaces continue to grow, organizations must get better at prioritizing their security tooling to create measurable results. It’s not the most illustrious subject, but the incredibly high value-add of software asset management empowers security teams in any function, especially as we look ahead to future emerging threats.

Jeremy Colvin is a product marketing analyst at uptycs

DataDecision makers

Welcome to the VentureBeat Community!

DataDecisionMakers is where experts, including the technical people who do data work, can share data-related insights and innovation.

If you want to read about the very latest ideas and up-to-date information, best practices and the future of data and data technology, join us at DataDecisionMakers.

You might even consider contributing an article yourself!

Read more from DataDecisionMakers

Leave a Reply

Your email address will not be published.