Full stack technology needs full stack security
In the race to digital transformation, more and more organizations are turning to new technologies and serverless architecture to accelerate productivity. This in turn expands the technology stack from traditional data centers to virtualized infrastructure, containerized and open source software, and a new range of connected devices dubbed “the Internet of Things” (IoT). But the proliferation comes at a cost - the virtual playground of new technologies is providing hackers with a myriad of opportunities to disrupt business and gain unauthorized access.
According to our latest survey of IT security professionals at the RSA Conference, 25% of organizations said they are most concerned about the security of their cloud infrastructure and applications, 23% are most concerned about their IoT devices, 20% about their mobile devices, while 15% are concerned about their web applications, and 13% about their data assets, databases and file shares. IT security pros are less concern about their owned infrastructure and data centers, with only 5% saying they were least secure.
Their concerns are well-founded. As key assets and data are becoming more distributed, their attack surface is expanding. Hackers now have more ways to gain access, build footholds and move laterally within an organization’s system. It’s no longer enough for security teams to seek out and mitigate vulnerabilities in the infrastructure independently from applications, cloud network and other connecting technologies. To protect your organization, gaining complete visibility of cyber security exposure across your technology stack and understanding the correlated risks will become a pre-requisite.
Security teams are held back by lack of resources and skills
With added responsibilities to safeguard an ever-expanding technology stack, IT security pros are finding a new definition of perimeter, and expected to keep current with the latest cloud infrastructure and data being stored everywhere. But more often than not, organizations are not preparing their security teams with the skills and resource required to cope with the new pressure.
In our RSA report, over 40% of the IT security pros surveyed admit to ignoring critical security issues when they don’t know how to fix them (16%) or don’t have the time to address them (26%).
An interesting example is the rise of agile software development and accelerated pace of “agility” to release application software continuously. IT security pros struggle to keep up with the pace, while at the same time being asked to “shift left” in the DevOps process and introduce security practices earlier in the Software Development Life Cycle (SDLC). An earlier focus on security is expected to yield results in reducing the attack surface and associated business risk.
To make things worse, the cyber security skills shortage is well documented and remained one of the biggest problems for CISOs. IT security pros are firefighting with increasing amount of security incidents and less time for training, process improvement and security strategy. No wonder only 17% of organizations surveyed in our report take the time to prioritize remediation based on business need.
How to keep up with digital transformation
Security often gets lost in the buzz (and speed) of digital transformation. As more high-profile data breaches are coming to light, so is new regulation with huge ramifications and penalties. Organizations must start consolidating their security technologies, automating the cyber security assessment process and upskilling their staff to ensure long term success.
Understand the weak points in your stack
Security testing is the first step in establishing a baseline view of your cyber security exposure. It is important to test your networks, cloud infrastructures, related applications data stores and user access proactively. Penetration testing can be an excellent way to get a holistic overview of the cyber security exposure across part or all of an organization’s assets as well as expose threats within systems that may have gone unnoticed. Our study found that organizations use penetration testers, 46 percent had uncovered critical issues that could have put their business at risk.
Automate and orchestrate your security process
Once a baseline is established, use automated assessments and notifications to complement manual penetration testing to reach a goal of continuously monitoring. Hackers use automation techniques as well to increase the pace of their attacks, so security automation is an essential element to keep up. In an age when cybercrime is rife, simply patching and hardening their systems once or twice a year leaves a big window for attack. Many attacks leverage known vulnerabilities that could have been prevented with simple patching. As the attack surface widens security leaders should orchestrate remediation efforts based on risk levels to prioritize workload and maximize efficiency.
Avoid security testing fails by taking the next step
Sadly, security testing often ends with a report being delivered, but without reaping the full benefits. Remediation action should be taken as close to the time of assessment as possible. Penetration tests are sometimes done out of habit or to show compliance, while the benefits of distributing actions and shrinking the attack surface go unfulfilled.
To maximize the value of penetration testing investment, changing the way you work with the penetration testers and the setup of projects can make a tremendous difference. We’ve seen great success by providing our clients with extended access to our security experts after the pen test. This allows organizations more time for security advice and verification of patching and remediation efforts. These are extremely useful to guide organizations with less security-savvy through the process.
It is key that organizations take time to understand the potential risk of cyber security exposure found in their environment and address the findings from both a business and technical perspective. By engaging the penetration testers post-test, senior management will also have a better understanding of the risks and be able to make better decisions on the strategy for remediation; and security team will get a better idea of the different solutions available to address the security issues.
Security testing is one of the key to uncover your risk exposure. If you want to know more about our survey, download the full report. If you want to perform a penetration test on your technology stack, our experts team is available to help you discover your weaknesses and reduce your risk exposure.