
Cybercrime And Agile Development, Organizations Must Keep Pace

By John Maddison | August 28, 2018

Organizations are accelerating the adoption of agile development strategies as they respond to the demands of the new digital marketplace. The need to continually update and refine end-user applications, the development of internal tools to more effectively mine for critical information in Big Data environments—especially those that span multiple network ecosystems—and the rapid adoption of new technologies, such as IoT or OT-based devices, have spawned a more flexible, iterative approach to both software and hardware development.

This approach introduces a critical challenge from a security perspective. Applications and other solutions that have access to critical resources are constantly in flux, often being updated as frequently as every 2 to 4 weeks. The rate at which organizations are introducing these updates, especially those that separate engineering teams sometimes implement in isolation, raises the potential for the introduction of critical vulnerabilities. Unfortunately, few organizations have implemented a parallel testing and validation process to provide comprehensive and ongoing analysis to detect and root out those vulnerabilities.

This approach is especially concerning as development teams add more and more automation to these solutions. Continually applying updates in a complex production environment that is, itself, undergoing regular implementation and realignment of resources due to digital transformation makes testing and validation increasingly difficult. Automating critical processes on top of that adds a layer of complexity that may be virtually impossible to secure.

Ironically, one unintended defense against these sorts of vulnerabilities is the rate at which organizations are introducing change: vulnerability windows may be measured in only weeks or days. However, cybercriminals are responding by adding automation to their malware so that it constantly monitors for and targets those vulnerabilities. In addition to techniques such as detection evasion, the latest threats now carry a wide variety of exploits that can be automatically updated using bidirectional communications between the attack and a controller. As these tools increasingly implement automation, the human-based controllers who currently need to direct each phase of an attack manually will be replaced by increasingly intelligent systems that can collect real-time intelligence from targets and then push updates to malware to exploit newly discovered vulnerabilities in near real-time.

To address these challenges, security teams need likewise to adopt a more agile approach that enables them to not only see and defend against attacks, but also to predict where attacks are most likely to occur. This sort of intelligent, iterative-based security strategy requires a defensive and prevention-based security infrastructure that can establish a baseline of normal behavior and then continuously monitor that environment to detect and inspect change, regardless of where it occurs. 

This approach cannot be achieved using traditional, point-based security solutions that function in near-isolation. It requires a comprehensively integrated strategy that spans all ecosystems, including highly mobile endpoint and IoT devices, remote offices connected through SD-WAN, and multi-cloud environments comprised of both infrastructure- and services-based solutions. Such an integrated, fabric-based approach is essential if security teams want to be able to track and monitor evolving applications and services as they span users, devices, and network segments. It is an essential requirement for any comprehensive, behavior-based analysis that has any chance of detecting and responding to the new threats that organizations may be inadvertently introducing through modern development and deployment strategies.

An integrated and automatically reactive security fabric is also the foundation for the next generation of intent-based security solutions that can combat today's increasingly sophisticated malware development community. Cybercriminals have already adopted an agile strategy that allows them to pick and plug together exploits and tools developed by different teams and made available in the darknet marketplace. Not only is cybercrime-as-a-service available to the less sophisticated attacker, but more advanced criminals are building flexible and adaptable crimeware, such as VPNFilter or Hide ‘N Seek, that can be automatically updated with new exploits and toolkits as they become available. And they can operate much more efficiently than their targets, as they are not bound by the same need to identify and close vulnerabilities.

To achieve this, security teams need to build identity-based security around several essential pillars. This starts with dynamic segmentation to isolate resources and detect malware moving laterally across a distributed network. Next, advanced access control needs to be tied not just to users and devices, but also to applications. It also needs to be combined with a trust-based component that can immediately revoke access when inappropriate or unexpected behaviors occur. Of course, this depends on real-time analytics that can not only see and monitor all devices and behaviors across the distributed network, but can also collect and correlate that data into a single, centralized system. And finally, it requires the ability to impose coordinated, real-time action against any anomalies.

This sort of automated response needs to go well beyond the ability of today's NGFW solutions to close down a port or shut off a traffic stream. In today's digital environments, such actions can have significant unintended consequences. Instead, security and networking solutions need to be able to coordinate a response that can also include dynamically re-segmenting a portion of the network, isolating and quarantining rogue devices, rerouting traffic away from sensitive or critical resources, and automatically imposing monitoring and intervention protocols that are aware of the implications of any actions they may take.
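The access-control and response pillars described above, as an added example that is not the article's or Fortinet's own code: a hypothetical policy engine that learns a baseline of (user, device, application, segment) events, ties each access decision to all three identities, erodes a per-user trust score on anomalies, and, once trust falls below a threshold, emits coordinated actions (revoke, quarantine the device, re-segment) rather than a bare port block. All names, penalties and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of "normal" access events (user, device, app, segment),
# standing in for the behavioral baseline the article says must be established.
BASELINE_EVENTS = [
    ("alice", "laptop-01", "crm", "seg-sales"),
    ("alice", "laptop-01", "mail", "seg-sales"),
    ("bob", "laptop-02", "billing", "seg-finance"),
]

class IdentityFabric:
    """Ties access to user, device and application, keeps a per-user trust
    score, and emits coordinated actions rather than a bare port block."""

    def __init__(self, baseline, revoke_below=0.5):
        self.devices = defaultdict(set)      # user -> devices seen in baseline
        self.apps = defaultdict(set)         # user -> apps seen in baseline
        self.segments = defaultdict(set)     # (user, app) -> segments seen
        for user, device, app, seg in baseline:
            self.devices[user].add(device)
            self.apps[user].add(app)
            self.segments[(user, app)].add(seg)
        self.trust = defaultdict(lambda: 1.0)  # hypothetical trust score, 1.0 = fully trusted
        self.revoked = set()
        self.revoke_below = revoke_below

    def evaluate(self, user, device, app, segment):
        """Return the decision, the trust score after this event and the actions taken."""
        if user in self.revoked:
            return {"decision": "deny", "trust": self.trust[user], "actions": [], "reasons": []}
        reasons = []  # (anomaly, penalty) pairs; penalties are constructed values
        if device not in self.devices[user]:
            reasons.append(("unknown_device", 0.3))
        if app not in self.apps[user]:
            reasons.append(("unexpected_app", 0.2))
        if segment not in self.segments[(user, app)]:
            reasons.append(("lateral_segment", 0.3))  # app reached from a segment never seen before
        penalty = sum(p for _, p in reasons)
        # Normal behavior slowly restores trust; anomalies erode it.
        self.trust[user] = min(1.0, self.trust[user] + 0.1) if not reasons else self.trust[user] - penalty
        if self.trust[user] < self.revoke_below:
            self.revoked.add(user)
            actions = ["revoke_access", f"quarantine_device:{device}", f"resegment:{segment}"]
            return {"decision": "deny", "trust": self.trust[user], "actions": actions, "reasons": reasons}
        if reasons:
            return {"decision": "allow_monitored", "trust": self.trust[user],
                    "actions": [f"step_up_monitoring:{user}"], "reasons": reasons}
        return {"decision": "allow", "trust": self.trust[user], "actions": [], "reasons": []}
```

A single unknown device only steps up monitoring; the same device then reaching an unfamiliar application from an unfamiliar segment crosses the threshold and triggers the coordinated response.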

Finally, such a fabric-based approach cannot be static. Like the agile software and infrastructure it is protecting, an integrated security framework needs to be able to adapt as the infrastructure it is protecting dynamically evolves. As organizations implement new cloud-based solutions, expand their distributed environment through the implementation of SD-WAN-based connectivity, and begin to interconnect with outside environments such as public infrastructures, security needs to be able to adapt automatically. This requires building a security strategy around open standards, interoperability, and solutions designed to run consistently and seamlessly across multiple network ecosystems, whether physical or virtual, and local or remote.

Digital transformation doesn’t just affect networks. Agile software and application development add a layer of abstraction and complexity that modern security tools are simply unable to secure—and that cybercriminals have demonstrated to be more than willing and able to exploit. It requires a radical rethinking of how and where security is deployed, including deep integration and automated adaptability and response, along with an awareness of the implications of any security actions taken so that protection doesn’t disrupt the immediacy that today’s digital marketplace requires.
