When the adversarial view of the attack surface is missing, DX becomes riskier

Digital transformation (DX) has become a competitive imperative in most industries. Organizations that fail to make this shift successfully – or in a timely fashion – are at grave risk of falling behind their competitors.

Yet a change of this magnitude requires diligent preparation and careful execution. Cybersecurity is one area that is often overlooked in the race to transform, and the consequences of this omission can be ruinous, both financially and reputationally.

As these initiatives have been fast-tracked, security standards have sometimes fallen by the wayside. A surprising 82% of IT leaders told the Ponemon Institute that their digital transformation initiatives were responsible for at least one data breach. One reason for this is that digital transformation has lots of uncontrolled change. Roughly 63% of IT leaders told the Ponemon Institute that they are not confident in their ability to operate securely in such contexts.

While an 82% breach rate may be understandable to some degree given the complexity of such large-scale shifts, it is also unacceptably risky. Even the most innovative processes and technologies don’t mean much if a company cannot protect its business-critical assets.

The seven key challenges when pursuing digital transformation

Let’s take a closer look at some of the key challenges that security organizations face when navigating this transformation:

• There is an increase in complexity and scale of environment. Hybrid multi-cloud creates heightened complexity. Add to this the dynamic nature of cloud computing and the amount of fast-paced change needed to execute the strategy, and it becomes very problematic for security teams to manage as the attack surface is in a state of constant flux.
• The traditional policy-based model of security does not extend easily to the cloud. Using a compliance-based, box-ticking approach and relying on manual processes to manage policy is suboptimal in a dynamic environment. Compliance has not been an effective benchmark in traditional environments, and it is unlikely to be so in a dynamic environment.
• Defenders struggle to deal with the rapid, uncontrolled pace of change associated with digitalization. A CISO may raise concerns and be dismissed as an impediment to timely progress when highlighting legitimate concerns.
• Security posture confidence is often driven by vendors like AWS and Azure who use native tools to provide a “security posture score.” Look carefully: The reality is that they are aligning configuration to policy standards – the onus of managing the configurations, controls and policies still falls on the end user.
• Operational security processes become split as separate processes are often set up to manage cloud environments, thus fragmenting the security of organizations. Split processes will really struggle to understand lateral movement. The attackers don’t care about the different environments; they are simply thinking in terms of compromising critical assets wherever they are.
• Traditional penetration testing and red teaming will not scale to meet the modern needs of an organization. The approach lacks a continuous and comprehensive understanding of the attack surface, so can never adequately scale to meet the needs of a dynamic cloud environment.
• The adversarial view is missing. Defenders lack insight into the ways that cloud environments can be compromised, as well as the mechanics and risks of lateral movement.

How attackers exploit these challenges

Attackers don’t think in terms of compliance and controls. They will use all the available technical weaknesses, as they become available, to exploit critical assets. As processes fail or security tools become badly configured, attackers seize the opportunity to take the next step on the journey towards critical assets. Traditional approaches based on compliance and policy management are the perfect scenario for attackers, who wait patiently for a process to become deficient and a control to be misconfigured.

There are many technical weaknesses that attackers can compromise within cloud environments, including:

• Unpatched servers
• Remote access
• Misconfigurations
• Insufficient credential, access and key management
• Open ports
• Overly permissive access rights
• Lack of multi-factor authentication
• Insecure storage containers
• Insecure APIs
• Inadequate change control

This lends itself to a wide range of attack techniques:

• Account hijacking
• Credential theft
• Credential stuffing
• Server-side request forgery
• Brute force
• Insider threat
• Ransomware
• SQL injections
• Cross site scripting
• Wrapping attacks
• Inside-out attacks

Organizations need to get back to basics and start thinking like an attacker to answer the fundamental questions, “How can I be attacked?” and “What can I do to prevent this?” These just happen to be very hard questions to answer in the context of hybrid environments without automation.

It is therefore imperative that organizations have a continuous view of how all the technical weaknesses chain together to allow exposure of the critical assets, and what opportunities are available for attackers to move laterally between environments. A silo-based approach managing individual technical weaknesses can never achieve this.

Why attack-centric exposure prioritization de-risks digital transformation

To avoid the scenarios outlined above, it is important to make cybersecurity a key lens from which to view almost all aspects of a digital transformation. CISOs must ensure that the security perspective is embedded within every part of the transformation process; organizational decision-makers must provide sufficient resources to support a secure and successful transformation and not view the CISO as a blocking agent, slowing down progress.

Part of this support includes choosing the right software tools to help manage cybersecurity during this transition – tools that provide the adversarial perspective on a continuous basis. This attacker’s perspective then needs to be wrapped into operational processes so that as the (proverbial) windows and doors become open, they are quickly closed before an attacker can exploit the gap.

An attack-path management platform provides continuous and safe attack simulation of the entire hybrid environment. It highlights all exploitable attack paths across the hybrid environment and highlights lateral movement opportunities between cloud and traditional environments.

Such platforms also provide the necessary insight to drive cost-effective, prioritized risk mitigation. Adversarial-focused risk reporting for corporate boards helps provide much needed quantification, resolving the disconnect that is sometimes present between CISOs and the business side of the organization.

Finally, the right platform will include integration with the operational and technology ecosystem so that detect and response processes have the attacker’s context. Before the attack path is closed down, it needs to be monitored!

Integrating these tools will ultimately provide better control over the true risk of compromise within hybrid environments and enable a more proactive approach, allowing security teams to close exposures as they appear.

Red team effectiveness will increase due to the expanding capacity and coverage, and security operations will improve because of the reduced detection and response times.

The takeaway

Ultimately, successful digital transformation requires buy-in from leaders and their teams, support from the C-suite, and a careful and well-thought-out plan. Having the adversarial perspective of the hybrid environment empowers business leaders to understand and manage exploitable risks. This provides them with the confidence to accelerate transformation and gives security teams the insight needed to dramatically reduce the chances of compromise.