The WannaCry ransomware that recently hit hundreds of thousands of machines across 150 countries is yet another reminder of the complex, large-scale threats that individuals and businesses face today in an increasingly digitalized world.
The ransomware, also known as WanaCrypt0r, leverages a hacking tool codenamed EternalBlue, which was stolen from the US National Security Agency. The tool exploits a known vulnerability in the Microsoft Windows Server Message Block (SMB) server, which is used for file sharing, to penetrate networks in different forms, including as an encrypted loading method that evades traditional antivirus software.
An increasing number of breaches happen at the application level, which has become the gateway to critical enterprise data. Attacks blend in with normal web traffic, streaming data feeds and chat sessions, and propagate through various methods, including malicious email attachments and phishing.
In a SANS Institute survey, 23% of respondents report applications as the source of breaches, attacks on others or sensitive data leaks, while 40% identify public-facing web apps as the top cause of breaches.
More worrying, as F5 Networks’ director of systems engineering Gary Newe pointed out, a typical worker today could spend the entire day using cloud-managed applications that are not behind the company firewall.
Barking up wrong layer
Yet businesses spend billions annually on firewalls, and the bulk of IT security budgets is spent on securing the network. Specifically, 90% of security budgets are channeled to the network perimeter, where only 25% of attacks occur. Further, only 10% of the security budget is used for user identity and applications, the target of 72% of attacks.
Separately, a Ponemon Institute survey of IT and IT security practitioners verified that the lack of visibility in the application layer is the main barrier to achieving a strong application security posture, and that the frequency and severity of attacks on the application layer are considered greater than at the network layer.
The average enterprise uses some 700 apps, which could live on-premises or in the private or public cloud as a service. The users accessing these apps from a myriad of mobile devices require authentication, blurring the traditional perimeter and making identity and access management more complex.
Hence, while security budgets have generally increased in tandem with the number and scale of threats, security investments must consider the growth in app breaches; the importance of user identity and access control; the need for visibility and contextual understanding of traffic and app behavior; and the benefits of partnering with a service provider to augment in-house security expertise. In other words, enterprises must protect applications and users to shield critical data from the guiles of cybercriminals.
Putting money where threats are
F5 Networks recommends four sequential steps to refocus the security budget and allocate security dollars wisely:
Step 1. Prioritize what needs to be protected: Assess the risk to the organization of the apps being used by employees, especially software-as-a-service (SaaS) and shadow IT apps. Identify critical web app vulnerabilities and identity sprawl that pose risk to the organization. This entails a manual process of interviewing business units, reviewing web filtering logs and reviewing legal contracts with SaaS providers.
Step 2. Align budget and threats: Ensure that the IT security budget does not miss the most critical vulnerabilities associated with applications and identity sprawl identified in Step 1. Identify and document areas of under- or over-spending.
Step 3. Communicate findings to senior management and the board: Explain the need to invest in areas of critical vulnerabilities that have been missed by the existing budget. Based on the trends and findings presented in this article, likely areas include identity and access management, application security management, and advanced firewall solutions. Present a cost-benefit analysis of recommended investments.
Step 4. Implement controls, and show how you are managing threats: Track and report to senior management how the allocated budget is being spent and the resulting outcomes. Total immunity to a cyber attack is still a pipe dream, so it is prudent to purchase cyber insurance and establish proper incident response to minimize damage should a breach occur.
The complexity and scale of the WannaCry ransomware show how the nature of security has changed. The IT organization may not be able to address all risks, but it’s time to modernize security and begin aligning security budgets with the new norm in a perimeter-less world.
This is a QuestexAsia feature commissioned by F5 Networks Asia Pacific.