It’s About Time
42:54. Minutes and seconds. That’s how fast the average ransomware variant encrypts 100,000 files and locks out a user.
04:09. That’s the few minutes and seconds Lockbit could take to encrypt 53 GB of data.
Take a look at the cyber threat maps at FireEye, Checkpoint, and Digital Attack Map for views of current cyber-attacks across the world. While it’s impossible to get real-time insight into all attacks, the amount and speed of known attacks is startling, if not downright mind boggling.
Keeping in mind the rapid loss of the traditional network perimeter due to the proliferation of technologies such as mobile apps, APIs, and microservices, Microsoft’s article on Zero Trust states: “Nearly every developed application, by design, will be accessed from outside the network perimeter.”
InfoSec and AppSec (different, necessary, and complementary areas) are caught in a mesh of ever-growing needs: building useful, beautiful, and secure applications; refining the SDLC (Software Development Life Cycle); supporting and driving business goals; securing customer and corporate data and the pipes that carry them (networks and APIs); and securing endpoints – all the while maintaining, managing, forecasting, and updating the infrastructure with (very likely) limited personnel.
Automated Actions
Personnel need to be trained in proper software development, a risk program needs to be developed and adhered to, and resources need to be allocated to all stakeholders; but the view from inside a company is different than the view from outside. From the inside, there are projects and tasks to complete, checklists to fill out, audits to perform, training, email phishing campaigns, and innumerable other items to fulfill compliance and regulatory requirements.
From the outside, there are public-facing endpoints being bombarded by threat actors who use easily accessed automated tools and are seeking for that one weak point that will give them access to the whole network. Criminals have a budget, and they will search for the greatest ROI in their attacks. But they have no qualms, no policies, no barriers except what the defenders have in place.
It’s kind of like the difference between MMA (Mixed Martial Arts) and a street fight; in a street fight, there are no rules, no ring, and no referee. Threat actors use street fighting or guerilla war tactics. Data defenders need all the help available when securing assets, and perhaps the best leverage for balancing resources and effectiveness is automation.
A Way Forward
Don’t be dissuaded by the implications of automation. People can be incredibly talented, but certain jobs depend on performing simple tasks repeatedly and quickly. With what’s available today, in some cases, moving the simple data/information/knowledge tasks to automated technology actually frees employees to advance in their careers, with the commensurate need to stay up on the latest technology, concepts, and ideas. Think of the DIKW model (Data, Information, Knowledge, Wisdom), with automation taking more DIK jobs, and people remaining an evergreen necessity for the W tier. Harvard Business Review says:
“The more computers are trained to conduct high-repetitive tasks that are often assigned to entry-level employees, the more roles focused on complex tasks with competitive salaries will arise in their place.” So don’t fear – people are needed more than ever!
For application creators, there’s no possible way for individuals to manually develop, perform all the testing (SAST, DAST, RASP, IAST), remediate the issues, handle the CI/CD pipeline, maintain the inventory, and so forth. For defenders, there’s no amount of manual work that can effectively and efficiently implement the necessary security controls, and no amount of manual intervention that can detect, investigate, respond, and triage so many attacks.
Who likes to work more hours? The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) noticed “…an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021.” Darktrace estimates that ransomware encryption occurs 76% of the time on the weekend. Have the occurrences increased? FireEye says yes, increasing 860% since 2017.
Application professionals like their sleep. Criminals know this and take advantage of it. What can be done?
Because there is so much work to do, automating as many security tasks as possible – whether during development or after deployment – makes sense. Automation is not an easy way out – it’s a necessary component of the way forward. There are plenty of automation tools available for pretty much anything you choose to do, and a large number of resources online to give guidance and ideas, so no one has to start from scratch.
Make sure that you don’t overlook API security as you look to deploy security automation tools. While the average number of APIs has increased drastically over the last couple of years, the number of API attacks has doubled that increase. A recent report shows API attack traffic has grown 681% in 2021, while overall API traffic grew 321%.
Tactics, Techniques, and Procedures For All
Businesses need ample personnel to make the right decisions about security, but there are tons of other tasks that can be done faster by computers. The implications of proper automation include (but aren’t limited to) faster and more secure deployments, increased uptime, and better management of resources. These improvements give those involved in security more time to make better decisions. Decisions have to be good because automation only makes a decision faster – a bad decision automated only becomes a quicker bad decision.
Attackers develop TTPs (Tactics, Techniques, and Procedures) and automate them – so should security and application professionals.
Ross Moore
Tags: API, Application Security, Automation, SDLC, TTPs