2021 Top Enterprise IT Trends
We’ve identified the key trends that are poised to impact the IT landscape in 2021. Find out why they’re important and how they will affect you today!
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database: CVE-2021-22114, published 2021-03-01
Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability that can be achieved using a specially crafted zip archive (other archive formats are affected as well: bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. So …
Prototype pollution vulnerability in ‘object-collider’ versions 1.0.0 through 1.0.3 allows an attacker to cause a denial of service and may lead to remote code execution.
The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, and from version 4.1.0 before 4.1.2 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.
A user authorized to perform a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.6; MongoDB Server v3.6 versions prior to 3.6.11.
An improper binary stream data handling issue was found in the [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. Using this bug, an attacker is able to produce a denial of service attack that can eventually shut down the target server.
In looking at how to do application security right, we talk about the difference between defining the types of security testing and the goals that security testing should be aiming for. We also highlight how doing security right means shifting left, addressing security issues in the design phase. Throughout all of this runs the importance of being able to communicate security principles and explain how your design and testing reduce risk.
Register for the DevSecOps eSummit, for which Ted will be a panelist.
Despite this point being dead-obvious today, I want to present a few arguments to further support it — it will be clear why in the end…
We need humans because the attackers are humans, with their own creativity, irrationality, weirdness, etc. As one vendor once said, “you have an adversary problem, not a malware problem.” We need to hunt and not rely solely on automated systems for things like detection — hence humans are a must. This side of the argument boils down to “we need humans because the attackers are [also human].” It is further reinforced by the familiar “why robots suck for security” arguments and all that.
So good automation is a “force multiplier,” not a force replacer. Admittedly, some tasks — like data enrichment — are better done by machines, and humans can — and should — be rid of them. The point is to remove some tasks from humans, not to remove the humans from the SOC [entirely].
Furthermore, bad automation kills. This is due to a perennial problem that also plagues the use of ML/AI in security: garbage in — garbage out. The problem is compounded by the fact that today’s automation logic (whether for detection or remediation) is just not smart enough for the complex IT environment around it. So neither the data quality nor the algorithms measure up. All of this is true while “cybersecurity is the most intellectually demanding profession on the planet.”
ED209, the most famous “failure of security automation” from Robocop (1990)
So. Convinced? Sure. But let’s continue on our journey…
All the while, there are more and more voices calling for more automation. Their logic is also very understandable. We need automation because we need to scale better and go faster: we have too much data, too many alerts, signals, threats, etc. There is much to be said about the value of various forms of automation in security (in general) and in security operations (in particular).
However, as I said above, to keep the discussion sane we always remind ourselves that trying to take the humans out of the SOC is more or less insane.
Still with me? OK, but now you’d be somewhat surprised where our journey will suddenly turn…
Now, go and imagine the following scenarios:
You face an attacker in possession of a machine that can auto-generate reliable zero-day exploits and then use them (an upgraded version of what was the subject of the 2016 DARPA Grand Challenge)
You face attackers who use worms for everything, and these are not the dumb worms of 2003 but ones coded by the best of the best of the offensive “community”
Your threat assessment indicates that “your” attackers are adopting automation faster than you are, and the gap is widening (and the rate at which it widens is growing).
Would you still say the same? Would you still give the same advice? All these are very hypothetical in 2021, to be sure, but what about 2025? 2030? 2035?
Frankly, you can cheat and say “the middle way is the way: humans need to work with machines.” And things would feel nice for a moment, until you realize this is what chess players said sometime after their first rout in 1997. There was a concept of human+machine chess that looked really awesome in 1998–2015, but then was quickly and mercilessly killed by the improving neural networks. Naturally, one may counter that chess is mathematically solvable while information security is not (by a wide, wide, wide margin). Sure, this argument holds water …today.
Something I’ve always known about Tom Cruise is that he is a fake. Literally. He is a paid actor, who makes a living from being a fake. He is highly paid because apparently his fakes are so good. Now comes a stark warning that evidence has been found of Tom Cruise, the fake, being faked. … Continue reading: Tom Cruise is a Fake. For Real This Time.
The U.S. Department of Defense (DoD) recommends prime contractors and subcontractors in the Defense Industrial Base (DIB) prepare for Cybersecurity Maturity Model Certification (CMMC) requirements in contracts now even though no organizations are yet accredited to conduct official certification assessments.
Europe displaced Asia to emerge as the overall top attacking region of 2020. Plunging economies and financial hardship in Europe pushed a large number of desperate people towards fraud in order to make ends meet. The coronavirus pandemic has damaged the global economy and caused financial hardship to millions of people around the globe. People […]