As computing becomes more distributed in pursuit of optimization and efficiency, the threats posed by cyberattackers are bound to become more sophisticated. Here are some steps organizations should take in 2021 to mitigate such sophisticated security threats.
Start with developing a threat model
How can security teams get in front of business needs and reduce the threat landscape when the business is moving faster? Threat modeling is one of the most important things security staff can do with a business as it looks to roll out new services. Application threat modeling in particular is very valuable but not well understood. It builds a deep understanding of how an application works, where all of its entry points and endpoints are, and the different ways it can be used. It becomes more exploratory when examining potential attack vectors and determining where the application can really be abused. Looking at the model from a fraud perspective, in addition to security, is something a lot of organizations can benefit from in 2021. If you’re a security team and you’re not doing threat modeling exercises with your development teams today, we recommend looking into it. It can deliver great benefits by teaching your development teams to explore the unintended ways that software can be abused.
Unknown vulnerabilities – preparing for threats you don’t know about
How do you hunt for unknown vulnerabilities in 2021? Many teams deploy SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) tools to look for vulnerabilities in their own software code. While this is an important part of security in the SDLC (software development lifecycle), it often misses a significant portion of the third-party libraries and dependencies that applications are built on, and it typically fails to identify “zero-day” vulnerabilities. Instead, look to adopt a positive security model that focuses on “this is how we expect the software to behave”. This then enables you to say “we allow all the things we do expect and don’t allow anything we don’t expect”.
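The positive security model described above, as an added example that is not from the original article: every request must match an explicit description of what the application expects (endpoint, parameter names and shapes, body fields and types), and anything outside that description is denied, regardless of whether a signature for it exists. The booking API, its endpoints and the sample requests are constructed for illustration.

```python
import re

# Constructed allowlist for a hypothetical booking API (assumption, not from the article).
# Describes what we EXPECT; everything else is rejected by default.
EXPECTED_ENDPOINTS = {
    ("GET", "/api/slots"): {
        "query": {"date": r"\d{4}-\d{2}-\d{2}", "trainer_id": r"[0-9]{1,6}"},
        "body": {},
    },
    ("POST", "/api/bookings"): {
        "query": {},
        "body": {"slot_id": int, "user_id": int},
    },
}


def validate_request(method: str, path: str, query: dict, body: dict) -> tuple:
    """Return (allowed, reason). Anything not explicitly described is denied."""
    spec = EXPECTED_ENDPOINTS.get((method.upper(), path))
    if spec is None:
        return False, f"unexpected endpoint {method} {path}"
    # Every query parameter must be known and match its expected shape exactly.
    for name, value in query.items():
        pattern = spec["query"].get(name)
        if pattern is None:
            return False, f"unexpected query parameter {name!r}"
        if not re.fullmatch(pattern, value):
            return False, f"query parameter {name!r} has unexpected shape"
    # Every body field must be known and of the expected type; extras are denied
    # (this is what stops an unforeseen field from reaching the application logic).
    for name, value in body.items():
        expected_type = spec["body"].get(name)
        if expected_type is None:
            return False, f"unexpected body field {name!r}"
        if type(value) is not expected_type:
            return False, f"body field {name!r} has unexpected type"
    missing = set(spec["body"]) - set(body)
    if missing:
        return False, f"missing body fields {sorted(missing)}"
    return True, "matches expected behaviour"


if __name__ == "__main__":
    samples = [  # constructed requests: one expected, three that fall outside the model
        ("GET", "/api/slots", {"date": "2021-01-15"}, {}),
        ("GET", "/api/slots", {"date": "tomorrow"}, {}),
        ("POST", "/api/bookings", {}, {"slot_id": 7, "user_id": 42, "is_admin": True}),
        ("DELETE", "/api/bookings", {}, {}),
    ]
    for s in samples:
        print(s[0], s[1], validate_request(*s))
```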
Automated attacks and fraud
Today, the vast majority of cyberattacks are automated. Bots have become a bigger nuisance to nearly every organization out there, and this isn’t expected to change in 2021. Even people who didn’t think they had a bot problem quickly realized that they did. The best example is that of someone going online to book a slot to see a trainer or get into a yoga studio and seeing that every single coveted time slot is automatically taken – oftentimes it’s bots doing that and even yoga studios realized they had a bot problem.
Additionally, we’re seeing more businesses built on collecting and aggregating scraped data, and bots are an integral part of that model. These aren’t always legitimate businesses, though – they operate in more of a gray area. In these instances, we’re seeing a greater proliferation of what we call “parasitic bots” – they latch onto an existing business, scrape off the work you’re doing in terms of aggregating information, and use that information to build their own business models on top of it. For example, most technical users will look to sources like StackOverflow to find answers to common issues. In the past several years, there has been a staggering increase in the number of sites that host and monetize scraped versions of this data with no additional value added. We anticipate that the number of businesses leeching onto other businesses will increase sharply in 2021 and will be a challenge for many organizations to deal with.
We also expect to see an increase in fraud, considering the amount of PII that’s out there and the number of data breaches that have already happened. To fight this, it will be critically important for organizations to thoroughly understand the behavior of their clients – what users are doing with your applications, what data they are touching, how they are accessing the applications, and so on. In many cases, people are using legitimate credentials to get access to data they shouldn’t, compromising accounts in that way. Being able to quickly flag suspicious activity and respond is an important part of reducing fraud.
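Two of the behavioural checks this paragraph calls for, as an added example that is not part of the original article: a source address that logs in as many distinct accounts within minutes (valid credentials, but not how one person behaves), and a session that reads far more records than a normal session touches. The log format, users, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample (not from the article).
# Format: ISO timestamp  user  source IP  action  records touched
LOG_LINES = """\
2021-01-12T09:00:05 alice 203.0.113.10 login 0
2021-01-12T09:00:40 alice 203.0.113.10 read_customer 3
2021-01-12T09:15:00 bob 198.51.100.7 login 0
2021-01-12T09:16:10 bob 198.51.100.7 read_customer 2
2021-01-12T10:02:00 carol 203.0.113.77 login 0
2021-01-12T10:02:30 dave 203.0.113.77 login 0
2021-01-12T10:03:00 erin 203.0.113.77 login 0
2021-01-12T10:03:20 frank 203.0.113.77 login 0
2021-01-12T10:05:00 erin 203.0.113.77 read_customer 1200
"""


def parse(lines: str) -> list:
    """Turn the space-separated log lines into event dicts."""
    events = []
    for line in lines.strip().splitlines():
        ts, user, ip, action, n = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "action": action, "records": int(n)})
    return events


def shared_ip_logins(events: list, min_users: int = 3, window_s: int = 600) -> dict:
    """Flag source IPs that log in as >= min_users distinct accounts within window_s seconds."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide the window over each login
            users = {x["user"] for x in evs[i:]
                     if (x["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def bulk_reads(events: list, max_records: int = 100) -> list:
    """Flag reads that touch far more records than a normal session (threshold assumed)."""
    return [(e["user"], e["records"]) for e in events
            if e["action"].startswith("read") and e["records"] > max_records]
```

Both detections are deliberately independent of whether the credentials were valid, which is the point of the paragraph: the account is legitimate, the behaviour is not.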
The threat model for serverless computing
As a trend, serverless is here to stay. The benefits of breaking things down to a microservice level, then breaking them down further into individual workloads and small functions to perform very specific tasks, enable organizations to scale based on the consumption model of what they actually need. In 2021, we anticipate more companies will adopt it, but the big question will be: How will attack vectors change in response?
When a critical vulnerability is identified in a dependency in a monolithic application, there is a single place where the application’s dependencies must be updated to deploy a fix. With microservices architectures, the number of impacted modules requiring updates can increase significantly – from one module to potentially dozens of modules. Additionally, if the application becomes decomposed even further to support “Functions-as-a-Service”, the number of vulnerable dependencies may increase from the dozens to hundreds. While the codebase may be more modular and easier to work with, there are a number of operational tradeoffs that are made, and unfortunately security is one that is becoming harder.
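The fan-out described above, as an added example that is not from the original article: the same dependency check run over one monolith lock file and over a set of per-function lock files shows how many deployable units a single fix has to reach. The lock-file contents, the package name and the fixed version are constructed placeholders.

```python
# Added example: find every deployable unit still pinned below the fixed release.

def parse_version(v: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); shorter versions compare as if zero-padded."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_lockfile(text: str) -> dict:
    """Parse 'name==version' lines (requirements.txt style); ignores blanks and comments."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def impacted_units(lockfiles: dict, package: str, fixed_in: str) -> list:
    """Return (unit, pinned_version) for every unit whose pin is below the fixed release."""
    fixed = parse_version(fixed_in)
    hits = []
    for unit, text in lockfiles.items():
        pinned = parse_lockfile(text).get(package.lower())
        if pinned is not None and parse_version(pinned) < fixed:
            hits.append((unit, pinned))
    return sorted(hits)


# Constructed inventories: one monolith versus the same application split into functions.
MONOLITH = {"shop-app": "jsonparse==1.4.2\nhttpkit==3.0.1\n"}

FUNCTIONS = {
    "checkout-fn": "jsonparse==1.4.2\n",
    "cart-fn":     "jsonparse==1.3\n",
    "search-fn":   "jsonparse==1.5.0  # already on the fixed release\n",
    "notify-fn":   "httpkit==3.0.1\n",
    "profile-fn":  "JsonParse==1.4.9\n",
}

if __name__ == "__main__":
    for name, inventory in (("monolith", MONOLITH), ("functions", FUNCTIONS)):
        hits = impacted_units(inventory, "jsonparse", "1.5.0")
        print(f"{name}: {len(hits)} unit(s) need the fix -> {hits}")
```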
Another challenge arises when you have a combination of several different teams, all contributing to the breadth of serverless functions you have. Maybe these teams all know different languages, so you’ll have different languages deployed in concert together. From a troubleshooting or security practices perspective, you have a consistency/continuity challenge and a traceability challenge – it’s tough to understand who the users are coming through these environments. Do you have consistent visibility into what kind of traffic you get and telemetry you use for this environment? The benefit of only paying for what you use is huge and the flexibility of breaking the application down to very specific tasks offers agility and optimization. But as you can see, it won’t be a free ride, security-wise.
This topic and several other trends that we anticipate impacting 2021 are discussed in the “Where Do We Go From Here? 2021 Security Predictions” webinar. We invite you to listen to the fireside chat here.