Author: Tzury Bar Yochay, CTO and co-founder of Reblaze
The Internet’s threat environment is evolving quickly. How well is your organization keeping up?
Today, almost every organization has significant web assets (sites and web apps) to protect. Even organizations which don’t rely on the Internet for direct revenue are still at risk; a successful web attack can have a wide variety of harmful consequences (lost reputation in the marketplace, damaged goodwill among customers, regulatory penalties from failing to maintain privacy standards, and more).
Moreover, the threat environment is changing rapidly. Today’s threat actors are sophisticated, tenacious, and creative. Many executives are unaware of the scope of what they’re facing, and how to maintain robust security in this environment.
This is the first article in a series about these topics.
What’s at stake
There are many obvious reasons to maintain robust web security. For example, many organizations that are hit with a successful DDoS attack will lose revenue in direct proportion to the length of the attack.
Other forms of attack can result in punitive actions by regulatory authorities. For example, the GDPR mandates stiff penalties for organizations which are negligent in protecting the private data of EU residents, or which do not follow exactly the GDPR’s requirements for post-incident notifications.
Regulatory concerns are not limited to the EU. In both the US and Canada, legislative efforts are now underway to create strict privacy-protection laws there as well. Some of these are far harsher than the GDPR. (For example, as this article is being written, the United States Senate is currently discussing a data-privacy bill that includes severe noncompliance penalties—not only for the organizations, but also for their executives, including large monetary fines and multi-year prison sentences).
These legislative efforts are motivated in large part by growing anger among voters—the result of (numerous) high-profile data breaches which exposed the private data of millions of people. From now on, any perceived carelessness in web security will result in harsh condemnation—not only from an increasingly strict regulatory environment, but also from your customers and prospects.
What we’re facing
To successfully defend against web attacks, it’s helpful to understand the attackers. Their motives and capabilities determine the overall threat environment.
The motives for cybercrime have never been stronger than they are today. Stolen data can be easily sold on mature marketplaces. DDoS extortion has become more lucrative, thanks to the increasing commercialization of the web. Successful breaches can enable ransomware extortion. And so on.
A useful proxy for the profitability of cybercrime can be found in zero-day exploits, which are bought by companies like Zerodium. The commercial value of a zero-day is a direct reflection of the amount of potential revenue it offers to criminals. Thus, it’s sobering to realize that just since 2015, the prices offered by Zerodium have tripled (now up to $1.5 million for a single exploit).
We’ve seen that threat actors have strong motives for waging attacks, but what about their capabilities? These too have never been better.
For well over a decade, many organized crime groups (especially in Eastern Europe) have treated computer crime as a profession. Today, a robust industry supports criminal hacking. There are underground marketplaces where every possible resource or skill is available for hire. Botnets and other attack resources can be rented by the hour, day, week, or month. Hackers with specific attack skills offer their services as freelancers. Customized malware is available directly from its authors, and the malware itself is technologically advanced.
The maturity of this industry can be seen not only in the breadth and depth of products and services offered, but also of its ancillary businesses. Escrow services provide safety and anonymity for illicit transactions, with many even guaranteeing the quality of the products/services/data that are sold. Translation services will customize attacks (e.g., phishing emails) depending on the language and culture of the targets. Software products are rated by their quality, feature set, and usability. Attack platforms (DDoS, ransomware, etc.) are packaged into the cybercrime equivalent of SaaS. And so on.
The Russian underground started in the mid-2000s. Today, additional markets are thriving elsewhere, especially in Brazil and China. The different regions tend to emphasize different aspects of cybercrime: for example, Brazil is a leader in financial fraud, while China is notorious for the skill of its hackers in corporate espionage, especially the theft of government and corporate secrets.
Today’s threat actors are sophisticated and highly skilled. Many are state-sponsored (China in particular is known for this). Even many independent hackers operate at the leading edge of available technology. For example, some hackers are using machine learning to increase the effectiveness of hivenets: scalable networks of bots that use swarms of compromised devices to wage coordinated attacks. Cybercriminals are training hivenets with a technique called reinforcement learning, creating self-learning groups of intelligent attackers that share data among themselves to customize and coordinate their attacks.
Summary: today’s malicious actors pose serious threats to your organization. Do not underestimate them.
What needs to be done
In this increasingly hostile threat environment, if you wish to maintain robust web security, you must follow best practices.
First, consider your overall approach. Are you still relying on physical or virtual appliances for some, or even all, of your web security? Appliances have numerous disadvantages: in addition to their expense, they are usually time-consuming and/or difficult to administer. Even worse, it’s challenging to keep them up to date as new threats arise. (Frequently, appliance users are forced to defer updates and patches for various reasons: a lack of time for testing, a lack of available IT staff, etc.) For organizations with important web assets to protect, this problem alone should be a deal-breaker.
Cloud solutions can overcome the disadvantages of appliances, for example:
- They’re usually provided as monthly SaaS subscriptions, which can be much less expensive than appliances.
- Many vendors have created UIs that are easier to use than a typical appliance design.
- Some solutions are fully managed and kept up-to-date by the vendors, including new security rule sets as soon as threat conditions change.
However, not all cloud solutions are equal, so interrogate prospective vendors. Questions to ask include:
- Is your solution multi-tenant? (Almost all cloud solutions are indeed multi-tenant. This exposes their customers to spillover attacks and other vulnerabilities.)
- Does your solution scrub incoming traffic inside the customer’s cloud perimeter, or outside? (Almost all solutions scrub traffic outside of their customers’ clouds, which creates a privacy problem for many organizations.)
- Does your solution rely upon legacy threat-detection techniques such as signatures, rate limiting, and so on? (Most solutions do, so they have difficulty identifying modern bots which can evade traditional detection methods.) Or does it also use other methods, such as positive security and human behavioral analysis, in order to detect and block illegitimate activity?
- Does your solution use machine learning for recognition of, and continual adaptation to, new web threats as they arise?
Other questions will depend on your specific use cases. For example, if your organization uses DevOps, ask the cloud security vendor about DevOps support (many solutions still don’t handle this well). Similar considerations include DevSecOps, full exploit protection (for example, most cloud WAFs still cannot protect against session manipulation attacks such as Cross-Site Request Forgeries), full Layer 7 DDoS protection, and so on.
Of course, interrogating vendors is time-consuming, but it’s vitally necessary. You’ll find that most security vendors can only provide some of the features listed above. But be persistent and keep looking—there are actually a (limited) number of solutions that can provide full protection.
As shown earlier, today’s threat environment demands comprehensive, robust web security. You should not settle for anything less.
If you have any questions about these topics, or would like to discuss anything else related to web security, feel free to contact me. Just send an email to the address below, mentioning this article.
About Tzury Bar Yochay
Tzury Bar Yochay is the CTO and co-founder of Reblaze. Having served in technical leadership in several software companies, Tzury founded Reblaze to pioneer an innovative new approach to cyber security. Tzury has more than 20 years of experience in the software industry, holding R&D and senior technical roles in various companies. Prior to founding Reblaze, he also founded Regulus Labs, a network software company. As a thought leader in security technologies, Tzury is frequently invited to present at industry conferences around the globe.