In the modern world, speed is everything. Customers demand constant innovation, while sudden market disruption makes agility essential for survival. To remain competitive, organizations have to move fast and stay flexible—and that can leave security teams scrambling to keep up.
Today's enterprise infrastructure is engineered for extreme resiliency, enabled by the shift towards sophisticated, serverless architecture and microservices. This trend is great news for software reliability, since more pieces means fewer single points of failure. At the same time, however, the cloud-native shift has significantly increased the number of cyber assets to be managed and secured. In the JupiterOne 2022 State of Cyber Assets Report, our analysis of over 370 million assets at nearly 1,300 organizations shows just how much digital transformation has impacted architecture and security teams.
Consider the rapid growth of the cloud-native, dynamic network interfaces used by DevOps teams to route traffic between subnets by hosting load balancers, proxy servers, and network address translation (NAT) servers. According to our research, these interfaces now represent a majority of all network assets, while IP addresses account for less than one percent of the total. The average security team is responsible for 12,407 network interfaces—and their ability to identify, manage, and secure them effectively is critical for the overall security of the organization.
In our last blog on the findings of the JupiterOne 2022 State of Cyber Assets Report, we explored the growing cybersecurity skills gap. In this blog, the third in our five-part series, we'll look at the breakdown of traditional methods for managing cyber asset risk, and what security teams can do about it.
Digital transformation accelerates innovation—and turns pets into cattle
Over the past decade or so, trends such as DevOps, Agile methodology, and CI/CD have become foundational strategies for driving differentiation by speeding new products and services to market. The onset of the COVID-19 pandemic turbocharged this transformation. As organizations rushed to spin up new services for the remote-first world, from telehealth and work-from-home to ecommerce, banking, and digital entertainment, they accelerated their innovation cycles from months or years to weeks or less. And having discovered just how quickly they can move, they're not about to slow back down to "before times" speed.
As systems become more dynamic and flexible, the number of cyber assets has spiraled, including many created entirely by automation without the awareness or oversight of security teams. In the past, security teams had a relatively stable and finite population of assets to manage—almost like the pets in a household. You knew each server's name, understood its idiosyncrasies, and took care of it individually. But now network automation, autoscaling, and ephemeral resources bring a constant stream of new assets into the environment, each living a fully automated asset life cycle.
A ratio of 564 assets for each human employee is not necessarily a bad thing, unless those assets are engineered and treated like pets, in which case manually securing and managing the attack surface becomes impossible. A high ratio of assets to humans only works if an organization thinks of its assets as cattle: faceless and transient, here today and culled tomorrow.
Needless to say, trying to give each cow in a growing herd the kind of personal love and care that you'd give a cat just won't work. Cyber assets need to be thought of as cattle, and engineered to securely live for a very finite period of time.
Managing cyber risk with the DIE triad and security lifecycle automation
Pets or cattle, permanent or ephemeral, all cyber assets introduce some liability to an organization. While the proliferation of ephemeral assets isn't necessarily a bad thing—in fact, it's a tremendous advantage for delivering resilient software, quickly—it does call for security teams to adjust their practices.
Traditionally, information security has been modeled on the CIA triad of confidentiality, integrity, and availability. That kind of individual care is appropriate and necessary for pets, but it can't scale to the size of a herd. As digital transformation brings new cybersecurity challenges, JupiterOne CISO Sounil Yu has proposed a complementary triad to protect dynamic, cloud-native infrastructure: DIE, or distributed, immutable, and ephemeral. In this model, systems are designed to be:
- Distributed to prevent dependence on a single system and increase DDoS resistance
- Immutable, so that unauthorized changes are easier to detect and reverse
- Ephemeral, with short lifespans making assets less valuable and persistence harder to attain
In keeping with the DIE model, it's important not to fall in love with your cows and start treating them like cats. If an asset is designed to exist for ten minutes and is secured accordingly, it must not be allowed to stick around for two months, be patched in place, or otherwise be modified. Creative destruction—decommissioning, rebooting, and reimaging—will be more effective for keeping the herd safe from harm.
A faster-paced digital environment also calls for faster ways to inventory, manage, and secure cyber assets. In simpler times, it might have been possible—if onerous—to get this done using spreadsheets and equations for annualized loss expectancy (ALE) or annualized rate of occurrence (ARO). But manual methods are only practical for assets that are built manually. For assets like network interfaces that are built and deployed using automation, the security lifecycle itself should also be automated. In fact, automation should become the first option, not the last resort.
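As an added example of the automated lifecycle checks described above (this is illustrative code, not the report's methodology or any JupiterOne tooling), the script below evaluates a constructed asset inventory against the three DIE properties: an asset that has outlived the lifespan it was engineered for, an asset whose running configuration has drifted from its launch image, and a role served by a single instance. The record fields, image hashes and TTL tags are assumptions about what an inventory might carry.

```python
from datetime import datetime, timedelta

# Constructed sample inventory, not data from the report or a real environment.
# Each asset records the lifespan it was engineered for (ttl_minutes), the hash of
# the image it launched from, and the hash of its configuration as observed now.
INVENTORY = [
    {"id": "eni-001", "role": "nat", "created_at": "2022-06-01T11:55:00+00:00",
     "ttl_minutes": 10, "launch_hash": "img-a1", "current_hash": "img-a1"},
    {"id": "eni-002", "role": "nat", "created_at": "2022-03-01T12:00:00+00:00",
     "ttl_minutes": 10, "launch_hash": "img-a1", "current_hash": "img-a1-patched"},
    {"id": "lb-003", "role": "loadbalancer", "created_at": "2022-06-01T11:40:00+00:00",
     "ttl_minutes": 60, "launch_hash": "img-b7", "current_hash": "img-b7"},
]
# Fixed "now" so the example is reproducible; a real job would use the current time.
NOW = datetime.fromisoformat("2022-06-01T12:00:00+00:00")


def die_findings(assets, now=NOW):
    """Return (asset_id, property, detail) for each DIE violation, sorted by asset."""
    findings = []
    by_role = {}
    for a in assets:
        by_role.setdefault(a["role"], []).append(a["id"])
        age = now - datetime.fromisoformat(a["created_at"])
        ttl = timedelta(minutes=a["ttl_minutes"])
        # Ephemeral: a pet that has outlived the lifespan it was secured for.
        if age > ttl:
            findings.append((a["id"], "ephemeral",
                             f"alive {age.days}d {age.seconds // 60}m, engineered for {a['ttl_minutes']}m"))
        # Immutable: running configuration no longer matches the image it launched from.
        if a["current_hash"] != a["launch_hash"]:
            findings.append((a["id"], "immutable", "configuration drifted from launch image"))
    # Distributed: a role served by a single instance is a single point of failure.
    for role, ids in by_role.items():
        if len(ids) < 2:
            findings.append((ids[0], "distributed", f"role {role!r} has only one instance"))
    return sorted(findings)


if __name__ == "__main__":
    for asset_id, prop, detail in die_findings(INVENTORY):
        print(f"{asset_id}: violates {prop}: {detail}")
```

Run against a live inventory export, the output is the list of cattle that have quietly become pets and should be decommissioned or reimaged rather than patched in place.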
In the next blog of this series, we'll look at the findings of the JupiterOne 2022 State of Cyber Assets Report on the increasing risk posed by third-party code and the growing complexity of supply chain security. You can read the full report here.