The digital threat landscape is constantly changing. Such dynamism makes it impossible for security leaders to properly protect their organizations without formulating a carefully defined plan. They need a strategy through which they can adapt to new digital security threats and minimize risks confronting the business.
By Ali Golshan, Co-founder and CTO for StackRox
But how do they figure out where to direct their security efforts?
As a security platform for Kubernetes, StackRox has a duty to keep up with the latest cybersecurity threats and developments. Here are five trends in particular that we’ll be watching for the rest of the year. (Thanks to Built-In for providing an overview of these and other threats.)
Misconfigurations
Misconfigurations are not the product of software vulnerabilities or malicious hacking; they are the result of human error. They arise when security personnel or other employees configure their software and hardware in a way that doesn't meet the organization's digital security needs.
Misconfigurations take many forms. A misconfigured cloud resource such as an S3 bucket could let anyone on the web access and view an organization's sensitive data. According to TechRepublic, incidents of this type cost organizations approximately $5 trillion between 2018 and the end of 2019.
Containers also suffer from misconfigurations. A misapplied setting in a single container could enable a malicious actor to compromise an organization's entire environment; Built-In notes this is possible because containers on a host share its kernel.
In response, organizations should baseline their assets and record their security configurations, then monitor those assets over time for deviations from that baseline. A deviation then stands out sooner, and defenders can respond to a potential event more quickly.
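What "recording the security configuration" of a container workload looks like in practice, as an added example that is not part of the original article or StackRox's product: a small auditor over a Kubernetes Pod manifest that flags the settings which turn a single compromised container into a node or cluster compromise (host namespaces, the Docker socket mounted via hostPath, privileged mode, dangerous capabilities, running as root). The two manifests and the rule names and severities are our own constructions, not an established benchmark.

```python
"""Audit Kubernetes Pod manifests for settings that widen the blast radius
of a single compromised container.

Added example, not StackRox code. Input is the Pod object as a dict (what
json.load or yaml.safe_load returns for a manifest); the rule names and
severities below are our own, not an established standard."""

DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def audit_pod(pod):
    """Return (severity, message) tuples describing risky settings in one Pod."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = spec.get("securityContext", {})

    # Host namespaces expose the node's processes, IPC and network stack.
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            findings.append(("high", f"{name}: {key}=true shares a node namespace"))

    # hostPath mounts expose node files; the Docker socket is a full node takeover.
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path:
            path = host_path.get("path", "")
            sev = "critical" if path.startswith("/var/run/docker.sock") else "medium"
            findings.append((sev, f"{name}: hostPath {vol.get('name')} -> {path}"))

    for c in _containers(pod):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("critical", f"{name}/{cname}: privileged=true"))
        # A container-level securityContext field overrides the pod-level one.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and uid in (None, 0):
            findings.append(("medium", f"{name}/{cname}: may run as root"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("low", f"{name}/{cname}: allowPrivilegeEscalation not false"))
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap.upper() in DANGEROUS_CAPS:
                findings.append(("high", f"{name}/{cname}: adds capability {cap}"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None for a clean manifest."""
    if not findings:
        return None
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index)


# Constructed manifests: a "just make it work" CI agent and a hardened web pod.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "build-agent"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "agent", "image": "agent:latest",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web", "image": "web:1.4.2",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], worst_severity(audit_pod(pod)), audit_pod(pod))
```

Run over every manifest in a repository (or over `kubectl get pods -A -o json`) the output is the recorded baseline; re-running it on a schedule and diffing against the stored findings is the "monitor for deviation" step the paragraph describes.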
Container and Kubernetes Vulnerabilities
Today's containers are full of vulnerabilities. According to TechRepublic, a 2019 report found that the top 1,000 container images on Docker Hub carried an average of 176 CVEs each, with a median of 37.
These flaws pose a serious threat to organizations' digital security. Attackers could abuse them to gain a foothold in a container and, depending on the privileges granted to that container, spread through the rest of the environment and reach the organization's data.
Vulnerabilities aren't only a concern in container images, either. StackRox observed several vulnerabilities in 2019 that, if successfully exploited, could bring down an organization's entire Kubernetes infrastructure. These issues are especially concerning because Kubernetes generally backports vulnerability fixes only to its three most recent minor releases. (Container images generally have no comparable support policy.)
As a result, security leaders need to make sure they are running a supported, current release if they hope to receive fixes for vulnerabilities that threaten their Kubernetes environment. They should also scan their container images for vulnerabilities regularly, and when a flaw affecting their Kubernetes or container environment comes to light, they should prioritize and schedule a patch as part of an ongoing vulnerability management program.
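Two pieces of that vulnerability management loop in code, as an added example that is not from the original article or from StackRox: a check that the running Kubernetes release is still inside the three-most-recent-minor-releases window in which fixes are published, and a prioritizer that orders scanner findings by severity, exposure and whether an upstream fix exists. The scanner record shape is a constructed simplification rather than any particular scanner's report format, and the finding identifiers are placeholders, not real CVEs.

```python
"""Two checks for an ongoing vulnerability-management loop.

Added example, not StackRox code. in_support_window() encodes the policy
stated above (fixes land only in the three most recent minor releases);
prioritize() orders scanner findings for patching. The findings below are
constructed with placeholder identifiers, not real CVEs, and the record
shape is a simplification, not any particular scanner's report format."""

import re

_VERSION = re.compile(r"^v?(\d+)\.(\d+)")


def parse_minor(version):
    """'v1.18.3' or '1.18.3-gke.1' -> (1, 18); raises ValueError on junk."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"not a Kubernetes version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def in_support_window(running, newest, window=3):
    """True if `running` is among the `window` most recent minor releases,
    where `newest` is the latest minor release published upstream."""
    rmaj, rmin = parse_minor(running)
    nmaj, nmin = parse_minor(newest)
    if rmaj != nmaj:
        return False
    behind = nmin - rmin
    return 0 <= behind < window


SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def prioritize(findings, exposed_images):
    """Order findings: highest severity first, Internet-facing images before
    internal ones, then findings with an available fix before those without."""
    def sort_key(f):
        sev = SEVERITY_RANK.get(f.get("severity", "").upper(), 0)
        exposed = f["image"] in exposed_images
        fixable = bool(f.get("fixed_version"))
        return (-sev, not exposed, not fixable, f["image"], f["id"])
    return sorted(findings, key=sort_key)


def patch_plan(findings, exposed_images):
    """Split the prioritized list into what can be patched now and what has
    no upstream fix yet and therefore needs a mitigation instead."""
    ordered = prioritize(findings, exposed_images)
    now = [f for f in ordered if f.get("fixed_version")]
    mitigate = [f for f in ordered if not f.get("fixed_version")]
    return now, mitigate


# Constructed scanner output; "VULN-n" are placeholders, not CVE identifiers.
SAMPLE_FINDINGS = [
    {"id": "VULN-1", "image": "shop/api:2.3", "package": "openssl",
     "severity": "HIGH", "fixed_version": "1.1.1g"},
    {"id": "VULN-2", "image": "shop/batch:0.9", "package": "glibc",
     "severity": "CRITICAL", "fixed_version": None},
    {"id": "VULN-3", "image": "shop/web:5.0", "package": "nginx",
     "severity": "CRITICAL", "fixed_version": "1.18.0"},
    {"id": "VULN-4", "image": "shop/web:5.0", "package": "curl",
     "severity": "LOW", "fixed_version": "7.70.0"},
]
EXPOSED_IMAGES = {"shop/web:5.0", "shop/api:2.3"}

if __name__ == "__main__":
    print("supported:", in_support_window("v1.18.2", "v1.20.0"))
    now, later = patch_plan(SAMPLE_FINDINGS, EXPOSED_IMAGES)
    print("patch now:", [f["id"] for f in now], "mitigate:", [f["id"] for f in later])
```

Feed `newest` from the upstream release list rather than hard-coding it; the point of the window check is that it goes red on its own as new minors ship, which is exactly when an unpatched cluster silently stops receiving fixes.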
Too Much Trust
Trust is a crucial issue for organizations' digital security. Too much trust means there are few if any controls limiting which work resources an employee can reach. That's a problem: if a malicious actor compromises an employee's account, they can abuse that trusting environment to move through the network and access sensitive data.
With increasingly complex IT infrastructure, organizations need to think about segmenting (and perhaps micro-segmenting) their networks. This isn't always easy; microsegmenting a Kubernetes environment has its own challenges. Traditional firewalls and WAFs can't enforce microsegmentation between containers and microservices, because those workloads are ephemeral and distributed in nature, and organizations must control not only North-South traffic into the cluster but also East-West traffic between pods.
Segmenting containers isn’t impossible, however. Organizations can use network policies to limit communication flows between pods and implement other means of segmentation. More guidelines on this topic are available here.
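To make the "network policies limit communication flows between pods" point concrete, here is an added example (not code from the original article or from StackRox) that evaluates Kubernetes NetworkPolicy objects the way the cluster's network plugin does: a pod no policy selects accepts everything, and once any ingress policy selects a pod, only sources that some rule explicitly names get through. The cluster, namespaces and policies are constructed; `ipBlock` peers, `matchExpressions` and egress rules are left out to keep the model short.

```python
"""Evaluate Kubernetes NetworkPolicy objects: may traffic from pod `src`
reach pod `dst` on `dst_port`?

Added example, not StackRox code. It implements the core of the
NetworkPolicy model: a pod that no policy selects accepts all ingress
(the flat default), while a pod selected by any ingress policy accepts
only what some rule of some selecting policy explicitly allows. Pods,
namespaces and policies are dicts shaped like the API objects; ipBlock
peers, matchExpressions and egress are deliberately not modeled."""


def _matches(selector, labels):
    """matchLabels selector; an empty or missing selector matches everything."""
    if not selector:
        return True
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _isolates_ingress(policy):
    types = policy["spec"].get("policyTypes")
    return types is None or "Ingress" in types  # Ingress is implied if omitted


def _peer_allows(peer, src, policy_ns, namespaces):
    """One `from` entry. podSelector alone: pods in the policy's own namespace.
    namespaceSelector alone: any pod in a matching namespace. Both: AND."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock-only peer, out of scope here
    if ns_sel is None:
        ns_ok = src["namespace"] == policy_ns
    else:
        ns_ok = _matches(ns_sel, namespaces.get(src["namespace"], {}))
    pod_ok = pod_sel is None or _matches(pod_sel, src["labels"])
    return ns_ok and pod_ok


def _rule_allows(rule, src, dst_port, policy_ns, namespaces):
    ports = rule.get("ports")
    if ports is not None and not any(p.get("port") == dst_port for p in ports):
        return False
    peers = rule.get("from")
    if not peers:
        return True  # a rule without `from` admits every source
    return any(_peer_allows(p, src, policy_ns, namespaces) for p in peers)


def ingress_allowed(src, dst, dst_port, policies, namespaces):
    """True if `src` may open a connection to `dst` on `dst_port`."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and _isolates_ingress(p)
        and _matches(p["spec"].get("podSelector", {}), dst["labels"])
    ]
    if not selecting:
        return True  # nothing selects dst: no isolation, everything is allowed
    return any(
        _rule_allows(rule, src, dst_port, p["metadata"]["namespace"], namespaces)
        for p in selecting
        for rule in p["spec"].get("ingress", [])
    )


def pod(namespace, **labels):
    return {"namespace": namespace, "labels": labels}


# Constructed cluster: an app namespace, a monitoring namespace and a scratch one.
NAMESPACES = {"shop": {"team": "shop"}, "monitoring": {"role": "monitoring"},
              "sandbox": {"team": "research"}}
API, DB, WEB = pod("shop", app="api"), pod("shop", app="db"), pod("shop", app="web")
PROM = pod("monitoring", app="prometheus")
INTRUDER = pod("sandbox", app="api")  # right labels, wrong namespace

DEFAULT_DENY = {  # selects every pod in "shop" and allows nothing
    "metadata": {"name": "default-deny-ingress", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}
DB_FROM_API = {
    "metadata": {"name": "db-from-api", "namespace": "shop"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "db"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                     "ports": [{"protocol": "TCP", "port": 5432}]}],
    },
}
METRICS_FROM_MONITORING = {
    "metadata": {"name": "metrics-from-monitoring", "namespace": "shop"},
    "spec": {
        "podSelector": {},
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"role": "monitoring"}}}],
                     "ports": [{"protocol": "TCP", "port": 9100}]}],
    },
}
POLICIES = [DEFAULT_DENY, DB_FROM_API, METRICS_FROM_MONITORING]
```

The default-deny policy is what turns the namespace from "trust everything" into "trust nothing unless stated"; the two allow policies are then the documented communication flows. Note that a `podSelector` peer without a `namespaceSelector` never matches a pod from another namespace, which is why the `INTRUDER` pod carrying the right labels is still refused.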
Greater Defender Accountability
The world is changing. With new data protection standards and legislation such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), organizations are being held accountable for digital security incidents. That accountability isn't only monetary, in legal fees and regulatory fines; it is also reputational, in whether consumers are willing to keep trusting an organization that has suffered an incident. As more standards roll out, both kinds of accountability will grow.
Meeting that accountability begins with defenders achieving complete visibility over their environments. Only by knowing what is connected to the network can they protect those assets adequately, and only then can they build a plan to respond to threats if and when they emerge.
Malware Abusing Containers
In the past few years, security researchers have detected several instances in which attackers abused Docker. Sometimes they used exposed Docker API ports to spin up containers that mined Monero cryptocurrency. Other times they attempted to deploy botnet malware capable of conducting distributed denial-of-service (DDoS) attacks.
It's reasonable to expect similar incidents to continue over the next few years. Organizations therefore can't ignore their container environments; they need to give containers a place in their security strategies if they hope to protect themselves for the remainder of 2020. As part of that effort, they should scan their container images for vulnerabilities and pull images only from trusted sources.
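Both recommendations above have a mechanical check behind them. The following is an added example, not code from the original article or from StackRox: it finds Docker daemon listeners configured on plain TCP without client-certificate verification (the "open Docker API port" the cryptominers used), and it decides which images in a Pod manifest come from outside an allow-listed registry, applying Docker's own reference normalization so that a bare name like `shop/cache:1.0` is correctly recognized as a pull from Docker Hub. The daemon.json text, command lines and manifest are constructed inputs.

```python
"""Checks for the two abuses described above: a Docker daemon API reachable
over the network, and images pulled from untrusted sources.

Added example, not StackRox code. exposed_daemon_listeners() reads the two
places dockerd listeners are configured, the "hosts" key of daemon.json
and the -H/--host flags, and reports tcp:// ones not protected by
--tlsverify (plain "tls" only encrypts; it does not authenticate clients).
registry_of() follows Docker's reference normalization: the first path
component is a registry only if it contains '.' or ':' or is 'localhost';
everything else resolves to Docker Hub. All inputs below are constructed."""

import json
import shlex

LOOPBACK = ("tcp://127.", "tcp://localhost", "tcp://[::1]")


def configured_hosts(daemon_json, dockerd_cmdline):
    """Return (hosts, tls_verify) from daemon.json text and the dockerd argv."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    args = shlex.split(dockerd_cmdline)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    tls_verify = bool(cfg.get("tlsverify")) or "--tlsverify" in args \
        or "--tlsverify=true" in args
    return hosts, tls_verify


def exposed_daemon_listeners(daemon_json, dockerd_cmdline):
    """tcp:// listeners on a non-loopback address without client-cert verification."""
    hosts, tls_verify = configured_hosts(daemon_json, dockerd_cmdline)
    if tls_verify:
        return []
    return [h for h in hosts if h.startswith("tcp://") and not h.startswith(LOOPBACK)]


def registry_of(image_ref):
    """Registry an image reference resolves to ('nginx' -> docker.io)."""
    first, slash, _ = image_ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def is_digest_pinned(image_ref):
    """A digest reference cannot be swapped out under you the way a tag can."""
    return "@sha256:" in image_ref


def untrusted_images(pod, allowed_registries, require_digest=False):
    """Images in a Pod whose registry is not allow-listed (or, with
    require_digest, that are not pinned to a content digest)."""
    spec = pod.get("spec", {})
    bad = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        ref = c["image"]
        if registry_of(ref) not in allowed_registries or \
                (require_digest and not is_digest_pinned(ref)):
            bad.append(ref)
    return bad


# Constructed inputs.
DAEMON_JSON_OPEN = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
DAEMON_JSON_TLS = ('{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, '
                   '"tlscacert": "/etc/docker/ca.pem"}')
SAMPLE_POD = {"spec": {"containers": [
    {"name": "api", "image": "registry.example.com/shop/api@sha256:" + "0" * 64},
    {"name": "cache", "image": "shop/cache:1.0"},
    {"name": "web", "image": "registry.example.com/shop/web:5.0"},
]}}

if __name__ == "__main__":
    print(exposed_daemon_listeners(DAEMON_JSON_OPEN, "dockerd"))
    print(untrusted_images(SAMPLE_POD, {"registry.example.com"}, require_digest=True))
```

On a real host, feed `configured_hosts()` the contents of `/etc/docker/daemon.json` and the `dockerd` line from `ps` or the systemd unit; an empty result from `exposed_daemon_listeners()` does not prove the port is closed at the network layer, so it belongs alongside, not instead of, an external port scan. The registry check is the cheap policy to put in an admission controller or CI step so that an image from an unexpected source is rejected before it ever runs.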
About the Author
With a passion for building disruptive products, Ali Golshan is Co-founder and CTO for StackRox, where he oversees the company’s technology strategy and roadmap. Prior to StackRox, Golshan was the Founder & CTO of Cyphort (acquired by Juniper Networks) and led the company’s product strategy and research initiatives. Previously, he worked as a security researcher and engineer at Microsoft and PwC. Golshan started his career in Government conducting security and vulnerability research for the intelligence community.
CISO MAG did not evaluate/test the products mentioned in this article. The facts, opinions, and language in the article are entirely those expressed by the authors and do not reflect the views of CISO MAG.