
Why Zero-Day Malware Isn't Our Biggest Threat – System Breaches Are

In a world where system complexity breeds vulnerability, understanding and automating security processes is essential. Tim Cappelmann, Managing Director of AirITSystems, explains why the biggest threat is not zero-day malware and how integrating risk management can transform your approach to cybersecurity.

System breaches create attack surfaces – which is why zero-day malware is not our most urgent problem

Complexity leads to errors

Large enterprises operate networks with thousands of endpoints and devices, connected through numerous firewalls with hundreds of rules each. These data flows – but also the system configurations on every conceivable type of end device – carry many risks.

System experts configure such an IT network in multiple teams and try to coordinate with each other via ticketing and change processes. A retrospective on cyber security incidents then shows that such complexity carries high risks – far higher than the exploitable zero-day malicious code that security vendors so urgently warn us about.

A 2024 study by Skybox Security calls this the ‘network butterfly effect’, after the story in which the mere flapping of a butterfly's wings can impact weather conditions worldwide.

The challenge these days is, therefore, to integrate security-relevant systems much more closely with each other and to reliably detect risky settings, instead of procuring further technical defense systems. It also remains challenging to reliably comply with security requirements from internal and external standards – because hardly any system expert still fully understands the complexity of networked systems.

Specifications from the ISMS and best practices of the usual market security standards only take effect if they are known to the expert and can be reliably translated into ‘real life’ at any time.

Automation

The answer to this problem lies in automation. The participants in the above-mentioned study estimate that 40% of the work is directed towards manual processes – which leads to implementation times that are no longer justifiable for urgent security issues in IT operations. The time that experts spend on routine tasks is also no longer available for real system maintenance and high-quality security analyses. The patch hygiene of IT systems, which is never sufficient, is only one prominent effect of this waste of resources. However, the interlinking of technical cyber security measures with risk management, information security management and data protection is also characterized by system breaks and responsibility silos. Automation should, therefore, be thought of in two directions:

  • Interacting security technologies: ecosystems instead of best-of-breed
  • Combining procedural controls and technology, preferring technical controls to manual ones

Risk management & compliance in IT operations

Ultimately, both – technical cyber security activities and more tactical information security – must always be geared to specific risks. In an ideal world, all disciplines of operational management would be combined in risk management. The activation of a new firewall rule, the installation of hot fixes on the server, the commissioning of new systems, and the booking of SaaS services – none of these should raise the risk of the entire IT network above a defined level (the ‘risk appetite’). This also places consistent demands on automation – because the manual recording of IT risks using checklists or recurring queries via Excel has reached its limits and is no longer feasible in complex systems.

If a firewall expert activates a new rule, the configuration must be automatically re-read into a risk-based model. Has this change made a vulnerability of the target system publicly available? Is there an attack surface that changes the risk index too much? Then the model should issue a warning to the administrator – and another approval should be obtained in the process. In this example, a risk-oriented model correlates information about attack vectors and vulnerabilities of a server, as well as protocols and network paths of a firewall rulebook.

A similar situation arises when a new system is put into operation – a risk-oriented model should detect misconfigurations and illustrate them through an increased risk situation. Whether it’s an incorrectly set network route, forgotten logging, or the use of default accounts: simple carelessness at a single node endangers the entire system. Here, too, automation must intervene and clarify the need for system hardening – immediately after the endangered system has been introduced.

Technical solutions for automatic modeling of the IT network exist on the market, and a network model of such solutions is extended with a CVE overlay. Data from vulnerability scanners and imported configurations of network components, firewalls, operating systems and applications enable the continuous calculation of possible attack paths. Weighting factors can be configured for critical systems along a protection needs analysis – in order to accurately map the specific threat situation of an IT network. Reports and alarms are automatically sent to system managers or risk managers, CISO and other responsible persons. Such technical solutions finally bring IT governance and IT operations together on a common data model – and are marketed under the term ‘CEM – Continuous Exposure Management’, for example.
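As an added illustration of the re-evaluation step described for the firewall rule change and of the CVE-overlay model in the paragraph above (example code written for this article, not the author's tooling or any vendor's product), the minimal risk model below correlates firewall rules with scanner findings, weights them by an assumed criticality factor from a protection needs analysis, and holds a proposed rule for additional approval when it pushes a host's risk index above an assumed risk appetite. All hosts, ports, scores and thresholds are constructed sample values.

```python
from dataclasses import dataclass

# All values below are constructed sample data for this example, not a real network.
RISK_APPETITE = 20.0  # assumed tolerated risk index per asset


@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone the traffic originates from
    dst_host: str   # target system
    port: int       # service port permitted by the rule


@dataclass(frozen=True)
class Vuln:
    host: str
    port: int       # port of the vulnerable service
    cvss: float     # severity of the scanner finding (the CVE overlay)


# Weighting factors from a protection needs analysis (assumed values)
CRITICALITY = {"app01": 3.0, "web01": 1.0}
# Scanner findings: a critical finding on app01's RDP service, a medium one on web01's HTTPS
VULNS = [Vuln("app01", 3389, 9.8), Vuln("web01", 443, 5.3)]
UNTRUSTED = {"internet"}


def exposed_vulns(rules, vulns=VULNS, untrusted=UNTRUSTED):
    """Correlate rulebook and findings: vulnerabilities reachable from an untrusted zone."""
    reachable = {(r.dst_host, r.port) for r in rules if r.src_zone in untrusted}
    return [v for v in vulns if (v.host, v.port) in reachable]


def risk_index(rules, vulns=VULNS, weights=CRITICALITY):
    """Per-host risk index: exposed severity scaled by the asset's criticality weight."""
    index = {}
    for v in exposed_vulns(rules, vulns):
        index[v.host] = round(index.get(v.host, 0.0) + v.cvss * weights.get(v.host, 1.0), 2)
    return index


def evaluate_change(rules, new_rule, appetite=RISK_APPETITE):
    """Re-read the rulebook with the proposed rule; return (auto_approved, warnings)."""
    before, after = risk_index(rules), risk_index(rules + [new_rule])
    warnings = []
    for host, score in after.items():
        if score > before.get(host, 0.0) and score > appetite:
            warnings.append(f"{new_rule} exposes {host}: risk index {score} exceeds "
                            f"appetite {appetite}; additional approval required")
    return (not warnings, warnings)


if __name__ == "__main__":
    baseline = [Rule("internet", "web01", 443)]
    print(evaluate_change(baseline, Rule("internet", "app01", 3389)))
```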

The ‘butterfly effect’ can, therefore, be controlled along a model with automation – which is no longer possible when looking at individual technology silos in isolation.

Ecosystems in cybersecurity

From a technical point of view, isolated technologies should also be a thing of the past. The cybersecurity market is slowly developing a compatible API economy for this purpose. However, if you want to achieve automation quickly, there is no way around ecosystems. Attackers always use several paths at the same time. Malicious code injected via a successful phishing attack requires email as well as SSL-encrypted traffic to public web servers. If the endpoint, web proxy, cloud services and mail gateway – and possibly the sandbox – do not interact with each other, the chances of detecting and containing such attack campaigns decrease enormously. Any incompatibility or lack of integration between the various cybersecurity disciplines is a serious system weakness – because automation is then no longer possible.

Summary

Cybersecurity technologies have to work together, and every system break harms the enterprise. Specific configurations and vulnerabilities must also be permanently analyzed for exploitability – the attack surface of an IT landscape should be managed on a daily basis. Risk management serves as the benchmark for a justifiable level of security, but it has not yet been consistently incorporated into IT organizations. Solutions are available on the market, so what needs to be done now? IT organizations need a clear mandate from the CIO, and a binding IT development plan must bring about the required standardization in the medium term. Without alignment with minimum standards and the desired compatibility, system breaks will repeatedly lead to blind spots – and simple configuration errors will continue to endanger the entire organization.


📚 Citation: 

Cappelmann, Tim. (September 2025). Why Zero-Day Malware Isn't Our Biggest Threat – System Breaches Are. dotmagazine. https://www.dotmagazine.online/issues/security-trust-compliance/system-breaches-vs-zero-day


Since January 2022, Tim Cappelmann has been the Managing Director of AirITSystems GmbH – a managed service provider, consulting company and reseller for security-focused IT solutions in Germany. Prior to that, Cappelmann was Head of Managed Services at the company for more than 10 years and was involved in security consulting projects. He is certified as an Enterprise Architect (TOGAF), Information Security Manager (ISACA) and CISSP.


Please note: The opinions expressed in articles published by dotmagazine are those of the respective authors and do not necessarily reflect the views of the publisher, eco – Association of the Internet Industry.