App Layer → DevSecOps

App layer vulnerabilities can be addressed with a shift left approach, that is, making security a part of every pipeline, from development to deployment to operation. These are almost always inadvertent vulnerabilities: those generally caused by a human action, whether intentional or accidental. They span the stack, from secrets shared through personal developer repositories to misconfiguration of S3 buckets. Tools can identify vulnerabilities in third-party components and other dependencies to make sure you're using the latest, greatest, and hopefully safest version of that script.

From WAF to DAST to RASP to SAST, tools abound to help scan and secure code. Most of them are fully capable of integrating with the development pipeline. By automating scans, you effectively eliminate a hand-off, and the associated time sink. The industry calls it DevSecOps, but you could also call it parallel processing or multi-tasking. It means the timeline doesn't stop when a team or individual is unavailable or overbooked. It means more thorough analysis and the ability to catch errors earlier in the process.
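The two pipeline gates described above, secret scanning on the change itself and a dependency check, are small enough to show end to end. The following is an added example written for this page, not F5's tooling or any product code; the secret patterns, the advisory table, the package name `examplelib` and the sample diff and requirements file are all constructed for illustration. A real scanner ships far more patterns and pulls advisories from a live feed, but the shape of the gate is the same: it runs on every change and fails the stage instead of waiting for a human hand-off.

```python
"""Minimal DevSecOps pipeline gate (added example, not F5's tooling).

Two checks run on every change: newly added diff lines are scanned for
credential-shaped strings, and pinned dependencies are compared against an
advisory list.  All patterns, advisories and sample inputs are constructed."""
import re
from typing import Dict, List, Tuple

# Deliberately narrow credential patterns for the demonstration.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}


def scan_diff_for_secrets(diff_text: str) -> List[Tuple[int, str]]:
    """Return (diff line number, pattern name) for every *added* line that matches.

    Only '+' lines are inspected: a removed line cannot introduce a new leak,
    and the '+++' file header is not content."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line[1:]):
                findings.append((lineno, name))
    return findings


# Constructed advisory table: package -> (highest vulnerable version, fixed version).
ADVISORIES: Dict[str, Tuple[Tuple[int, ...], str]] = {
    "examplelib": ((1, 4, 2), "1.4.3"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.1' into (1, 4, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def check_requirements(requirements_text: str) -> List[str]:
    """Report every pinned package at or below a version listed in ADVISORIES."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        advisory = ADVISORIES.get(name.lower())
        if advisory and parse_version(version) <= advisory[0]:
            findings.append(f"{name}=={version} is vulnerable; upgrade to {advisory[1]}")
    return findings


def gate(diff_text: str, requirements_text: str) -> bool:
    """True when the change may proceed; False fails the pipeline stage."""
    return not scan_diff_for_secrets(diff_text) and not check_requirements(requirements_text)


# Constructed sample change: a token moved from the environment into source,
# plus an AWS-style key id.  Both values are made up.
SAMPLE_DIFF = """\
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,4 @@
 DEBUG = False
-API_TOKEN = os.environ["API_TOKEN"]
+API_TOKEN = "tok_live_0123456789abcdef"
+aws_key = "AKIAABCDEFGHIJKLMNOP"
"""

SAMPLE_REQUIREMENTS = """\
requests==2.31.0
examplelib==1.4.1   # pinned last year
"""

if __name__ == "__main__":
    print("secrets:", scan_diff_for_secrets(SAMPLE_DIFF))
    print("dependencies:", check_requirements(SAMPLE_REQUIREMENTS))
    print("gate passed:", gate(SAMPLE_DIFF, SAMPLE_REQUIREMENTS))
```

Run against the constructed change, the gate reports the token on diff line 6 and the key id on line 7, flags `examplelib==1.4.1` against the advisory, and returns `False`; the removed `-API_TOKEN` line does not fire because the scanner only looks at what the change adds.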

Infrastructure Vulnerabilities → Distributed Defense

More traditional vulnerabilities like volumetric DDoS and DNS amplification live in the infrastructure layer. You really can't shift left to mitigate these and you definitely can't eliminate them, because you don't control attackers. You can only control your response.

Infrastructure layer vulnerabilities need more of a shield right approach, where security services defend against live attacks, because there's no way to 'process' them out.

The app is the perimeter today, and organizations have apps all over the globe. Ignoring SaaS, organizations use, on average, 2.7 different public clouds that extend existing data centers. That's plural.

They also have a lot of distributed endpoints, like my corporate laptop. Even before work from home became a more or less permanent thing, people traveled, and that meant mobile distributed endpoints.

This is driving the need for distributed app and identity centric solutions to defend infrastructure and applications. That means SASE and Zero Trust, and the use of edge to move infrastructure defensive services closer to the origin of attacks. SASE and ZTNA shift policy from IP addresses and networks to users and devices and require proof of identity to access applications and resources.
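To make the policy shift concrete, the following added example (written for this page, not F5's or any SASE vendor's product code) evaluates the same access request two ways: a legacy rule that trusts whatever arrives from the corporate network range, and an identity- and device-centric rule of the kind ZTNA policies express, which decides per request from proof of identity, the second factor, device posture and the user's entitlements. The request fields, the posture checks, the entitlement table and the users `alice` and `bob` are assumptions made for the illustration.

```python
"""Network-centric versus identity-centric access decisions (added example,
not vendor code).  Every field, user, group and resource below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Request:
    source_ip: str
    user: Optional[str]        # None when no proof of identity was presented
    mfa_verified: bool         # second factor satisfied for this session
    device_managed: bool       # device enrolled, so its posture is actually known
    device_disk_encrypted: bool
    resource: str


# Legacy model: location on the network is the credential.
CORPORATE_NET = ip_network("10.0.0.0/8")


def network_policy(req: Request) -> bool:
    """Allow anything sourced from the corporate range, regardless of who or what it is."""
    return ip_address(req.source_ip) in CORPORATE_NET


# Zero Trust model: constructed entitlement and group tables.
ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "hr-portal": frozenset({"hr", "it-admins"}),
    "git": frozenset({"engineering", "it-admins"}),
}
USER_GROUPS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"engineering"}),
    "bob": frozenset({"hr"}),
}


def zero_trust_policy(req: Request) -> Tuple[bool, str]:
    """Decide per request from identity, factor, posture and entitlement.

    The source address never enters the decision: a request from the
    corporate LAN and one from a coffee shop are judged by the same checks."""
    if req.user is None:
        return False, "no proof of identity"
    if not req.mfa_verified:
        return False, "MFA not satisfied"
    if not (req.device_managed and req.device_disk_encrypted):
        return False, "device posture insufficient"
    allowed_groups = ENTITLEMENTS.get(req.resource, frozenset())
    if USER_GROUPS.get(req.user, frozenset()) & allowed_groups:
        return True, "identity, factor and posture verified; entitlement matches"
    return False, "no entitlement for resource"


# Constructed scenarios.
INSIDER_NO_ID = Request("10.1.2.3", None, False, False, False, "git")
REMOTE_ALICE = Request("203.0.113.5", "alice", True, True, True, "git")
REMOTE_BOB = Request("203.0.113.5", "bob", True, True, True, "git")
ALICE_UNMANAGED = Request("10.1.2.3", "alice", True, False, True, "git")

if __name__ == "__main__":
    for name, req in [("insider, no identity", INSIDER_NO_ID),
                      ("alice from outside", REMOTE_ALICE),
                      ("bob from outside", REMOTE_BOB),
                      ("alice on LAN, unmanaged device", ALICE_UNMANAGED)]:
        print(f"{name:32} network={network_policy(req)!s:5} zero_trust={zero_trust_policy(req)}")
```

The two models disagree in exactly the cases the text is about: an anonymous session on the LAN is waved through by the network rule and refused by the identity rule, while a verified engineer on a managed laptop in a coffee shop is refused by the network rule and admitted by the identity rule. The same engineer on an unmanaged device inside the building is refused, because device posture is part of the proof.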

Business vulnerabilities → AI-Assistance

Finally, there are the business layer vulnerabilities. Like infrastructure layer vulnerabilities, these are inherent; you can't process them out. You can't really eliminate a login page or password reset process, so you're stuck defending against attacks that will invariably batter your defenses.

And batter them they will. F5 Labs research notes that the average DDoS attack size increased by 55% over the past year, with education one of the most targeted industries in early 2021. Credential stuffing attacks were launched against video gamers in 2020 to the tune of more than 500,000 per hour. These must be dealt with in real-time.

That's why it's no surprise that AI-Assisted security is being adopted at a frenetic pace, to keep up with the crazy rate at which new attacks and new ways to execute old attacks are developed and launched.

Remember, science tells us that human beings can only process about 50-60 bits per second. That's why it's so hard to multi-task. Data is flowing in from systems, devices, applications, clients, and the network at a much higher rate than we, as human beings, can process. That's why we have dashboards and visualization, but those don't actually inform us as to what's really going on. They are snapshots of a moment in time and too often based solely on binary metrics: up/down, fast/slow. The ability to accurately process and predict potential attacks was cited by 45% of respondents to our annual research as 'missing' from their current monitoring solutions. AI is one answer to that, with the promise of real-time analysis of data via trained models that can detect and alert us to a possible attack.
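The credential stuffing figures above and the point about binary metrics both come down to the same defensive need: a login endpoint cannot be removed, so failed logins have to be judged in real time against what normal looks like rather than against an up/down light. The following added example (written for this page, not F5's code, and a simple statistical baseline rather than a trained ML model) learns a per-source failure threshold from a quiet period of constructed authentication log lines, then streams live lines through a sliding window and alerts when one source both exceeds that threshold and is cycling through distinct usernames. The log format, addresses, usernames and timestamps are all constructed.

```python
"""Real-time credential stuffing detection over constructed auth logs
(added example, not F5's code).  Threshold is a statistical baseline, not ML."""
import math
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed line format: "<unix ts> <source ip> <username> OK|FAIL"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


@dataclass(frozen=True)
class Event:
    ts: int
    ip: str
    user: str
    failed: bool


def parse(line: str) -> Optional[Event]:
    """Parse one log line; malformed lines are skipped rather than crashing the feed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(int(m["ts"]), m["ip"], m["user"], m["result"] == "FAIL")


def max_failures_per_source(lines: Iterable[str], window: int) -> Dict[str, int]:
    """Peak number of failed logins any single source produced inside one window."""
    windows: Dict[str, Deque[int]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = windows[ev.ip]
        if ev.failed:
            q.append(ev.ts)
        while q and q[0] <= ev.ts - window:  # evict entries older than the window
            q.popleft()
        peak[ev.ip] = max(peak[ev.ip], len(q))
    return dict(peak)


def learn_threshold(baseline_lines: Iterable[str], window: int = 60,
                    k: float = 3.0, min_failures: int = 3) -> int:
    """Baseline = mean + k standard deviations of per-source peaks, never below min_failures."""
    peaks = list(max_failures_per_source(baseline_lines, window).values())
    if len(peaks) < 2:
        return min_failures
    return max(min_failures, math.ceil(mean(peaks) + k * pstdev(peaks)))


class StuffingDetector:
    """Streams log lines; trips once per source when failures and distinct users both exceed limits."""

    def __init__(self, fail_threshold: int, window: int = 60, min_distinct_users: int = 3):
        self.fail_threshold = fail_threshold
        self.window = window
        self.min_distinct_users = min_distinct_users
        self._windows: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
        self._alerted: Dict[str, int] = {}

    def observe(self, line: str) -> Optional[Tuple[str, int, int, int]]:
        """Feed one line; returns (ip, ts, failures, distinct_users) the first time a source trips."""
        ev = parse(line)
        if ev is None:
            return None
        q = self._windows[ev.ip]
        if ev.failed:
            q.append((ev.ts, ev.user))
        while q and q[0][0] <= ev.ts - self.window:
            q.popleft()
        failures = len(q)
        users = len({u for _, u in q})
        if (failures >= self.fail_threshold and users >= self.min_distinct_users
                and ev.ip not in self._alerted):
            self._alerted[ev.ip] = ev.ts
            return (ev.ip, ev.ts, failures, users)
        return None

    def run(self, lines: Iterable[str]) -> List[Tuple[str, int, int, int]]:
        return [alert for alert in map(self.observe, lines) if alert is not None]


# Constructed quiet period: ordinary users with the occasional typo.
BASELINE_LOG = [
    "1000 192.0.2.10 alice FAIL", "1005 192.0.2.10 alice OK", "1010 192.0.2.11 bob OK",
    "1020 192.0.2.12 carol FAIL", "1025 192.0.2.12 carol FAIL", "1030 192.0.2.12 carol OK",
    "1040 192.0.2.13 dave OK",
]
# Constructed live traffic: one source walking a username list, one user mistyping repeatedly.
LIVE_LOG = [
    "2000 192.0.2.10 alice OK",
    "2001 198.51.100.7 alice FAIL", "2002 198.51.100.7 bob FAIL",
    "2003 198.51.100.7 carol FAIL", "2004 198.51.100.7 dave FAIL", "2005 198.51.100.7 erin FAIL",
    "2010 192.0.2.12 carol FAIL", "2012 192.0.2.12 carol FAIL",
    "2014 192.0.2.12 carol FAIL", "2016 192.0.2.12 carol FAIL",
]

if __name__ == "__main__":
    threshold = learn_threshold(BASELINE_LOG)
    print("learned failure threshold:", threshold)
    print("alerts:", StuffingDetector(threshold).run(LIVE_LOG))
```

On the constructed data the baseline works out to a threshold of 4 failures per 60-second window. The source at 198.51.100.7 trips it at timestamp 2004 with 4 failures across 4 accounts and is reported once; 192.0.2.12 also reaches 4 failures but against a single username, which is what a user who forgot a password looks like, so the distinct-user check keeps it quiet. That second criterion is the difference between a binary "too many failures" light and a judgement about what the traffic is doing.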

Ultimately, all this digitization is creating a distributed and data-driven world. It's digital as default. And that means more ways for attackers to gain access, exfiltrate data, and generally make a mess of things. In a digital as default world, security needs a digital stack and that means DevSecOps, a distributed defense model, and AI-Assisted security.

Disclaimer

F5 Networks Inc. published this content on 07 September 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 07 September 2021 14:21:02 UTC.