After Russia attacked Ukraine on the ground, it also attacked Ukraine in space. Specifically, Russia jammed communications on Starlink satellite terminals. The response? Upgrade the software. Following the upgrade, Russian electronic warfare was no longer effective against the terminals. You can read about it here.
This is the epitome of the concept of “shifting left” – putting security earlier in the development cycle and not having it be a bolt-on. It’s also the epitome of finding a flaw and fixing it quickly. And, to be fair, it’s not just Starlink that had a recent win with a rapid response. Many vendors responded to the Log4j vulnerability with rapid patch development to the point where what could have been a global meltdown was something of a non-event, other than the patching frenzy.
That’s great news in security. So how do we get better news? Having better knowledge of where our vulnerable systems are would help. Visibility products can discover software and hardware that are unknown to IT and OT teams. Once discovered, they can be tracked. And, with them being tracked, when the next crazy vulnerability rears up, we’ll know where to go to fix. All. The. Things.
Storytime, here. Once upon a time, there was a very large organization. The architects and managers of the organization believed with all their hearts that there was one and only one installation of SolarWinds managing their enterprise. One day, a visibility vendor – Forescout – did a PoC at that organization and found five more SolarWinds installations on the first day of the PoC. When the architects and managers tracked down those instances, they discovered that people in other locations and departments were installing management tools independently of the IT teams. Contrary to what one may think about finding Shadow IT, this was a good thing, because shortly after they discovered the additional instances of SolarWinds, the architects and managers had to deal with the SolarWinds breach. If they hadn’t started their visibility project, they’d have been in the dark about some severe vulnerabilities lurking in their network.
I’ve seen customers where the politics of visibility gets tricky. People don’t like it when the visibility tools discover lapses in their own due diligence regarding security. People don’t like it when the visibility tools find large areas of concern in the enterprise. I get that. But people have to understand how full honesty and reconciliation are vital to security efforts. Let’s establish cultural ground rules that accept that mistakes have been made and that we will work to make amends. And then let’s go out and let the visibility project tell the truth to us – all of it.
But having fuller knowledge of our enterprise is just the beginning; we also need to have a deeper knowledge of what software is running in our enterprise. Wouldn’t it be great if there was a tool that tracked not just the software on our systems, but the various components of that software? Imagine – a vulnerability is announced in an open-source module used in many programs. Now, rather than wait for a vendor to announce whether or not that module is in its software, a tool that is ready at hand tells us with a simple query response. As it so happens, there is such a tool, and I’d be happy to have you talk with me or someone from my company about Finite State.
With visibility and tracking, we can shift left that much faster when the need arises. Many of us are “good” with our security. Let’s shift left and get “better.”