To succeed at digital transformation, make application security a priority

WFH initiatives heighten security concerns

As discussed in the article “Is Digital Transformation a Victim of Covid-19” the “Covid-19 pandemic is putting growing pressure on organizations to expand their digital transformation efforts to include work from home (“WFH”) processes to allow for continued operations in a “social distancing” environment.”

As well, “WFH means many more endpoints and many more inadequately secured network access points (“endpoints”). With the use of video conferencing tools like Zoom, Microsoft Teams, and Google Meet growing, and with the use of less secure network connections growing,  there are security implications that CISOs are rushing to address — especially for these remote employees; because an increase in collaboration application usage, and remote access, means a larger attack surface for threat actors to target.”

Digital transformation demands better endpoint security

However, it’s not just the security response to COVID-19’s impact on daily business with which we should concern ourselves. Credit unions’ digital transformation efforts (designed to tap the power of mobile, internet of things (IoT) and other edge technology to improve business results) are also rapidly expanding the threat vector within which security people must contend. And if we don’t successfully address the security issues generated by digital expansion, our efforts to transform will suffer, maybe implode.

The endpoint revolution

Digital transformation is driven, in part, by the dramatic increase in computing power built into endpoint devices such as tablets, smartphones, laptops, IoT sensors, operational technology (e.g. transformers) and other endpoints. To optimize digital initiatives, we are pushing computing outward from centralized or cloud-based servers to these endpoints, to leverage their growing capability and to empower our end users. It’s true that many critical enterprise assets and resources remain behind your credit union’s network firewalls; but access to these resources is needed for endpoint applications and devices to deliver on their promise to end users – employees, members and more.

More endpoints, more risks, more losses

As described by John Aisien, CEO of Blue Cedar, “the growing number of devices and applications presents significant security challenges. Cybercriminals understand well the growing number and power of endpoint devices, and their vulnerabilities. Attackers are exploiting weaknesses in devices, apps, networks, back-end servers and other assets, even gaining access to corporate IT resources or bringing down systems and halting business.” Malware, hacks and data or infrastructure breaches are derailing digital initiatives, violating customer and user privacy, exposing enterprise assets and undermining brand trust.

Mr. Aisien tells us “to mitigate these risks, enterprises are fighting back by implementing access controls, user authentication, device status monitoring, data protection and other security measures but, in the face of these actions and investments in security solutions and services, malicious malware attacks continue to grow and continue to do significant damage.” And financial services organizations lead the way in the size and severity of attacks directed at them, with more to come. If all the work being done and dollars being spent isn’t successfully securing our endpoints and protecting our investments in our digital transformation initiatives, what are we to do?

To secure the endpoint, one must secure the application running on it

“The true security perimeter is actually enforced by each application running on an endpoint,” according to TJ Tajalli, CEO at OnSystem Logic. And it is within “each application’s memory, including those applications implementing the various functions of all modern operating systems of today, where data is manipulated as directed by the application’s instructions inside its memory.”     

The credit union technology leaders I’ve spoken with would agree when Mr. Tajalli says “today’s endpoint security defenses have been built around observation and potential enforcement of visible operations OUTSIDE of the applications. This is true regardless of the technology being used by state-of-the-art endpoint security products. However, ALL attacks, including ransomware, data theft, data modifications, endpoint software and data destruction, etc., run inside known applications or benign looking applications without being noticed by current endpoint security products — until it is too late.”  All of this leads to the conclusion that “despite billions of dollars spent on endpoint security the endpoints are truly not safer than before.”

App-centric security is the forward step we must take

Given the growth of both managed and unmanaged endpoints, including bring-your-own-device (“BYOD”) scenarios, credit unions must look beyond current endpoint security solutions.  Not only are these solutions failing to provide the “certainty” needed by our organizations as we work to digitally transform them, but these solutions too often impact negatively the end user experience we fight so hard to improve.

Unfortunately for all of us, it appears current endpoint security products have largely given up on trying to stop the execution of unwanted code and have instead moved toward POTENTIALLY detecting and responding, but only after the damage has been done. None of us should accept this as the best that we can buy or the best that we can deploy.

How to deploy app-centric security

I have come to understand that in most applications, there are operations that have a security impact on the application. One such operation that impacts all applications is the ability to change its data into executable code. Most applications don’t use this operation; however, it is the most destructive and effective method attackers use to take full control of applications. Controlling self-modification is the first and most important universal problem that must be solved. Another example of an important universal operation to control is the ability of the application to create and/or manipulate other processes. In addition to the universally important operations to control, selecting other operations to control is based on the functionality of an application. For example, a database server’s critical operations include directly manipulating backend data files, its privilege implementation mechanism, etc. 

In practice, important security operations are seldom used within an application. Learning which part of an application uses those operations during its normal operation is what is required. So, this is doable. In fact, it’s being done. There are firms pursuing and delivering solutions to this problem. They need our attention. And if we are going to succeed at digital transformation, we need their solutions. If you agree and have ideas to share or questions to ask, feel free to ask me.