How to stay one step ahead of zero-day threats

Image courtesy of Ed Hardie

In an increasingly digital world, security preparedness is an invaluable operational strategy that will save organisations a lot of time and money in the long run.

However, how can businesses prepare themselves for threats that are unknown, or have never occurred before? Can a game plan for zero-day threats be established?

For Leonard Ong, Senior Director and Regional Security Officer, APAC at GE Healthcare, nothing is impossible, at least when it comes to cybersecurity.

“We rely on technology even more than in the past. With more use of technology, and with the complexity that grows out of that, there will be a wider attack surface area, and more vulnerabilities and security issues. However, this should not be a deterrent, because our life will be improved by the adoption of technology. We just have to make sure that it can be used securely and safely,” Ong remarked during the fireside chat “Advanced Threat Protection – How Should Organisations React to Zero-Day Threats?,” organised by Jicara Media as part of the IT Security Frontiers 2022 online conference.

Because cyberthreats grow more sophisticated in parallel with the development of new technology, the question is: are business organisations better prepared to deal with cyberattacks now than they were a decade ago?

The senior IT expert would like to think so. He listed four reasons to support this argument:

  • “When we look at the awareness, I think companies know that it’s important to treat zero-day vulnerabilities. Most companies have a vulnerability disclosure program. This is where the security researcher, or anybody who finds a particular vulnerability in their system, could report it to the organisation. There’s a clear procedure, there’s a clear policy, and there’s a clear channel. There’s also the SLA (service-level agreement). And there’s also a reward or incentive for the security researcher. So there are multiple ways in which a zero-day vulnerability could be discovered.”
  • “Secondly, I think it’s more about the awareness from the ecosystem, the regulators becoming more mature, and coming up with (regulatory) expectations that there is a certain cybersecurity level of maturity that is needed. That’s why we have cybersecurity laws, classifications of a CII (critical information infrastructure) operator, and industry specific guidelines and regulations.”
  • “Thirdly, the customer has also become more mature. They will ask their supplier and the supply chain to be more secure, because they rely on them to be able to do their work.”
  • “Last but not least, as we know recently from banking scams and so on, the user has a huge component to play, because (it is useless) if you secure the organisation, you secure your supply chain, your upstream, but then your consumers or your customers are not secure. It’s really like an ecosystem.”

Covering all bases

Because of the evolving complexity of enterprise technology, Ong lamented that there really is no one-size-fits-all solution to issues such as cyberattacks.

“We have to do a lot of things as a minimum, (and) we (need to) keep on adding incremental deployment of technologies or processes, as well as (do continuous) training, in order for us to grow our maturity,” he said.

Part of these minimum efforts is software patching, but according to the IT expert, patching alone will not suffice.

“It is still very important (to do) reactive and corrective controls, to be able to patch (in time) based on the risk level, but (what’s more important) is to be resilient. We need to understand what we have. In terms of assets, what devices do we have? What applications do we have? Then, we go even deeper— what APIs do we have? What network connections? What software components?” 

“If I were to buy a particular device, and that device comes with firmware, or an application within that firmware— there are a lot of open source, and also proprietary software components. At this point, we have to understand every product, hardware, software, and cloud application that exists in our computing estate. Do we know what the solid components are? When the patch is made available, how do I know the applicability of this patch to my computing estate? If we don’t have that asset inventory, or visibility, then we will not be able to patch everything that needs to be patched,” Ong added.

To execute patching more effectively, Ong highlighted several pointers: “It is a risk every time we patch a system. There’s always a risk that the system becomes unavailable, then we have to roll back from that disruption. Then again, we have to balance (it) out. Not every patch is so critical that you need to patch right away. This is where the trust between CISOs and CIOs has to be built from the ground up. They have to be best buddies in the organisation so that you can execute this (strategy) correctly.”
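Ong’s two points above, that patch applicability can only be judged against an inventory of assets and the components embedded in them, and that not every patch needs the same urgency, as an added Python example that is not from the article or from GE Healthcare. The asset names, component versions, advisory and patch windows are all constructed for illustration.

```python
# Added example (constructed data): map a component advisory onto an asset
# inventory and derive a risk-based patch window per affected asset.
from dataclasses import dataclass, field

def parse_version(v: str) -> tuple:
    """Turn '1.1.1k' into a comparable tuple; letter suffixes sort after bare digits."""
    parts = []
    for piece in v.split("."):
        num = "".join(c for c in piece if c.isdigit())
        parts.append((int(num) if num else 0, piece[len(num):]))
    return tuple(parts)

@dataclass
class Asset:
    name: str
    kind: str                  # "device", "application" or "cloud"
    internet_facing: bool
    components: dict = field(default_factory=dict)   # component -> version

@dataclass
class Advisory:
    component: str
    affected_from: str         # first vulnerable version (inclusive)
    fixed_in: str              # first patched version (exclusive)
    severity: str              # "critical", "high", "medium" or "low"

# Constructed inventory: devices, apps and cloud services with their embedded components.
INVENTORY = [
    Asset("ultrasound-cart-07", "device", False, {"openssl": "1.1.1k", "busybox": "1.31.0"}),
    Asset("patient-portal", "application", True, {"openssl": "1.1.1l", "nginx": "1.20.1"}),
    Asset("billing-api", "cloud", True, {"openssl": "3.0.2"}),
    Asset("file-server", "device", False, {"samba": "4.13.2"}),
]
# Constructed advisory: a hypothetical OpenSSL 1.1.1 issue fixed in 1.1.1m.
ADVISORY = Advisory("openssl", "1.1.1", "1.1.1m", "high")

def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)

def affected_assets(inventory, adv):
    """Assets carrying a vulnerable copy of the advisory's component."""
    return [a for a in inventory
            if adv.component in a.components and is_affected(a.components[adv.component], adv)]

PATCH_WINDOW_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}   # assumed policy

def patch_deadline_days(asset: Asset, adv: Advisory) -> int:
    """Exposed assets get the base window; internal ones get four times as long."""
    base = PATCH_WINDOW_DAYS[adv.severity]
    return base if asset.internet_facing else base * 4

def patch_plan(inventory, adv):
    """(asset name, days to patch) for every affected asset, most urgent first."""
    return sorted(((a.name, patch_deadline_days(a, adv)) for a in affected_assets(inventory, adv)),
                  key=lambda item: item[1])
```

Without the `components` map on each asset, `affected_assets` could not tell that the ultrasound cart’s firmware ships the vulnerable library at all, which is exactly the visibility gap Ong describes.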

When it comes to open-source software, Ong acknowledged that while it is often a vulnerable target for cyberattacks, it is a necessary component of present technology, and that there are ways to thwart threats originating from there.

“I couldn’t imagine any software at this time that has been built without a single component or library from the open-source community. Think about our browsers, our web servers— they will use at least OpenSSL, which is the library to handle encryption between browsers and the web server. So is it bad? Is it good? I don’t think it is good or bad. They are just software, and could be open source or closed source. I don’t think they should be any different,” he said.

“In fact, for open-source software, if someone tries to maliciously insert a few lines of code with logic issues, there will be communities that will easily see the source code, and be able to spot that and rectify it right away. We also have static analysis software with which we can spot certain logic that we typically don’t expect in the source code,” Ong added.

Future-proofing new technology

Even now, use cases for technologies such as artificial intelligence (AI) and 5G across verticals continue to evolve, and with the speed of utilisation of these tools, designing for security might be a bit of a challenge, particularly for smaller organisations.

Nevertheless, Ong remains hopeful of greater collaboration between these technologies and cybersecurity in the near future.

“I think we are still in the early phase of AI technology. A lot of AI resources or experts are mostly focused on business applications, because they need that expertise in order to accelerate business processes. But as soon as we are able, I hope we will have more access to data scientists and AI experts in cybersecurity,” he noted.

“Ultimately, I hope that AI will not replace humans in the next few decades, but we could use AI to assist us in getting higher maturity in cybersecurity, because we are always understaffed. We always need to respond as quickly as possible. We deal with complex environments, sometimes with things that we cannot see, because these are all cyber assets in cyberspace. So AI is definitely very important,” Ong added.

Moreover, the IT expert shared several more initiatives to achieve cyber resiliency.

“Always think about modelling the security by design, or privacy by design— having all this product security built into your product. So that when you deliver the product to the customer, it is reasonably secure. After the customer purchases the product, there must also be security support, whereby the customer can use your product in a secure and confident manner. We have to remember that every manufacturer is also a consumer of an application. So no one is 100% consumer or 100% producer. We produce something and we also consume something,” he explained.

Just as companies are assigned credit ratings, Ong said that a barometer for enterprise security should also exist, in order to contain the attack surface across an ecosystem.

“If one particular company and ecosystem get hit, they should get some kind of a public indicator that this company has been hit, and they are working on remediation, so that everyone in the ecosystem who is connected to that company will be able to take some precaution or heighten their alert level. I think we need to have that continuous chain of trust within an ecosystem,” he concluded.