
It reads like a 40-year reunion sequel to the film WarGames. The scene opens as everyone prepares for the Christmas holidays, and a community of mischievous Minecraft players makes an incredible discovery: a systemic software exploit in the open-source Java logging library embedded as a core component of most internet workloads. The vulnerability is easy to exploit and allows remote code execution, embarrassing IT and security teams around the world. Instead of science fiction, this was reality, as thousands of security teams worked through the holidays to determine the extent of their dependency on Log4j and quickly stitch together fixes for the initial disclosure and its later permutations.
Log4Shell taught us the priorities of enterprise security and what “preparing” means in the security industry going forward. Log4Shell provides a lesson in the optimal tools security teams should focus on, with teams struggling in key foundational areas of security readiness and software asset management.
As attack surfaces continue to grow, organizations need to get better at prioritizing tools that can drill down into the entire asset fleet. Security teams shouldn’t prioritize detecting zero-days. Instead, a security team’s priority should be to put in place the tools and governance needed to quickly understand how exposed they are to a new threat and to orchestrate a response.
The Pareto Principle in Cybersecurity
The Pareto principle states that roughly 80% of consequences come from 20% of causes (not to be confused with Pareto efficiency, which describes an efficient allocation of preferences and resources). This holds in enterprise cybersecurity, where an unsung 20% of our tools deliver over 80% of the value. That 20%, of course, is software asset management.
For years, Log4Shell lay dormant in one of the most widely used open-source libraries, unnoticed despite the millions of hours spent poring over code reviews and traditional application security testing. It’s a good bet that other similarly widespread vulnerabilities exist. The priority for your team and resources should be to be as prepared as possible to identify and respond to these as-yet-undetected threats.
Software asset management provides teams with the strongest foundation to assess internal past, present, and future security risks. The right software asset management tooling gives your team a deep view of your IT ecosystem, allowing organizations to gain unique insights into processes and quickly assess the applicability of new risks as they arise.
Finding zero-days is often left out of the security administrator’s job description, and with good reason. The focus should be on preparing for new critical vulnerabilities – and yes, that means detection, but most importantly remediation. As you assess your team’s resources and expertise, optimize for the speed and readiness with which you can address these new CVEs.
Using Log4Shell as a case study, let’s further break down security mindset gaps and re-emphasize the core competency of a security team in an enterprise organization.
The future of preparedness: software asset management
Log4Shell was a wake-up call. The vulnerability had lurked unnoticed in an immensely widespread open-source tool for the past decade. For most teams, this was another lesson that the future of enterprise security should focus on optimizing speed and visibility within their own fleet. With a scalable software asset management solution, an organization can move from the back foot to the front foot when dealing with emerging threats like Log4Shell.
It’s a classic saying: you can’t protect what you don’t know. In the case of Log4Shell, deep pain points around simply navigating one’s own IT ecosystem became apparent in the first few weeks. The right tool gives your team the scope of impact in minutes or hours instead of the days or weeks it took teams to inventory instances of Log4j in Java applications. It sounds easy enough – getting a list of every instance of Log4j or every Java process running on your laptops, servers and containers – but we all know colleagues and organizations that struggled with this simple act of taking inventory (and may still be struggling).
Log4Shell highlighted these shortcomings in the current approach to enterprise security and pushed us to get back to basics. A good organization recognizes its strengths and, better still, its limitations. As organizations grow and resources scale, the best way to keep your environment secure after initial deployment is the speed with which you can roll out released fixes and upgrades. This is the primary benefit of software asset management at scale, and why this 20% of our tools offers so much to support teams: it removes both the barrier to understanding and the barrier to action.
Mapping the castle grounds
There’s a good reason software asset inventory and management is the second most important security control according to the Center for Internet Security (CIS) Critical Security Controls. Knowing what software is running, and having instant access to that up-to-date information, is “essential cyber hygiene”. It’s like being the new master-at-arms for a local baron in medieval times: your first duty would be to map the castle grounds you are tasked with protecting.
Simply put, don’t expect your organization to develop unique, custom solutions to emerging security threats. You are not expected to find zero-days or spend your internal budget troubleshooting your licensed providers. Instead, good enterprise security preparation is tried, tested, and transparent (one of the key benefits of open source solutions), allowing security teams to move quickly as they assess risk and implement fixes.
Software asset management is the first step and, if ignored, the first obstacle to becoming an agile and prepared security-first organization. Think back to the first minutes and hours after Log4Shell was disclosed and how long it took you to fully appreciate the magnitude of the impact on your infrastructure. Are you sure you didn’t miss any use cases, and did you really have a clear picture of your processes? Did you have trouble finding every .jar file, including shadowed .jar files?
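As an added example (not from the article or from Uptycs), a small Python inventory script that walks a directory tree for Java archives, reports every log4j-core copy it finds with its version, and descends into archives nested inside fat jars, where shaded copies without Maven metadata are the ones that are easy to miss. The marker paths are the standard log4j-core ones; the sample tree the script builds is constructed inline for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Marker files: log4j-core's Maven metadata (gives the version) and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def _scan_zip(zf, label):
    """Yield (location, version, has_jndi_lookup) for zf and every archive nested inside it."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = dict(ln.split("=", 1) for ln in zf.read(POM_PROPS).decode().splitlines() if "=" in ln)
        yield (label, props.get("version", "unknown"), JNDI_CLASS in names)
    elif JNDI_CLASS in names:  # shaded/repackaged copy with no Maven metadata: flag it anyway
        yield (label, "unknown", True)
    for name in names:
        if name.lower().endswith(ARCHIVES):  # fat/uber jar: recurse into the nested archive
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                yield from _scan_zip(inner, f"{label}!/{name}")

def inventory_log4j(root):
    """Walk root and return a sorted list of (location, version, has_jndi_lookup) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if f.lower().endswith(ARCHIVES) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    findings.extend(_scan_zip(zf, os.path.relpath(path, root)))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample tree: a plain log4j-core jar plus a fat jar nesting two more copies."""
    def jar_bytes(version, with_pom=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
            if with_pom:
                zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        return buf.getvalue()
    root = tempfile.mkdtemp()
    Path(root, "log4j-core-2.14.1.jar").write_bytes(jar_bytes("2.14.1"))
    with zipfile.ZipFile(os.path.join(root, "service-all.jar"), "w") as fat:
        fat.writestr("BOOT-INF/lib/log4j-core-2.11.2.jar", jar_bytes("2.11.2"))
        fat.writestr("lib/shaded-logging.jar", jar_bytes("", with_pom=False))
    return root
```

Running `inventory_log4j(build_sample_tree())` lists all three copies, including the one the plain file name never reveals.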
The Economics of Good Security
As we move beyond Log4Shell, let’s incorporate these lessons for a more prepared future. Enterprise security teams need to allocate resources more deliberately as attackers become more sophisticated and continue to command seemingly unlimited resources. That makes the added value of clear visibility and real-time insight into your entire ecosystem all the more important. Remember that the primary role of the security team is to create a secure IT ecosystem, mitigate exploitation of known vulnerabilities, and monitor for suspicious activity. With mature software asset management, practitioners gain a stronger ability to monitor, patch, and harden assets.
This expanded visibility becomes the foundation on which teams build comprehensive security programs. According to Forrester, the application security market will grow to $12.9 billion by 2025. Overall, this is great for the security industry as we continue to invest in researching vulnerabilities and mitigating them before they are exploited. From an individual company’s perspective, however, it is logical to focus resources instead on the tools that move the needle for its business.
Think about the backlog of patches waiting to reach production, or consider the edge cases that may have been missed when Log4j was mapped. As attacks and attack surfaces continue to grow, organizations need to prioritize their security tools to achieve measurable results. It’s not the most glamorous topic, but the value of software asset management empowers security teams in every role, especially in the face of emerging threats.
Jeremy Colvin is a Product Marketing Analyst at Uptycs.