Cybersecurity and the Pareto Principle: The future of zero-day preparedness

It’s a 40-year reunion sequel to the movie “War Games.” The scene starts as everyone is getting ready for Christmas break and a community of mischievous Minecraft players makes an unbelievable discovery: a systemic software exploit in the open-source Java logging library embedded as a core component of most internet workloads. The vulnerability is easy to exploit and enables remote-code execution, leaving IT and security teams around the world scrambling. Instead of science fiction, this was reality as thousands of security teams around the globe worked through the holidays to determine the extent of their dependency on Log4j and quickly patch together fixes for the initial disclosure and permutations thereafter. 

Log4Shell taught us about enterprise security priorities and what “preparedness” in the security industry will mean going forward. Log4Shell provides a lesson in the optimal tooling that security teams ought to focus on, with teams struggling in key fundamental areas of security readiness and software asset management. 

As attack surfaces continue growing, organizations need to get better at prioritizing tools for their ability to drill down into the entire asset fleet. The priority of security teams should not be to detect zero-days. Instead, the priority of a security team should be to set up the tools and governance needed to quickly understand their exposure to a new threat and organize a response. 

The Pareto Principle in cybersecurity 

The Pareto Principle states that approximately 80% of consequences come from 20% of the causes (notably different from the Pareto Efficiency detailing efficient allocation of preferences and resources). This applies to enterprise cybersecurity: the unsung 20% of our tooling that brings over 80% of the value. This is, of course, software asset management.  

Log4Shell was a pervasive issue for years in one of the most widely used open-source libraries, and it still went unnoticed by the millions of hours spent poring over code checks and traditional application security testing. It’s a good bet that there are other similarly widespread vulnerabilities out there. The priority for your team and resources should be focused on being the most prepared to configure and react to these as-of-yet undiscovered threats.

Software asset management gives teams the strongest foundation on which to evaluate internal past, present and future security risk. Proper software asset management tooling gives your team deep visibility across your IT ecosystem, allowing organizations to gain unique insights into processes and quickly assess the applicability of new risks as they emerge. 

Finding zero-days tends to be left out of the security admin’s job description, and for good reason. The focus should be on preparing for new critical vulnerabilities — and yes, that means detection but, more importantly, remediation. When evaluating your team’s resources and expertise, you want to optimize for speed and readiness to address these emerging CVEs.

Using Log4Shell as a case study, let’s further break down gaps in the security mindset and re-emphasize the core purview of a security team in an enterprise organization. 

The future of preparedness: software asset management

Log4Shell was a wake-up call. The vulnerability lurked unnoticed in an immensely widespread open-source tool for the past decade. For most teams, this was yet another lesson learned that the future for enterprise security should be focused on optimizing for speed and visibility within your own fleet. With a software asset management solution at scale, an organization can go from being on the back foot to being on the front foot when dealing with emerging threats like Log4Shell.

It’s a classic phrase: You can’t protect what you don’t know. In the case of Log4Shell, the first few weeks exposed deep pain points around the simple act of navigating one’s own IT ecosystem. The right tool gives your team the scope of impact in a matter of minutes or hours rather than the days or weeks it took teams to inventory instances of Log4j in Java applications. It sounds simple enough — getting a list of all instances of Log4j or Java processes running in on your laptops, servers, and containers — yet we all know colleagues and organizations that struggled (and perhaps are still struggling) with that simple act of inventorying. 

Log4Shell highlighted these flaws in the current approach to enterprise security, and encouraged us to get back to the basics. A good organization recognizes its strengths and even better its limitations. As organizations grow and scale in assets, the best way to continuously secure your environment after initial deployment is through the speed at which you can implement published fixes and upgrades. This is the key benefit of software asset management at scale, and the reason why this 20% of our tooling offers so much in the way of enabling teams. It removes the barrier to action and the barrier to understanding. 

Mapping the castle grounds 

There’s a good reason why software asset inventory and management is the second-most important security control, according to the Centers for Internet Security’s (CIS) Critical Security Controls. It’s “essential cyber hygiene” to know what software is running and being able to access that up-to-date information instantaneously. It’s as though you were a new master-at-arms for a local baron in the Middle Ages. Your first duty would be to map out the castle grounds that you are charged to protect. 

Simply put, the expectation should not be that your organization will build unique, custom solutions to emerging security threats. You are not expected to find zero-days or spend your internal budget on hunting for bugs for your licensed vendors. Instead, good enterprise security preparedness is tried, tested, and transparent (one of the major benefits of open-source solutions), enabling security teams to move quickly in assessing risk and implementing fixes. 

Software asset management becomes the first step and, if ignored, it becomes the first roadblock toward creating an agile and prepared security-first organization. In the first minutes and hours after Log4Shell was disclosed, think about the time it took for you to fully map out the extent of the impact on your infrastructure. Extending this further, are you certain that there were no missed use cases and that you truly had a clear picture of your processes? Did you struggle with finding uber .jar files or shaded .jar files?  

The economics of good security

As we put Log4Shell behind us, let’s incorporate these lessons learned for a more prepared future. The allocation of resources by enterprise security teams needs to be more purposeful, as attackers become increasingly sophisticated and continue to have what feels like unlimited resources. The value added through clear visibility and real-time insights into your entire ecosystem becomes all the more important. Remember, the core scope of the security team is to create a secure IT ecosystem, mitigate the exploit of known vulnerabilities and monitor for any suspicious activity. With extended software asset management, practitioners are amplified in their ability to monitor, patch and harden assets.

This extended visibility becomes the foundation on which teams build comprehensive security solutions. The market for application security is forecast to grow to $12.9 billion by 2025, according to Forrester. This is great holistically for the security industry as we continue to pour resources into researching vulnerabilities and mitigating them before they become exploited. However, from an individual organization perspective, it is logical instead to focus resources on tooling that will move the needle within their organization. 

Think of the backlog of patches that are still pending to be implemented in production or consider potential for outside cases missed when mapping out Log4j. As attacks and attack surfaces continue growing, organizations need to get better at prioritizing their security tooling to create measurable outcomes. It’s not the most illustrious topic, but the incredibly high value added from software asset management empowers security teams in every function, especially as we look ahead toward future emerging threats. 

Jeremy Colvin is a product marketing analyst at Uptycs.