Then there are the zero-day exploits. According to Jeff Williams, CTO and cofounder at Contrast Security, software applications and APIs average 26.8 serious flaws per app. "That’s a staggering number," he said. "The public was outraged at the negligence of Equifax, but the fact is that almost every company is equally insecure at their application layer. We are seeing widespread application attacks probing from thousands of IP addresses all over the world."
To protect against these kinds of attacks, companies need to speed up their patch deployment. "It used to be that attacks would take weeks or months to emerge after an application vulnerability was disclosed," he said. "Today, that safe window has been reduced to about a day, and will probably be only a few hours in 2018."
Companies also need to start embedding security controls directly into applications themselves, he said. The approach is called runtime application self-protection (RASP), and Gartner predicts a 9 percent compound annual growth rate for this market segment.
"Security needs to move closer to the application, and go deeper into core processes and memory usage," said Satya Gupta, founder and CTO at Virsec Systems, Inc. "New control flow technology, embedded at the application level, understands application protocols and context, and can map the acceptable flow of an application--similar to a Google map. If the application is supposed to go from point A to point B, but makes an unexpected detour, then something is definitely wrong."
Attackers can also use a compromised credential or take advantage of weak, default or nonexistent passwords. No malware needs to be installed, there is no communication with a C&C server, and there is no lateral movement. "Finding a leaked database or an Amazon S3 bucket means the attack is accomplished without much that the defenders can do," said Ben Johnson, CTO at Obsidian Security, Inc.
According to a report released this month by RedLock, 53 percent of organizations that use cloud storage services like Amazon S3 have accidentally exposed at least one such service to the public. Earlier this summer, Skyhigh Networks reported that 7 percent of all AWS S3 buckets used by enterprises have unrestricted access, and 35 percent are not encrypted.
Since the data is leaving through a legitimate channel, the exfiltration defenses might not pick it up, either. "You need specialized tools to protect specifically against web application attacks," said Govshteyn.
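The two storage misconfigurations cited above, unrestricted access and missing encryption, can be checked from a bucket's ACL, policy and default-encryption settings. The sketch below is an added example, not code from the article or any vendor quoted in it. The `snapshot` dict layout and the sample buckets are constructed assumptions, and the rule "wildcard principal with no Condition" is a simplification of how S3 decides a policy is public.

```python
import json

# Group URIs that S3 ACLs use for "everyone" and "any authenticated AWS user".
ACL_GROUP = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {ACL_GROUP + "AllUsers", ACL_GROUP + "AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Permissions that an ACL grants to the public groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)

def public_policy_statements(policy_json):
    """Allow statements open to any principal and carrying no Condition."""
    hits = []
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    for i, st in enumerate(_as_list(statements)):
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits

def audit_bucket(snapshot):
    """Findings for one bucket snapshot (hypothetical layout: acl, policy, encryption)."""
    findings = [f"public ACL grant: {p}" for p in public_acl_grants(snapshot.get("acl", {}))]
    findings += [f"policy allows any principal: {s}"
                 for s in public_policy_statements(snapshot.get("policy"))]
    if not snapshot.get("encryption", {}).get("Rules"):
        findings.append("no default encryption rule")
    return findings

# Constructed sample snapshots, not data from any real account.
OPEN_BUCKET = {
    "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ACL_GROUP + "AllUsers"},
                        "Permission": "READ"}]},
    "policy": json.dumps({"Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-bucket/*"}]}),
    "encryption": {},
}
LOCKED_BUCKET = {
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner"},
                        "Permission": "FULL_CONTROL"}]},
    "policy": json.dumps({"Statement": {
        "Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-constructed"}}}}),
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
}
```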
Or take a denial of service attack. "You still have to pick your target, so there is some reconnaissance," said Sam Curry, CSO at Cybereason, Inc. After that, the attackers jump straight to the disruption phase.
A denial of service attack could also be just the first step, he added, helping to mask other malicious behavior. "When you stress a system, you can create a vulnerability," he said. "Or you create a high signal-to-noise ratio, flood the defenders to drown the evidence and destroy the ability to find the signal."