Practitioners are familiar with the dynamism of cybersecurity. It may be part of the reason they got into it in the first place.
Taking one measure alone, 55 common vulnerabilities and exposures (CVEs) were recorded on average every day last year, a record. 2022 is already on track to exceed that. These vulnerabilities are spread throughout the full stack of technologies used by organisations. With systems and applications as interconnected as they are today, attackers can chain multiple vulnerabilities together to improve their chances of exploitation, or to escalate attacks.
Attackers also have a wider choice of potential targets and entry points, while practitioners conversely have more gates to protect and can limit traffic through their organisation.
A recent study found 75% of Australian businesses are now living with a vastly increased attack surface. The largest contributor to this is the increased use of web applications to engage with dispersed and often 'location agnostic' employees, customers, and other stakeholders. The increased number of endpoints inevitably expands the attack surface and exposes companies to new vulnerabilities. Often companies are not aware of the status of all devices accessing their resources.
In addition, the need for infrastructure modernisation and digitalisation has led to adoption of newer technologies, further expanding the risk.
While Australian CISOs may say they have everything covered, the survey found that security maturity could well be further developed and nurtured.
But our research simultaneously shows that when you dig down and talk to people lower down in the security hierarchy, the reaction and response are inconsistent at best, and all over the place at worst.
Frontline security staff in SOCs are scrambling to keep up with the combined impacts of a rapidly widened attack surface, changing architectures, more people working remotely and ongoing digitalisation.
In short, current cybersecurity postures are struggling to align with dynamic attack surfaces.
That needs to change.
Breaching the moat
Cybersecurity teams have traditionally focused on preventing all attacks, using what might be referred to as a 'castle and moat' approach. The 'castle' is the office network, protected by the 'moat' (the network perimeter). Everyone inside the 'moat' was trusted; no one outside it was. A 'drawbridge' lowered over the 'moat' allowed traffic in and out to be controlled.
This works on the assumption that people work within a walled, protected environment, that they are accessing sensitive data and systems mostly from within an office on corporate-owned devices.
Most organisations don't operate like this anymore. Only 18% of Australian companies say that they still have this traditional 'castle and moat' defence.
The reason is that this defensive model simply does not work when the network perimeter becomes blurred. Nor does it offer workable prevention against the growing dynamism of the attack surface.
Adapting to change
A completely different approach to cybersecurity is required.
The desirable end state, easier said than done, is to embrace an adaptive cybersecurity posture, supported by people, process and technology, that is more responsive to the dynamism of today's cybersecurity landscape.
As research firm Ecosystm notes, "anticipating threats before they happen and responding instantly when attacks occur is critical to modern cybersecurity postures. It is equally important to be able to rapidly adapt to changing regulations. Companies need to move towards a position where monitoring is continuous, and postures can adapt, based on risks to the business and regulatory requirements. This approach requires security controls to automatically sense, detect, react, and respond to access requests, authentication needs, and outside and inside threats, and meet regulatory requirements."
Adaptation is also likely in future to involve artificial intelligence. A golden example of applying AI adaptively for cybersecurity would be to be able to detect the presence of code, packages or dependencies that are impacted by zero-days or other vulnerabilities, and to block those threats. That may be some way off yet - it would require a model, and enough time and data to train it. But it's an example of the thinking and discussion on adaptive cybersecurity that is currently taking place.
Tackling attack surface
While an adaptive cybersecurity posture is the end game, there are things Australian organisations can do in the interim to get a better handle on their environments.
An interim goal could be to better protect web applications - the single largest contributor to an expanded attack surface in Australia.
For this, development and security teams alike should embrace security-as-code and policy-as-code. Using a security-as-code approach allows developers to communicate runtime security assumptions to the application infrastructure at deployment. Limiting the types of requests that an application has to process can be more efficient as it allows pre-processing of inputs at the edge of the application infrastructure, rather than inside the application.
In addition, next-generation web application firewalls (WAFs) give teams more options to deal with threats. They allow security to be addressed in a more automated way, detecting and either logging or blocking malicious request traffic before it reaches the web application.
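As an added illustration of the two preceding paragraphs (not code from the article or any vendor), the following is a minimal security-as-code policy: the development team declares the requests the application expects, and an edge component evaluates each request against that declaration, either logging or blocking anything outside it before it reaches the application. The policy format and request shape are assumptions chosen for this example.

```python
"""Added example: a declared request policy enforced at the edge, with a
log-only mode for tuning and a block mode for enforcement. The POLICY
structure and Request fields are constructed for illustration only."""
from dataclasses import dataclass
from typing import Optional

# Runtime security assumptions declared alongside the application at deploy
# time (constructed policy, not any product's format).
POLICY = {
    "mode": "block",                 # "log" to observe first, "block" to enforce
    "max_body_bytes": 64 * 1024,     # largest body the app is written to handle
    "routes": {
        "/api/orders": {"methods": ["GET", "POST"],
                        "content_types": ["application/json"]},
        "/health":     {"methods": ["GET"], "content_types": []},  # [] = any
    },
}

@dataclass
class Request:
    method: str
    path: str
    content_type: str = ""
    body_len: int = 0

@dataclass
class Decision:
    action: str                      # "allow", "log" or "block"
    reason: Optional[str] = None

def evaluate(req: Request, policy: dict = POLICY) -> Decision:
    """Pre-process a request at the edge against the declared policy.

    Checks run cheapest-first: unknown route, undeclared method, oversized
    body, undeclared content type. Only the first violation is reported."""
    route = policy["routes"].get(req.path)
    media_type = req.content_type.split(";")[0].strip().lower()
    violation = None
    if route is None:
        violation = "unknown route"
    elif req.method.upper() not in route["methods"]:
        violation = f"method {req.method} not declared for {req.path}"
    elif req.body_len > policy["max_body_bytes"]:
        violation = "body exceeds declared maximum"
    elif route["content_types"] and media_type not in route["content_types"]:
        violation = f"content type {req.content_type!r} not declared"
    if violation is None:
        return Decision("allow")
    # In "log" mode the violation is recorded but the request passes, so the
    # policy can be tuned on real traffic before it starts blocking.
    return Decision(policy["mode"], violation)
```

Running the same policy in "log" mode first is the usual way to confirm the declared assumptions match real traffic before switching to "block".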
Leveraging WAFs and content delivery networks (CDNs) should be part of any holistic defence-in-depth security strategy, and offer a pathway to immediate protection, as well as towards more adaptive forms of cybersecurity protection.