theNet by CLOUDFLARE

Three emerging security trends

Tackling the ever expanding attack surface

Staying ahead of the threat landscape is crucial for CISOs to safeguard their business, but maintaining a leading edge is difficult in practice. Threat actors are accelerating, increasingly targeting organizations with both well-established and new methods of attack. Security programs face constant expansion, tasked with protecting an evolving attack surface, especially as organizations rush to build and deploy internal AI models. And security teams find themselves caught in the crossfire, racing to keep up with both adversaries and organizational advancements.

This article highlights three emerging trends, backed by real-world data and observations, that demand immediate attention and action from CISOs.

Trend 1: Vulnerability management programs are unprepared for the increased pace of weaponization

For years, vulnerability management programs have struggled to maintain patching cadence at the speed of vulnerability disclosure. The mean time to patch a critical web application vulnerability is slow, at 35 days. Unfortunately, maintaining a responsible patching cadence only gets harder as more vulnerabilities are discovered each year – there were more than 5,000 critical vulnerabilities in 2023.

Making matters more difficult, threat actors increasingly exploit vulnerabilities at lightning speed. For example, CVE-2024-27198, was disclosed on March 4th, 2024, exposed TeamCity servers to complete compromise. Threat actors attempted exploitation that same day, with attacks observed just 22 minutes after proof-of-concept code was published.

With nearly 100 zero-day vulnerabilities identified in 2023 alone—a 50% increase from the previous year—organizations face a perpetual cycle of emergency responses upon disclosure.

Recommendation:

Organizations must adopt a multi-pronged strategy that goes well beyond just patching to effectively mitigate vulnerability risk. Start by reducing the exploitable attack surface through network segmentation and Zero Trust principles.

Next, implement protection measures to stop exploitation of assets that don’t yet have an available patch or patching resources. One example could be leveraging threat intelligence in firewalls (both network and web application firewalls) to stop exploitation attempts.

Finally, when patching, prioritize using risk of exploitation, not vulnerability severity. Resources like CISA's Known Exploited Vulnerabilities Catalog are invaluable in determining prioritization.

Trend 2: Security teams must prepare to protect internal AI models

Much has been said about the potential for employees to misuse public LLM models by exposing sensitive data, which is why organizations like Samsung have banned its use.

However, there’s been far less conversation about internal AI models, which are a prime target for attackers. And organizations are investing heavily, with spending forecasted to reach $143 billion by 2027.

Internal LLMs are likely to have wide-ranging access to sensitive information and intellectual property. Examples might include an AI co-pilot trained on sales data and customer interactions used to generate tailored proposals, or an LLM trained on an internal knowledge base that can be queried by engineers. Additionally, since the models run on high-powered machines, financially motivated actors may target them for their computing power.

Attacks on internal LLMs are not theoretical; they have already happened. Threat actors exploited Ray, a popular open-source AI framework, granting access to production AI workloads across hundreds of companies. This enabled them to steal sensitive data, passwords, and cloud access privileges. The actors also deployed crypto mining malware.

Recommendation:

Security leaders should ensure their teams grasp the risks of LLM usage and actively engage in corporate projects to deploy internal LLMs. Starting with the OWASP Top 10 for LLMs can guide organizations in prioritizing protection measures, spanning from data loss prevention to dedicated AI firewalls.

Trend 3: Increased attacks on VPNs drive organizations to seek alternate remote access solutions

The past year has seen a significant increase in successful attacks on security appliances, especially VPNs. In just the first 4 months of 2024 there have been major zero-days for Ivanti’s SecureConnect VPN, Palo Alto Networks’ GlobalProtect VPN/firewall, and the VPN features of Cisco’s Adaptive Security Appliance.

Threat actors deliberately target these tools because once compromised, they provide wide-ranging access to an organization’s network. With VPNs being all-too-frequently attacked, many organizations are evaluating alternate remote access options.

Zero Trust Network Access (ZTNA) tools are one such option, providing authenticated access to specific applications instead of the broader network. They also provide performance benefits, making it faster and easier for employees to access internal resources.

ZTNA is a common starting point for organizations adopting Zero Trust. According to an ESG study* of 200 cyber security and IT professionals, the two highest ranked use cases for initial Zero Trust implementation are enforcing Zero Trust Application Access (ZTAA) policies for SaaS applications and deploying Zero Trust Network Access (ZTNA) for private applications. And in fact, 75% of cyber security and IT professionals currently using ZTNA report that they have replaced or plan to move away from VPNs for all employees.

Recommendation:

Perimeter-based defenses like VPNs don’t make sense in the context of today’s threat landscape and the rise of remote work. CISOs should develop a roadmap for Zero Trust adoption, with VPN replacement as an early roadmap item. To demonstrate value quickly, start with a smaller use case or targeted set of users, and expand from there. Consider factors such as speed of implementation, risk profiles of users and applications, employee feedback, and existing contract timing to prioritize deployment and maximize effectiveness.

Staying ahead of emerging risks

As organizations rely more on distributed IT infrastructure and embrace distributed and hybrid work, the complexity of securing an organization continues to grow. Tackling these threats has traditionally involved manually stitching together an expanding suite of traditional and siloed tools across security domains (e.g. network security, application security, data security, and threat intelligence).

Cloudflare is a unified, intelligent platform of programmable cloud-native services that delivers everywhere security to protect people, apps and networks. This enables organizations to regain control, lower costs, and reduce the risks of securing an expanded network environment.

*Enterprise Strategy Group, a division of TechTarget, Inc. Research Survey, Cloudflare Zero Trust for the Workforce Survey, May 2024

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.



Dive deeper into this topic.

Learn more about the latest security trends by reading Cloudflare’s new report: Security Brief: Threats against people, apps, and infrastructure.



Key takeaways

After reading this article you will be able to understand:

  • How Security is racing to keep up with both adversaries and organizational advancements

  • 3 emerging trends requiring immediate attention from CISOs

  • Practical recommendations that help organizations get and stay ahead



Receive a monthly recap of the most popular Internet insights!