As organizations move to the cloud, they increasingly seek risk mitigation strategies to combat security vulnerabilities.
As digital transformation accelerates, organizations turn to hybrid and multicloud architectures to innovate, grow, and reduce costs. But the complexity and scale of multicloud architecture invites new enterprise challenges. Security vulnerabilities can easily creep into IT systems and create costly risks.
As a result, organizations are adopting cloud observability technologies to gain visibility into their IT environments and the associated application performance and software vulnerability issues. Observability platforms have, in turn, become central to cloud management toolkits to identify application performance issues as well as security vulnerabilities and resolve these issues in a timely manner.
Log4Shell software vulnerability highlighted need for cloud observability
Some security incidents have a widespread, costly impact, such as Log4Shell, a software vulnerability in Apache Log4j 2, a popular Java library. Log4j is a ubiquitous bit of software code that appears in myriad consumer-facing products and services.
Discovered in 2021, Log4Shell affected millions of applications and devices. The average cost of remediation has been estimated at $90,000.
“Analysts predict that Log4Shell will linger for years,” Threatpost wrote in a May 2022 article.
“Protection means securing complex, distributed and high-velocity cloud architectures,” the article continued. “Achieving this requires companies to adopt a modern development stack, one that arms security managers with greater observability and superior vulnerability management.”
Cloud environments require ongoing risk mitigation
As enterprises continue to operate and innovate in the cloud, risk mitigation becomes critical to prevent losses like those associated with Log4Shell.
At the same time, organizations rely more than ever on software development to modernize and grow.
But with this increasing emphasis on software development to drive revenue, teams find that they must streamline development, operations, and security. It has become imperative to “embed security in development and IT operations so organizations can improve their overall software reliability,” said Sandi Larsen, Dynatrace vice president of security solutions. During a recent Perform 2023 conference panel discussion, Larsen addressed the growing importance of application security for industry leaders.
Modern observability technology has helped enterprises identify software vulnerabilities such as Log4Shell in their environments. Additionally, modern observability enables organizations to reduce the time it takes to identify these software vulnerabilities from weeks or months to hours or days. A modern platform also plays a key role in helping organizations prioritize which instances of the vulnerability are most critical and which to address first. Numerous Dynatrace customers used the platform to remediate Log4Shell within a matter of hours.
For companies like Skyworks team, reducing the time it takes to find vulnerabilities from days or weeks to hours enables teams to be more effective and strategic, rather than being mired in days of fire-fighting.
Log4Shell reveals need for shift-left and defense-in-depth strategies
Log4Shell also revealed the importance of having a comprehensive cybersecurity strategy that enables organizations to shift left —that is, to identify security vulnerabilities in development through testing—as well as to shift right by identifying vulnerabilities in production through real-user monitoring, performance tracking, and other methods.
Organizations with mature DevSecOps practices—where development, security, and operations teams work collaboratively—have recognized the importance of shifting left as they develop software.
But having an observability platform with visibility into the entire software development lifecycle has been challenging for many organizations.
A defense-in-depth approach to cybersecurity strategy is also critical in the face of runtime software vulnerabilities such as Log4Shell. A defense-in-depth cybersecurity strategy enables organizations to pinpoint application vulnerabilities in the software supply chain before they have a costly impact.
“It’s all about having a strong posture around defense in depth,” Skyworks’ Jayadev said. “There have been many attack vectors that have focused on critical vulnerabilities within the software supply chain. …. It’s important to focus on having good hygiene, having a good patching regimen, having a good security policy over the course of time, and finally, good governance.”
At USI Insurance Services, end-to-end observability for application security is core to protecting sensitive customer data.
“We deal with a lot of personal information,” said Wendy Mathis, senior software lead at USI. “With hackers being very creative, we are trying to keep ahead of them.”
For these customers, having an observability platform that can capture issues from end to end is key. The ability to unify data silos and see the environment holistically gives their teams a critical advantage in detecting and mitigating application security risks.
“The one thing that binds everything together is a great automation technology across the application security stack,” Jayadev said. “That helps tighten the screws when it comes to your posture.”
The convergence of observability and security data becomes key
Panelists also indicated that if cloud observability technology has become a necessity, using a platform that can unify observability and security data is also critical.
“Convergence [between observability and security] is more of a necessity now,” Jayadev said. “How do you combine observability with software intelligence … [to] deliver to the business and shorten their time to the market? Convergence is going to be a huge factor [in that effort],” he said.
Mathis echoed this sentiment and said having a unified platform in which to view infrastructure and applications has helped her team identify software code flaws. This approach has also provided an additional “layer of security in one package [that] helps us quite a bit,” she said.
According to the panel, the growing convergence of observability and security data is clear. The objective now is to enable developers to understand and navigate the security lexicon. Once developers can understand the security considerations in their own language, it can streamline the development process, the panelists indicated.
How automation and AIOps are game changers
For the panelists, an observability platform like Dynatrace brings software intelligence and automation to formerly manual, error-prone, and imprecise processes. A modern observability platform like Dynatrace uses causal AI and topological mapping to identify root causes of application issues and unify siloed data.
For Skyworks, automation and AIOps—or AI for IT operations—have enabled the company to unify data and become more efficient.
“Prior to 2020, we had a very manual process and very siloed ways of doing things. Everyone did their own monitoring,” Jayadev said. By bringing in a unified platform in Dynatrace, Skyworks has been able to minimize siloed monitoring. “The automation is going to help us be competitive by a big margin,” Jayadev said.
USI’s Mathis noted that a unified platform enables development, operations, and security teams to identify the precise root cause of problems without blame and finger pointing. With traditional observability platforms, organizations often have to gather in a war room of sorts to determine the root cause of an application problem. With an observability platform that unifies data silos and provides real-time data on the cause of issues, finger pointing can give way to collaboration among teams.
“Instead of having to go back and forth to see which team is responsible for the problem,
with Dynatrace, it has filled a gap,” Mathis said. “We are seeing new security vulnerabilities we need to address on an application on autopilot.”
Eliminating war rooms and finger pointing not only hastens security breach remediation but also creates value for an organization overall. Instead of spending days and weeks identifying the root cause of application issues, teams can resolve issues before sensitive data is compromised or systems are breached.
Ultimately, Skyworks’ Jayadev said protection against cyberthreats and software vulnerabilities does more than defend organizations against security threats. Technologies such as observability in fact create value.
“Sometimes risk mitigation is value creation,” Jayadev said. “The risks that we have mitigated are actually adding value. The automation … is building a lot of value behind the scenes.”
For more on Dynatrace’s approach to Log4Shell, check out our resource center.
For all our Perform 2023 coverage, check out our conference guide.