Overview

Enterprise security is under siege, but not where you might expect.
In this episode of Global Tech Tales, host Keith Shaw and co-host Matt Egan explore a critical shift in the cybersecurity landscape: a surge in zero-day attacks targeting edge devices like VPN gateways, firewalls, routers, and other embedded infrastructure. Lucian Constantin, Senior Writer at CSO Online, joins the show to speak with Daniel dos Santos, Head of Security Research at Forescout Technologies. They examine why attackers are moving beyond endpoints and exploiting overlooked areas of the enterprise network.
This episode covers:
The growing focus on edge infrastructure by state-sponsored and financially motivated threat actors
Why legacy code, patch delays, and low visibility make these devices attractive targets
The rise of zero-day vulnerabilities and what makes them so dangerous
Practical steps organizations can take to reduce risk and harden remote infrastructure
This episode is sponsored by Commvault.


And check out the bonus episode, in which Lucian and Daniel discuss the challenges of patching vulnerabilities in modern cybersecurity.

Transcript

Matt Egan

Are you ready to take on the future of cyber resilience? On November the 19th, Commvault Shift Virtual brings you dynamic keynotes, breakthrough product innovation and live Q&A with the experts. It's your chance to stay ahead of the threats shaping tomorrow.

You'll join global leaders and innovators, with live captions in more than 15 languages, wherever you are. Don't just keep up, lead. Register now for Commvault Shift Virtual.

Keith Shaw

Hi everybody. Welcome to Global Tech Tales, where we hear stories from IT leaders and editors from around the world about the latest technology and leadership topics.

I'm Keith Shaw, co-hosting along with Matt Egan. He is the global content and editorial director at Foundry, and he also represents the UK in this case. Hello, Matt, welcome back.

Matt Egan

Hey, Keith. How you doing?

Keith Shaw

Good, good.

So today we are going to talk about some of the latest trends in cybersecurity, specifically how attackers are going after edge devices and other infrastructure systems that lie in a remote setting, while other endpoint devices, such as laptops and employee workstations, are still vulnerable.

Researchers have seen a surge in the types of attacks that are going after enterprise edge devices. So, as always, we start with some statistics and surveys that were out there. Got some cool stats here to talk about with you, Matt.

First of all, Google's Threat Intelligence Group tracked 75 in-the-wild zero-days in 2024, and 44% of those attacks targeted enterprise technologies, not end-user platforms. A large share of those hit security and networking appliances such as VPNs, firewalls and routers.

And in fact, the 2025 Verizon Data Breach Investigations Report, sometimes known as the DBIR, notes that edge devices and VPNs accounted for 22% of exploitation-of-vulnerabilities actions, up almost eight times from last year.

So that's a huge surge, and remediation was incomplete for nearly half of those, and it took about 32 days for most of those vulnerabilities to be patched. And finally, Recorded Future observed edge gateway appliances among the top exploited classes, with more than 50% of attributed exploitation by state actors.

And we're even seeing this in the news. Recently, the US Cybersecurity and Infrastructure Security Agency, or CISA, urged government agencies to address two Cisco security vulnerabilities, warning that state-sponsored threat actors are actively exploiting these flaws.

So, you know, what are some of your thoughts around these statistics and news items that are coming up, Matt?

Matt Egan

I mean, it's so striking, right? We are used to now, like, the threat coming in through the front door, right? The issue being, like, phishing, human beings making mistakes, letting folks into end-user devices. And yet, this is a really striking surge, right?

Where sometimes vulnerabilities that have been known about and understood for decades are acted on, or these zero-days, which are the real issue, right? Because that's immediately a problem without a solution.

You know, the reason this happens is only ever because it's the most effective way for the bad guys to get in. But why is it happening?

Well, I'm really interested to understand why it is that they would now be choosing to go for these vulnerabilities in these sort of central edge devices, rather than what we've become used to, the sort of front-door attack.

Keith Shaw

Yeah, and so I think, to bring up the issue, we're going to bring in our senior expert on all things cybersecurity. We're going to throw it over to Lucian Constantin. He is from CSO, and he's going to discuss the issue with Daniel dos Santos, Head of Security Research at Forescout Technologies. So take it away.

Lucian Constantin

Hi everyone, and welcome to Global Tech Tales, where we speak with IT leaders about the latest technology trends. My name is Lucian Constantin. I'm a senior writer with CSOonline.com. Today, I'm joined by Daniel dos Santos, Senior Director and Head of Research at Forescout Technologies, a company that specializes in cyber risk management, amongst other things. Welcome, Daniel.

Daniel dos Santos

Thank you so much for having me, Lucian.

Lucian Constantin

Of course.

So Daniel, you have extensive experience in vulnerability research and intelligence, particularly in areas like network security, enterprise IoT, industrial control systems and what we broadly call embedded devices.

And one topic I wanted to discuss with you today: over the past several years, but more so over the past two years, last year and this year, we've seen a sharp rise in attacks exploiting both known and previously unknown, zero-day vulnerabilities across a range of enterprise network edge devices.

These include VPN gateways, firewalls, load balancers, email and web security gateways, routers, switches and so on. And many of these attacks, especially those leveraging zero-day vulnerabilities, have been attributed to cyber espionage groups operated by or affiliated with nation states. At the same time, ransomware operators and other financially motivated groups have also been quick to exploit these flaws for initial access into corporate environments, often only a few days after the vulnerabilities receive a patch.

So why are we seeing this surge in attacks against network edge devices now? Vulnerabilities in these systems are not a particularly new development, right? Researchers have been reporting them for over a decade, yet attackers seemed less interested in targeting them in the past.

Daniel dos Santos

Yeah, so there are several reasons for that. Let me go into some detail.

So one of the things is that there has been a shift in general into exploiting vulnerabilities, rather than using credentials, leaked credentials, phishing and all these kinds of attacks that don't rely on vulnerabilities themselves, right? It's not that those attacks don't happen anymore. They still happen.

Phishing is very relevant, credential leaks and all that. But we do see an increase in vulnerability exploitation in general, and particularly in the types of devices that you mentioned, network edge devices and so on. One of the main reasons is their privileged position in the network, right?

The fact that once you have access into a router, a VPN appliance and so on, you usually get a very privileged position in the network. You can see a lot of the traffic. You can connect, move laterally to other parts of the system.

It's not like getting access to a workstation that might not have, you know, what you're looking for as an attacker. Another reason is actually the lack of telemetry, security telemetry, on those devices, which makes security response, and kind of understanding those attacks, responding to those attacks, much harder.

So it's true that vulnerabilities have existed for a very long time on those devices, but threat actors have kind of caught up to the fact that it's easier to achieve massive scales of attacks when you're looking into those devices than with other types of attacks, right?

And we do see, for instance, as you mentioned, nation states, often for espionage, for pre-positioning into specific networks. We do see ransomware groups specifically, very, very active into routers and network edge devices.

We did have a couple of blogs where we talked about even them using zero-days as well, which is something that ransomware groups have been using in the past couple of years.

But we also see more attacks coming from automated sources like botnets and scanners online and so on. So as a whole, these devices have been massively scanned and exploited in the past couple of years.

As you mentioned, everything that is online and that has an unpatched vulnerability and that has this privileged position in the network has been targeted.

Lucian Constantin

Okay. Do you think that the COVID-19 pandemic and the rapid shift that followed to support a fully remote workforce, and later the hybrid one that we have today, led to an increase in the number of deployed network edge devices such as VPN gateways, firewalls and traffic monitoring appliances?

In other words, is this also a case of there now being more devices in this space for attackers to target than maybe in the past, so we are seeing more attacks as well?

Daniel dos Santos

Yeah, yeah.

That is one of the factors as well, the fact that there are way more VPN connections as a whole, and after the pandemic, yes, but in general, VPNs have been growing recently.

There are also other factors, other types of devices, as the world becomes more connected, becomes more digitalized, let's say, right? A lot of OT networks that used to be very air-gapped or segmented and so on have also, for the need of remote access, remote management, been connected to the internet via industrial routers, via VPN appliances, secure remote access solutions and so on, and those are also exposed online and have been targeted by threat actors as well.

So indeed, the pandemic kind of accelerated it, but it's a trend that was going on and will continue to go on even after the pandemic, right? The need for more connection into different environments for remote monitoring, remote management, remote access into a lot of environments.

And yes, work from home is one of those cases. But also, as I said, industrial, medical environments and several others are becoming more connected.

Lucian Constantin

Okay. Do you think, because for many years phishing and social engineering, as a form of initial access, attackers were focusing on getting malware implants onto endpoint devices, employee workstations, laptops and so on, and then performing lateral movement across the network, targeting servers, domain controllers, that sort of thing, whereas the security industry has focused a lot on securing the endpoint, right, and also security awareness training for employees.

And do you think we're at the point where the endpoint is now more secure and attackers are kind of looking for the new low-hanging fruit, which, at the moment, appears to be these network edge devices?

Daniel dos Santos

I do think so. There are a couple of issues there.

So first, yes, we still see, as I said in the beginning, phishing. We still see the credential leaks and so on. But those tend to happen now in workstations that are less secure, that are not running EDR, on personal laptops and things like that.

And it's more to deploy infostealers in many cases, or RATs and this kind of attack, which is different from the targeted attack that we're talking about here. It's different from the massive ransomware deployments and so on. Those more sophisticated attacks are many times now either starting from unmanaged devices, as we call them, at the network edge, or at some point moving laterally to those devices.

So there are lots of examples, and those are connected to EDR advancements and basically the fact that workstations and traditional endpoints are more secure, right? So we've been talking here about the initial access on the edge devices. That's one case.

But we also see, for instance, ransomware being deployed on virtualization servers, right? ESXi servers.

We also see examples of ransomware groups that have, for instance, moved laterally to IP cameras to then encrypt files on a workstation starting from the IP camera, because the EDR was blocking the ransomware from executing on the workstation.

So there is a strong correlation between advances in EDR and being able to detect and respond to more of those attacks, and more sophisticated attacks, let's say, and threat actors moving to devices that are unmanaged, that have less telemetry, that don't have security agents, that oftentimes organizations have less visibility into, right?

So that, first of all, allows the attack to happen, and second, makes it much, much harder for the organization to respond to that, to do the proper type of forensics to understand what actually happened, to bring those devices back to kind of the safe state. And also the fact that those devices are harder to patch in the first place, right?

So, you know, everybody is very well used to Patch Tuesdays these days. Or, you know, whatever operating system you have will have its own vulnerability management program. Those things are mostly automated in large IT enterprises these days, right?

Like, you know, every month there is an update cycle. Your computer often even reboots automatically when you're not working, and then you go to work the next morning, and everything is safe and secure and all that.

That's very different when we're talking about those other types of devices, right? There's no automated patching in many cases. It's a much more manual process. You think of networks that have hundreds or thousands of routers and switches. Maybe 999 of those routers and switches were updated, but there is one that the patch, for whatever reason, didn't apply to, right?

And so that's the one that's used as initial access. So yes, there is a very strong correlation with EDR, as we mentioned, patch management and the fact that IT security is definitely not solved, but it's something that's much more understood these days, and organizations have put a lot more effort, a lot more investment into that, but we don't yet see this level of investment into protecting the other half of the network. Let's put it this way.

Lucian Constantin

I want to talk about the nature of these vulnerabilities a little bit, because some in the security research community have criticized the nature of the vulnerabilities being exploited, describing many of them as trivial issues that should have been caught by automated scanners during routine security testing of code bases.

We are talking about flaws like unsanitized input leading to command injection, missing authorization checks that enable authentication bypasses and privilege escalation, basic buffer overflows. These are generally well-understood problems that date back more than two decades at this point, and I wanted to get your perspective on that.

Are these flaws something that manufacturers should have been able to catch easily? Why do they continue to persist in code bases after all this time, and does this point to shortcomings in secure development life cycles?

Daniel dos Santos

Yeah, that's a very interesting question, right? So the reality is that, yes, those vulnerabilities, those classes of vulnerabilities, have been known and understood for decades.

There are automated tools, you know, static analyzers and even dynamic testing and so on, that should be able to catch some of those, if not all, most of those, let's say. And we do see there is kind of a correlation between the ease of exploiting a vulnerability and the fact that that vulnerability is being exploited, right?

You mentioned, for instance, buffer overflows and so on. Those are, in some cases, a little bit harder to exploit. You have to craft a specific payload and all. But we see things like the command injections that you said and the authorization bypasses that are usually very easy. It's just a string, you know, that you send in an HTTP request. And those get exploited massively.

The reality is that, yes, it's frustrating as a network defender, let's say, it's frustrating as somebody in the security community, to see that those issues still plague security products or networking products or basically things that people depend on to have their business running.

And I do think that there has been an improvement in many vendors, at least most of the major vendors, in updating their security programs, making sure that they have testing in place, making sure that they have responses to vulnerabilities and so on.

It's a fact that vulnerabilities continue to happen, right? And I don't expect that we reach a point where they will not happen.

I think what is important is that organizations are responding faster to those. What is alarming is, as you mentioned in the beginning, the trend of zero-days, right? Zero-days are really becoming a huge problem because, you know, they're exploited without the patch being available. They're exploited without the vendor knowing about the vulnerability, right?

So indeed, I do think that there needs to be more investment and more effort into catching those things as early as possible and making sure that attackers are not the ones finding them, or making sure that at least, if not internal security teams, at least external security researchers, via bug bounties or something like that, can help to secure those products, right? From my point of view, the really riskiest part of what we're discussing here now is the zero-days on network devices and the fact that they, in many cases, continue to be easy-to-find and easy-to-exploit vulnerabilities.

Lucian Constantin

Do you think this is also a case of inherited security debt? Because many of these companies are not necessarily the original developers of these products, right?

They acquire them along with their parent companies originally, and maybe many of those original developers have left the company, have not necessarily made the transition, right? And now you have other developers, numerous development teams, taking care of this product.

And one argument I've heard is that there is some reluctance from developers to go into old parts of code they don't completely understand, and there's no one around to explain it to them, because those people are long gone, and go and make changes.

So the burden of proof for maybe a finding by a security scanner, which might be like an insecure function, this might potentially be a vulnerability, but you have to show me that you can actually exploit it, that the code path can be reached by a potential attacker, before I go in and start changing things and make things worse or break some feature or something like that, right? Do you think there's also something like that going on? And also, we know that re-engineering legacy code bases is a big investment, right? It requires many man-hours, development resources.

It's a long-term project, and of course those resources could maybe be better used, from those companies' perspective, to develop new features. So do you think there's some of that going on there?

Daniel dos Santos

No, absolutely, that's a relevant factor.

So the reality is that code bases are messy nowadays, right? We've been dealing with software, technology, networking for, you know, over 30 years now, right? You know, the internet really became popular in the 90s, let's say, right?

So at least 30 years of this code base has been around. There is what you mentioned, companies being acquired. There are developers leaving. There are open source projects.

There are commercial projects that have included libraries, and then the maintainers are no longer, you know, available, and things are kind of left there, integrated into a code base, but nobody really owns the responsibility for that. Code bases are messy, and as you mentioned, we discussed before about static analyzers and things like that being used in secure development life cycles.

They are being used, but indeed, you run that on a fairly large code base, you get thousands and thousands of alerts, right? And which one of those are real, true positives versus false positives? What do you prioritize, what do you fix? As you said, you go and maybe fix it, but then you create new issues.

We see that. That's another point, by the way: we see a lot of vulnerabilities that are kind of partly fixed nowadays, but they lead to other vulnerabilities, right? You kind of close, let's put it this way, one way of reaching a vulnerable piece of code, but then you open up another way. That has happened a lot.

There was actually a statistic, I don't remember the right statistic now, but Google's Project Zero found that something like half of the vulnerabilities that they had found in a specific year, I think a couple of years ago, were related to incomplete fixes of vulnerabilities, right?

So that's also something that's going on.

So just to summarize, like I said, code bases are really messy and difficult to handle, difficult to manage, but that will become more and more problematic as they grow and as, you know, technology evolves, and as more and more products get, as you said, acquired, get integrated, get developed, new features appear, and so on.

So complexity is not going down. Code bases are not becoming smaller at any time in the future. So we do need to probably look at new ways to manage this complexity, in a way.

Lucian Constantin

And finally, on this topic, what do you think customers can do to mitigate this threat?

It's not easy to put compensating controls like IP filtering on devices that are supposed to accept external connections from roaming employees who could be at coffee shops, airports and so on. These devices are meant to be the controls themselves.

Have you observed customers maybe shifting their attention towards SaaS-type offerings where these functions are handled in the cloud through global CDN networks, with those service providers being responsible for patching and securing their services, rather than the customer, and the customer only needs to come and configure their own access policies and that sort of thing? Is that a shift that you see companies doing, instead of deploying all of these appliances and hardware devices that are hard to manage and hard to patch and so on?

Daniel dos Santos

So that's a great question.

So yes, there is a reevaluation of secure access and VPN technologies and things like that going on in the industry, and a lot of people are adopting SaaS technologies and going to other types of solutions, let's say. There was a guideline set by CISA also, maybe last year, a couple of years ago, that was talking, it was not a guideline, actually, it was just discussing exactly like alternatives to traditional VPNs for organizations to look into and so on.

I don't think that every organization will move there. I don't think that solves all the problems. That solves some problems, but introduces others. There might be vulnerabilities on the SaaS providers as well, and so on.

I do think that there are things that organizations can still do to harden their own internal devices or appliances, even if they are exposed online, right? So, for instance, you might expose the services that need to be exposed, but not the management interfaces.

Let's say, if it's a router, right, you don't necessarily need the whole management interface of the router to be exposed directly online. Maybe that can only be accessed from the internal network, or maybe that can be accessed via a VPN.

There are ways to think of how to control access. You don't need to think of a device and full access into those devices externally, right? There are other solutions, like multi-factor authentication, that help to mitigate some of those attacks.

There is logging on those devices that can be enabled, can be enriched, can be sent to the SIEM, and can be used for threat detection.

There are a lot of things that can be done to reduce risk, making sure that, you know, the networks that are connected to those devices are well segmented, in a way that even if you do get access to a device like that, you don't necessarily have access to the entire network of an organization, and so on.

So I would say that there are two ways of looking at this, right? One is, yes, consider if it makes sense for your business, for your organization, to transition from a traditional VPN, traditional networking deployment, to something different. There are advantages, there are disadvantages for that. It's on each individual business to look into that and weigh those pros and cons and decide what you do.

But even if you decide to stay with the traditional appliances, traditional devices, traditional equipment, there are ways to look into hardening those, to look into having the right level of visibility into those and the right level of network segmentation, so that you reduce your risk to a level that might be more acceptable.

Lucian Constantin

Thanks a lot for taking the time to chat with me and share your insights into these complex issues that companies have to deal with in the world of cybersecurity.

Keith Shaw

All right, so that was a great interview, and we're going to bring Lucian on to discuss this in a second. But first, are you ready to take on the future of cyber resilience? On November 19, Commvault Shift Virtual brings you dynamic keynotes, breakthrough product innovation and live Q&A with the experts. It's your chance to stay ahead of the threats shaping tomorrow.

You'll join global leaders and innovators, with live captions in more than 15 languages, wherever you are. Don't just keep up, lead. Register now for Commvault Shift Virtual.

All right, we're back, and we're going to bring in Lucian Constantin. He is a senior writer at CSO Online. Hello, Lucian.

Lucian Constantin

Hi Keith. Hi Matt.

Matt Egan

Hey.

Keith Shaw

So, Lucian, what was your biggest takeaway from that interview with Daniel? Because you raised a lot of interesting angles and perspectives. So what was the thing that stood out most from your perspective?

Lucian Constantin

Well, the most important thing, I guess, is that companies need to give more importance to these devices in their patch management and integrate them, pull the logs from them into their SIEM products, and monitor them for suspicious activity and make sure they are patched in a timely manner. When it comes to zero-day vulnerabilities, as you said, these are vulnerabilities that are previously unknown and are getting exploited.

So there is no patch available, but there are a lot of things that you can do in order to detect potential intrusions through these vulnerabilities. So it's not just about prevention, the patching thing. It's also about the response.

It's doing threat hunting, scanning these logs for suspicious activities and so on.

I guess that's the takeaway here, and from the overall trend that we've been seeing for the past three years, but especially last year and this year, where it really accelerated.

And these are targets for mostly state-sponsored APT groups, what we call advanced persistent threats, usually cyber espionage groups, if we are being honest, and what they look for is stealthy, persistent access into enterprise networks, and from there they can do lateral movement and start their espionage goals, which is, you know, collecting files, collecting IP, collecting everything they need to steal, right?

Keith Shaw

Yeah, one of the things that stood out for me when I was watching the interview was that a lot of these devices, such as the firewalls, the VPN appliances, even IP cameras, are a lot harder to patch than maybe some of these endpoint workstations, laptops that you see out there.

And I chuckled a little, because we've done such a good job with Patch Tuesday and some of these patch management applications that now the attackers are like, well, they're doing such a good job with that, let's go somewhere else.

And they're finding some of these other devices. It reminded me of that old saying about, well, why do you rob banks? And someone's like, well, that's where the money is. And the same thing is like, well, why are you attacking these now? It's because that's where the holes are.

So, you know, we've done a good job patching on one side, but the other part of the network is now out. Matt, any other thoughts from you on your reactions to the interview?

Matt Egan

Yeah, well, I mean, first of all, I find it fascinating, because I wasn't fully aware of the situation, given the stats that you read out at the start there, Keith, and then trying to understand the why, as we said earlier.

I mean, some of the things that I found really fascinating. I mean, Lucian, presumably, you know, it's fair to say, and this is something that resonates with the IT leaders that I speak to, like one of the challenges here is literally understanding how many devices you have, understanding your legacy code base, or your, you know, your legacy infrastructure, because actually, for a lot of organizations, that kind of real, basic but deep kind of knowledge might not be at your fingertips, right?

Lucian Constantin

Right.

I would say this is kind of like the new low-hanging fruit, right, for attackers, because over the past decade, or even more, the security industry has focused a lot on protecting the endpoint. So the endpoint now has, like, Windows logs. You have SIEM products that pull logs from Windows. You have EDR products. Windows itself has become much more hardened than it used to be back in the day, at the kernel level, at the user level.

So while there still are vulnerabilities in Windows that are getting exploited sometimes, there's also a fast response with Patch Tuesday and patch deployment for Windows.

I remember there was a SharePoint, I think one of the vulnerability intelligence companies shared this with me, there was a SharePoint vulnerability exploited, and in a matter of hours after the patch came out, 67% of enterprises or more had adopted the patch. Whereas for these network edge devices the time is more in the range of days, months even, because the process is different, right? And it shouldn't necessarily be different.

But these devices have been considered black boxes for a long time, for both the enterprises and enterprise admins, but also for the attackers. They are embedded devices. They have unusual tool sets. While many of them run Linux, it's a very embedded Linux. It has restricted tools. It has restricted commands available.

The file system is encrypted, so while researchers have found vulnerabilities in these devices for over a decade now, it was more of a research endeavor. You didn't often see attacks targeting these devices, because finding a zero-day in these devices is not necessarily easy.

But also, from a development perspective, they don't have the same code maturity as Windows has, for example, so you still find bugs that, you know, some security researchers call 90s-era vulnerabilities, like simple buffer overflows, which is an insecure code function that someone wrote, and things that they argue automated tools should catch. So it's not only, from a user perspective, a problem of monitoring these devices. It's also, from a vendor perspective, a problem, because it seems the entire industry, the manufacturers of these devices, are all affected.

And the question is, you know, is this a secure development life cycle problem? Why are they not using secure coding practices?

And there's a lot of discussion there as well, because rewriting legacy code is a big investment monetarily, and if there's not a request in the market for it, if that's not your differentiator in the market, but new features are, then some companies, some vendors, might not make that investment in going back and rewriting code that was written 10 years ago by developers who are no longer with the company.

Keith Shaw

Yeah, yeah.

That's another thing that stood out during your interview, Lucian, was, you know, the frustration over that code base complexity.

Not only is that, you know, code getting more and more complex, but that inherited security debt, and I found it fascinating that a lot of security team members don't want to go into the code that might be 10, 15 years old if the original developers are no longer there, because it felt like they were saying that, well, if we tried to fix it, that could open up additional vulnerabilities or break things even.

And so I think that's just part of the tech debt, you know, problem that I think a lot of companies are facing.

Lucian Constantin

It's more that the developers don't want to go there, or the burden of proof is higher, right?

Because technically, so the security teams, what they do, they are supposed to find the vulnerabilities, so they run automated scanners, static analysis, dynamic analysis, even manual code reviews, right? And you know, you might run a scanner and find whatever potential buffer overflows, and you give this to the development team: hey, fix it. And if it's in code that's not very well understood and written long ago by someone who's no longer around with the company, the developer might say, no, you have to actually show me how an attacker can reach this, you know, vulnerable function in the code. Is there an attack path to it?

Because, you know, if we go and make changes, we might break something, and then that causes more, you know, development hours and so on.

I mean, this is something that was, you know, shared with me in my research, not necessarily my personal opinion, but these kinds of things do exist.

Keith Shaw

Yeah, Matt, anything else that stood out with the interview with Daniel?

Matt Egan

Well, a couple of things, right now. I was just gonna ask a question off the back of that, like, does that mean that organizations, to a certain extent, accept a certain level of risk? Would you say?

Like, do they have to decide how comfortable they are with managing risk with legacy devices? Do you think?

Lucian Constantin

You're talking about users, the enterprises, not the manufacturers?

Matt Egan

Yeah, yeah. So, yes, sorry, yeah. So the enterprises themselves, right? Like, this will be an issue for pretty much any organization.

So, like, sort of, but to your point, it's probably not possible to completely resolve it. So do they have to decide what level of risk they're happy to take versus what amount of investment they want to put into potentially finding and solving problems?

Lucian Constantin

Yes, but that also applies to anything really, because security is not the practice of eliminating risk, it's the practice of managing risk. So any piece of software will have vulnerabilities.

Obviously there are differences. The more you invest in secure coding practices, secure development lifecycle, that sort of thing, rewriting code regularly, going back, running fuzzers, all of these tools, the fewer vulnerabilities you'll have. But there's no guarantee you won't have any vulnerabilities.

I mean, even Windows, after all these years of patching and patching and patching, obviously it's a huge code base, still gets a lot of vulnerabilities and buffer overflows, and then there is anti-exploitation, things that you can do on top of that at the kernel level.

So even if you find one of these flaws, you have to chain it with other flaws. And even these exploits on network edge devices, usually there's like two vulnerabilities combined. So it's kind of an attack chain.

It's not a single exploit, it's a command injection combined with a privilege escalation or buffer overflow to execute code on the operating system. So the goal is for the developers to make these attack chains as complex as possible, so the attackers' return on investment is, yeah, but also, when you're dealing with nation-state attackers, these are groups that have a lot of resources and time and interest, right?

It's not your average cybercriminal, you know. These are...

Matt Egan

So usually, yeah.

Well, the other question I was going to ask, then, does AI change this? Because, you know, we understand how AI can help.

AI can help secure things, but again, with unlimited resources and the ability to apply an AI technology to finding these potential, you know, multiple secondary infections, let's say a flaw with another flaw, that can be good, like, does that change the game again as well?

In terms of, it's easier to find vulnerabilities, presumably?

Lucian Constantin

Sure. I'll go back a little bit to your question, because I think I kind of deviated and didn't answer. Companies do have, they could choose to use other technologies.

That's like SASE, which is secure access service edge, which means many of these features, like zero trust network access, that VPN gateways maybe are doing, some of this now exists in the cloud, right? Like, you know, through CDN networks, through distributed networks around the world, and this is as a service, and in that case the management is done by the service provider.

So it's no longer up to your admins to go and patch the device and all that, because it's their service, they are doing that. As an organization, you are just in charge of setting the policies: who has access, where and when they connect, and what's being checked, and two-factor, multi-factor authentication and device fingerprinting and all those things.

But this means that you no longer necessarily have to have, you know, 10 of these devices in every office so you can support remote employees logging in remotely. So these hardware appliances, VPN gateways, or firewalls at the network edge.

So there's that option, and some companies might go for that. That comes with other challenges. You're now depending on a, you know, cloud service. What happens when the internet goes down, and those types of things.

So it's always, yeah, you have to balance those things out. But also, companies have paid for these devices, so as long as they are still under support, they're probably going to make use of them, not buy something else, because of budgetary constraints and stuff. As for AI...

Keith Shaw

Wait, wait, Lucian, that's part of our bonus footage.

I was just gonna mention that we have bonus footage with Lucian in the interview, additional discussions, including the impact of AI on vulnerability research, as well as more discussions around patch management solutions and the growth of zero-day and one-day attacks.

So we're going to actually put that out in a couple of weeks as sort of our bonus DVD coverage of this episode. So we are out of time, unfortunately. So Lucian and Matt, again, thanks for being on the show to talk about the latest in cybersecurity.

Lucian Constantin

Sure. Thanks for having me.

Keith Shaw

All right. Thank you to everyone who joined the show today. If you liked this episode, be sure to give us a like on YouTube, add any comments, and check out our other tech talk shows, such as Today in Tech, CIO Leadership Live, First Person, and DEMO if you are looking for the latest product demonstrations. I'm Keith Shaw, thanks for watching, and thank you to Commvault for sponsoring this episode.

Transcribed by https://otter.ai