Log4Shell a huge wake-up call for 95% of security leaders

April 29, 2022

Security leaders are still dealing with the impact of Log4Shell, and cloud security leaders are changing the way they secure cloud workloads in the aftermath of Log4Shell. New Valtix research reveals that 95% of cybersecurity leaders say Log4Shell was a wake-up call for cloud security, changing it permanently, and that 87% feel less confident about their cloud security now than they did before the incident.

Log4Shell was a significant zero-day vulnerability in the Log4J developer library that posed a critical risk to too much of the internet. Even three months after the incident, the research found that 77% of IT leaders are still dealing with Log4J patching, with 83% stating that Log4Shell has impacted their ability to address business needs.

For organizations that don’t have a solid understanding of their exposed attack surface, moving to a cloud environment can create critical gaps in security visibility — further emphasizing that lack of knowledge, explains Matthew Warner, CTO and Co-Founder at Blumira. “Log4Shell was a reminder for IT professionals that it’s important to not only understand your attack surface from a port-exposure perspective, but also the actual applications used.”

Despite better tools and knowledge, 78% of IT leaders still lack clear visibility into what’s currently happening in their cloud environment:

82% say visibility into active security threats in the cloud is usually obscured.
86% agree it’s more challenging to secure workloads in a public cloud than in an on-prem data center.
Only 53% feel confident that all of their public cloud workloads and APIs are fully secured against attacks from the internet.

Both on the researcher and defender side, Casey Ellis, Founder and CTO at Bugcrowd, says Log4J pushed security leaders to defend against a widespread, pervasive vulnerability to its limit. Bugcrowd, for instance, saw a ton of activity starting with the release of the Log4Shell POC, and this activity continued until it mysteriously dropped around January 2nd or 3rd.

“When we looked into this, it wasn’t necessarily because there was nothing left to patch and nothing left to hack,” Ellis explains. “Most often, it was literally because everyone was looking forward to their Christmas and New Year break, and had been denied it by the Log4J vulnerability announcements. Bug hunters and security managers alike were weighing the cost of pushing just a little further against the practical importance of sanity and capacity to ‘fight another day.’”

“Following least-access practices, treating your cloud architecture like a sensitive component of on-prem, and utilizing cloud features to support your security needs will help,” Warner says, “but you must also know how your environment is built and what the attack surface is to stay ahead of ongoing threats.”

A complimentary copy of the full report can be downloaded here.

Maria Henriquez joined Security Magazine in 2019 as its Associate Editor. Since then, she has been covering the security industry and reporting on issues affecting enterprise security leaders, to include cybersecurity, leadership and management, risk and resilience and pressing security challenges facing the industry. Within her role at Security, she works to produce several Special Reports and other stories for the monthly eMagazine, Newswire articles, Web Exclusive features, as well as manage social media, the 5 minutes with series, and the Today’s Cybersecurity Leader and Security enewsletter. She graduated from the University of Illinois at Urbana-Champaign with a bachelor’s in English and Creative Writing.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Security departments have long struggled to bring their real-time voice communications into the present, resorting to communicating with radios, unsecure applications, multiple devices, and Wi-Fi-only solutions.

Poll

Business Travel Security

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Log4Shell a huge wake-up call for 95% of security leaders

Recent Articles by Maria Henriquez

US, EU expand access to cybersecurity tools for SMBs

Buffalo mass shooting investigated as racially motivated violent extremism

COBALT MIRAGE conducts ransomware operations in US

Five years after the WannaCry ransomware attack

SolarWinds data breach lawsuit takeaways for CISOs

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Log4Shell a huge wake-up call for 95% of security leaders

Recent Articles by Maria Henriquez

Related Articles

Related Products

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.