The Changing Face of Security Operations

Security Operations (SecOps) continues to evolve in significant ways. This year marks the eighth anniversary of the “Stuxnet” virus, which provides a good opportunity to reflect on how it fundamentally changed the state of information security operations.

While Stuxnet’s impact received little attention outside of security circles, its ripple effects still impact security operations in several critical ways.


The level of sophistication and complexity used by Stuxnet was unprecedented and stunned the Symantec security team that worked on analyzing the virus. Liam O’Murchu, Director of the Security Technology & Response group at Symantec, had this to say:

“A threat using one zero-day vulnerability by itself is a quite an event, however a threat using four zero-day vulnerabilities is extraordinary and is unique to this threat. This is the first time we have ever encountered a threat using so many unknown and unpatched vulnerabilities…which shows the extraordinary sophistication, thought, and planning that went into making Stuxnet.”1

But Stuxnet’s level of sophistication was only a glimpse into its far-reaching implications.

From Cyber to Physical

To begin with, the Stuxnet virus marked the first obvious use of cyberwarfare by a nation-state to cause physical destruction, specifically centrifuges being used as part of Iran’s nuclear enrichment program. Prior to the discovery of Stuxnet in 2010, cyberattacks were just beginning to evolve from glory-seeking “joy-riding hackers and cybercriminals” to also include high-stakes espionage with the goal of stealing sensitive data over time while remaining undetected.

Stuxnet, however, “wasn’t an evolution in malware but a revolution.”2

Stuxnet opened an entirely new front for security operations to defend from attack: physical devices linked to industrial control systems.

Stockpiling Exploits

Stuxnet also illustrates the threat from a cyber arms race and stockpiling of zero-day exploits stockpile rather than identifying exploits and patching them.

Once a zero-day vulnerability is exploited, it runs the risk of discovery, as happened with Stuxnet. Nation-state cyberwarfare has created a gray market where governments and government contractors work to create and purchase zero-days to stockpile for future use.

While non-government cyberattacks may make use of a zero-day vulnerability, it is rare. However, governments will pay as much as $1 million for an exclusive zero-day exploit.

The net effect of this is that rather than the vulnerability coming to light and being addressed by the software publisher, it may remain hidden for years. The current average lifespan of a zero-day vulnerability is 6.9 years according to a March 2017 Rand Corporation study.

This statistic becomes even more sobering when compared to a July 2007 statistic indicating that the average zero-day lifespan was 348 days, indicating more than a seven-fold increase over the last ten years.

Today, Breaches Are a Matter of When, Not If

All this plays into the ongoing and ever-increasing difficulties faced by SecOps teams around the globe.

This is why ServiceNow, along with partners like Aptris, are investing heavily in new solutions and processes to help enterprises prepare for and effectively respond to security breaches when (not if) they occur.

For more on how to use ServiceNow to deliver a more efficient and immediate response to a breach, view our on-demand webinar here »

If you have questions or are considering getting in-depth guidance for a more robust SecOps solution, don’t hesitate to reach out to us!

FOOTNOTES: (1) Liam O’Murchu. “Stuxnet Using Three Additional Zero-Day Vulnerabilities,” Symantec, September 14, 2010, available at (2) Kim Zetter, Countdown to Zero Day, Crown Publishers, 2014

Brian Huber
About the Author: Brian Huber is Vice President of SecOps, ITOM and GRC at Aptris. He has been with the company since it was founded and has over 25 years’ experience in the IT field.