Shield on virtual globe showing attack surface management

Leveraging the Attack Surface – A Novel Approach in Navigating the Threat Landscape

The threat landscape is constantly evolving as cybercriminals are getting more sophisticated and it seems new cyber threats are arising daily. As a cyber defender, there is not a lot we can do about the threat landscape. What we can do is imagine how that landscape might dispatch a threat, how it would gain access and how it might move through our infrastructure and what harm it may bring. This means we need to have an accurate map of our attack surface, so we can devise ways to protect it.

Recently there has been a lot of buzz around attack surface management (ASM), which covers the ongoing process of asset discovery and risk classification. ASM solutions build a continually updated view of the entire technology infrastructure and the level of protection, thereby presenting a comprehensive map of attack points. This is particularly important considering how complex IT stacks are today.

According to Forrester, Asia Pacific hosts the widest market share of cloud data centres globally at 37 per cent with leading enterprises forming inroads in markets such as New Zealand, Malaysia, Thailand, and Indonesia. Fifty-seven per cent of Asia Pacific excluding Japan (APEJ) small and medium-sized businesses (SMBs) are also projected to raise their expenditure on cloud applications and services by 31 per cent compared to the previous year, which is expected to expand till 2025 as deduced by IDC. Inevitably, this mass cloud adoption in the region acts as a lightning rod for cyber attackers to undertake their malicious activities.

ASM is the process by which organisations assess themselves as attackers would. This approach is helpful in prioritising maintenance, upgrades, patching, tool procurement and policy enactment because it forces decision makers to consider where attackers will hit first. In the multi-cloud and hybrid environments in which regional organisations now find themselves, we must focus on external attack surface management (EASM), as the cloud arena is where the battle now rages. Every application, every port, every server and website, every cloud and container — all this and more must be reviewed, assessed and triaged for treatment.

Know yourself

Natively integrated EASM allows cybersecurity teams to see the environment at a glance, from on-premises assets to the far-flung reaches of the cloud. The analyst will be able to discover assets and their vulnerabilities before attackers do, even though they operate in an elastic business environment plagued with shadow IT and constantly changing rosters of technology partners, service providers and other third parties that come and go. The days of siloed asset management must be left behind. Everything from endpoints to development projects might previously have been departmentalised. But now, we must recognise that this plays into the hands of threat actors. Formally managed configuration management databases (CMDBs) give security teams deep, contextual understanding of what each asset does, how it is configured and which department or individual controls it.

Unfortunately, many of today’s EASM solutions do not include a sufficiently thorough view of assets and therefore do not adequately provide for assessment, prioritisation and remediation. This shortfall gives way to manual processes that are prone to error and traps skilled resources in tedious workflows rather than empowering them to innovate and add value. This can lead to a reduction in job satisfaction and lower retention rates of cybersecurity talent. Given the regional shortage of such talent, this erosion of security personnel is, in itself, a risk to the enterprise.

When building a successful cybersecurity team, organisations must consider the employee experience just as they must do across all other roles. Analysts and threat hunters must be able to see the external attack surface in its entirety. They must be notified automatically of new assets. They must be able to track asset changes. And they must be able to monitor workloads wherever they run, even on public clouds. IoT sensors and devices, out-of-service IP addresses, shadow IT — nothing must escape the watchful gaze of the security team.

Proper EASM

Armed with the right EASM solution, security can work with IT to decommission or reconfigure externally facing assets when they are no longer relevant to business operations. The best EASM platforms automatically associate assets with business function regardless of location or ownership. These data points help analysts join the dots (as an attacker would) from an externally facing asset to sensitive information or critical systems.

EASM has a critical role to play in digital asset management. It enables discovery, eliminating the need for vast, time-consuming surveys of assets held on premises, in the cloud and in the homes of employees and facilities of partners, subsidiaries and suppliers. Proper EASM even allows organisations to get a handle on asset attribution by presenting a path to discovery by attackers on the public Internet and how this can lead to the compromise of critical data.

EASM enables the undertaking of continuous risk assessment. By gaining context on each asset, including the “when” and “how” of its creation, security teams are armed with actionable information. This information is enriched by monitoring configurations (for example, unsanctioned open ports, unapproved services or expired or expiring SSL certificates). And through integration with sources like Shodan’s connected-device search engine, EASM solutions can allow security practitioners to find potential vulnerabilities via automated lightweight scans and act on them before bad actors can.

Control and order

The combination of EASM with CMDB delivers what today’s cybersecurity professionals need most: real-time visibility of the entire stack. Previously unknown or unmanaged assets come into focus and risk mitigation takes a leap forward. Automated workflows weed out vulnerabilities at scale, which simplifies the previously overwhelming proposition of exhaustive investigation and patching, asset by asset.

The stack may look like a messy mountain right now, but EASM returns a measure of control and order to the chaos. Being able to plaster over the cracks in the mortar before an attacker can slip through is a boon to security professionals. And it has been a long time coming.

 

Vice President, Asia and Managing Director, India at Qualys