Modern Attack Surface Management means going beyond the surface
Security teams today are contending with an ever-increasing attack surface and an exponentially growing volume of vulnerabilities. Yet most teams are still equipped with the cybersecurity equivalent of a bucket to shovel out an ocean of CVEs. Buying them another shiny new bucket pales in comparison to plugging the actual leak in your ship (or enterprise).
Vulnerabilities can’t all be patched, so prioritizing them based on business risk is the most grounded approach. While leading security teams have begun to implement more advanced vulnerability management (VM) programs, others are struggling with outdated, manually intensive and less effective ways of managing vulnerabilities without context or insight into the true risk they pose. This can only work for so long, as it requires a continuous process of monitoring, discovering, analyzing, and remediating vulnerabilities across all potential attack vectors. Even then, good old human error sneaks its way in.
Comparing the numbers over the last 10+ years of disclosed vulnerabilities, it’s easy to see how this process drains resources. In 2010, 4,653 CVEs were discovered. By 2020, the yearly rate of CVEs was at 18,325. In ten years, the rate of CVEs discovered per year has nearly quadrupled. That exponential growth has yet to slow and, with the adoption of new technologies at an unprecedented pace, it likely won’t ever.
It is crucial to understand that simply patching vulnerabilities does not mean your entire infrastructure is safe. An organization’s attack surface includes every asset that could be exposed and exploited in a cyberattack, from on-premises desktop computers to public cloud systems and other internal-facing assets within the network.
The most foundational remedy is Attack Surface Management (ASM), through which a business can contextualize and prioritize vulnerabilities to ensure risks are managed according to its specific attack surface.
Understanding the fundamentals of ASM
Attack Surface Management (ASM) falls under the umbrella of Exposure Management (EM). EM also includes other practices like Validation Management and Vulnerability Management. With so many acronyms under the umbrella term, they can be confusing to tell apart, but each one has distinct features.
Think of ASM as a security blanket stretching over all potential access points to protect internal environments. However, ASM is not a tool. When ASM is regarded as a practice, we start to see the full scope of EM, whose roots run throughout the environment to maintain a strong security posture.
Over-enthusiastic vendor marketing often misinterprets ASM as a specific solution or process. In fact, the approach should combine many different activities and solutions. There are three main components to a comprehensive ASM strategy:
External Attack Surface Management (EASM) -- A practice focused entirely on public-facing assets like public IP addresses or public clouds and everything outside a firm’s firewall.
Digital Risk Protection Services (DRPS) -- This requires high levels of cyber maturity as it focuses on visibility into threat intelligence from multiple sources. These sources include social networks, open data containers, and the deep web.
Cyber Asset Attack Surface Management (CAASM) -- Considered the cornerstone of the ASM practice. It gives security teams persistent visibility into their assets and helps address the challenges that visibility gaps create, by collecting the related data in one place.
Businesses that have yet to adopt ASM are usually prioritizing individual vulnerabilities rather than making decisions based on the business risk to their organization. This type of reactive security falls far short of the proactive approach they should be taking. It is extremely hard to prioritize security efforts without a broader context. Remember: Not all vulnerabilities need to be remediated.
Moreover, some companies are trying to carry out ASM activities without the right tools in place. We encounter many firms that still rely on Excel sheets to track their external and internal risk management. This creates an unnecessary manual workload, making it likely that critical risks to the company go overlooked.
So, what ASM practices does an organization need to execute?
Practices to implement the ASM approach
More organizations are realizing that they need to re-evaluate their approach to ASM. The initial challenge for a business is understanding its security needs around ASM and how these fit in with other similar yet distinct practices like EM. To overcome this, enterprises must communicate these differences to the board and secure their buy-in for essential investments, which poses another challenge entirely.
At its core, a successful ASM strategy depends on breaking down silos between different IT departments and IT-security-adjacent departments such as web teams, DevOps, and cloud. Each group has its own agenda, processes, and tools. That means many disconnected solutions, from vulnerability scanning to code configurations -- sometimes even within the same team. Therefore, there must be a unified view of risk and universal KPIs for vulnerability mitigation. This will enable firms to prioritize risks across the entire enterprise from a single point of reference.
Creating a normalized view of cyber risk
To build a unified ASM approach, we need to establish a normalized view across any business area with a stake in security. CISOs must have clear visibility of everything, and hence all risk data must flow to the same point and be visible simultaneously in the same format. The older and larger the business, the more untangling required to align departments that have evolved independently over time.
This will make it possible to identify where tools, processes, and tasks are duplicated unnecessarily. Firms can eliminate redundancies and implement greater automation to boost team productivity. After the internal ASM strategy is matured, the organization can then broaden its scope by implementing CAASM and taking on more threat intelligence.
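As an added illustration (not code from the article or from Hackuity), here is a small Python sketch of that normalized view: two constructed scanner exports in different schemas are mapped onto one record type, de-duplicated, joined with a constructed asset inventory and ranked by business risk rather than raw severity. All asset names, CVE ids and the severity-to-CVSS weights are assumptions.

```python
from dataclasses import dataclass

# Constructed asset inventory: the business context the article says is missing
ASSETS = {
    "web-01": {"criticality": 5, "internet_exposed": True},
    "build-07": {"criticality": 3, "internet_exposed": False},
    "lab-vm-2": {"criticality": 1, "internet_exposed": False},
}
# Constructed output of an external scanner (numeric CVSS, "host" key)
EXTERNAL_SCAN = [
    {"host": "web-01", "cve": "CVE-0000-1111", "cvss": 9.8},
    {"host": "web-01", "cve": "CVE-0000-2222", "cvss": 5.3},
]
# Constructed output of an internal scanner (text severity, "asset_id" key)
INTERNAL_SCAN = [
    {"asset_id": "web-01", "cve_id": "CVE-0000-1111", "severity": "critical"},
    {"asset_id": "build-07", "cve_id": "CVE-0000-3333", "severity": "critical"},
    {"asset_id": "lab-vm-2", "cve_id": "CVE-0000-4444", "severity": "high"},
]
SEVERITY_TO_CVSS = {"critical": 9.5, "high": 8.0, "medium": 5.5, "low": 2.5}

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float

def normalize(external, internal):
    """Map both scanner schemas onto Finding; a CVE reported on the same
    asset by both tools becomes one record instead of two work items."""
    seen = {}
    for f in external:
        seen[(f["host"], f["cve"])] = Finding(f["host"], f["cve"], f["cvss"])
    for f in internal:
        key = (f["asset_id"], f["cve_id"])
        cvss = SEVERITY_TO_CVSS[f["severity"]]  # coarse mapping, an assumption
        seen.setdefault(key, Finding(key[0], key[1], cvss))
    return list(seen.values())

def risk_score(finding):
    """CVSS weighted by asset criticality, doubled for internet-exposed assets."""
    asset = ASSETS[finding.asset]
    exposure = 2.0 if asset["internet_exposed"] else 1.0
    return round(finding.cvss * asset["criticality"] * exposure, 1)

def prioritize(external=EXTERNAL_SCAN, internal=INTERNAL_SCAN):
    """One ranked queue across both tools, highest business risk first."""
    return sorted(normalize(external, internal), key=risk_score, reverse=True)
```

With this context, the "critical" finding on the internal build host ranks below a medium-severity CVE on the exposed web server, which is the point of prioritizing by business risk rather than by CVSS alone.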
Moving beyond surface-level ASM is key to achieving true security. Only then can organizations proactively identify, prioritize, and remediate the vulnerabilities threatening to sink their business.
Sylvain Cortes is VP of Strategy at Hackuity & 17x Microsoft MVP.