The idea of attack surface management is not new, but how organizations and CXOs need to view their attack surfaces should be updated. Traditionally, IT has looked at an organization’s attack surface from the inside out, asking questions like “What are the assets that connect to the wider internet?” and “Where is the perimeter that must be defended?”
For better or worse, that view of an attack surface has imploded with the rise of remote work and digital transformation into the cloud. Staff and work are distributed geographically, and new cloud assets can be spun up in seconds.
Rather than looking at an organization’s attack surface from the inside out, CXOs should be looking from the outside in, asking questions like “What assets in the cloud or belonging to supply chains are connected back to the company network?” and “How many of those assets are unknown?”
What is Attack Surface Management?
An attack surface is shifting sand. Between multi-cloud, private and public clouds, inheriting assets via mergers and acquisitions (M&A), access from supply chain partners and remote workers, it’s impossible for IT experts alone to gain footing and keep track of all assets and the people responsible for them.
Additionally, focusing on vulnerability management is no longer sufficient for two reasons. First, what a scanner looks for can vary by product and may not catch all risks. Second, vulnerability scans can only check known assets, so any unknown assets will still be vulnerable.
Attackers have undergone their own digital transformation and can scan the entire internet for vulnerable systems in less than an hour.
Attack surface management (ASM) takes all of this into account to provide a complete inventory of all assets—including IP addresses, domains, certificates, cloud infrastructure and physical systems—connected to an organization’s network and maps who in the organization is responsible for each asset.
ASM must work at the speed and scale of the internet to continuously discover, identify and mitigate risks across all public-facing assets, whether they are on-prem, in the cloud or operated by subsidiaries and critical suppliers.
How does it work?
Traditionally, mapping the assets on an organization’s network was a heavily manual and error-prone task. ASM calls for an automated process that can scale to the size and speed of the entire internet.
Attackers have undergone their own digital transformation and can scan the entire internet for vulnerable systems in less than an hour. Therefore, defenders must keep pace and ensure their mean time to inventory (MTTI)—the time it takes to inventory all known and unknown vulnerable assets—is faster than the MTTI for attackers.
This starts with scanning the entirety of IPv4 space for assets connected to an organization’s network and determining which ones need patching, have insecure remote access implementations, exposed databases or other risks. When a previously unknown asset is found, the notification should be routed to the team or individual responsible for securing that asset.
Beyond remediating risks, ASM should also focus on reducing an organization’s attack surface, so assets that can be decommissioned or segmented from the internet can no longer be targets for attackers.
Metrics and actions
Another key item to consider is the rate of the most common vulnerabilities. According to the Palo Alto Networks threat research team, Unit 42™, over the course of the pandemic (Q1 through Q4 of 2020), RDP exposures increased over 27% across all cloud providers. But there was also a 768% increase in RDP attacks during that same time. In separate research by Cortex® Xpanse™, RDP exposures accounted for 32% of all security issues recorded.
Exposures of common protocols like RDP are major targets for attackers, especially ransomware groups.
Often, the focus in vulnerability management is mean time to respond (MTTR), or how long it takes to remediate a vulnerability once it is found. Unfortunately, the value of MTTR is meaningless when dealing with unknown assets, because those vulnerabilities won’t be known until it is too late.
Before MTTR can have value, an organization must have a full inventory of assets, and the speed at which that inventory is built should be considered a race. As mentioned earlier, MTTI for attackers is under an hour. Research by Cortex Xpanse puts MTTI for defenders at 12 hours.
Having a plan in place to keep the process moving smoothly is essential. Some general actions to keep in mind:
- Generate an automated, and continuously updated, single source of truth for all internet-connected assets.
- Discover and identify account owners for all previously known and unknown assets.
- Find all exposures—vulnerabilities, expired certificates, unsecured remote access protocols, etc.
- Automate risk remediation and reporting.
- Continue to monitor, discover, evaluate and mitigate risks as the attack surface changes.
To close this critical gap, organizations need an automated Attack Surface Management solution that provides a complete and accurate inventory of their global internet-facing assets and misconfigurations to continuously discover, evaluate and mitigate the risks on an attack surface.
This was originally posted on Wall Street Journal.