Why companies need attack surface management in 2024
The attack surface is in a constant state of change and growth -- which is bad news for cyber-risk management. This exposure needs to be managed, not just measured.
Why does attack surface management matter? Because it is essential for mitigating cyber-risk.
Military people talk about getting "left of boom" -- i.e., understanding threats and vulnerabilities that could be exploited by an adversary and then taking active measures to mitigate these risks before an attack occurs. Cyber-risk management demands the same left-of-boom discipline. It is incumbent upon security teams to identify every door and window across the IT infrastructure, know whether they are open or closed, understand which ones lead to critical business assets and recognize which ones are most likely to be exploited by cyber adversaries.
Here's the problem: The attack surface is an organic, dynamic and poorly understood monster at many organizations. In fact, research from TechTarget's Enterprise Strategy Group found that 62% of organizations saw their attack surface increase over the past two years, driven by additional third-party connections, increasing use of IoT and operational technology, and more use of public cloud infrastructure.
Aside from growth, the attack surface is in a constant state of change as developers, IT operations and security teams, and end users fiddle with configuration settings, upload and download files, tweak source code and work on shadow IT projects on their own.
The research also indicated that 76% of organizations experienced some type of cyberattack due to an unknown, unmanaged or poorly managed internet-facing asset.
Keeping up with constant growth and change isn't easy. When asked to identify attack surface areas with the least visibility, survey respondents pointed to the following:
- Systems running obsolete OSes or application software -- large enterprises tend to have lots of these.
- Misconfigured user credentials, permissions or entitlements.
- Sensitive data in a previously unknown location.
- Servers, workloads and APIs with open access.
- Websites with a direct or indirect path to the organization.
- Code fragments exposed on webpages.
- Unknown third-party connections.
That's a lot of things -- among many, many others -- most of which are typically managed by different groups and tools.
Aside from the obvious risk of successful cyberattacks, getting your corporate arms around attack surface management (ASM) is becoming increasingly important for several other reasons:
- New regulations, such as the SEC's cybersecurity disclosure rules, the European Union's NIS 2 Directive and the U.S. Department of Defense's Cybersecurity Maturity Model Certification (CMMC), mandate strong cyber-risk practices.
- Cyber insurance providers are pushing a similar agenda. An organization without a strong ASM program might be denied coverage or have its claims rejected.
- Organizations that are slowly deploying phishing-resistant passkey technologies based on the FIDO2 specification should expect attackers to shift from credential theft toward vulnerability exploitation, so they will be forced to up their game on finding and fixing exploitable weaknesses.
What to include in an ASM program
ASM isn't a new challenge; it's just getting more difficult. Yes, there are tons of tools now available, but as security technologist Bruce Schneier always reminds us, "Security is a process, not a product."
Based on my experience, the best ASM programs include the following:
- Continuous discovery. When attack surface assets are added, moved or changed, someone needs to know so they can assess whether these changes are benign or create new vulnerabilities.
- Attack path mapping. CISOs don't want another report full of raw data they have to work to interpret, and ASM reports are often exactly that. Someone, or some tool, has to know what's connected to what and work out how a bad actor could get from point A to point B, a process known as attack path mapping. Done well, it lets security teams identify and mitigate the choke points that many different attacks would have to pass through.
- Threat intelligence integration. It's one thing to know which assets are vulnerable, but it's another to know which of those weaknesses cyber adversaries are actively exploiting. This is where ASM and threat intelligence analysis intersect. Vendors understand this synergy, which is why ASM is often part of a broader digital risk protection service from vendors, including Flashpoint, Mandiant, Recorded Future and ZeroFox. Threat intelligence analysts should work with security and IT operations teams by gathering requirements, tracking adversary groups and disseminating actionable reports targeting risk mitigation.
- Risk scoring. As previously mentioned, someone or something has to analyze all the data and determine which risks are critical priorities that need immediate remediation. Homegrown or vendor-supplied risk-scoring algorithms are required here, but organizations should still apply a human touch to cyber-risk mitigation decisions. Take into account things such as asset business value, regulatory requirements, board-level priorities and customer data.
- Process integration and automation. As a general rule, security teams discover attack surface vulnerabilities while IT operations and software developers remediate them. View ASM in broad organizational terms that include integration across domain-specific processes and tools. Process automation can certainly optimize end-to-end workflows, but this could require process reengineering. In my experience, getting all participants involved in ASM collaboration is difficult, requiring oversight from CIOs and CISOs to get it right.
- Executive reporting. ASM must include a dashboard component. CISOs need to know about cyber-risks so they can make decisions and coordinate and communicate with executives and corporate boards.
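To make three of those components concrete, here is an added example that is not from the article or from any of the vendors it names: a toy inventory in Python that diffs two discovery snapshots (continuous discovery), enumerates the paths from internet-facing hosts to a crown-jewel database and finds the choke point they share (attack path mapping), and ranks assets with a simple risk score that combines severity, exposure, business value, known in-the-wild exploitation and path position. Every host name, connection, score and weighting below is constructed for illustration; the multipliers are assumptions to be tuned with the human judgment described above, not a recommended formula.

```python
"""Added example (not from the article): continuous discovery, attack path
mapping and risk scoring over a constructed asset inventory."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    exposure: str        # "internet" or "internal"
    business_value: int  # 1 (low) .. 5 (crown jewel), assigned by the business
    severity: float      # CVSS-style score of the worst known weakness
    exploited: bool      # weakness known to be exploited in the wild
    reaches: list = field(default_factory=list)  # assets this one can talk to


def build(rows):
    return {r[0]: Asset(r[0], r[1], r[2], r[3], r[4], list(r[5])) for r in rows}


# Constructed snapshots (hypothetical hosts): last month's inventory and today's.
PREV = build([
    ("vpn-gw",       "internet", 3, 9.8, True,  ["ad-dc", "intranet-app"]),
    ("web-shop",     "internet", 4, 6.5, False, ["shop-db"]),
    ("intranet-app", "internal", 2, 5.3, False, ["ad-dc"]),
    ("ad-dc",        "internal", 5, 7.5, False, ["crm-db"]),
    ("shop-db",      "internal", 4, 4.0, False, []),
    ("crm-db",       "internal", 5, 0.0, False, []),
])
NOW = build([
    ("vpn-gw",       "internet", 3, 9.8, True,  ["ad-dc"]),    # intranet-app decommissioned
    ("legacy-ftp",   "internet", 1, 9.1, True,  ["ad-dc"]),    # newly found shadow IT host
    ("web-shop",     "internet", 4, 8.8, False, ["shop-db"]),  # new high-severity finding
    ("ad-dc",        "internal", 5, 7.5, False, ["crm-db"]),
    ("shop-db",      "internal", 4, 4.0, False, []),
    ("crm-db",       "internal", 5, 0.0, False, []),
])

EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.4}  # assumed weights


def diff_inventory(prev, now):
    """Continuous discovery: what was added, removed or changed between snapshots."""
    added = sorted(set(now) - set(prev))
    removed = sorted(set(prev) - set(now))
    changed = sorted(n for n in set(prev) & set(now) if prev[n] != now[n])
    return {"added": added, "removed": removed, "changed": changed}


def attack_paths(inv, target):
    """Attack path mapping: every simple path from an internet-facing asset to target."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in inv[node].reaches:
            if nxt in inv and nxt not in path:  # skip dangling edges and cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for name, asset in inv.items():
        if asset.exposure == "internet":
            walk(name, [name])
    return paths


def choke_points(paths):
    """Intermediate nodes that every enumerated path passes through."""
    if not paths:
        return set()
    common = set(paths[0][1:-1])
    for p in paths[1:]:
        common &= set(p[1:-1])
    return common


def risk_score(asset, on_path, chokes):
    """Severity x exposure x business value, boosted for in-the-wild exploitation
    and for sitting on (or being the choke point of) a path to the crown jewel."""
    score = asset.severity * EXPOSURE_WEIGHT[asset.exposure] * asset.business_value
    if asset.exploited:
        score *= 2.0
    if asset.name in chokes:
        score *= 2.0
    elif asset.name in on_path:
        score *= 1.5
    return round(score, 1)


def prioritize(inv, crown_jewel):
    """Rank assets by risk, highest first, using path context for crown_jewel."""
    paths = attack_paths(inv, crown_jewel)
    on_path = {n for p in paths for n in p}
    chokes = choke_points(paths)
    ranked = [(name, risk_score(a, on_path, chokes)) for name, a in inv.items()]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    print("inventory delta:", diff_inventory(PREV, NOW))
    paths = attack_paths(NOW, "crm-db")
    print("paths to crm-db:", [" -> ".join(p) for p in paths])
    print("choke points:", choke_points(paths))
    for name, score in prioritize(NOW, "crm-db"):
        print(f"{score:6.1f}  {name}")
```

Run stand-alone, the delta flags the new shadow IT host, the decommissioned application and the two changed assets; the path enumeration shows that both internet-facing entry points must traverse ad-dc to reach crm-db, so ad-dc is the choke point where one fix cuts off every mapped route; and the ranking puts the exploited VPN gateway first, well ahead of the low-value FTP host even though both lead to the same place. In a real program the snapshots come from scanners and asset databases rather than literals, and the weights would be reviewed against the business value, regulatory and board priorities the next section describes.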
When you think about it, ASM is basic cyber hygiene: Know what you have and fix what's vulnerable. It's part of every regulation, best practice and cybersecurity certification. We've always known this, yet the collective we -- executives, IT, developers, security -- let it get out of control. We can no longer afford to do so.
Jon Oltsik is a distinguished analyst, fellow and the founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.