
UNDERSTANDING YOUR ATTACK SURFACE


FORGET THE THREAT LANDSCAPE; TO SEE YOURSELF AS THE BAD GUYS DO, LOOK TO YOUR ATTACK SURFACE, WRITES HADI JAAFARAWI, MANAGING DIRECTOR – MIDDLE EAST, QUALYS

How often do you hear GCC cybersecurity specialists talk about the “attack surface”? Depending on your role, it could be monthly, weekly, or daily. As one of those specialists, I can tell you that we think about it every minute. As cyberdefenders, we can do little about the threat landscape, which just represents the innovation of our adversaries.


Our challenge is to imagine how that landscape might dispatch a threat — how it would get in, and how it might move through our infrastructure and do us harm. That means getting to know the attack surface and devising ways to protect it.

Attack surface management (ASM) has been formalised of late to cover the ongoing process of asset discovery and classification by risk. Through repeated assessment of all assets, we build an always-current view of the entire technology infrastructure and the degree to which it is protected, thereby presenting a comprehensive map of entry points for attackers. This is of particular importance today because of the dizzying complexity of IT stacks.

The Arab Gulf region was one of the quickest to react to the COVID pandemic, but when mass cloud migration occurred, it was a red rag to every threat bull out there. ASM is the process by which organisations assess themselves as attackers would. This approach is helpful in prioritising maintenance, upgrades, patching, tool procurement, and policy enactment because it forces decision makers to consider where attackers will hit first. In the multi-cloud and hybrid environments in which regional organisations now find themselves, we must focus on external attack surface management (EASM), as the cloud arena is where the battle now rages. Every application, every port, every server and website, every cloud and container — all this and more must be reviewed, assessed, and triaged for treatment.

Know yourself

Natively integrated EASM allows cybersecurity teams to see the environment at a glance, from on-premises assets to the far-flung reaches of the cloud. The analyst will be able to discover assets and their vulnerabilities before attackers do, even though they operate in an elastic business environment plagued with shadow IT and constantly changing rosters of technology partners, service providers and other third parties that come and go. The days of siloed asset management must be left behind. Everything from endpoints to development projects might previously have been departmentalised. But now, we must recognise that this plays into the hands of threat actors. Formally managed configuration management databases (CMDBs) give security teams deep, contextual understanding of what each asset does, how it is configured, and which department or individual controls it.

Unfortunately, many of today’s EASM solutions do not include a sufficiently thorough view of assets and therefore do not adequately provide for assessment, prioritisation, and remediation. This shortfall forces a fall-back to manual processes that are prone to error, and traps skilled resources in tedious workflows rather than empowering them to innovate and add value. This can lead to a reduction in job satisfaction and lower retention rates of cybersecurity talent. Given the regional shortage of such talent, this erosion of security personnel is, in itself, a risk to the enterprise.

When building a successful cybersecurity team, organisations must consider the employee experience just as they must do across all other roles. Analysts and threat hunters must be able to see the external attack surface in its entirety. They must be notified automatically of new assets. They must be able to track asset changes. And they must be able to monitor workloads wherever they run, even on public clouds. IoT sensors and devices, out-of-service IP addresses, shadow IT — nothing must escape the watchful gaze of the security team.

Proper EASM

Armed with the right EASM solution, security can work with IT to decommission or reconfigure externally facing assets when they are no longer relevant to business operations. The best EASM platforms automatically associate assets with business function regardless of location or ownership. These data points help analysts join the dots (as an attacker would) from an externally facing asset to sensitive information or critical systems.

EASM has a critical role to play in digital asset management. It enables discovery, eliminating the need for vast, time-consuming surveys of assets held on premises, in the cloud, and in the homes of employees and facilities of partners, subsidiaries and suppliers. Proper EASM even allows organisations to get a handle on asset attribution by presenting a path to discovery by attackers on the public Internet, and how this can lead to the compromise of critical data.

EASM enables continuous risk assessment. By gaining context on each asset, including the “when” and “how” of its creation, security teams are armed with actionable information. This information is enriched by monitoring configurations (for example, unsanctioned open ports, unapproved services, or expired or expiring SSL certificates). And through integration with sources like Shodan’s connected-device search engine, EASM solutions can allow security practitioners to find potential vulnerabilities via automated lightweight scans and act on them before bad actors can.

Control and order

The combination of EASM with CMDB delivers what today’s cybersecurity professionals need most: real-time visibility of the entire stack. Previously unknown or unmanaged assets come into focus and risk mitigation takes a leap forward. Automated workflows weed out vulnerabilities at scale, which simplifies the previously overwhelming proposition of exhaustive investigation and patching, asset by asset.
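The continuous-assessment checks named above (unsanctioned open ports, unapproved services, expiring or expired certificates) and the EASM-plus-CMDB reconciliation described in this section can be reduced to a small policy-evaluation step over discovered assets. The script below is an added example written for this article; it is not code from the article, from Qualys, or from any EASM product. The discovery output, the CMDB records, the hostnames (`*.example.invalid`) and IP addresses (documentation ranges) are all constructed; the sanctioned-port and approved-service lists, the 30-day certificate warning window, and the severity and criticality rankings are assumed policy values that a real team would set for itself.

```python
"""Added example (not from the article or any EASM product): reconcile
externally discovered assets against a CMDB and flag the configuration
issues the article names. All data below is constructed."""
from datetime import date

# Constructed EASM discovery output: hosts, open ports with the service
# seen on each, and the expiry date of any TLS certificate presented.
DISCOVERED = [
    {"host": "www.example.invalid", "ip": "203.0.113.10",
     "ports": {443: "https"}, "cert_expires": date(2024, 9, 1)},
    {"host": "legacy-ftp.example.invalid", "ip": "203.0.113.22",
     "ports": {21: "ftp", 22: "ssh"}, "cert_expires": None},
    {"host": "dev-api.example.invalid", "ip": "198.51.100.7",
     "ports": {443: "https", 8080: "http-alt", 3306: "mysql"},
     "cert_expires": date(2024, 6, 20)},
]

# Constructed CMDB: the assets the organisation knows it owns, keyed by IP,
# with the owner, business function and criticality the article says an
# integrated CMDB should supply.
CMDB = {
    "203.0.113.10": {"owner": "web-team", "function": "public website",
                     "criticality": "high"},
    "203.0.113.22": {"owner": "finance", "function": "partner file exchange",
                     "criticality": "medium"},
}

# Assumed policy values: what may be exposed externally and how early to
# warn about certificate expiry.
SANCTIONED_PORTS = {22, 443}
APPROVED_SERVICES = {"https", "ssh"}
CERT_WARN_DAYS = 30

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
# An asset with no CMDB record has unknown criticality; rank it with the
# highest tier so it is not pushed down the queue simply for being unknown.
CRITICALITY_RANK = {"high": 0, "unknown": 0, "medium": 1, "low": 2}


def assess(discovered, cmdb, today, sanctioned_ports=SANCTIONED_PORTS,
           approved_services=APPROVED_SERVICES, warn_days=CERT_WARN_DAYS):
    """Return prioritised findings for every discovered asset."""
    findings = []
    for asset in discovered:
        record = cmdb.get(asset["ip"])
        criticality = record["criticality"] if record else "unknown"
        owner = record["owner"] if record else "unknown"

        def add(issue, severity):
            findings.append({"host": asset["host"], "owner": owner,
                             "criticality": criticality,
                             "issue": issue, "severity": severity})

        # Reconciliation: an externally visible asset with no CMDB record
        # is the shadow IT the article warns about.
        if record is None:
            add("asset not in CMDB: no owner or business function attributed",
                "high")

        # Configuration monitoring: ports outside policy, or an approved
        # port carrying a service that is not on the approved list.
        for port, service in sorted(asset["ports"].items()):
            if port not in sanctioned_ports:
                add(f"unsanctioned open port {port} ({service})", "medium")
            elif service not in approved_services:
                add(f"unapproved service {service!r} on port {port}", "medium")

        # Certificate lifecycle: expired certificates are a live outage or
        # trust failure; imminent expiry is a scheduled piece of work.
        expires = asset["cert_expires"]
        if expires is not None:
            days_left = (expires - today).days
            if days_left < 0:
                add(f"TLS certificate expired {-days_left} days ago", "high")
            elif days_left < warn_days:
                add(f"TLS certificate expires in {days_left} days", "medium")

    # Prioritise: finding severity first, then business criticality from
    # the CMDB, then stable ordering by host and issue text.
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]],
                                 CRITICALITY_RANK[f["criticality"]],
                                 f["host"], f["issue"]))
    return findings


if __name__ == "__main__":
    for f in assess(DISCOVERED, CMDB, date(2024, 6, 1)):
        print(f"{f['severity']:<6} {f['host']:<28} owner={f['owner']:<9} "
              f"{f['issue']}")
```

Run as-is it lists five findings with the unmanaged `dev-api` host at the top; the fully conformant `www` host produces none. The point of the join with the CMDB is the `owner` column: a finding without an owner is a ticket with nowhere to go, which is exactly the situation the article describes before asset attribution is in place.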

The stack may look like a messy mountain right now, but EASM returns a measure of control and order to the chaos. Being able to plaster over the cracks in the mortar before an attacker can slip through is a boon to security professionals. And it has been a long time coming.

