  • Emil Kalimullin, Director
  • Salil Shukla, Senior Manager

Attack Surface Management (ASM) has emerged as a crucial discipline within cybersecurity amidst an evolving threat landscape. Yet, the topic is often confined to a narrow discipline of infrastructure vulnerability management or external attack surface scanning.

With the ever-growing number of devices and the increasing sophistication of cyber-attacks, organisations should adopt a more unified approach that addresses the multiplicity and interconnectedness of their environments.

We share common trends and our observations on ASM based on recent work in helping clients enhance their security posture.

Breaking Down the Silos

It’s vital that an organisation’s ASM strategy aligns with its larger operating model and is not confined to a sub-discipline. Given the sheer number and variety of potential entry points for attackers, a unified approach requires collaboration between teams, top-management commitment and changes to existing workflows. We see some common themes in successful organisations:

  1. Shared responsibility model: Defining an ASM model that spans IT operations, development teams, and business units, fostering a shared responsibility across the organisation.
  2. Cross-functional teams: Key departments should be represented in these teams, convening regularly to discuss the state of the attack surface, progress towards common goals, and ensure effective ASM implementation.
  3. Unified data and tooling: Implementing common platforms that offer capabilities like asset discovery, vulnerability management, configuration management, and threat intelligence can reduce fragmentation and enhance cross-functional collaboration.
  4. Common language and metrics: Establishing a common set of terminologies and metrics that everyone can understand helps to set common goals and improve collaboration.
  5. Common risk approach: Teams should cooperate to identify the vulnerabilities posing the greatest risk, which require remediating first, and ensure alignment between the organisation’s risk management efforts and its business objectives.

Maintaining a Balance: Addressing Symptoms and Causes

We frequently help clients during distress scenarios resulting from security incidents, near misses, or regulatory issues. We’ve learnt that treating symptoms alone is not enough; it is necessary to treat the root causes. Some examples include:

  • Inadequate patch management: A lack of disciplined patching results in unmanageable backlogs of avoidable vulnerabilities. Implementing regular patching cycles mitigates this.
  • Improper configuration management: Incorrect or outdated system configurations may inadvertently provide easy access points for attackers.
  • Uncontrolled third-party risks: An absence of mature third-party management processes can leave an organisation vulnerable to unexpected exposures.
  • Insufficient security training: Developers may introduce security vulnerabilities into code due to inadequate cybersecurity training.
  • Outdated IT infrastructure: Ageing systems can generate a multitude of vulnerabilities with limited remediation options due to scarce vendor support.
  • Immature DevSecOps processes: Not integrating security from the outset of the development process can result in additional compliance efforts and rework.

These scenarios trigger 'vicious cycles', where we're so focused on firefighting that we overlook the source of the fire. Organisations need an ASM strategy that not only tackles immediate threats but also plugs the gaps where new vulnerabilities can creep in. It’s about getting to the root of the problem, preventing repeats, and shifting from reactive to proactive defence.

Beneath the Surface

Much like a professional thief who finds numerous ways to navigate a secured facility, cybercriminals employ lateral movement strategies to delve deeper into our systems once the initial breach occurs, so we cannot discount the risk of post-breach movement.

Successful ASM is about creating a comprehensive security plan, not just securing the front door. This boils down to having effective internal controls, for example:

  • Network segmentation: Dividing our cyber ‘building’ into secure ‘rooms’, each fortified against unauthorised intrusion.
  • Identity and access management (IAM) controls: IAM acts as our internal gatekeeper, ensuring individuals only receive the access necessary to perform their tasks.
  • Logging and monitoring capabilities: Functioning as vigilant guards and astute detectives on the lookout for potential breaches and suspicious behaviours.
  • Training and awareness: Recognising people as integral parts of our attack surface. Regular training and awareness programmes equip our teams to identify and respond to threats.
  • Third-party controls: Third-party vendors and SaaS providers form part of our attack surface. Implementing rigorous third-party risk management controls ensures consistent security standards and prevents weak links in our cybersecurity chain.

Data-driven Defence

Many organisations use their data to get a holistic view of cyber threats and controls. Whilst security information and event management (SIEM) remains a powerful tool for real-time monitoring and alerting, it is less effective at creating a single-pane view that joins data across inventories, environments and control deployments. Unifying data analysis enhances visibility, creating a more inclusive view of the security landscape.

We have seen a shift towards data-driven approaches, which involve extracting and combining all cybersecurity data (often in a data lake) to support use cases such as:

  • Threat driven risk assessment: Modelling real attack paths and understanding cyber risk based on observed status of cybersecurity controls and sensitivity of an asset.
  • Continuous control monitoring: Creating a complete and real-time view of cyber defences, down to individual asset instances or people.
  • Advanced threat hunting: Performing advanced threat analysis on months of historic data, correlating multiple data sources into one.
  • Cross-domain monitoring and alerting: Bridging existing data and organisational silos to generate cross-functional alerts and aid investigations.

The data journey often starts from more modest foundations, such as defining key risk and control indicators across all asset types and main attack surfaces. Even a small number of metrics reported consistently across the estate can make a big difference in reducing risk.
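The threat-driven risk view and the consistently reported control indicators described above, as an added example that is not part of the original article: asset sensitivity from an inventory is joined with telemetry landed from separate tools (an EDR console export and a patch tool), gaps are ranked with the most sensitive assets first, and a per-business-unit coverage metric is derived. All records are constructed; the tiering scheme, control names and the 30-day patching window are assumptions.

```python
"""Join asset sensitivity with control telemetry and report per-unit KRIs.
Added example with constructed data; tiers, controls and SLA are assumptions."""
from collections import defaultdict

# Constructed inventory: asset -> (business unit, sensitivity tier, 1 = highest)
ASSETS = {
    "web-01": ("Retail", 1),
    "web-02": ("Retail", 1),
    "db-01": ("Retail", 1),
    "hr-app": ("Corporate", 2),
    "kiosk-07": ("Retail", 3),
}

# Constructed telemetry from separate tools, as a data lake would land it.
EDR_AGENTS = {"web-01", "db-01", "hr-app"}                         # EDR console export
PATCH_AGE_DAYS = {"web-01": 12, "web-02": 61, "db-01": 9, "hr-app": 40}  # patch tool
MAX_PATCH_AGE = 30  # assumed patching SLA in days

def control_status(asset):
    """Control -> pass/fail for one asset; no record from a tool counts as a fail."""
    age = PATCH_AGE_DAYS.get(asset)
    return {
        "edr_present": asset in EDR_AGENTS,
        "patched_in_sla": age is not None and age <= MAX_PATCH_AGE,
    }

def risk_ranked_gaps():
    """(asset, tier, failed controls) with the most sensitive assets first."""
    gaps = []
    for asset, (_unit, tier) in ASSETS.items():
        failed = sorted(c for c, ok in control_status(asset).items() if not ok)
        if failed:
            gaps.append((asset, tier, failed))
    return sorted(gaps, key=lambda g: (g[1], g[0]))

def unit_kris():
    """Per business unit: fraction of assets passing each control, the same
    small set of metrics reported consistently across the estate."""
    totals = defaultdict(lambda: {"assets": 0, "edr_present": 0, "patched_in_sla": 0})
    for asset, (unit, _tier) in ASSETS.items():
        totals[unit]["assets"] += 1
        for control, ok in control_status(asset).items():
            totals[unit][control] += int(ok)
    return {u: {c: round(v / t["assets"], 2) for c, v in t.items() if c != "assets"}
            for u, t in totals.items()}

if __name__ == "__main__":
    print(risk_ranked_gaps(), unit_kris())
```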

Charting the Course Through the Sea of Assets

The ever-growing digital landscape calls for a vigilant eye on asset management. As we integrate remote work standards, bring your own device (BYOD) policies, and the Internet of Things (IoT) into our systems, our attack surfaces are widening at an exponential rate.

Maintaining accurate and updated asset inventories can be challenging. With gaps in configuration management databases (CMDB) and other inventories, organisations may be left with vulnerabilities that are invisible and unprotected. Combatting this issue requires a proactive solution:

  • Leverage multiple sources: Triangulate data by collating information from multiple sources like discovery scans, network segmentation tools, firewalls, and proxies.
  • Real-time identification: Supplement existing inventories with additional IT and security tools’ telemetry, allowing for real-time asset identification and tracking within the network.
  • Clear governance: Treat inventory management as an independent control alongside a robust cybersecurity strategy. Include clear governance and set processes for ensuring swift and appropriate remediation of vulnerabilities.
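The triangulation step above, as an added example that is not part of the original article: hostnames reported by a discovery scan, firewall logs and proxy logs are normalised and compared with a CMDB export, surfacing assets no inventory knows about (with the sources that corroborate each) and CMDB rows that no tool has observed. All records are constructed; the source names and the internal DNS suffix are assumptions.

```python
"""Triangulate asset inventories: assets seen in telemetry but absent from the
CMDB, and CMDB records no tool has observed. Added example, constructed data."""
from collections import defaultdict

# Constructed CMDB export: hostname -> owning team
CMDB = {"web-01": "Retail IT", "db-01": "Retail IT", "old-print": "Facilities"}

# Constructed telemetry from the tools the article lists, as each reports names.
SOURCES = {
    "discovery_scan": ["web-01", "db-01", "kiosk-07", "WEB-01"],
    "firewall_logs": ["web-01", "kiosk-07", "dev-box-3"],
    "proxy_logs": ["db-01.corp.example", "dev-box-3"],
}

def normalise(name):
    """Lower-case and strip an assumed internal DNS suffix so sources line up."""
    return name.lower().removesuffix(".corp.example")

def observed_assets(sources=SOURCES):
    """Map each normalised hostname to the set of sources that reported it."""
    seen = defaultdict(set)
    for source, names in sources.items():
        for name in names:
            seen[normalise(name)].add(source)
    return seen

def reconcile(cmdb=CMDB, sources=SOURCES):
    """Return (unknown assets -> corroborating sources, unobserved CMDB hosts)."""
    seen = observed_assets(sources)
    known = {normalise(h) for h in cmdb}
    unknown = {h: sorted(s) for h, s in seen.items() if h not in known}
    unobserved = sorted(known - set(seen))
    return unknown, unobserved

if __name__ == "__main__":
    unknown, unobserved = reconcile()
    for host, srcs in sorted(unknown.items()):
        print(f"not in CMDB: {host} (seen by {', '.join(srcs)})")
    for host in unobserved:
        print(f"in CMDB but never observed: {host}")
```

Assets corroborated by more than one source are strong candidates for onboarding into the inventory; unobserved CMDB rows are candidates for decommission review.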

Effective inventory management cannot be done by cybersecurity teams alone and requires close collaboration with the wider IT organisation.

The Power of Automation

Automation has become a key component in vulnerability management. More organisations are adopting automation in risk assessment, triage, assignment, prioritisation, and vulnerability scanning.

Automating remediation is the next logical step of this evolution. Whilst we do not envision a fully automated remediation regime imminently, we see significant steps being made towards automating and applying remediation actions with minimal overhead.

Large organisations are increasingly incorporating Machine Learning (ML) to improve operational efficiency and the remediation process. Using ML models in ASM is still in its early stages but showing promise. For example, these models are being used to:

  • Predict asset and vulnerability ownership, addressing the challenge of accurate and timely assignment of remediation activities.
  • Forecast future vulnerability remediation dates, helping manage backlogs and identify operational bottlenecks.
  • Classify and assign ownership for newly discovered and unknown assets.

In the future, we can expect to see an ASM strategy increasingly characterised by intelligent automation and data-driven decision-making.

How We Can Help

KPMG brings together cybersecurity, technology, analytics and change expertise to help introduce new levels of resilience and agility to your cyber defences. Together, we can help create a trusted digital environment that allows your organisation to push the boundaries of what’s possible, secure in the knowledge that your attack surface is effectively managed. Please get in touch if you would like to discuss how we can help to improve security posture and resilience within your organisation.