Attack Surface Management (ASM) has emerged as a crucial discipline within cybersecurity amidst an evolving threat landscape. Yet, the topic is often confined to a narrow discipline of infrastructure vulnerability management or external attack surface scanning.
With the ever-growing number of devices and the increasing sophistication of cyber-attacks, organisations should adopt a more unified approach that addresses the multiplicity and interconnectedness of their environments.
We share common trends and our observations on ASM based on recent work in helping clients enhance their security posture.
Breaking Down the Silos
It’s vital that an organisation’s ASM strategy aligns with its larger operating model and is not confined to a sub-discipline. With the sheer number and variety of potential entry points for attackers, a unified approach requires collaboration between teams, top management commitment and changes to existing workflows. We see some common themes in successful organisations:
- Shared responsibility model: Defining an ASM model that spans IT operations, development teams, and business units, fostering a shared responsibility across the organisation.
- Cross-functional teams: Key departments should be represented in these teams, convening regularly to discuss the state of the attack surface, progress towards common goals, and ensure effective ASM implementation.
- Unified data and tooling: Implementing common platforms that offer capabilities like asset discovery, vulnerability management, configuration management, and threat intelligence can reduce fragmentation and enhance cross-functional collaboration.
- Common language and metrics: Establishing a common set of terminologies and metrics that everyone can understand helps to set common goals and improve collaboration.
- Common risk approach: Teams should cooperate to identify the vulnerabilities posing the greatest risk, which should be remediated first, ensuring alignment between the organisation’s risk management efforts and its business objectives.
Maintaining a Balance: Addressing Symptoms and Causes
We frequently help clients during distress scenarios resulting from security incidents, near misses, or regulatory issues. We’ve learnt that treating symptoms alone is not enough; it is necessary to treat the root causes. Some examples include:
- Inadequate patch management: A lack of disciplined patching results in unmanageable backlogs of avoidable vulnerabilities. Implementing regular patching cycles mitigates this.
- Improper configuration management: Incorrect or outdated system configurations may inadvertently provide easy access points for attackers.
- Uncontrolled third-party risks: An absence of mature third-party management processes can leave an organisation vulnerable to unexpected exposures.
- Insufficient security training: Developers may introduce security vulnerabilities into code due to inadequate cybersecurity training.
- Outdated IT infrastructure: Ageing systems can generate a multitude of vulnerabilities with limited remediation options due to scarce vendor support.
- Immature DevSecOps processes: Not integrating security from the outset of the development process can result in additional compliance efforts and rework.
These scenarios trigger 'vicious cycles', where we're so focused on firefighting that we overlook the source of the fire. Organisations need an ASM strategy that not only tackles immediate threats but also plugs the gaps where new vulnerabilities can creep in. It’s about getting to the root of the problem, preventing repeats, and shifting from reactive to proactive defence.
Beneath the Surface
We cannot discount the risk of post-breach movement. Much like a professional thief who finds numerous ways to navigate a secured facility, cybercriminals employ lateral movement strategies to delve deeper into our systems once the initial breach occurs.
Successful ASM is about creating a comprehensive security plan, not just securing the front door. This boils down to having effective internal controls, for example:
- Network segmentation: Dividing our cyber ‘building’ into secure ‘rooms’, each fortified against unauthorised intrusion.
- Identity and access management (IAM) controls: IAM acts as our internal gatekeeper, ensuring individuals only receive the access necessary to perform their tasks.
- Logging and monitoring capabilities: Functioning as vigilant guards and astute detectives on the lookout for potential breaches and suspicious behaviours.
- Training and awareness: Recognising people as integral parts of our attack surface. Regular training and awareness programmes equip our teams to identify and respond to threats.
- Third-party controls: Third-party vendors and SaaS providers form part of our attack surface. Implementing rigorous third-party risk management controls ensures consistent security standards and prevents weak links in our cybersecurity chain.
Data-driven Defence
Many organisations use their data to get a holistic view of cyber threats and controls. Whilst security information and event management (SIEM) remains a powerful tool for real-time monitoring and alerting, it is less effective at creating a single-pane view that joins data across inventories, environments and control deployments. Unifying data analysis enhances visibility, creating a more inclusive view of the security landscape.
We have seen a shift towards data-driven approaches which involve extracting and combining all cybersecurity data (often using a data lake) to create use cases:
- Threat-driven risk assessment: Modelling real attack paths and understanding cyber risk based on the observed status of cybersecurity controls and the sensitivity of an asset.
- Continuous control monitoring: Creating a complete and real-time view of cyber defences, down to individual asset instances or people.
- Advanced threat hunting: Performing advanced threat analysis on months of historic data, correlating multiple data sources into one.
- Cross-domain monitoring and alerting: Bridging existing data and organisational silos to generate cross-functional alerts and aid investigations.
The data journey often starts from more modest foundations, such as defining key risk and control indicators across all asset types and main attack surfaces. Even a small number of metrics reported consistently across the estate can make a big difference in reducing risk.
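As an added illustration (not code from the original article or from any client engagement it describes), the script below joins three constructed data sources into one view of the kind the "single-pane" and "continuous control monitoring" paragraphs above call for, and uses it to rank assets for remediation in the spirit of the common risk approach described under "Breaking Down the Silos". The asset inventory, findings, control status, the 1..3 sensitivity scale, the exposure multiplier and the per-control mitigation credits are all assumptions chosen for the example; a real estate would pull these from its CMDB, scanner and control platforms and calibrate the weights to its own risk appetite.

```python
"""Added example: a minimal single-pane view joining an asset inventory,
vulnerability findings and control-deployment status, then ranking assets
by risk and reporting control coverage. All data and weights are constructed
for illustration and are not from the article."""
from collections import defaultdict

# Constructed asset inventory: sensitivity 1 (low) .. 3 (high), exposure from the network view
ASSETS = [
    {"id": "web-01", "owner": "platform", "sensitivity": 2, "internet_facing": True},
    {"id": "db-01", "owner": "data", "sensitivity": 3, "internet_facing": False},
    {"id": "hr-app", "owner": "hr", "sensitivity": 3, "internet_facing": True},
    {"id": "dev-box", "owner": "engineering", "sensitivity": 1, "internet_facing": False},
]

# Constructed vulnerability scan output (CVSS base scores only; no real CVE identifiers)
FINDINGS = [
    {"asset": "web-01", "finding": "outdated TLS library", "cvss": 7.5},
    {"asset": "db-01", "finding": "default admin account", "cvss": 9.0},
    {"asset": "hr-app", "finding": "missing security headers", "cvss": 4.0},
    {"asset": "hr-app", "finding": "unpatched application server", "cvss": 8.8},
    {"asset": "ghost-01", "finding": "end-of-life OS", "cvss": 9.8},  # not in the inventory
]

# Constructed control-deployment status per asset (True = control deployed and reporting)
CONTROLS = {
    "web-01": {"edr": True, "mfa": True, "segmented": False, "logging": True},
    "db-01": {"edr": True, "mfa": False, "segmented": True, "logging": True},
    "hr-app": {"edr": False, "mfa": False, "segmented": False, "logging": False},
    "dev-box": {"edr": True, "mfa": True, "segmented": True, "logging": True},
}

REQUIRED_CONTROLS = ("edr", "mfa", "segmented", "logging")
# Assumed mitigation credit each deployed control earns against the raw score
CONTROL_CREDIT = {"edr": 0.15, "mfa": 0.15, "segmented": 0.20, "logging": 0.10}


def asset_risk(asset, findings, controls):
    """Risk = worst finding x sensitivity x exposure, reduced by deployed controls."""
    worst = max((f["cvss"] for f in findings), default=0.0)
    exposure = 1.5 if asset["internet_facing"] else 1.0
    mitigation = sum(CONTROL_CREDIT[c] for c in REQUIRED_CONTROLS if controls.get(c))
    return round(worst * asset["sensitivity"] * exposure * (1 - mitigation), 2)


def build_view(assets=ASSETS, findings=FINDINGS, controls=CONTROLS):
    """Join the three sources into one ranked record per inventoried asset.

    Also returns assets that have findings but are absent from the inventory:
    an unmanaged asset is itself an attack-surface gap worth surfacing."""
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[f["asset"]].append(f)
    known = {a["id"] for a in assets}
    rows = []
    for a in assets:
        ctl = controls.get(a["id"], {})
        rows.append({
            "id": a["id"],
            "owner": a["owner"],
            "risk": asset_risk(a, by_asset[a["id"]], ctl),
            "missing_controls": [c for c in REQUIRED_CONTROLS if not ctl.get(c)],
            "findings": len(by_asset[a["id"]]),
        })
    rows.sort(key=lambda r: r["risk"], reverse=True)
    unmanaged = sorted(set(by_asset) - known)
    return rows, unmanaged


def control_coverage(assets=ASSETS, controls=CONTROLS):
    """Share of inventoried assets with each control deployed: a simple key control indicator."""
    total = len(assets)
    return {c: round(sum(1 for a in assets if controls.get(a["id"], {}).get(c)) / total, 2)
            for c in REQUIRED_CONTROLS}


if __name__ == "__main__":
    rows, unmanaged = build_view()
    for r in rows:
        print(f"{r['id']:8} risk={r['risk']:6.2f} owner={r['owner']:12} missing={r['missing_controls']}")
    print("unmanaged assets with findings:", unmanaged)
    print("control coverage:", control_coverage())
```

The point of the join is what no single source shows on its own: the highest-ranked asset is not the one with the worst CVSS score but the sensitive, internet-facing one with no controls deployed, while the asset with the highest raw score in the scan output does not appear in the inventory at all and so would never have an owner assigned. The coverage dictionary is the sort of small, consistently reported indicator the closing paragraph recommends starting with.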