By David Monnier, Team Cymru Fellow
Will your organization become the next big cyberattack reported in the news? Or have you been following the trends close enough to know how to proactively protect against attack?
As businesses across the globe see vulnerabilities exploited and weaponized at an increasing rate, there is wisdom in watching closely to determine what trends emerge from these battlegrounds. Are organizations finding successful methods and solutions to protecting the attack surface? If so, how can we apply them to our organizations?
Just as the attack surface never stays static, neither should an organization’s approach to Attack Surface Management (ASM), and knowing current trends can give us valuable insights into what other organizations are experiencing and the strategies they use to protect their digital assets.
Here are three evolving trends in ASM and how knowing and understanding these trends can help keep your organization safe.
Trend #1: Attack Surfaces Are Expanding With No One at the Helm
One of the biggest trends we’re seeing today is not only an ever-expanding attack surface but the need for tools and approaches to evolve—like ASM v2.0—to keep up with it.
Your external attack surface includes anything visible that malicious actors could exploit. When you try to visualize your organization’s attack surface, your list should consist of endpoints, servers, domains, certificates, credentials, and public cloud services. That list is then compounded for your supply chain’s attack surface, including third-party infrastructure and partner software code vulnerabilities, and in turn, who is connected to them, your fourth party.
How has that list changed over time? For most companies, their attack surface—especially their external attack surface—is expanding at an incredibly rapid speed. This hurried expansion explains why there was no such term as Attack Surface Management only five years ago. It wasn’t needed, as attack surfaces were relatively static.
However, as organizational attack surfaces expanded over the years, there was already an increasing need to deploy processes, technologies, and professional services to continuously discover or map external-facing assets and systems. Covid managed to turn a gradually increasing yet manageable need into a runaway train. This need was the impetus behind what is now called ASM v1.0.
Yet original ASM processes do little to help you manage your attack surface and reduce risk. Even after being able to conceptualize and map their attack surface, most organizations continue to rely on spreadsheets and a variety of disparate security tools and resources to manage their attack surface manually. Additionally, ASM v1.0 is slow and expensive. It takes the average organization over 80 hours to update its attack surface point-in-time inventory. And that’s for known assets.
These deficiencies prompted the need for a revolution in ASM, or ASM v2.0. The predominant features of ASM v2.0 are the addition of integrated threat intelligence and vulnerability scanning to an enhanced attack surface discovery process. Overall, an organization needs these autonomous and continuous assessment tools that will keep up with their ever-expanding attack surface; ASM v2.0 is it.
Trend #2: The Convergence of Security Technologies
Another trend is rising IT complexity, which makes being effective at security and defense more challenging. To address complexities, many organizations layered on more security tools such as reporting, orchestration and automation solutions—creating a problem that is now squared from the original. For example, it is likely to ingest several threat intelligence feeds, have other tools that scan for vulnerabilities, and then have complex workflows and processes. Some security tools provide alerts and signals while others proactively remediate vulnerabilities.
Acquiring and maintaining an arsenal of security tools means managing multiple systems and shouldering all the complexity and cost associated with it. Embarking on this strategy means that someone on the security team must regularly meet with various vendors to maintain a relationship. The organization must understand each vendor’s system and ensure that updates and upgrades are kept current, in addition to the human resources that operate them. This strategy is neither budget-friendly, optimal, nor scalable.
Additionally, security teams today are frequently understaffed and overwhelmed. This labor shortage means fewer practitioners are available to understand, manage, and operate the various systems that, over time, organizations have acquired.
If there is no integration between the systems your organization owns, there may be a need to populate data from one system to another manually. If there is an integration between these systems, someone needs to ensure the integration doesn’t break and know how to fix it when it does—again, incurring time and cost.
This is why the current acceleration in the convergence of security technologies is driven by the need for organizations to reduce complexity, leverage commonalities, reduce administrative overhead, and provide more effective security.
Moving from an ASM v1.0 paradigm to a converged solution that includes the enhanced ASM v2.0 characteristics is a highly cost-effective way to improve your organization’s security posture through better risk management while simultaneously reducing operating costs.
Trend #3: Risk-Based Decision Making
An attack surface management program needs to speak the language of business, and the language of today’s business revolves around risk.
There should also be a joint goal for IT and any line of business starting with one question; ‘how can we make simultaneous and unanimous decisions together about risk management?’ If the process starts with this question, the outcome is a single platform that speaks both IT and Risk languages, enables both types of IT and line of business to become key stakeholders, and speaks back in terms, trends, metrics, and graphs that both sides find valuable.
Cyber risk is a top-level topic within most organizations. Boards and executive leaders need to know how effective they are at managing cyber risks. Leaders that control corporate purse strings demand that security expenditures continually prove their value in risk-reducing terms.
Yet in order to have a meaningful conversation about risk, you need to start with a deep understanding of threats and vulnerabilities and how they relate to your attack surface and weave in how valuable each asset is to the organization. You also need an ASM v2.0 solution to identify known and unknown customer assets, remote connectivity, and third- and fourth-party vendor assets.
In order for both the C-suite and security teams to gain the vantage points they need, monitor these assets continually to determine the presence of vulnerabilities or threats and provide risk scoring. This strategy allows security teams to prioritize remediation efforts while freeing up business leaders to make risk-based decisions that drive business actions.
Additionally, security teams can detect supply chain threats and dangers posed by business partners. Because of this, corporate leaders considering a merger or acquisition can check to ensure that the other organization is not inadvertently suppressing threats or vulnerabilities.
Following Trends for Future Action
Do you truly know by how much and how fast your organization’s attack surface is expanding? Clue: it is by a lot and faster than your team can keep pace. With attack surfaces expanding, more complexities at the convergence of security technologies, and the need for highly effective and precise risk-based decision making, organizations may need to step up their efforts to ensure ongoing and scalable protection. Companies that are not poised to transition from ASM v1.0 processes and technologies risk being the target of the next cyber attack.
Now is the time to extend your view of your attack surface beyond the walls of your company or your cloud provider. Integrating threat intelligence, vulnerability scanning, and attack surface management will be essential to your organization’s future.
About the Author
David Monnier is a Team Cymru Fellow who has 30+ yrs experience in cyber intelligence and has presented keynote insights more than 100 times in over 30 countries.
David Monnier was invited to join Team Cymru in 2007. Prior to Team Cymru, he served in the US Marine Corps as a Non-Commissioned Officer, then went to work at the Indiana University. There, he drove innovation in a high-performance computing center, helping to build some of the most powerful computational systems of their day. He then transitioned to cybersecurity, serving as Lead Network Security Engineer at the university and later helped to launch the Research and Education Networking ISAC.
At Team Cymru, he has been systems engineer, a member of the Community Services Outreach Team, and a security analyst. David led efforts to standardize and secure the firm’s threat intelligence infrastructure, and he served as Team Lead of Engineering, establishing foundational processes that the firm relies on today.
After building out the firm’s Client Success Team, he recently moved back to the Outreach team to focus once again on community services, such as assisting CSIRT teams around the globe and fostering collaboration and data sharing within the community to make the Internet a safer place.
With over 30 years of experience in a wide range of technologies, David brings a wealth of knowledge and understanding to threat analysis, system hardening, network defense, incident response and policy. He is widely recognized among veteran industry practitioners as a thought leader and resource. As such, David has presented around the globe to trust groups and at events for network operators and security analysts.
David can be reached online at LinkedIn and Twitter. Our company website https://team-cymru.com/
Source: www.cyberdefensemagazine.com