The Real Story Behind Attack Surface Management
Attack surface management evaluates an IT environment to assess where an attacker is most likely to strike.
The industry's current approach says you should examine your IT environment for the points of entry, the "attack vectors", an attacker is most likely to use. That is more useful than plain vulnerability management and hygiene because it concentrates patching effort on the assets most likely to be attacked rather than on every asset that could be.
However, this idea still has flaws that anyone looking to employ it should consider carefully. Wouldn't it be better to focus on the assets most valuable to an attacker? The assets most likely to be breached first are not necessarily the ones an attacker most wants to ransom or steal from. Isn't that where your mitigations should begin?
Fewer than half of all companies apply patches immediately, and, in 2017, more than half were running business functions on assets that were unpatchable. An honest assessment of most organizations' attack surfaces (the sum of all those entry points, each one a potential attack vector) is that they are huge, and the initial compromise could happen almost anywhere.
Put differently, what most attack surface management delivers is triage, not defense. The answer to "where could an attacker establish a beachhead" is "almost anywhere."
For years, the industry has offered vulnerability management and endpoint security products as the answer to the cybersecurity problem. But trying to bring every piece of software in the environment up to the current patch level is a poor use of security operators' time, and it carries serious risk of its own: patches break things, and you can spend most of your effort fixing software on hosts that don't matter to the business. Most assets can help an attacker move laterally; only a few are the ones whose compromise makes them stop and declare victory.
Watch Out for That CAASM
Imagine you have just taken over an IT operation where very little of the environment is patched, and your predecessor used a Cyber Asset Attack Surface Management ("CAASM") tool to identify the vulnerable points an attacker is most likely to leverage.
The CAASM tool would have produced a list of large, unpatched servers, some important to the business and others not even in production. That isn't useless, but what you would really want is an assessment of the crown jewels in your environment, ranked by their value to the business or to the attacker, rather than by how busy a device is and how attractive its software vulnerabilities look.
Specifically, you would set aside those large, non-production servers and focus on the critical assets that aren't obviously valuable at a glance: the parts of the environment through which an attacker could hold your business hostage.
Don't IT organizations already know what's most valuable? Sadly, we've found that capability to be even bleaker than patch management. Consulting firms we work with report that large IT operations typically have only about a third of their critical assets accounted for. This makes sense: they rarely run a tool to discover criticality the way they run one to discover software vulnerabilities.
Imagine a tool that let you direct resources to the assets whose failure would be an existential threat. Many breaches and ransomware attacks land on assets the organization didn't know it had. You should know about those before your adversaries do.
Make Cyber Resilience Your Goal
We believe that over the next 10 years CISOs will use AI-assisted tools to identify where to commit resources to avoid disruption or damage to the company's operations, rather than simply patching systems that look like attractive targets.
And those tools won't just consider assets with an important role; they will consider every asset those assets depend on. A critical application is only as available as the directory, database, or network segment beneath it. That wouldn't just make organizations more secure; it would make them more resilient.
CAASM, if we're honest with ourselves, is mainly vulnerability management repackaged. We've seen this before, when next-generation firewalls and advanced endpoint protection rebooted the ideas behind traditional firewalls and virus scanners; CAASM is vulnerability management 2.0.
We should prioritize protecting our crown jewels instead of guessing where an attacker will start. We propose that CISOs get ahead of the curve now: use real-time monitoring to identify the crown jewels, then build attack surface management outward from those points.
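To make the difference between the two rankings concrete, here is a small added illustration (not Redjack's code, and not a description of any vendor's product). It takes a constructed inventory of five hosts with a hand-assigned business criticality and the worst unpatched CVSS score on each, plus a constructed dependency graph, and compares the CAASM-style "worst score first" ordering with an ordering that first propagates criticality down the dependency chain. The host names, scores and edges are all invented for the example.

```python
"""Added illustration: rank assets by propagated business criticality rather
than by raw vulnerability exposure. Not Redjack's code; the inventory, scores
and dependency edges below are constructed for the example."""
from collections import defaultdict

# Constructed inventory. criticality: 0 (no direct business impact) .. 3
# (existential). exposure: worst CVSS base score currently unpatched on the host.
ASSETS = {
    "billing-app":     {"criticality": 3, "exposure": 5.3, "production": True},
    "auth-svc":        {"criticality": 1, "exposure": 6.1, "production": True},
    "ldap-01":         {"criticality": 0, "exposure": 7.5, "production": True},
    "legacy-batch-01": {"criticality": 0, "exposure": 9.8, "production": False},
    "wiki":            {"criticality": 0, "exposure": 8.8, "production": True},
}

# Constructed dependency edges: each key depends on every host in its list.
# If a listed host is down or compromised, the key host is too.
DEPENDS_ON = {
    "billing-app": ["auth-svc"],
    "auth-svc": ["ldap-01"],
}


def exposure_ranking(assets):
    """The CAASM-style view: hosts ordered by worst unpatched CVSS score."""
    return sorted(assets, key=lambda a: assets[a]["exposure"], reverse=True)


def propagate_criticality(assets, depends_on):
    """Effective criticality = max(own criticality, criticality of anything
    that depends on this host), applied transitively. Computed as a fixpoint
    so a cycle in the dependency graph cannot make it loop forever."""
    effective = {a: assets[a]["criticality"] for a in assets}
    dependents = defaultdict(list)  # reverse edges: host -> hosts relying on it
    for node, deps in depends_on.items():
        for dep in deps:
            dependents[dep].append(node)
    changed = True
    while changed:
        changed = False
        for node in effective:
            inherited = max((effective[n] for n in dependents[node]), default=0)
            if inherited > effective[node]:
                effective[node] = inherited
                changed = True
    return effective


def resilience_ranking(assets, depends_on):
    """Order by effective criticality first; exposure only breaks ties."""
    eff = propagate_criticality(assets, depends_on)
    return sorted(assets, key=lambda a: (eff[a], assets[a]["exposure"]), reverse=True)


def hidden_crown_jewels(assets, depends_on):
    """Hosts nobody tagged as critical that an existential asset rests on."""
    eff = propagate_criticality(assets, depends_on)
    return sorted(a for a in assets if assets[a]["criticality"] == 0 and eff[a] >= 3)


if __name__ == "__main__":
    print("by exposure:  ", exposure_ranking(ASSETS))
    print("by resilience:", resilience_ranking(ASSETS, DEPENDS_ON))
    print("hidden jewels:", hidden_crown_jewels(ASSETS, DEPENDS_ON))
```

Run as written, the exposure ranking puts the idle, non-production `legacy-batch-01` (CVSS 9.8) at the top and the billing application last. The resilience ranking inverts that: `ldap-01`, which no one tagged as critical, rises to the top because the billing application cannot run without the auth service that sits on it, and it surfaces in `hidden_crown_jewels` as exactly the kind of asset the text describes as unknown until an adversary finds it. The fixpoint loop is deliberate: real inventories contain circular dependencies, and a naive recursive walk would not terminate on them.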
To do that, you need a tool like Redjack. Contact us to learn more about our approach to cyber resiliency.