In this two-minute read, Zach outlines three simple things that CISOs and security leaders can do to reduce the modern enterprise attack surface: discovery, contextualization, response.

You can’t secure what you don’t know exists; you can’t hide what you don’t know is exposed.

John Binns, the self-professed perpetrator of this summer’s T-Mobile breach, reminded us of this when he shared the striking image of his entry point: a publicly exposed router. It was the first domino in a kill chain yielding millions of exfiltrated customer records.

Source: WSJ

The Problem: A Story of the Old and the New

The problem is not new, and many organizations believe it is already addressed by existing vulnerability management and red teaming efforts. However, our old methods have not kept pace with the growth and transformation of what constitutes an organization’s attack surface. Two drivers propel this new challenge: first, legacy/forgotten assets; and second, novel/unknown assets.

  • On the legacy front, organizations host heaps of debt from decades-old domains and M&A activity. This means that vulnerability management activity may not include all exposed assets. The assets that are included produce overwhelming volumes of results, usually prioritized by CVSS scores and existing organizational knowledge (e.g., “that’s our ERP system, we need to fix that vulnerability”) rather than granular analysis. This leads to many assets – like overexposed routers – being overlooked.
  • The problem of the new may be even more pressing. SaaS makes shadow IT easy, which expands the perimeter to user identities and data movement across thousands of platforms. If we enumerate only our datacenter and known cloud locations, we miss every “as-a-service” entity our users have made their own.

The Solution: Dedicated Attack Surface Reduction and Data Leak Assessment

More than likely, the router at the root of T-Mobile’s breach was captured by at least one external vulnerability scan and in scope for multiple red team assessments. But in the face of competing priorities and limited scopes, no one made their way down the list to discover it. To address this challenge, organizations must dedicate time and resources to comprehensively discovering, contextualizing, and responding to their attack surface.

  • Discovery can no longer be limited to a set of known IP addresses and domains. This means non-intrusively querying external environments and augmenting vulnerability-centric with data-centric analysis to find your data outside of your known environment. Additionally, organizations must enrich discovery with business knowledge, like past M&A activity, to uncover forgotten assets and repositories.
  • Additionally, current methods of contextualization based on CVSS scores and assumed criticality need to become more comprehensive. Automation always helps, but at the end of the day, some manual analysis will be needed to vet newly discovered assets and potential data leaks.
  • Finally, organizations should design boundary-spanning response processes to address problems uncovered outside of their known perimeter. For instance, if security discovers a potential source code leak to a personal GitHub account or accidental data exposure from a partner, privacy or legal needs to be engaged for resolution.
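The three steps above, as an added illustration that is not part of the original post and uses a constructed inventory: discovery finds assets the vulnerability management (VM) program never enumerates, contextualization weights CVSS by exposure and scope gap so a forgotten router on an acquired domain outranks a known ERP with a higher CVSS, and response routes each finding to the team that must act. All hostnames, weights and routing rules are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    host: str
    source: str            # how it was found: "vm_scan", "dns_legacy", "saas"
    exposure: str          # "admin_iface", "repo", "app", "internal"
    cvss: float = 0.0      # 0.0 means no scored CVE known yet
    in_vm_scope: bool = False
    business_ctx: str = ""

# Constructed sample data (not real assets).
KNOWN_SCOPE = {"erp.example.com", "www.example.com"}
DISCOVERED = [
    Asset("erp.example.com", "vm_scan", "app", 9.1, True, "ERP"),
    Asset("rtr-01.acquiredco.example", "dns_legacy", "admin_iface", 6.5, False, "2014 M&A"),
    Asset("github.com/jdoe/acme-internal", "saas", "repo", 0.0, False, "personal account"),
    Asset("www.example.com", "vm_scan", "app", 5.3, True, "marketing site"),
]

# Hypothetical contextualization weights and boundary-spanning routing table.
EXPOSURE_WEIGHT = {"admin_iface": 2.0, "repo": 2.0, "app": 1.0, "internal": 0.2}
ROUTE = {"repo": "legal+privacy", "admin_iface": "network", "app": "appsec", "internal": "it"}

def scope_gaps(assets, known):
    """Discovery: assets found externally that the VM program never scans."""
    return [a for a in assets if a.host not in known and not a.in_vm_scope]

def priority(a):
    """Contextualization: CVSS alone under-ranks an exposed, forgotten asset."""
    base = a.cvss if a.cvss else 5.0           # unscored is not the same as safe
    gap_factor = 1.0 if a.in_vm_scope else 1.5  # nobody is watching it today
    return round(base * EXPOSURE_WEIGHT[a.exposure] * gap_factor, 1)

def triage(assets, known):
    """Response: rank every finding and name the team that has to resolve it."""
    gaps = {a.host for a in scope_gaps(assets, known)}
    return [
        {"host": a.host, "score": priority(a), "gap": a.host in gaps,
         "route_to": ROUTE[a.exposure], "context": a.business_ctx}
        for a in sorted(assets, key=priority, reverse=True)
    ]

if __name__ == "__main__":
    for row in triage(DISCOVERED, KNOWN_SCOPE):
        print(row)
```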

In summary, a transformation of the technology landscape requires an equal transformation to secure it. Vulnerability management of known assets, the security industry’s current approach to attack surface management, is an important starting point, but on its own it is incomplete.

To address decades of technical debt and the SaaS-powered reframing of “perimeter” to identity and data, organizations must augment current practices with non-intrusive, comprehensive, and often data-centric discovery approaches.

To truly understand and protect their digital footprint, organizations must reconsider – and discover – what comprises it.

Zach Luze