In this four-minute read, Zach outlines three simple things CISOs and security leaders can do to reduce the modern enterprise attack surface: discovery, contextualization, and response.

You can’t secure what you don’t know exists; you can’t hide what you don’t know is exposed.

John Binns, the self-professed perpetrator of this summer’s T-Mobile breach, reminded us of this sentiment when he shared the striking image of his entry point: a publicly exposed router. It was the first domino in a kill chain yielding millions of exfiltrated customer records.

Source: WSJ

The Problem: Lack of Visibility into Old and New Assets

The problem is not new, and many organizations believe it is addressed by existing vulnerability management and red teaming efforts. However, our old methods have not kept pace with the growth and transformation of what constitutes an organization’s attack surface. Propelling this new challenge are two drivers: legacy/forgotten assets and novel/unknown assets.

Legacy/forgotten assets

On the legacy front, organizations host heaps of debt from decades-old domains and M&A activity. This means that vulnerability management activity may not include all exposed assets. 

The assets that are included produce overwhelming volumes of results rather than more granular analysis. Such results are usually prioritized by CVSS scores and existing organizational knowledge (e.g., that’s our ERP system, we need to fix that vulnerability). This leads to many assets – like overexposed routers – being overlooked.

Novel/unknown assets

The problem of the new may be even more pressing. SaaS makes shadow IT easy, which expands the perimeter to user identities and data movement across thousands of platforms. If we enumerate only our datacenter and known cloud locations, we miss every “as-a-service” entity our users have made their own.

The Solution: Transforming Asset Discovery and Vulnerability Management

More than likely, the router at the root of T-Mobile’s breach was captured by at least one external vulnerability scan and was in scope for multiple red team assessments. But in the face of competing priorities and limited scopes, no-one made their way down the list to discover it. To address this challenge, organizations must dedicate time and resources to comprehensively discovering, contextualizing, and responding to their attack surface.

Discovering the attack surface

Discovery can no longer be limited to a set of known IP addresses and domains. This means non-intrusively querying external environments and augmenting vulnerability-centric with data-centric analysis to find your data outside of your known environment. Additionally, organizations must enrich discovery with business knowledge, like past M&A activity, to uncover forgotten assets and repositories.

Contextualizing the attack surface

Additionally, current methods of contextualization based on CVSS scores and known understanding of criticality need to become more comprehensive. Automation always helps, but at the end of the day, some manual analysis will be needed to vet newly discovered assets and potential data leaks.

Responding to the attack surface

Finally, organizations should design boundary-spanning response processes to address problems uncovered outside of their known perimeter. For instance, if security discovers a potential source code leak to a personal GitHub account or accidental data exposure from a partner, privacy or legal needs to be engaged for resolution.

Learn more about Kudelski Security’s suite of services designed to reduce the attack surface

In Summary: Reframing Our Understanding of the Perimeter and How to Secure It

In summary, a transformation of the technology landscape requires an equal transformation to secure it. Vulnerability management of known assets, the security industry’s current approach to attack surface management, is an important starting point but is incomplete.

To address decades of technical debt and the SaaS-powered reframing of the “perimeter”, organizations must augment current practices with non-intrusive, comprehensive, and often data-centric discovery approaches.

To truly understand and protect their digital footprints, organizations must reconsider – and discover – what comprises it.

Was this article helpful?