3 Things Modern CISOs Can Do to Reduce the Attack Surface
In this four-minute read, Zach outlines three simple things CISOs and security leaders can do to reduce the modern enterprise attack surface: discovery, contextualization, and response.
Table of contents
- The Problem: Lack of Visibility into Old and New Assets
- The Solution: Transforming Asset Discovery and Vulnerability Management
  - Discovering the attack surface
  - Contextualizing the attack surface
  - Responding to the attack surface
- In Summary: Reframing Our Understanding of the Perimeter and How to Secure It
You can’t secure what you don’t know exists; you can’t hide what you don’t know is exposed.
John Binns, the self-professed perpetrator of this summer’s T-Mobile breach, reminded us of this sentiment when he shared the striking image of his entry point: a publicly exposed router. It was the first domino in a kill chain yielding millions of exfiltrated customer records.
The Problem: Lack of Visibility into Old and New Assets
The problem is not new, and many organizations believe it is addressed by existing vulnerability management and red teaming efforts. However, our old methods have not kept pace with the growth and transformation of what constitutes an organization’s attack surface. Propelling this new challenge are two drivers: legacy/forgotten assets and novel/unknown assets.
On the legacy front, organizations host heaps of debt from decades-old domains and M&A activity. This means that vulnerability management activity may not include all exposed assets.
The assets that are included produce overwhelming volumes of findings rather than granular analysis. Those findings are usually prioritized by CVSS scores and existing organizational knowledge (e.g., “that’s our ERP system, we need to fix that vulnerability”). This leads to many assets – like overexposed routers – being overlooked.
The problem of the new may be even more pressing. SaaS makes shadow IT easy, which expands the perimeter to user identities and data movement across thousands of platforms. If we enumerate only our datacenter and known cloud locations, we miss every “as-a-service” entity our users have made their own.
The Solution: Transforming Asset Discovery and Vulnerability Management
More than likely, the router at the root of T-Mobile’s breach was captured by at least one external vulnerability scan and was in scope for multiple red team assessments. But in the face of competing priorities and limited scopes, no one made their way down the list to discover it. To address this challenge, organizations must dedicate time and resources to comprehensively discovering, contextualizing, and responding to their attack surface.
Discovering the attack surface
Discovery can no longer be limited to a set of known IP addresses and domains. This means non-intrusively querying external environments and augmenting vulnerability-centric analysis with data-centric analysis to find your data outside of your known environment. Additionally, organizations must enrich discovery with business knowledge, like past M&A activity, to uncover forgotten assets and repositories.
Contextualizing the attack surface
Current methods of contextualization, based on CVSS scores and existing assumptions about criticality, need to become more comprehensive. Automation always helps, but at the end of the day, some manual analysis will be needed to vet newly discovered assets and potential data leaks.
Responding to the attack surface
Finally, organizations should design boundary-spanning response processes to address problems uncovered outside of their known perimeter. For instance, if security discovers a potential source code leak to a personal GitHub account or accidental data exposure from a partner, privacy or legal needs to be engaged for resolution.
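As an added illustration of the three steps above (not code from the original post): a small Python reconciliation that takes a constructed CMDB inventory and a constructed list of externally discovered hosts, flags the ones nobody inventoried, and ranks the whole attack surface with a priority that adds exposure, ownership and data-sensitivity context to CVSS. The host names, field names and weights are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Asset:
    host: str
    source: str                   # "cmdb", or the discovery feed that found it
    owner: Optional[str] = None   # business owner; None means nobody is accountable
    internet_facing: bool = False
    sensitive_data: bool = False
    cvss: float = 0.0             # highest CVSS among open findings, 0.0 if none

# Constructed sample data (not real hosts): what the CMDB knows ...
INVENTORY: Dict[str, Asset] = {
    "erp.corp.example": Asset("erp.corp.example", "cmdb", "finance", False, True, 9.1),
    "www.corp.example": Asset("www.corp.example", "cmdb", "marketing", True, False, 5.3),
}
# ... versus what non-intrusive external discovery (DNS, cert logs, SaaS exports) returns.
DISCOVERED: List[Asset] = [
    Asset("www.corp.example", "dns", "marketing", True, False, 5.3),
    Asset("rtr-edge.acquiredco.example", "dns", None, True, False, 6.5),          # forgotten M&A edge router
    Asset("corp-files.saasvendor.example", "cloud_export", None, True, True, 0.0),  # shadow SaaS holding company data
]

def reconcile(inventory: Dict[str, Asset], discovered: List[Asset]) -> List[Asset]:
    """Discovery step: anything found externally but absent from the inventory is an unknown asset to vet."""
    return [a for a in discovered if a.host not in inventory]

def priority(asset: Asset) -> float:
    """Contextualization step: CVSS is the baseline; exposure, missing ownership and
    data sensitivity raise the priority (weights are assumptions for illustration)."""
    score = asset.cvss
    if asset.internet_facing:
        score += 2.0   # reachable by anyone on the internet
    if asset.owner is None:
        score += 2.0   # nobody will fix it until someone is assigned
    if asset.sensitive_data:
        score += 1.0
    return score

def prioritize(inventory: Dict[str, Asset], discovered: List[Asset], contextual: bool = True) -> List[str]:
    """Rank the full attack surface (inventory plus unknowns); contextual=False shows the CVSS-only order."""
    assets = list(inventory.values()) + reconcile(inventory, discovered)
    key = priority if contextual else (lambda a: a.cvss)
    return [a.host for a in sorted(assets, key=key, reverse=True)]

if __name__ == "__main__":
    for a in reconcile(INVENTORY, DISCOVERED):   # response step: hand each unknown to an owner or to legal/privacy
        print(f"UNKNOWN asset {a.host} (found via {a.source}) -> assign an owner and route to response")
    print("CVSS-only order: ", prioritize(INVENTORY, DISCOVERED, contextual=False))
    print("Contextual order:", prioritize(INVENTORY, DISCOVERED))
```

With CVSS alone the known ERP system ranks first; with context the unowned, internet-facing router inherited from the acquisition moves to the top, which is the overlooked case the post describes.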
In Summary: Reframing Our Understanding of the Perimeter and How to Secure It
In summary, a transformation of the technology landscape requires an equal transformation to secure it. Vulnerability management of known assets, the security industry’s current approach to attack surface management, is an important starting point but is incomplete.
To address decades of technical debt and the SaaS-powered reframing of the “perimeter”, organizations must augment current practices with non-intrusive, comprehensive, and often data-centric discovery approaches.
To truly understand and protect their digital footprint, organizations must reconsider – and discover – what comprises it.