Learn about gaining visibility into your network and monitoring for threats.

Rapid7 Cloud Risk Complete
Attack surface management (ASM) is the process of maintaining visibility into an ever-changing network environment so that security teams can patch vulnerabilities and defend against emerging threats. So, what is an attack surface? It’s your whole network, on-prem and off, and the potential vulnerable points where attackers could gain entry.
Forrester defines attack surface management as the process of continuously discovering, identifying, inventorying, and assessing the exposure of an entity’s IT asset estate. Based on everything above, we can safely assume this is something security teams have regular difficulty staying on top of and addressing. Limited visibility in an environment means you don’t know about everything that could possibly hurt the organization and the business.
And if visibility is limited, keep in mind that any process in application development could be compromised because of a lack of observability into aspects such as how code behaves in production. Put simply, limited visibility into the attack surface makes many aspects of business operations and security unreliable.
Security organizations can monitor and manage attack surfaces through vulnerability management, regular web application testing, automated threat detection and response, and visibility into the most up-to-date indicators of compromise (IOCs). There is no one correct way to manage an entire attack surface, especially in larger enterprise organizations, but by gaining increased visibility, a security team can begin to tailor actions and search for solutions specific to its environment.
Attack surface management is important because it provides the visibility, context, and prioritization needed to address vulnerabilities before they can be exploited by attackers; it’s critical for teams who want a deeper understanding of their key risk areas. Attack surface management also aids in making IT, security personnel, and leadership aware of what areas are vulnerable to attack, so the organization can find ways of minimizing the risk.
Aspects of the process – like vulnerability assessments and penetration testing – are best practices teams can leverage to gain visibility and context into where breaches might occur along the attack surface. This overall attack surface analysis strategy can increase awareness of both technical and process-related risks.
External attack surface management (EASM) is the process of identifying internal business assets that are public-internet facing and monitoring vulnerabilities, public-cloud misconfigurations, exposed credentials, or other external information and processes that could be exploited by attackers. No inventory of these assets will be perfect; the goal is to obtain as accurate a snapshot as possible to help evaluate cloud security posture.
As mentioned above, misconfigurations can play a big part in your vulnerability landscape. Properly configuring any cloud environment plays a key role in protecting it from a broad range of threats, whether in the form of deliberate attacks or unintended mistakes.
EASM solutions are increasingly focused on identifying rogue external assets that could be part of an organization’s attack surface. They should be able to tap into threat feeds that enable active threat hunting so practitioners can understand what bad actors are doing in the wild and how it could bleed into the internal environment.
They should also be able to leverage external threat intelligence from the post-perimeter attack surface to properly detect and prioritize risks and threats, from the nearest network endpoints all the way to the deep and dark web. This has the added benefit of improving the overall signal-to-noise ratio.
The challenges around external attack surface mapping are many, but that doesn’t mean there aren’t solutions for a capable SOC. Whether that team exists all in one location or they’re scattered the world over, it’s imperative for a globally distributed workforce to secure its modern attack surface. Let’s take a look at a few highlights among those challenges:
Running the bulk of operations in the cloud means there is no fixed perimeter as in the “old days” of on-prem-only infrastructure. That perimeter is ever-changing and expanding, and the distributed IT ecosystems that host an organization’s clouds make it difficult to monitor and secure a national or global perimeter that lies beyond the firewalls and other controls protecting local networks.
Collaboration between traditionally siloed teams can be a challenge when attempting to monitor and map your attack surface for budding threats, especially when those teams can be distributed geographically, whether that means a network of remote workers, regional offices, or multinational headquarters. These days, there is a greater focus on solutions that can provide the shared view and common language that can bring together those traditionally siloed teams to work toward a common goal of threat prevention.
Between known and unknown assets constantly joining the network, your attack surface grows and changes daily. Most of the time this is because the company is growing, and that is a good thing. However, any SOC worth its salt will want to ensure that the expanding perimeter is as secure as it can be. Automating operations can cut down on the time it takes to secure an expanding attack surface, allowing developers and security analysts to collaborate more closely and prioritize vulnerabilities.
This includes extensive scanning to discover systems and assets that may be particularly open to threats. These assets could be anything from application builds, to personal devices accessing a company’s network, to the hardware and software of a supply chain partner. That last point is of particular concern, as nearly every company leverages the services of multiple vendors, each of which leverages the services of multiple vendors of its own, and so on.
This complexity and reliance on so many partner networks underscores the need to go beyond discovery, to accelerate scanning and visibility into real-time territory. As threat actors gain speed with their breach methodologies, security organizations must keep pace as the time to exploitation continues to shrink.
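The discovery step described above boils down to comparing what the inventory believes is exposed with what a scan actually sees from the outside. The following is an added example, not Rapid7's code or part of any product: it diffs a constructed known-asset inventory against constructed scan results, flags hosts nobody owns (rogue assets), known hosts with ports the inventory does not list, and inventory entries the scan no longer sees, then builds the next baseline so the comparison can run on every scan. All hostnames, owners and ports are constructed.

```python
"""Added example (not Rapid7's code): diff a known-asset inventory against an
external discovery scan to surface unknown assets and new exposures.
All hostnames, owners and port data below are constructed for the example."""
from dataclasses import dataclass

# Constructed: what the asset inventory believes is owned and internet-exposed.
KNOWN_ASSETS = {
    "web-01.example.test": {"owner": "web-team", "exposed_ports": {443}},
    "vpn-01.example.test": {"owner": "netops", "exposed_ports": {443, 1194}},
    "db-01.example.test": {"owner": "data-team", "exposed_ports": set()},
}

# Constructed: hosts and open ports seen by an external discovery scan.
SCAN_RESULTS = {
    "web-01.example.test": {443, 8080},
    "vpn-01.example.test": {443, 1194},
    "db-01.example.test": {5432},
    "legacy-proxy.example.test": {80},
}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "unknown_asset", "new_exposure" or "missing_asset"
    detail: str


def diff_inventory(known, scan):
    """Return findings where the scan disagrees with the inventory."""
    findings = []
    for host, open_ports in scan.items():
        if host not in known:
            # Reachable from the internet but nobody owns it: the classic rogue asset.
            findings.append(Finding(host, "unknown_asset",
                                    f"open ports {sorted(open_ports)}, no owner on record"))
            continue
        new_ports = open_ports - known[host]["exposed_ports"]
        if new_ports:
            findings.append(Finding(host, "new_exposure",
                                    f"ports {sorted(new_ports)} not in inventory "
                                    f"(owner: {known[host]['owner']})"))
    for host in known:
        if host not in scan:
            # Not necessarily a problem, but the inventory is stale either way.
            findings.append(Finding(host, "missing_asset", "in inventory but not seen by scan"))
    return sorted(findings, key=lambda f: (f.kind, f.host))


def next_snapshot(known, scan):
    """Build the next inventory baseline: accept observed ports for known hosts and
    record unknown hosts with a placeholder owner so they stay tracked until triaged."""
    snapshot = {}
    for host, open_ports in scan.items():
        owner = known.get(host, {}).get("owner", "UNASSIGNED")
        snapshot[host] = {"owner": owner, "exposed_ports": set(open_ports)}
    return snapshot


if __name__ == "__main__":
    for f in diff_inventory(KNOWN_ASSETS, SCAN_RESULTS):
        print(f"{f.kind:14} {f.host:28} {f.detail}")
```

Run on the constructed data, the diff reports two new exposures (8080 on the web host, 5432 on a database that was never meant to be reachable) and one unowned host. Each finding carries an owner where one exists, which is what lets a distributed team route it to the right people rather than to a shared queue.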
Regular testing – of varying types – is a reliable way to ensure applications and systems are properly secured. From there, you can determine what action needs to be taken to fortify perimeters.
It’s crucial to have context around potential risks or threats. Data sprawl and complexity can lead to an unwieldy attack surface that poses major challenges to security operations (SecOps) teams looking to fully understand threats and manage vulnerabilities at an ever-increasing pace.
Contextualized threat intelligence can help provide insights into every layer of your tech stack so you can effectively prioritize and respond to risks and threats. This means more than just intelligence feeds: it also means understanding public accessibility, presence of vulnerabilities, whether or not a resource is associated with a business critical application, and more. Vulnerabilities have a certain level of risk, as does every asset on your network. Therefore, it’s crucial to have strategies in place that prioritize remediation of the most sensitive risks before they become real threats.
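To make the prioritization point concrete, here is an added example (not Rapid7's code or scoring model): a small scorer that starts from base severity and adjusts it for the context the paragraph lists, that is, public reachability, association with a business-critical application, evidence of active exploitation from an intelligence feed, and an exposed credential. The weights and the four findings are constructed; the vulnerability labels are placeholders, not real identifiers.

```python
"""Added example (not Rapid7's code): rank findings by environmental context
rather than by base severity alone. Weights and findings are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln: str
    cvss: float                        # base severity, 0-10
    internet_facing: bool              # publicly reachable?
    business_critical: bool            # backs a business-critical application?
    exploited_in_wild: bool            # matched a threat-intel / IOC feed
    credential_exposed: bool = False   # a leaked credential for this asset was found


def priority_score(f):
    """Contextual score: severity scaled by exposure and criticality, plus flat
    bumps for active exploitation and leaked credentials. Capped at 20."""
    score = f.cvss
    if f.internet_facing:
        score *= 1.5
    if f.business_critical:
        score *= 1.3
    if f.exploited_in_wild:
        score += 3.0
    if f.credential_exposed:
        score += 2.0
    return round(min(score, 20.0), 1)


def prioritize(findings):
    """Highest contextual score first; ties broken by raw CVSS, then asset name."""
    return sorted(findings, key=lambda f: (-priority_score(f), -f.cvss, f.asset))


# Constructed findings: note that the highest CVSS is not the top priority.
FINDINGS = [
    Finding("build-agent-07", "VULN-A (placeholder)", 9.8, False, False, False),
    Finding("api-gateway-01", "VULN-B (placeholder)", 8.0, True, True, True),
    Finding("marketing-site", "VULN-C (placeholder)", 6.0, True, False, True),
    Finding("erp-web-02", "VULN-D (placeholder)", 4.0, True, True, False),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{priority_score(f):5} {f.asset:16} cvss={f.cvss} {f.vuln}")
```

With these inputs the internal build agent with a 9.8 drops to third, behind an internet-facing, business-critical gateway under active exploitation and a public marketing site with a lower score but a known exploit. The multipliers and bumps are deliberately simple; the point is that the ordering is driven by context the feed alone does not carry.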
The sheer number of security issues that can arise in one security organization, whether it’s in the SOC or elsewhere, is not necessarily an indicator of the team’s ability to thwart threats and patch vulnerabilities. A modern attack surface includes both on-premises and cloud environments. That kind of sprawl includes scenarios like an identity and access management (IAM) team dealing with millions of distinct identities as each resource and service is assigned a role. Each of those roles has its own exploitable permissions and privileges.
Last year, 88% of organizations reported they planned to increase spending on, among other things, improving alert context and prioritization. Automating processes like risk analysis and workflow frameworks can vastly decrease the complexity and enormity of evaluating which incidents are in the most need of timely remediation.
It’s critical to implement and continuously enforce internal compliance – and regulatory, if applicable – standards that shrink your attack surface as much as possible.
Rigorously adhering to compliance policies can have the benefit of accelerating response time across that smaller attack surface. By also incorporating as much automation as possible, you can reduce the blast radius when an attack or breach does occur. Shifting security left is an example of how those standards can also create a culture of faster response. This means integrating security earlier into the application development and deployment process through continuous template scans, both while builds are taking place and after deployment.
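A template scan of the kind mentioned above is a check that runs against infrastructure code before anything is deployed. The following is an added example, not Rapid7's code or any product's rule set: it walks a parsed CloudFormation-style template and flags the two public-exposure misconfigurations the page's EASM section calls out most often, an S3 bucket without all four public-access blocks enabled and a security group that opens an administrative port to the whole internet. The template dict is constructed (it would normally be loaded from YAML or JSON); the resource names are placeholders, and the list of admin ports is an assumption you would tune to your own standard.

```python
"""Added example (not Rapid7's code): a pre-deployment check that a parsed
CloudFormation-style template does not expose storage or admin ports publicly.
The template dict below is constructed; it would normally come from yaml/json."""

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
ADMIN_PORTS = {22, 3389, 3306, 5432}          # assumed: ssh, rdp, mysql, postgres
ANY_CIDR = {"0.0.0.0/0", "::/0"}

# Constructed template: one weak bucket, one hardened bucket, one bucket with no
# settings at all, and one security group with an over-broad ingress rule.
TEMPLATE = {
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"PublicAccessBlockConfiguration": {
                "BlockPublicAcls": False, "BlockPublicPolicy": True,
                "IgnorePublicAcls": False, "RestrictPublicBuckets": True}},
        },
        "HardenedBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
        },
        "ScratchBucket": {"Type": "AWS::S3::Bucket"},
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
    }
}


def check_template(template):
    """Return (resource_name, message) tuples, one per misconfiguration found."""
    issues = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties", {})
        if rtype == "AWS::S3::Bucket":
            pab = props.get("PublicAccessBlockConfiguration")
            if pab is None:
                issues.append((name, "no PublicAccessBlockConfiguration; public access not blocked"))
            else:
                for key in PAB_KEYS:
                    if pab.get(key) is not True:
                        issues.append((name, f"{key} is not true"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr not in ANY_CIDR:
                    continue                      # restricted source: fine for this check
                if str(rule.get("IpProtocol")) == "-1":
                    issues.append((name, f"all protocols open to {cidr}"))
                    continue
                lo = int(rule.get("FromPort", 0))
                hi = int(rule.get("ToPort", 65535))
                exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
                if exposed:
                    issues.append((name, f"admin ports {exposed} open to {cidr}"))
    return issues


if __name__ == "__main__":
    import sys
    found = check_template(TEMPLATE)
    for name, msg in found:
        print(f"{name}: {msg}")
    sys.exit(1 if found else 0)   # fail the pipeline stage when anything is flagged
```

Wired into a build stage, a non-zero exit blocks the deployment until the template is fixed; the same function can be run against already-deployed templates afterwards, which is the post-deployment half of the continuous scan. Port 443 open to the world is intentionally not flagged here, since that is usually the service being published, while the database port is only flagged when its source is unrestricted.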
As your network grows, your attack surface expands, giving attackers more space to find a way in and exploit it. With contextual threat intelligence and prioritization, as mentioned above, it becomes possible over time to think like an attacker, staying one step ahead and remediating issues before they can be exploited. Automated remediation plays a critical part in the ability to rapidly address one potential threat after another.