Creating an effective defense plan requires understanding the scope of what you're protecting. If you put an alarm system in your home, you know you need sensors on all the doors and windows.
When it comes to defending your corporate network, things are significantly more complicated. Even when users and systems were on premises and in networks companies managed, it was hard to determine all the exploitable entry points. Now, most employees operate in a multi-cloud and work-from-anywhere world, so identifying and defending the attack surface has become even more complex.
To help companies reduce complexity and ensure security, vendors are developing tools and services around attack surface reduction (ASR). If you're interested in ASR or attack surface management (ASM), it's worth learning about what these tools do and where they overlap with current inventory and vulnerability management products.
What is attack surface reduction and management?
Before the cloud, the corporate attack surface was often defined as anything outside the firewall, but that definition doesn't work well today. A modern organization's attack surface extends to anywhere business data flows or is stored, and to every potential entry point into the corporate network.
An organization's attack surface could, for example, extend to the following:
- customer data stored in Salesforce;
- company source code stored in GitHub;
- collaboration documents in Google Workspace;
- application servers and storage buckets housed at Amazon and DigitalOcean; and
- apps, such as WordPress, running on servers.
That's a lot of surface to protect, and it doesn't even account for endpoints. Plus, thanks to DevOps and microservices, an organization's attack surface might change rapidly as new services are added and new code is pushed to production on a daily or even hourly basis.
It's time to get the attack surface under control. One way to do this is with ASR. At a high level, attack surface reduction involves the following:
- continuously determining what your cyber attack surface is;
- taking steps to reduce the attack surface; and
- shoring up protections where reduction is not an option.
How ASR works with existing cybersecurity tools
ASR intersects closely with existing security and management products. An existing orchestration platform, for example, might report when a new container is running, but it can take additional research to understand how that container increases the attack surface: maybe it runs a new REST API used by a production application.
Existing tools don't fully address ASR, and likewise, ASR is not a replacement for existing products. Rather, ASR complements existing tools and can use them as sensors and feeds to a broader ASR program. Some vendors offer ASM tools, which combine aspects of these services into a single console.
But you can start doing ASR now without purchasing ASM. ASR tools can gather data from the following sources.
Inventory management
ASR also requires an inventory of existing devices and systems, but it uses that inventory for a slightly different purpose than inventory management does. ASR asset discovery shines a light on shadow IT. Inventory management is a repository of known systems, while the asset discovery component of ASR scans for all systems, including the ones that haven't made it into the repository yet.
Vulnerability management
Vulnerability management tools scan external, and sometimes internal, systems to determine if an asset is vulnerable to attack. This information can be fed into ASR to prioritize which systems or services need to be addressed to reduce the attack space.
External risk ratings
Vendors perform ongoing assessments of an organization's public-facing security posture. While these assessments are usually not in-depth and don't look at the internal attack surface, external risk rating information can be fed into ASR to hone the plan.
Red teaming and penetration testing
Another excellent set of inputs for ASR is the results from red team or pen testing consultants. These provide expert, hands-on information about where in the surface attackers can get in. This information should be used to prioritize which parts of the surface to better protect or reduce first.
Shrinking the attack surface
Once you've combined findings from the above and done a full asset discovery sweep, it's time to reduce the attack surface. To do so, shrink the attack space where possible by removing unneeded components, gating services, and strategically adjusting what is accessible and from where.
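As an added illustration of the reconciliation step described above (combining asset discovery, the inventory repository and vulnerability findings to decide what to shrink first), here is a small Python script that is not part of the original article or any vendor's ASM product. The hosts, ports and findings are constructed sample data, and the inventory format (an `approved_services` set per asset) is an assumption for the example.

```python
"""Constructed ASR reconciliation: discovery vs. inventory vs. vuln findings."""
from dataclasses import dataclass

# Constructed inventory repository: known assets and the services each one
# is approved to expose.
INVENTORY = {
    "web-01": {"owner": "platform", "approved_services": {443}},
    "api-02": {"owner": "payments", "approved_services": {443, 8443}},
}

# Constructed asset-discovery sweep: every host seen with its open ports,
# including a WordPress test box nobody registered (shadow IT).
DISCOVERED = {
    "web-01": {443, 22},
    "api-02": {443, 8443},
    "wp-test": {80, 22, 3306},
}

# Constructed vulnerability-management findings keyed by (host, port).
VULN_FINDINGS = {("wp-test", 80): "critical", ("web-01", 22): "medium"}
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

@dataclass
class Exposure:
    host: str
    port: int
    reason: str             # why this surface was not planned for
    severity: str = "none"  # filled in from vulnerability findings

def find_unplanned_exposure(inventory, discovered):
    """Return every exposure the inventory repository does not account for."""
    exposures = []
    for host, ports in discovered.items():
        asset = inventory.get(host)
        if asset is None:  # discovery found it, inventory never did
            exposures += [Exposure(host, p, "shadow asset") for p in sorted(ports)]
            continue
        for p in sorted(ports - asset["approved_services"]):
            exposures.append(Exposure(host, p, "unapproved service"))
    return exposures

def prioritize(exposures, findings):
    """Attach vuln severity and sort so the riskiest exposure is reduced first."""
    for e in exposures:
        e.severity = findings.get((e.host, e.port), "none")
    return sorted(exposures, key=lambda e: (-SEVERITY_RANK.get(e.severity, -1), e.host, e.port))

if __name__ == "__main__":
    for e in prioritize(find_unplanned_exposure(INVENTORY, DISCOVERED), VULN_FINDINGS):
        print(f"{e.host}:{e.port:<5} {e.reason:<18} severity={e.severity}")
```

Each line of the output is a candidate for removal (the unregistered test box), gating (SSH exposed on a web server) or hardening where the service has to stay, ordered by the vulnerability data feeding the program.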
Where the attack surface cannot be reduced, harden what remains exposed. Some examples of how to accomplish this in practice are the following: