How to implement an attack surface management program
Keeping attackers away from corporate assets means keeping constant vigilance over the organization's attack surface. An attack surface management program can help.
An attack surface management program, or ASM program, has the following three primary goals:
- Identify and then reduce the size of the IT ecosystem's attack surface.
- Mitigate the security issues and vulnerabilities within the remaining attack surface.
- Continuously monitor the attack surface for changes in both assets and threats and, by extension, trigger remediation actions to take place as needed.
What is an attack surface?
An organization's attack surface is the sum of all of its exposed IT assets, whether secure or vulnerable, known or unknown, or in active use or not. The attack surface includes both internal-facing assets -- e.g., private networks, devices and apps -- and external-facing assets -- e.g., web apps and public cloud services.
Essentially, an attack surface is everything cybercriminals can and will discover on premises, in the cloud, in subsidiary networks and in third-party providers' environments. It includes hardware, software, SaaS, cloud assets, IoT devices and more.
In the era of digital transformation, modern attack surfaces are immense and growing.
What is attack surface management and why is it important?
Attack surface management is a continuous process that includes the following:
- Identification, inventory, classification and monitoring of all of an organization's digital assets, including internal and external assets.
- Assessments of assets' exposure to cyberthreats.
- Analysis and mitigation of potential attack vectors and vulnerabilities.
Attack surface management is essential in protecting sensitive data, achieving and maintaining a strong security posture, and preventing cyberattacks and data breaches.
How to build an attack surface management program
Plenty of ASM vendors promise their products can provide the framework needed to discover, inventory, prioritize and monitor every digital asset. But the truth is that a truly successful attack surface management program is a multistage, multidisciplinary effort requiring board-level support and the close cooperation of security, network, development and HR teams, as well as individual business unit managers.
Step 1. Understand your network and where it's vulnerable
First, security and network teams should tackle asset discovery, reviewing the digital assets threat actors could find should they probe the organization and identifying previously unknown assets.
A digital asset inventory should already exist, but now is a good time to revisit the risk management process, conducting risk assessments if necessary. Check with business units to determine if classifications, business criticality and risk scoring levels are up to date. This enables correct prioritization of asset remediation, based on cyber-risk. This is also an opportunity to identify and remove superfluous or duplicated applications and services -- one of the quickest ways to reduce the attack surface.
Take special care to review DevOps. Developers have a propensity to create and spin up new assets and workloads without necessarily adhering to security policies. They may use third-party services, code and infrastructure, all of which quickly extend the attack surface. Implementing infrastructure as code can contain and prevent many of these problems, as well as stop vulnerable configurations from leaving assets open to attack.
Network segmentation is another important way to reduce the attack surface. Dividing a network into segments splits its surface into smaller areas, making it easier to monitor and control access and traffic flow.
Step 2. Assess ASM platforms and what they should provide
Once the number of known and allowed assets is agreed upon, it is time to choose and deploy an ASM platform to provide continuous visibility into any security gaps that may exist or pop up as the threat landscape and IT environments change.
Take time to evaluate and test attack surface management vendors' capabilities. Key features to look for include the following:
- Automated discovery. Any product should be able to establish the baseline of the attack surface, while limiting false positives. Discovery used to be a manual and time-consuming activity, so ensure there is no requirement for repetitive manual input and the process can be accomplished from just a domain name or IP address.
- Continuous monitoring. Attack surfaces are dynamic, so real-time visibility is critical. Monitoring should prioritize the most urgent security risks, based on the following:
- How likely an asset is to be attacked and its discoverability.
- Threat intelligence and known exploits.
- Ease of exploitation and how vulnerable it may be after it's attacked.
- Complexity of the remediation required.
- Outside-in viewpoint. To effectively defend their networks from attacks, security teams need to see the organization's digital footprint through the eyes of a potential intruder. This enables them to remediate any vulnerabilities or weaknesses before they can be exploited. Ensure the product being evaluated can deliver the ability to analyze the attack surface from a malicious hacker's perspective. This is the exposure that truly matters.
- Actionable alerts. Context and remediation guidance should accompany every alert to aid vulnerability management, enabling security operations teams to focus on the most critical vulnerabilities and react appropriately. Information should include the asset affected, its IP address, its purpose, its owner, and whether it is active and has connections to other assets. This enables teams to assess the importance and the degree of exposure within the environment and determine if the asset should be taken offline, deleted, patched or just monitored.
- Easy integration. The ASM product selected must integrate with existing cybersecurity platforms and services, such as SIEM; security orchestration, automation and response; and extended detection and response. APIs make integration easier.
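As an added example (not code from the article or from any ASM product), the following Python script shows one continuous-monitoring pass: it diffs a constructed discovery result against the approved asset baseline, scores the unexpected assets with the four prioritization factors listed above (the weights are assumptions), and attaches the context fields an actionable alert should carry.

```python
# Added example: one monitoring pass over a constructed asset inventory, using
# the article's prioritization factors. Weights and sample assets are invented.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    ip: str
    owner: str
    external: bool                  # internet-facing, so easy for attackers to find
    active: bool                    # still serving traffic
    connections: list = field(default_factory=list)  # other assets it can reach
    known_exploit: bool = False     # threat intel reports a public exploit
    ease_of_exploit: int = 0        # 0 (hard) .. 3 (trivial)
    remediation_effort: int = 1     # 1 (quick patch) .. 3 (re-architect)

def unexpected_assets(baseline: set, discovered: list) -> list:
    """Assets that discovery found but the approved inventory does not list."""
    return [a for a in discovered if a.name not in baseline]

def risk_score(a: Asset) -> int:
    """Weighted sum of the article's four factors; the weights are constructed."""
    score = 3 if a.external else 1          # likelihood of being discovered
    score += 4 if a.known_exploit else 0    # threat intelligence / known exploits
    score += a.ease_of_exploit              # how easily it can be exploited
    score += 2 if a.active else 0           # live assets are exposed right now
    score += len(a.connections)             # how far a compromise could spread
    score -= a.remediation_effort - 1       # cheap fixes are worth doing first
    return score

def recommended_action(a: Asset) -> str:
    if not a.active:                        # unused asset: remove it from the surface
        return "take offline"
    return "patch" if a.known_exploit else "monitor"

def prioritized_alerts(baseline: set, discovered: list) -> list:
    """Unexpected assets, highest risk first, each with alert context fields."""
    new = sorted(unexpected_assets(baseline, discovered), key=risk_score, reverse=True)
    return [{"asset": a.name, "ip": a.ip, "owner": a.owner, "active": a.active,
             "connections": a.connections, "score": risk_score(a),
             "action": recommended_action(a)} for a in new]

# Constructed sample data: approved inventory plus what a discovery run reported.
APPROVED = {"www", "vpn-gw", "hr-portal"}
DISCOVERED = [
    Asset("www", "203.0.113.10", "web-team", external=True, active=True),
    Asset("staging-api", "203.0.113.22", "dev-team", external=True, active=True,
          connections=["crm-db"], known_exploit=True, ease_of_exploit=3),
    Asset("old-jenkins", "10.0.5.40", "unknown", external=False, active=False),
]
```

Calling `prioritized_alerts(APPROVED, DISCOVERED)` returns the two unlisted assets, with the exposed staging API ranked above the dormant build server; the length of that list per monitoring run is the "unexpected new assets" figure Step 4 tracks.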
Step 3. Put policies and training in place after ASM is introduced
Once the attack surface management program is deployed, assets that have remained hidden or unknown will no doubt emerge. These need to be scrutinized and either removed or protected with appropriate security controls. The security team must ascertain how and why these assets were created so processes and procedures can be put in place to prevent or control their future occurrence.
This is where HR, business unit managers and the team in charge of security awareness training play a crucial role. New processes and procedures have to be embedded into everyday workflows, with associated training tailored to explaining and validating their existence. Development teams need particular attention, especially if these new policies affect application and service development lifecycles.
Take the time to explain ASM's role in protecting the company and the dangers of shadow IT, in addition to reinforcing data and asset protection rules for remote workers. Remote working extends the attack surface and can easily spawn new digital assets.
Now is also an opportune time to revisit the principle of least privilege and ensure roles and privileges are correctly aligned. Ensure your organization has policies in place to prevent ex-employees from expanding the attack surface. These ASM procedures should be carried out following any type of merger, acquisition or takeover to incorporate inherited assets and attack surfaces, as well as when any new technology or services are introduced.
Step 4. Measure ASM platform and program success
After the ASM platform is launched, use metrics to measure its success. You should see a significant drop in the number of unexpected new assets appearing, as well as improved times to vulnerability detection and remediation. In addition, you should see a decline in the number of incidents that escalate to the level of serious or critical.
HR should continue to remind employees, especially those who work remotely, about their responsibility to keep attack surfaces to a minimum. That behavior should be reflected in HR assessments.
Today, an organization's attack surface is increasingly difficult to defend, thanks in part to the migration to cloud platforms and services and decentralized work environments. This is why a comprehensive ASM program is more important than ever before to keep IT ecosystems safe. An attack surface management program helps keep your organization more secure, satisfy many of the key elements of common security frameworks and meet important regulatory compliance standards.
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry.