How to implement an attack surface management program

Keeping attackers away from corporate assets means keeping a constant vigilance over the organization's attack surface. An attack surface management program can help.

An attack surface management program, or ASM program, has three primary goals. The first is to identify and then reduce the size of the IT ecosystem's attack surface; the second, to mitigate the vulnerabilities within the remaining attack surface; and the third, to continuously monitor the attack surface for changes in both assets and threats and, by extension, trigger remediation actions as needed.

Attack surfaces are immense. They are the sum of all of an organization's exposed IT assets. These assets may be secure or vulnerable, known or unknown, in active use or not. Essentially, an attack surface is everything attackers can and will discover on premises, in the cloud, in subsidiary networks and in third-party vendors' environments.

Plenty of ASM vendors promise their products can provide the framework needed to discover, inventory, prioritize and monitor every digital asset. But the truth is that a truly successful attack surface management program is a multistage, multidisciplinary effort requiring board-level support and the close cooperation of security, network, development and HR teams, as well as individual business unit managers.

Step 1: Understand your network and where it's vulnerable

Security and network teams should review the digital assets attackers could discover should they probe the organization. A digital asset register should already exist, but now is a good time to revisit the risk management process. Check with business units to determine if classifications, business criticality and risk impact levels are up to date. This enables asset remediation to be prioritized correctly, based on risk. This is also an opportunity to identify and remove superfluous or duplicated applications and services -- one of the quickest ways to reduce the attack surface.

Take special care to review DevOps. Developers have a propensity to create and spin up new assets and workloads without necessarily adhering to security policies. They may use third-party services, code and infrastructure, all of which quickly extend the attack surface. Implementing infrastructure as code can contain and prevent many of these problems, as well as stop vulnerable configurations from leaving assets open to attack.

Network segmentation is another important way to reduce the attack surface. By dividing a network into segments, its surface is split into smaller areas, making it easier to monitor and control access and traffic flow.

Step 2: Assess ASM platforms and what they should provide

Once the number of known and allowed assets is agreed upon, it is time to choose and deploy an ASM platform to provide continuous visibility into any security gaps that may exist or pop up as the threat landscape and IT environments change. Take time to evaluate and test vendors' capabilities. Among key features to look for are automated discovery, continuous monitoring, outside-in viewpoint, actionable alerts and easy integration.

Automated discovery

Any product should be able to establish the baseline of the attack surface while limiting false positives. Discovery used to be a manual and time-consuming activity, so ensure there is no requirement for repetitive manual input and that the process can be accomplished from just a domain name or IP address.

Continuous monitoring

Attack surfaces are dynamic; real-time visibility is critical. Monitoring should prioritize the most urgent risks based on how likely an asset is to be attacked: its discoverability, known exploits, ease of exploitation, how exposed it remains once attacked, and the complexity of the remediation required. Smart ASM platforms can downgrade vulnerabilities -- even when publicly rated as highly critical -- if an asset resides in an environment where it cannot be exploited.
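The prioritization logic described above, as an added illustration rather than any vendor's scoring model: each finding is weighted by the factors the text lists, and a publicly critical rating is downgraded when the flaw is not exploitable in the asset's environment. Asset names, vulnerability IDs and weights are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One vulnerability on one asset, with the exposure factors the text lists."""
    asset: str
    vuln_id: str               # constructed placeholder, not a real advisory number
    public_severity: float     # published base score, 0-10, as rated externally
    internet_facing: bool      # discoverable from the outside-in view
    known_exploit: bool        # public exploit code exists
    ease_of_exploit: float     # 0.0 (hard, authenticated) .. 1.0 (trivial, unauthenticated)
    remediation_effort: float  # 0.0 (apply a patch) .. 1.0 (re-architect)
    exploitable_in_env: bool   # vulnerable component actually reachable/enabled here

# Constructed sample findings; hostnames and scores are invented for illustration.
SAMPLE = [
    Finding("vpn-gw-01", "VULN-0001", 9.8, True, True, 1.0, 0.2, True),
    Finding("build-runner-07", "VULN-0002", 9.8, False, True, 0.5, 0.1, False),
    Finding("intranet-wiki", "VULN-0003", 6.5, False, False, 0.4, 0.6, True),
]

def likelihood(f: Finding) -> float:
    """Weight (0..1) for how likely the asset is to be attacked at all."""
    score = 0.2                  # baseline: any asset can eventually be reached
    if f.internet_facing:
        score += 0.4             # discoverability drives attacker attention
    if f.known_exploit:
        score += 0.25
    score += 0.15 * f.ease_of_exploit
    return min(score, 1.0)

def prioritize(f: Finding) -> dict:
    """Environment-aware priority: public rating scaled by real-world likelihood."""
    if not f.exploitable_in_env:
        # The downgrade the text describes: a critical public rating becomes
        # informational when the flaw cannot be exploited in this deployment.
        return {"asset": f.asset, "vuln_id": f.vuln_id, "priority": 0.0,
                "tier": "informational",
                "reason": f"rated {f.public_severity} publicly; not exploitable here"}
    priority = round(f.public_severity * likelihood(f), 2)
    tier = ("critical" if priority >= 7 else "high" if priority >= 4
            else "medium" if priority >= 1 else "low")
    return {"asset": f.asset, "vuln_id": f.vuln_id, "priority": priority,
            "tier": tier, "reason": f"likelihood {likelihood(f):.2f}"}

def remediation_queue(findings: list[Finding]) -> list[str]:
    """Highest priority first; among equals, the cheaper fix goes first."""
    ranked = sorted(findings,
                    key=lambda f: (-prioritize(f)["priority"], f.remediation_effort))
    return [f.asset for f in ranked]
```

Running `remediation_queue(SAMPLE)` puts the internet-facing VPN gateway first and the build runner last, even though both carry the same 9.8 public rating.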

Outside-in viewpoint

To effectively defend their networks from attacks, security teams need to see the organization's digital footprint through the eyes of a potential intruder. This enables them to remediate any vulnerabilities or weaknesses before they can be exploited. Ensure the product being evaluated can deliver the ability to analyze the attack surface from an external attacker's perspective. This is the exposure that truly matters.

Actionable alerts

Context and remediation guidance should accompany every alert to let security teams focus on the most critical vulnerabilities and react appropriately. Information should include the asset affected, its IP address, its purpose, its owner and whether it is active and has connections to other assets. This enables teams to assess the importance and the degree of exposure within the environment and determine if the asset should be taken offline, deleted, patched or just monitored.

Easy integration

The ASM product selected must integrate with existing cybersecurity platforms and services, such as SIEM, security orchestration, automation and response (SOAR), and extended detection and response (XDR). APIs will make integration easier.

Step 3: Put policies and training in place after ASM is introduced

Once the attack surface management program is deployed, it will no doubt discover assets that have remained hidden or unknown. These will need to be scrutinized and removed or secured if required. The security team must ascertain how and why these assets were created so processes and procedures can be put in place to prevent or control their future occurrence.

This is where HR, business unit managers and the team in charge of security awareness training play a crucial role. New processes and procedures will have to be embedded into everyday workflows, with associated training tailored to explaining and validating their existence. Development teams need particular attention, especially if these new policies affect application and service development lifecycles.

Take the time to explain ASM's role in protecting the company and the dangers of shadow IT in addition to reinforcing data and asset protection rules for remote workers. Remote working extends the attack surface and can easily spawn new digital assets. Now is also an opportune time to revisit the principle of least privilege and ensure roles and privileges are correctly aligned. Ensure your organization has policies in place to prevent ex-employees from expanding the attack surface. These ASM procedures should be carried out following any type of merger, acquisition or takeover to incorporate inherited assets and attack surfaces, as well as when any new technology or services are introduced.

Step 4: Measure ASM platform and program success

After the ASM platform is launched, use metrics to measure its success. You should see a significant drop in the number of unexpected new assets appearing, as well as improved times to vulnerability detection and remediation. In addition, you should see a decline in the number of incidents that escalate to the level of serious or critical.
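The metrics named above, computed over constructed data as an added example (not from the article or any ASM product): the Step 1 asset register is reconciled against monthly discovery snapshots to count unexpected assets, and finding timestamps give detection-to-remediation times and the open serious backlog. Hostnames, dates and severities are invented.

```python
from datetime import date

# Constructed asset register (Step 1) and monthly discovery snapshots from the
# ASM platform; hostnames and dates are invented for illustration.
REGISTER = {"www.example.com", "vpn.example.com", "mail.example.com"}
SNAPSHOTS = {
    "2022-03": {"www.example.com", "vpn.example.com", "mail.example.com",
                "old-demo.example.com", "staging-api.example.com"},
    "2022-04": {"www.example.com", "vpn.example.com", "mail.example.com",
                "staging-api.example.com"},
    "2022-05": {"www.example.com", "vpn.example.com", "mail.example.com"},
}
# Constructed findings: severity plus when the platform detected and when the
# owning team remediated each one (None = still open).
FINDINGS = [
    {"asset": "old-demo.example.com", "severity": "critical",
     "detected": "2022-03-02", "remediated": "2022-03-20"},
    {"asset": "staging-api.example.com", "severity": "high",
     "detected": "2022-04-05", "remediated": "2022-04-08"},
    {"asset": "vpn.example.com", "severity": "medium",
     "detected": "2022-05-10", "remediated": None},
]

def unexpected_assets(register: set, snapshot: set) -> list:
    """Discovered hosts absent from the register: the unknown assets Step 3 describes."""
    return sorted(snapshot - register)

def unexpected_trend(register: set, snapshots: dict) -> dict:
    """Unexpected assets per period; the count should fall as new controls take hold."""
    return {p: len(unexpected_assets(register, s)) for p, s in sorted(snapshots.items())}

def mean_time_to_remediate(findings: list, period: str):
    """Average detection-to-fix time in days for findings detected in a period."""
    days = [(date.fromisoformat(f["remediated"]) - date.fromisoformat(f["detected"])).days
            for f in findings if f["remediated"] and f["detected"].startswith(period)]
    return sum(days) / len(days) if days else None

def open_serious_findings(findings: list) -> list:
    """Unremediated findings rated high or critical: the backlog that should shrink."""
    return [f["asset"] for f in findings
            if f["remediated"] is None and f["severity"] in ("critical", "high")]

def scorecard(register: set, snapshots: dict, findings: list) -> dict:
    """The program-level view a security lead would report each period."""
    return {
        "unexpected_assets": unexpected_trend(register, snapshots),
        "mttr_days": {p: mean_time_to_remediate(findings, p) for p in sorted(snapshots)},
        "open_serious": open_serious_findings(findings),
    }
```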

HR should continue to remind employees, especially those who work remotely, about their responsibility to keep attack surfaces to a minimum. That behavior should be reflected in HR assessments.

Today's organizational attack surface is increasingly difficult to defend, thanks in part to the migration to cloud platforms and services and to decentralized work environments. This is why a comprehensive ASM program is more important than ever to keep IT ecosystems safe. An attack surface management program helps keep your organization more secure, satisfies many of the key elements of common security frameworks and helps meet important regulatory compliance standards.

This was last published in May 2022