How to reduce risk with cloud attack surface management
Attack surfaces continue to expand, fueled in part by the cloud. Attack surface management is a key way to identify vulnerable assets and reduce the risk to a corporate network.
Attack surface management (ASM) is the set of controls and services designed to find enterprise assets and systems exposed to attack and to reduce the risk they carry.
That exposure has grown significantly with the advent of cloud services, giving ASM an even more important role to play. The rapid deployment and proliferation of cloud infrastructure and related components -- among them identities, identity policies and storage nodes -- have substantially expanded the attack surface. As a result, cloud attack surface management can pose a challenge to security teams.
When addressing the cloud attack surface, consider the following:
- Exposed asset discovery and monitoring.
- Attack surface exposure and risk validation.
- Subsidiary and M&A risk -- often related to cloud services and deployments.
- Supply chain risk tracking -- also often tied to cloud services.
- Cloud-specific asset discovery and configuration management.
ASM: A comprehensive approach to security
ASM combines vulnerability discovery and risk management with an attacker's perspective on the assets an organization exposes. Comprehensive cloud ASM encompasses cloud workloads and services exposed directly to the internet, as well as internal services that interact with each other and can be reached once an attacker has a foothold.
Security teams can assess the potential of cloud-based threats and vulnerabilities in several ways. The first is to use cloud-native services capable of discovering assets and generating reports about configuration states and other risks.
All leading IaaS providers offer native services that collect and report on asset and threat findings, among them Amazon GuardDuty, Microsoft Defender for Cloud (formerly Azure Security Center) and Google Cloud's Security Command Center. GuardDuty and Microsoft Sentinel also map findings to the attack techniques and phases described in industry frameworks such as MITRE ATT&CK.
If it's economically feasible, enterprises should use these services to let their security teams assess potential vulnerabilities and risks and compare them against leading industry benchmarks from the Center for Internet Security (the CIS Benchmarks for AWS, Azure and Google Cloud), the Cloud Security Alliance and the cloud providers themselves. Other services, such as AWS Systems Manager Inventory and AWS Config, supply deeper insight into configuration state and drift over time, while the inventory view in Defender for Cloud pinpoints cloud assets and their posture.
Other cloud ASM tools include Attack Surface Management for Google Cloud from Mandiant, part of Google Cloud, which lets customers identify potential attack opportunities. It also integrates with AWS and Azure to provide a central view of all the cloud services in use.
Features to look for in an ASM product
Teams assessing cloud ASM tools should keep the following factors in mind, particularly if they use multiple cloud providers:
- False positives. Asset discovery does not always produce accurate results, especially when a tool emulates an unauthenticated attacker and has no dedicated credentials or access keys with which to confirm what it finds. Review all findings and confirm them before remediating or triggering any automated response or remediation action.
- Completeness. Vendors offer varying degrees of breadth and depth in discovery of assets and security posture. For example, some are better at finding cloud assets in certain cloud service environments than others. Perform validation during any proof-of-concept testing.
- Risk scoring. Each provider uses its own models for developing and assigning risk scores, and not all of them are particularly complete or wholly accurate. Look for tools that let customers modify risk scoring and ranking based on context and other factors, as well as products that offer flexibility to test a variety of cloud configuration and vulnerability frameworks.
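The exposure-discovery step described under cloud-native services, and the confirm-before-remediate and context-adjustable scoring points in the feature list above, as an added example that is not code from the article or from any vendor product. It runs offline on a constructed inventory shaped like the output of `aws ec2 describe-security-groups` (no API calls are made); ADMIN_PORTS, ENV_WEIGHT, the `public-by-design` tag and the score values are assumptions chosen for illustration.

```python
"""Added example: find internet-exposed security-group rules in a constructed
inventory and rank them with context-adjustable scores. Not the article's or any
vendor's code; the inventory mimics `aws ec2 describe-security-groups` output and
ADMIN_PORTS, ENV_WEIGHT, the public-by-design tag and scores are assumptions."""
from dataclasses import dataclass

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
ADMIN_PORTS = {22, 3389}          # assumption: SSH and RDP count as admin ports
WEB_PORTS = {80, 443}
ENV_WEIGHT = {"prod": 2, "staging": 0, "dev": -2, "unknown": 1}  # assumption
AUTO_REMEDIATE_AT = 9

# Constructed sample: a web tier that is public by design, a legacy bastion that
# exposes SSH and RDP, and a dev sandbox open on all ports.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-alb",
     "Tags": [{"Key": "environment", "Value": "prod"},
              {"Key": "public-by-design", "Value": "true"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
    {"GroupId": "sg-0e9f8a7b", "GroupName": "bastion-legacy",
     "Tags": [{"Key": "environment", "Value": "prod"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,   # internal only
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0dev1234", "GroupName": "dev-sandbox",
     "Tags": [{"Key": "environment", "Value": "dev"}],
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
]

@dataclass
class Finding:
    group_id: str
    protocol: str
    from_port: int
    to_port: int
    environment: str
    public_by_design: bool
    confirmed: bool = False  # set only after a human or credentialed check

def tags_of(group):
    return {t["Key"]: t["Value"] for t in group.get("Tags", [])}

def open_to_world(perm):
    """True if any source range of the rule is the entire IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def find_exposures(groups):
    """One Finding per inbound rule reachable from anywhere on the internet."""
    findings = []
    for g in groups:
        tags = tags_of(g)
        for perm in g.get("IpPermissions", []):
            if open_to_world(perm):
                # "-1" (all traffic) rules carry no FromPort/ToPort in the API output.
                findings.append(Finding(
                    g["GroupId"], perm["IpProtocol"],
                    perm.get("FromPort", 0), perm.get("ToPort", 65535),
                    tags.get("environment", "unknown"),
                    tags.get("public-by-design") == "true"))
    return findings

def base_score(f):
    """Severity from what the rule exposes, before any business context."""
    if f.protocol == "-1":
        return 10
    if any(f.from_port <= p <= f.to_port for p in ADMIN_PORTS):
        return 8
    if any(f.from_port <= p <= f.to_port for p in WEB_PORTS):
        return 3
    return 5

def score(f):
    """Context-adjusted score: accepted web exposure first, then environment weight."""
    base = base_score(f)
    if f.public_by_design and base <= 3:
        return 1  # an intentionally public web listener is not a finding
    return max(0, min(10, base + ENV_WEIGHT.get(f.environment, ENV_WEIGHT["unknown"])))

def rank(findings):
    return sorted(findings, key=lambda f: (-score(f), f.group_id, f.from_port))

def auto_remediable(findings, threshold=AUTO_REMEDIATE_AT):
    """Only confirmed, high-score findings may feed an automated response."""
    return [f for f in findings if f.confirmed and score(f) >= threshold]

if __name__ == "__main__":
    for f in rank(find_exposures(SECURITY_GROUPS)):
        print(f"{score(f):2d} {f.group_id} {f.protocol}/{f.from_port}-{f.to_port} "
              f"env={f.environment} confirmed={f.confirmed}")
```

Run as-is, the script ranks the bastion's SSH and RDP rules at 10, the dev sandbox's all-traffic rule at 8 and the tagged web listener at 1, yet `auto_remediable` returns nothing until a finding's `confirmed` flag is set, which is the point of the false-positive caveat above: discovery output drives triage, not unattended remediation. In a real deployment the inventory would come from the provider's API and ENV_WEIGHT and the accepted-exposure tag would be replaced by whatever context your own asset register records.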
Cloud attack surface management is quickly dovetailing with other cloud management strategies, such as cloud security posture management and breach and attack simulation. To that end, don't just ask prospective vendors about their current capabilities. Instead, ask them about their projected roadmaps to expand and enhance their products' coverage, especially for organizations with multi-cloud deployments -- these kinds of tools are likely to become more important to both security and cloud engineering teams.