3 Critical Mistakes in Attack Surface Management and How to Resolve Them
January 17, 2023 No Commentsby Jeff Broth
Attack surface management (ASM) has become one of the more popular buzzwords in cybersecurity recently. As the threat landscape evolves and organizations adapt to changing IT environments, managing the attack surface effectively has become more important than ever.
An organization's attack surface is the set of all points through which a threat actor could attempt to gain unauthorized access to networks, devices, accounts, and other IT assets. It includes workstations, network file servers, application servers, firewalls, switches, mobile and IoT devices, and every other exposed endpoint, service, or account. The number of potential targets grows as organizations grow and adopt more technology. Reports from 2022 describe endpoint sprawl as work-from-home arrangements and the use of nontraditional endpoints surged.
The growth of the attack surface makes threats harder to manage, especially for large organizations with complex IT infrastructure and a broad range of assets. Three challenges stand out: security visibility, over-reliance on conventional scanning, and the choice of ASM solution.
Security visibility failure
Effective attack surface management calls for the ability to adequately account for all the IT assets, apps, accounts, security controls, and other related components in an organization’s network. All assets exposed to cyber risks should be known to the cybersecurity team. High-risk exploitable vulnerabilities must be identified, prioritized according to urgency, and addressed accordingly.
The Equifax breach in 2017, which exposed the personal information of roughly 147 million people, is one of the best-known examples of a visibility failure. The attackers exploited a known vulnerability in Apache Struts (CVE-2017-5638) on a public-facing web application that Equifax had not patched, in part because the company lacked a complete inventory of the systems running the vulnerable component. An expired certificate on its network traffic inspection device also meant that encrypted traffic, including the attackers' data exfiltration, went uninspected for months.
Shadow IT is prevalent in most organizations: hardware, software, and network connections that nobody has accounted for. It arises for a number of reasons, including a lack of meticulous IT security policies, a poorly executed digital transformation, poorly defined security procedures, and loose ends left behind by mergers and acquisitions.
Companies new to remote work and BYOD, for example, struggle to identify and monitor the devices, apps, cloud accounts, and connections their employees use. Likewise, organizations that retire or replace equipment and software often fail to remove those endpoints from the network completely; they remain unmonitored but still usable as points of entry.
Much of the visibility problem comes from the tendency of organizations to take an inside-out approach driven by a defensive mindset. Some fixate on deploying as many security controls as possible without checking whether parts of the attack surface fall outside those controls. An unknown or unaccounted-for asset is unlikely to be protected, because the defensive tooling meant to secure it does not know it exists.
Poor visibility can be addressed with platforms that automate the discovery of IT assets and vulnerabilities, ideally from the outside in, the way an attacker would see the organization. Discovery does not need to be done by hand: it can be automated and run continuously, with a risk-based approach that emphasizes comprehensive coverage of the attack surface. The important follow-up step is to reconcile what discovery finds with what the asset inventory says exists, since the gap between the two is where shadow IT and supposedly retired systems hide.
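The reconciliation step described above, as an added example that is not part of the original article or any vendor's product. It takes a constructed CMDB export and a constructed set of discovery results (the kind an external DNS enumeration and address-space sweep would return) and reports hosts nobody recorded, "decommissioned" hosts that still answer, and inventory entries that discovery could not find. All hostnames, addresses, and owners are made up.

```python
"""Reconcile observed assets with the asset inventory to surface shadow IT
and "retired" hosts that are still reachable.
Added example; every record below is constructed, not real data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    owner: str
    status: str  # "active" or "decommissioned"


# Constructed CMDB export: what the organization believes it owns.
INVENTORY = [
    Asset("web01.example.test", "203.0.113.10", "platform", "active"),
    Asset("vpn.example.test", "203.0.113.20", "netops", "active"),
    Asset("mail.example.test", "203.0.113.25", "it", "active"),
    Asset("legacy-ftp.example.test", "203.0.113.30", "finance", "decommissioned"),
]

# Constructed discovery results: (host, ip, open TCP ports) as an external
# sweep would record them. Note the two entries the inventory gets wrong.
DISCOVERED = [
    ("web01.example.test", "203.0.113.10", (443,)),
    ("vpn.example.test", "203.0.113.20", (443, 1194)),
    ("legacy-ftp.example.test", "203.0.113.30", (21,)),     # should be gone
    ("dev-jenkins.example.test", "203.0.113.44", (8080,)),  # nobody recorded it
]


def reconcile(inventory, discovered):
    """Return findings in three categories:
    - 'unknown': reachable hosts absent from the inventory (shadow IT)
    - 'zombie':  inventory says decommissioned, but the host still answers
    - 'stale':   inventory says active, but discovery saw nothing
    Each finding is a (host, ip, ports) tuple."""
    by_ip = {a.ip: a for a in inventory}
    seen = set()
    findings = {"unknown": [], "zombie": [], "stale": []}
    for host, ip, ports in discovered:
        seen.add(ip)
        asset = by_ip.get(ip)
        if asset is None:
            findings["unknown"].append((host, ip, ports))
        elif asset.status == "decommissioned" and ports:
            findings["zombie"].append((host, ip, ports))
    for a in inventory:
        if a.status == "active" and a.ip not in seen:
            findings["stale"].append((a.host, a.ip, ()))
    return findings


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, DISCOVERED).items():
        for host, ip, ports in items:
            print(f"{category:8} {host} ({ip}) ports={list(ports)}")
```

The "unknown" and "zombie" lists are the actionable attack surface: both are reachable and neither is covered by whatever controls the inventory drives. The "stale" list is a data-quality signal; a host that is in the inventory but never observed may be down, moved, or simply misrecorded, and the inventory is wrong either way.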
Reliance on conventional security scanners
Many organizations continue to use traditional cybersecurity scanning systems. These may help automate tedious tasks, but they have significant limitations.
For one, conventional scanners run periodically and produce point-in-time results rather than real-time information. Ports, for example, open and close as services are started, stopped, or reconfigured. A periodic scan that shows no exposed ports does not guarantee security: a port may be opened after the scan and closed again before the next one, leaving a window of exposure the scanner never sees.
Conventional scanners also lack context. Organizations run many security tools covering different parts of their operations, and a finding from one tool can look harmless in isolation. The same finding can be urgent once it is correlated with what the other tools know, such as whether the host is internet-facing, how critical it is, and whether the issue is being actively exploited.
Additionally, conventional scanners cannot verify their findings or rank them by risk. Urgent alerts end up buried in a deluge of low-priority notifications and false positives, and the vulnerabilities that matter are not addressed in time.
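The two problems above, transient exposures that a point-in-time scan misses and findings that cannot be ranked without context, as added examples that are not from the original article or any scanner. The first part keeps a short history of constructed port-scan snapshots and reports ports that were open at some point but not in the latest snapshot, exactly the exposures a single periodic scan would report as safe. The second part takes constructed scanner findings, enriches them with constructed inventory context and a constructed list of actively exploited issues, and ranks them; the scoring weights are illustrative assumptions, not a published scheme.

```python
"""Part 1: detect exposures a single periodic scan would miss.
Part 2: correlate raw findings with asset context before ranking them.
Added example; snapshots, findings, assets and weights are all constructed."""
from collections import defaultdict

# Constructed snapshots: (timestamp, host, open TCP ports), as a continuous
# monitor would record them every few minutes.
SNAPSHOTS = [
    ("2023-01-10T08:00", "db01", frozenset({5432})),
    ("2023-01-10T08:05", "db01", frozenset({5432, 22})),    # SSH opened briefly
    ("2023-01-10T08:10", "db01", frozenset({5432})),
    ("2023-01-10T08:00", "app01", frozenset({443})),
    ("2023-01-10T08:05", "app01", frozenset({443, 8080})),  # debug port appears
    ("2023-01-10T08:10", "app01", frozenset({443, 8080})),
]


def exposure_history(snapshots):
    """Group observations per host in time order: {host: [(ts, ports), ...]}."""
    hist = defaultdict(list)
    for ts, host, ports in sorted(snapshots, key=lambda s: (s[0], s[1])):
        hist[host].append((ts, ports))
    return hist


def transient_exposures(snapshots):
    """Ports seen open at least once but closed in the host's latest snapshot.
    A scan taken only at the latest time would report these as safe."""
    out = {}
    for host, obs in exposure_history(snapshots).items():
        ever_open = set().union(*(ports for _, ports in obs))
        missed = ever_open - obs[-1][1]
        if missed:
            out[host] = sorted(missed)
    return out


def new_exposures(snapshots):
    """Ports open now that were not open in the first snapshot: the change a
    baseline scan would not learn about until its next scheduled run."""
    out = {}
    for host, obs in exposure_history(snapshots).items():
        added = obs[-1][1] - obs[0][1]
        if added:
            out[host] = sorted(added)
    return out


# Constructed scanner output: the scanner knows nothing about the host.
FINDINGS = [
    {"id": "F1", "host": "10.0.0.5", "port": 3389, "issue": "rdp-exposed"},
    {"id": "F2", "host": "10.0.0.9", "port": 8080, "issue": "outdated-web-framework"},
    {"id": "F3", "host": "10.0.0.12", "port": 22, "issue": "ssh-weak-mac"},
    {"id": "F4", "host": "10.0.0.5", "port": 80, "issue": "http-trace-enabled"},
]

# Constructed inventory context and threat-intel flag.
ASSETS = {
    "10.0.0.5": {"internet_facing": True, "criticality": "high"},
    "10.0.0.9": {"internet_facing": True, "criticality": "medium"},
    "10.0.0.12": {"internet_facing": False, "criticality": "low"},
}
ACTIVELY_EXPLOITED = {"outdated-web-framework", "rdp-exposed"}

# Illustrative weights (assumption): exposure and exploitation evidence
# dominate; hygiene issues on internal low-value hosts rank last.
WEIGHTS = {"internet_facing": 40, "actively_exploited": 40,
           "criticality": {"high": 20, "medium": 10, "low": 0}}


def score(finding, assets, exploited, weights=WEIGHTS):
    """Return (score, reasons) for one finding given the asset context."""
    ctx = assets.get(finding["host"])
    if ctx is None:
        # Cannot be validated against the inventory: a visibility gap in
        # its own right, surfaced separately rather than silently scored.
        return 0, ["host not in inventory"]
    s, why = 0, []
    if ctx["internet_facing"]:
        s += weights["internet_facing"]
        why.append("internet-facing")
    if finding["issue"] in exploited:
        s += weights["actively_exploited"]
        why.append("actively exploited")
    s += weights["criticality"][ctx["criticality"]]
    why.append(f"criticality={ctx['criticality']}")
    return s, why


def prioritize(findings, assets, exploited):
    """Rank findings by contextual score, highest first (stable on ties)."""
    ranked = [(score(f, assets, exploited), f) for f in findings]
    ranked.sort(key=lambda r: -r[0][0])
    return [(f["id"], s, why) for (s, why), f in ranked]
```

On the constructed data, the latest snapshot alone would show db01 with only its database port, hiding the brief SSH exposure; and without context the weak-MAC finding on an internal lab host looks as serious as the actively exploited framework on an internet-facing server. Both outputs are only as good as the inventory feeding them, which is why the visibility problem has to be solved first.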
The answer is to move to platforms that validate findings continuously, enrich them with current threat intelligence, and map them to a common framework such as MITRE ATT&CK (a knowledge base of adversary tactics and techniques rather than a vulnerability feed). Some vendors add machine learning for triage; its value depends on the data it is trained on, so treat it as an aid to prioritization rather than a substitute for verifying findings. Automation combined with up-to-date threat intelligence also makes continuous monitoring practical, which shrinks the window during which a new exposure can be exploited.
It also helps to employ additional discovery approaches: human-driven assessments such as penetration tests and red-team exercises, an asset reconnaissance solution, and an open-scope bug bounty program. Automated scanning should not be the only route to attack surface discovery and management.
Poor choice of attack surface management solution
A report on attack surface management challenges found that around 48 percent of organizations using ASM solutions plan to end their subscriptions. The top reasons given were the cost of licensing, the cost of operation and maintenance, the amount of training and support required, misaligned value to the business, and an inadequate set of features and functions in the platform they are using.
In other words, nearly half of ASM platform users plan to drop their current tools, a notably large share that appears to have lost faith in ASM. A closer look at the survey reveals something more interesting: about 20 percent of respondents intend to terminate their subscription in order to find an alternative, while 28 percent want to stop without any replacement.
The 20 percent are optimistic that another platform will let them manage their attack surface more efficiently. The survey shows that organizations rank the following as the most important features in the ASM platform they want: integration with SOAR/SIEM platforms, dynamic risk and reputation evaluation, and IT asset inventory and classification.
The larger group, the 28 percent, seems to have given up on ASM altogether, and that disillusionment is largely driven by the ineffectiveness of the tool they used. This is why the selection of an ASM solution deserves careful scrutiny. An ineffective platform not only wastes part of the IT budget but also leaves the organization exposed to threats that can result in financial loss or serious reputational damage.
In conclusion
Attack surface management can be challenging, but it would be dangerous to regard it as optional. ASM is a crucial part of enterprise security, and leaving it out of the overall security posture yields no benefit. Poor security visibility, over-reliance on conventional scanners, and the wrong choice of ASM platform are all problems that are comparatively easy to solve.