Understanding Attack Surface Management

The key to protecting your organization and preventing cyberattacks

What is attack surface management?

Attack surface management is the continuous process of discovering, classifying and assessing the security of all of an organization’s assets. This vital risk management process is now being aided by various attack surface management solutions available in the market.

With the rush to digital transformation, your attack surface has both grown exponentially and become immeasurably harder to define and defend. Add to that the rise in cyberattacks and breaches, and it’s evident why continuous attack surface management is imperative.

How to engage in attack surface management

Effective attack surface monitoring and management is a process that enables you to continuously discover, classify and assess the security of your IT ecosystem. The work that attack surface management tools perform can be broadly divided into two categories:

  • Activities performed in managing internet-exposed assets (a process called external attack surface management, or EASM)
  • Management activities on assets accessible only from within an organization

What is an attack surface?

An attack surface is the sum of an organization’s attacker-exposed IT assets, whether these digital assets are secure or vulnerable, known or unknown, in active use or not, and regardless of IT or security team awareness of them.

An organization’s attack surface changes continuously over time, and includes digital assets that are on-premises, in the cloud, and in subsidiary networks, as well as those in third-party vendors' environments. Due to this complex web, cyber asset attack surface management tools are becoming more critical.

Your Attack Surface

  • 84% of business, IT, and security managers say that cyber-risk is greater than it was two years ago
  • 68% of organizations have experienced a cyber attack that began from an unknown, unmanaged, or poorly-managed company asset
  • 75% believe that they will experience this type of cyber attack again

Why is Attack Surface Management (ASM) important?

You don’t have to look far to find stories about the danger of ever-growing attack surfaces.

Take the SolarWinds attacks in which malware was introduced via organizations’ supply chains, routes that are often overlooked on the assumption that they are implicitly secure. This exploit continues to turn up victims, including the email systems of government and international aid agencies that have been critical of the alleged perpetrators.

Another oft-forgotten attack vector is out-of-date software and hardware that is still in use, such as the exploited remote code execution vulnerabilities that have existed on Microsoft Exchange servers as far back as 2010. Remote code execution vulnerabilities were also exploited in attacks against Accellion customers using the company’s legacy File Transfer Appliance (FTA).

Ransomware, as demonstrated by the recent Colonial Pipeline attack, is another example. The attack targeted remote services such as Citrix, Remote Desktop Web (RDWeb), or remote desktop protocol (RDP) to initially gain unauthorized access. Because organizations are working with largely-remote workforces due to the pandemic, the timing couldn’t have been worse.

In each of these breaches, attackers made their way in through a route that was either unknown to security or considered unimportant. Given the vast number of devices and services spanning your enterprise, it is easy to see how something could be overlooked, especially if you are examining your attack surface from the perspective of most security teams – that is to say, the inside out.

But that's not how attackers think.

Today’s sophisticated attacks involve extensive, automated reconnaissance efforts that analyze your attack surface from the outside in. This perspective often reveals a completely different picture of the only attack surface that matters – the one attackers can exploit.

The only way to effectively defend against attacks is to take an attack surface management approach that provides the same continuous visibility into your security gaps as attackers have – outside in – so you can remediate issues before they are exploited.

Summer 2023 Edition

Web Apps are Leaving PII Exposed

State of External Exposure Management Report

Download CyCognito’s State of External Exposure Management Report to learn key recommendations that your Security teams can implement to improve their exposure management strategy and minimize risk.


Attack Surface Protection with CyCognito

When you are ready to go beyond legacy systems to manage your cybersecurity risks, the CyCognito attack surface management solutions can help elevate your continuous discovery, testing and vulnerability management. They preempt cyber attacks such as ransomware and help satisfy key elements of most common security frameworks and many regulatory compliance standards.

The attack surface management platform component achieves this by discovering and testing the security controls across your entire digital attack surface, prioritizing what needs to be fixed first, integrating with and orchestrating existing workflows, and automatically validating remediation.

How does attack surface management protect from cyberattacks?

Effective attack surface management is a continuous, five-step process used to keep your organization up-to-date with the most important attack vectors.

Discovery

Discover assets.

You can’t manage an asset if you don’t know it exists. Most enterprises have a surprising variety of “unknown unknowns,” such as assets housed on partner or third-party sites, workloads running in public cloud environments, IoT devices, abandoned or deprecated IP addresses and credentials, services enabled by Shadow IT, and more. Legacy tools and processes can easily miss these attack surface assets, but they can be found quickly by a modern attack surface management program and solution using the same sophisticated reconnaissance techniques as attackers.

Get Context

Classification and attribution show the relationships of your assets.

Because not all attack vectors are created equal, business context and ownership are vital parts of attack surface management. However, legacy tools and processes don’t typically provide context in a consistent way, making it difficult to prioritize fixes. An effective attack surface management approach requires information about each asset, such as its IP address, device type, whether it is in current use, its purpose, its owner, its connections to other assets, and possible vulnerabilities contained within it. This can help your security team prioritize the cyber risk and determine if the asset should be taken down or deleted, patched, or simply monitored.

Advanced Security Testing

Test continuously.

You can’t just superficially test your cyber attack surface once. Every day it continues to grow as you add new devices, users, workloads and services. As it grows, the security risk grows too: not just the risk of new vulnerabilities, but also misconfigurations, data exposures or other security gaps. It’s important to test for all possible attack vectors, and it’s important to do it continuously to prevent your understanding from becoming outdated.

Prioritization

Intelligent prioritization assists in ruling your risks.

The list of potential attack vectors you discover is almost certain to be more than your security team can validate and your IT team can possibly remediate. That’s why it’s important that you’ve collected all of that context so you can use it to determine where to focus the remediation teams’ efforts. Using criteria such as ease of exploitation, discoverability, attacker priority and remediation complexity, in addition to business context, helps ensure you prioritize the most urgent risks.

Remediate

Accelerate your risk remediation.

Once your attack surface is thoroughly mapped and contextualized, you can then begin the work of remediation in order of priority. To make your remediation as effective as possible, it’s a best practice to find ways to facilitate (and even automate) information handoff from the tools and teams that understand the risks and their priorities (typically security operations teams) to those teams responsible for doing the work of eliminating them (IT operations teams). Sharing business context and how-to-fix information streamlines the process and helps establish trust.
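
The context and prioritization steps above can be sketched as a small triage routine. This is an added example, not CyCognito's code or scoring model: the field names, the 1-5 rating scale, the weights and the take down/patch/monitor rule are assumptions chosen for illustration, and the inventory is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed weights in percent (not from the page). Remediation complexity is
# inverted into "simplicity" so that easier fixes rank higher at equal risk.
WEIGHTS = {"ease_of_exploitation": 30, "discoverability": 20,
           "attacker_priority": 20, "business_context": 20,
           "remediation_simplicity": 10}

@dataclass
class Asset:
    ip: str
    device_type: str
    purpose: str
    owner: Optional[str]   # None means nobody has been attributed yet
    in_use: bool
    ratings: dict          # each criterion rated 1 (low) to 5 (high)
    connections: list = field(default_factory=list)
    findings: list = field(default_factory=list)

def score(asset):
    r = dict(asset.ratings)
    r["remediation_simplicity"] = 6 - r.pop("remediation_complexity")
    return sum(WEIGHTS[k] * r[k] for k in WEIGHTS) / 100   # 1.0 .. 5.0

def action(asset):
    if not asset.in_use:
        return "take down"     # unused exposure is removed, not maintained
    return "patch" if asset.findings else "monitor"

def triage(assets):
    ranked = sorted(assets, key=score, reverse=True)
    return [(a.ip, score(a), action(a), a.owner or "UNASSIGNED") for a in ranked]

def rate(ease, disc, prio, biz, fix):
    return {"ease_of_exploitation": ease, "discoverability": disc,
            "attacker_priority": prio, "business_context": biz,
            "remediation_complexity": fix}

# Constructed inventory; addresses come from the documentation ranges.
INVENTORY = [
    Asset("192.0.2.25", "vpn gateway", "remote access", "netops", True,
          rate(1, 3, 2, 4, 3), connections=["198.51.100.7"]),
    Asset("198.51.100.7", "web server", "customer portal", "web-team", True,
          rate(3, 5, 4, 5, 4), findings=["exposed admin login"]),
    Asset("203.0.113.10", "file transfer appliance", "legacy file sharing", None,
          False, rate(5, 4, 5, 3, 2), findings=["remote code execution"]),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

The "UNASSIGNED" owner on the top-ranked row is the handoff gap the remediation step describes: the riskiest asset has no team to receive the ticket until attribution is done.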

“CyCognito provides our company with cutting-edge technology enabling my team to have global visibility into our web-facing assets in an easy-to-use interface.”

— Alex Schuchman | Chief Information Security Officer, Colgate-Palmolive Company

TAG Cyber Research Report

Advice on External Attack Surface Management Selection: Pure Play vs. Bundled

Enterprise teams must decide whether to select a pure-play or bundled solution for external attack surface management. This report outlines the respective pros and cons.


Learn how CyCognito helps reduce attack surfaces

CyCognito is solving one of the most fundamental business problems in cybersecurity: the need to understand how attackers view your organization, where they are most likely to break in, and how you can efficiently analyze, monitor and eliminate risk.