
A Guide to Attack Surface Protection

The Best Way to Protect Your Complex IT Ecosystem and Prevent Breaches

What is Attack Surface Protection?

Attack Surface Protection (ASP) is a systematic, four-phase approach to keeping your organization safe.
It works by discovering your entire attacker-exposed IT ecosystem, including all of the organizations
that are owned by or related to yours, and all of their exposed IT assets. It then tests those assets for
attack vectors that could give malicious actors a path to your most critical assets. With ASP you can
better orchestrate your remediation workflows and maximize the improvement in your security posture.

Watch a short video to see how the CyCognito platform identifies attack vectors that might go undetected by other security solutions >>

Why is attack surface protection so important?

Think of it this way: imagine your house has ten windows and doors. Before you go to bed each night, you only check two of the ten doors; if they are both locked, you assume everything is secure. Oh, did we mention there are three windows you forgot about, and your house is in a neighborhood where burglars are constantly on the prowl? While your spot checks tell you that your house should be safe, you’d likely have a hard time falling asleep, never knowing whether that noise you heard at 2 a.m. was your imagination or the sound of someone coming through an unlocked window. Without checking each lock, on every door and window, before bed each night, there’s no way to be sure.

Your organization’s external attack surface has the same problem, but at orders of magnitude greater size and complexity. Your attack surface is everything that connects your organization to the internet, whether those connections are intentionally exposed or not. This includes exposed servers, remote access and networking gear, web apps, cloud environments not owned by your company, subsidiaries, and third-party environments you rely on to run your business. If left unprotected, any one of these assets may be the means by which attackers reach your networks and business data. By using the four-step approach of ASP, you can ensure your entire attack surface stays safe. Let’s look at each step, along with key considerations for success.


The 4 Steps of Attack Surface Protection:

01

DISCOVER

02

ASSESS

03

PRIORITIZE

04

REMEDIATE

ASP STEP 1 DISCOVER YOUR ATTACK SURFACE

You can't protect what you don't know about 

In order to protect your entire attack surface, you must first know what your attack surface is. For a large enterprise, this can easily be hundreds of thousands of exposed assets, including systems, applications, domains and certificates, connected both to the internet and to your organization’s internal network.

Most organizations approach the process of discovering their attack surface using a variety of siloed legacy tools. This provides only partial visibility into the assets that make up the attack surface, while still requiring tens or hundreds of hours of work to attribute assets to the appropriate platform, environment, business unit, or subsidiary. If you then attempt to protect your organization using that partial map of your attack surface, you still have gaps in protection: the areas you aren’t directly and intentionally monitoring, and the “unknown unknowns” you weren’t even aware of.

These gaps are more common than you’d think. According to a study we conducted with ESG, 47% of organizations don’t think to include SaaS applications in their attack surface, and 45% don’t think to include workloads running in the public cloud or at third-party partners.

Don’t be one of those organizations. Instead, look at your attack surface from the perspective that matters: the attacker’s. It’s critical that you use automated tools to see everything in your organization that is internet-exposed, just as attackers do. Instead of relying on point products and manual processes that look only at a subset of assets and establish no business context, fully automated solutions map your externally exposed assets and test them for security gaps you would otherwise not see.

In addition to discovering your complete attack surface, automation gives you the advantage of time. The faster you discover your entire attack surface, especially assets that aren’t regularly tested, the less time potential attackers have to take advantage of easy paths of least resistance. Automation is also key to continuous monitoring, so that you have visibility into new attack surface assets as they appear and before they can be attacked.

ASP STEP 2 ASSESS YOUR RISK

Where are the gaps?

Once you define the full scope of your attack surface, then you can accurately determine your risk. Most organizations do so using a motley crew of cyber risk assessment tools like port scanners, application security tests, vulnerability assessments, pen tests, and occasional red team exercises.

But because these assessments are labor intensive and costly, you rarely get to test enough of your attack surface to identify all of its gaps and weaknesses. The result is a false sense of confidence: your attack surface feels protected because the small fraction of it you tested looked fine. Our research with Dark Reading shows that only 38% of organizations pen test more than half of their entire attack surface annually, leaving the other 62% essentially blind to exposures in more than half of their attack surface.

Assessing a sample of assets isn’t enough. You must test 100% of your internet-exposed assets if you want to ensure 100% protection. Just like it only takes one unlocked door or window to get into your house, one security gap is all it takes for an attacker to breach your defenses.

Not only do you need to assess all your assets, you must be able to do it quickly and consistently. As the size and scale of your attack surface continues to grow and change, you must automate testing and run it continuously to even begin to keep up with, much less stay ahead of, attackers who use their own automated tools to assess your attack surface 24/7.

Things to look for in security testing to assess risk

COVERAGE

Testing that spans your full attack surface, including subsidiaries, cloud and third parties.

CADENCE

Testing that is frequent enough to keep up with the pace of change.

AUTOMATION

Testing that is automated and requires little to no manual oversight.

ASP STEP 3 PRIORITIZE YOUR RESPONSE

Not all risks are created equal

Here’s the good news: automation can help you discover your entire attack surface along with the assets at risk of exploitation. Time to call it a day, right? Not quite. All this data can actually lead to alert fatigue as you try to figure out where to start. If you discover 1,000 issues and only have time to fix 10, where do you begin?

The answer is prioritization. By prioritizing risks, you can do the most good in the least amount of time, so that your organization protects itself as efficiently as possible. To prioritize effectively, you need a prioritization engine that uses contextual information to calculate an asset grade. That grade should combine quantitative information about the issues on the asset, such as their severity and exploitability, with more qualitative criteria: how discoverable the asset is, how attractive it is to attackers, how important it is to the business, and how much remediation effort is involved in mitigating its problems.

Automated approaches should look at issues and include contextual information in the prioritization calculations, like what the asset does, who is responsible for it, and where it’s located. This will help separate the mission-critical risks (“there’s an exploitable vulnerability on our payment-processing server”) from the nice-to-haves (“our server hosting marketing videos has an expired certificate”).

Once you have this information, you can create priority scores that reflect your unique operations and guide you on what to work on first. Scores should be based on an asset’s business context and on the risk’s potential impact, discoverability, ease of exploitation, and remediation complexity. A vulnerability with a publicly available exploit on your internet-exposed finance platform? That’s a score of 10 out of 100 and an F grade: fix it now. An expired certificate on a marketing server? That sounds more like a 75 and a C grade. In other words, it can wait.

Automation can also help you achieve a set goal, not just rank issues. Using the same context as above, you can guide teams toward the actions that make the most efficient impact. For example, if your EMEA subsidiary has a large number of critical issues and currently has a “D” grade, what is the shortest list of fixes that gets it to a “C” grade?

Scoring and grading lets both technical and business teams understand what to work on and when, eliminating the time-consuming back and forth debate about priorities while ensuring the most important issues get resolved first.
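The following is an added, illustrative example of the kind of scoring described above; it is not CyCognito’s engine or code, and the weights, the 0-100 health scale and the grade thresholds are assumptions chosen to make the arithmetic easy to follow. It grades constructed sample assets from issue severity and exploitability combined with asset context (importance, discoverability, attractiveness), ranks the resulting work queue with remediation effort as a tie-breaker, and answers the goal-oriented question above: which fixes, in risk order, lift an asset to a target grade.

```python
"""Asset grading and remediation prioritisation (illustrative, assumed weights)."""
from dataclasses import dataclass, field


@dataclass
class Issue:
    title: str
    severity: float           # 0-10, CVSS-style base severity
    exploit_public: bool      # a working public exploit is known
    remediation_effort: int   # 1 (config change) .. 5 (re-architecture)


@dataclass
class Asset:
    name: str
    importance: int           # 1 (cosmetic) .. 5 (revenue-critical)
    discoverability: float    # 0-1, how easily an attacker finds it
    attractiveness: float     # 0-1, how much an attacker wants it
    issues: list = field(default_factory=list)


def issue_risk(issue: Issue, asset: Asset) -> float:
    """Risk in [0, 1] = likelihood x impact, with the asset's context folded in."""
    exploitability = 1.0 if issue.exploit_public else 0.5
    likelihood = (exploitability
                  * (0.5 + 0.5 * asset.discoverability)
                  * (0.5 + 0.5 * asset.attractiveness))
    impact = (issue.severity / 10.0) * (asset.importance / 5.0)
    return likelihood * impact


def asset_score(asset: Asset) -> int:
    """0-100 health score (100 = clean). The worst issue dominates; others add a 25% tail."""
    if not asset.issues:
        return 100
    risks = sorted((issue_risk(i, asset) for i in asset.issues), reverse=True)
    total = risks[0] + 0.25 * sum(risks[1:])
    return max(0, round(100 * (1 - min(total, 1.0))))


GRADE_FLOORS = (("A", 90), ("B", 80), ("C", 70), ("D", 60), ("F", 0))


def grade(score: int) -> str:
    """Letter grade from the assumed thresholds above."""
    return next(letter for letter, floor in GRADE_FLOORS if score >= floor)


def prioritize(assets):
    """Global work queue: highest risk first, ties broken by lowest remediation effort."""
    rows = [(issue_risk(i, a), a.name, i) for a in assets for i in a.issues]
    rows.sort(key=lambda r: (-r[0], r[2].remediation_effort))
    return [(name, i.title, round(risk, 4)) for risk, name, i in rows]


def fixes_to_reach(asset: Asset, target: str):
    """Greedy plan: fix issues in descending risk order until the asset reaches `target`."""
    floor = dict(GRADE_FLOORS)[target]
    remaining = sorted(asset.issues, key=lambda i: issue_risk(i, asset), reverse=True)
    plan = []
    while asset_score(Asset(asset.name, asset.importance, asset.discoverability,
                            asset.attractiveness, remaining)) < floor:
        plan.append(remaining.pop(0).title)   # empty issue list scores 100, so this terminates
    return plan


# Constructed sample inventory (hostnames and findings are invented for the example).
INVENTORY = [
    Asset("payments-api.example.com", importance=5, discoverability=1.0, attractiveness=1.0, issues=[
        Issue("RCE in web framework (public exploit)", 9.8, True, 2)]),
    Asset("hr-portal.example.com", importance=3, discoverability=0.6, attractiveness=0.7, issues=[
        Issue("SQL injection in login form", 8.0, False, 3),
        Issue("TLS 1.0 still enabled", 5.0, False, 1)]),
    Asset("videos.marketing.example.com", importance=1, discoverability=0.8, attractiveness=0.2, issues=[
        Issue("Expired TLS certificate", 3.0, False, 1)]),
]


def report(assets=INVENTORY):
    """Asset name -> (score, grade) for the whole inventory."""
    return {a.name: (asset_score(a), grade(asset_score(a))) for a in assets}


if __name__ == "__main__":
    for name, (score, letter) in report().items():
        print(f"{name:32} {score:3d} {letter}")
    for row in prioritize(INVENTORY):
        print(row)
    print("To lift hr-portal to A, fix:", fixes_to_reach(INVENTORY[1], "A"))
```

Note how the same mechanics separate the payments API (a public exploit on a critical, highly visible asset scores 2, an F) from the marketing video host (an expired certificate on a low-value asset scores 98, an A), and how the goal-driven planner reports that a single fix, the SQL injection, is enough to move the HR portal from B to A while the TLS 1.0 finding can be scheduled later.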

ASP STEP 4 REMEDIATE HIGH-PRIORITY RISKS

Prevention is priceless

The easiest cybersecurity incidents to clean up are the ones that never occur in the first place. In this step, we get down to the work of fixing issues and closing attack vectors before they are exploited.

Just as before, time is of the essence. You’ve discovered your attack surface. You’ve uncovered issues, gaps, and weaknesses, and their associated risk. You’ve prioritized based on evidence and context. And if you used an automated platform to do all this, your team is rested and ready at the starting line.

With legacy approaches, you are back down the manual rabbit hole. Tickets need to be created. Operations teams need to be notified. The tickets sit in a queue and will be picked up and addressed eventually. But when? Will the issue actually be fixed? To eliminate the back-and-forth of a typical remediation cycle, use an automated, closed-loop process that integrates with, or even orchestrates, your ticketing and communications platforms.

One more thing to keep in mind is that this step isn’t finished once a fix is applied. Use a continuous validation process to return to Step 2 and assess your risk to ensure you’re making the progress you expected.

Once again, automation can reduce the time your remediation process takes by validating that each issue has actually been resolved, and by showing whether your remediation progress is improving, declining, or holding constant.

The need for speed

A common thread in real-world breaches is that they involved vulnerable or unprotected software or systems that attackers were able to find and exploit. The solution might seem simple: just protect everything. The reality is much more complicated.

Today’s IT environment is extraordinarily complex, with remote access services, software and systems that are far from new but still in use, and an intricate chain of partners, suppliers and subsidiaries. And that’s not all. In many cases, attackers reach organizations via routes that security staff cannot protect because they are unaware those routes exist. Breachable assets may belong to supply chain vendors, or even to those vendors’ vendors. They may have been created by a well-meaning staffer who needed to solve an immediate problem and then forgot to mention the new cloud service to IT. And sometimes the means to infiltrate an organization is gear so buried in historical operations that the organization has simply forgotten it exists.

No matter the origin of your breachable points, and regardless of the size of your organization, your actual attack surface is almost certainly much larger than you think. To protect yourself well, you need to identify your real vulnerabilities, and the only way to do that is to see your organization through the lens of an attacker. Once you know what your actual attack surface looks like, you can prioritize your defenses and stay out of the headlines.


CyCognito for Attack Surface Protection

The CyCognito platform delivers attack surface protection by combining the market’s most advanced attack surface management capabilities with automated multi-factor testing to discover the paths of least resistance that attackers are most likely to use to compromise organizations. By automatically discovering and testing your entire internet-exposed attack surface, prioritizing what needs to be fixed first, and validating remediation, our platform can decrease the time it takes to remediate risks from months to hours, reducing your window of exposure.



SEE HOW WE DO IT

Watch our demo video to see how CyCognito can help you
automatically discover, prioritize and eliminate attack vectors.