The Platform

Enable your security and operations teams to proactively identify, prioritize, and remediate exposures to stay ahead of attackers.

Watch a Demo
GigaOm Radar for Attack Surface Management

The expansion of an organization's attack surface continues to present a critical business challenge. Download the GigaOm Radar for Attack Surface Management to get an overview of the available ASM solutions, identify leading offerings, and evaluate the best solution for you.  

Use Cases

The CyCognito platform helps you identify all of the attacker-exposed assets in your IT ecosystem for a complete view of your attack surface.

State of External Exposure Management

Download CyCognito’s State of External Exposure Management Report to learn key recommendations that your Security teams can implement to improve their exposure management strategy and minimize risk. 

Our Customers

External attack surface management is advancing cybersecurity into a new era. Learn how security experts across all industries benefit from using CyCognito’s platform.

The Total Economic Impact™ of The CyCognito Platform

Read The Total Economic Impact™ of The CyCognito Platform — a Forrester study. Cost Savings And Business Benefits Enabled By The CyCognito Platform. 

About CyCognito

We believe all organizations should be able to protect themselves from even the most sophisticated attackers.

Contact us

The knowledge you need to manage and protect your attack surface.

What's New Blog

Debating Cybersecurity Defenses Against Rogue Servers

By CyCognito Staff
Rule Your Risk
November 5, 2019

In the world of cybersecurity, all too often it feels like “another day, another unprotected asset and another breach.” Last month’s breach of Ecuadoran data by Novaestrat1 stands out given that the breach seems to have affected almost the entire population of the country and an arrest has already been made2, but more importantly, it highlights how the introduction of IaaS+SaaS has destroyed the traditional perimeter concept upon which security has been based since the first data centers were built. A colleague and I were debating how best to configure defenses to detect a Novaestrat-esque data compromise, and we thought it worth sharing our discussion and thought process.

I’ve been privileged to have worked with many Fortune 500 and federal government entities whose budgets were, in a practical sense, empowered to buy whatever made a positive impact on their defensive posture, so we didn’t limit defensive selection. As a generalization, I’ve seen most defenses comprised of a series of capabilities like the following:

  1. Network Intrusion Detection Systems (IDS) deployed throughout data centers and in Amazon Web Services (AWS) using AWS port mirroring for all workloads;
  2. Host-based IDS, antivirus (AV), and endpoint detection and response (EDR) on all traditional workstations and servers, and all cloud workloads;
  3. Data loss prevention (DLP) at the network and host layers;
  4. Security Information and Event Management (SIEM) solutions which gather all logs from all security defenses and apply tailored correlation rules;
  5. Vulnerability scanning solutions, set to continuously scan all known assets all the time; and
  6. Breach and attack (BAS) solutions, integrated with security defenses and SIEMs, and configured to constantly run to detect defense deficiencies.

Given the solution selection, this would pose a relatively robust environment for detecting incidents. An argument can be made about adding more tactical details like firewalls, a web application firewall, etc., but we’ll use this as a baseline and a lens for discussing a Novaestrat-specific breed of breach. 

For those unfamiliar with it, the Novaestrat compromise involved an employee unintentionally exposing an (internal) Elasticsearch server in Florida to the internet, which contained millions of personally identifiable information (PII) records to the internet. Once exposed, it simply became a matter of time before someone (friendly or otherwise) would discover the host and its data. 

Let’s break the result down security defense by security defense:

  1. Network IDS – detects nothing, as there’s no active attack inbound to, or outbound from, the server. Note the emphasis on the need for an attack to trigger a defensive response, as it is a key aspect throughout the defensive analysis.
  2. Host IDS, AV, and EDR – assuming the server is properly managed (unlikely based on at least one misconfiguration and its accidental exposure to the internet) and has all the requisite agents on it, they’ll report nothing, as there are no active attacks associated with the host.
  3. DLP – might detect something after someone on the internet accesses the data, and that’s assuming the DLP agent or network tool is covering the unmanaged asset; in any case, it doesn’t necessarily prevent the legal entanglement unless the DLP:
    1. detects the data exfil,
    2. sits inline, and 
    3. has prevention/blocking enabled, which most organizations fear to do due to disruption of the business.
  4. SIEM – might detect something after someone on the internet accesses the data based on logged events from one of the defenses or the host, which again doesn’t save the data from compromise.
  5. Vulnerability Scanner – detects nothing, as this wasn’t the result of a vulnerability, and likely wouldn’t be scanning the host anyway because it only scans known assets.
  6. BAS – interestingly, BAS does nothing here as well, as it’s designed to test network defenses (see #1 and #3 just above), and it’s limited to testing the host-based defenses of a single image, not the full attack surface or assets of an organization (see #2 above regardless).

In sum, because the Elasticsearch server didn’t have a vulnerability that exposed the data, didn’t have an active attack associated with it, and couldn’t have been validated by a BAS solution, the only chance an organization like Novaestrat has of catching a data breach like this is after an adversary on the internet sees the data.

Despite unlimited funding, traditional defenses and detection methods are still almost certain to fail.

The term we’re using at CyCognito to describe risks like those posed by the rogue Novaestrat server is “shadow risk.” Shadow risk arises from the 21st century IT ecosystem that involves partners and subsidiaries who have your data, assets you own that are exposed to the internet (from workloads in the cloud to data-center servers to routers in offices), and IaaS and SaaS providers you use in the course of business. The level of technical control varies in each case, and critically, the level of visibility you have varies, creating types of risk that are new.

Going back in time with the knowledge that traditional tools couldn’t protect against this high-profile breach, what could an organization like Novaestrat have done to combat their shadow risk problem

The CyCognito platform is able to identify data exposures (as shown above) so that organizations can take action before a breach occurs.

To find attacker-exposed assets like the Elasticsearch server, organizations would need something that continuously scans the entire internet looking for misconfigured assets, exposed data, default configurations and credentials, and systems with vulnerabilities and other risks. That solution would then need to take that data it discovered from all areas of the modern IT ecosystem (traditional data centers, partners, subsidiaries, IaaS, SaaS, etc.), and accurately determine what belonged to their organization. This would be a new approach that matches the new reality of distributed IT ecosystems—and one that CyCognito is creating for its customers today. 



Recent Posts

Top Tags

CyCognito Research Report

State of External Exposure Management

State of External Exposure Management

Download CyCognito’s State of External Exposure Management Report to learn key recommendations that your Security teams can implement to improve their exposure management strategy and minimize risk.

Dummies Book

External Exposure & Attack Surface Management For Dummies

External Exposure & Attack Surface Management For Dummies

As your attack surface has grown to cloud infrastructures and across subsidiaries, attackers are looking for and finding unknown and unmanaged assets to serve as their entry points.

Interactive Demo

Ready to Rule Your Risk?

Request a personalized walkthrough of the CyCognito platform to see how we can help your company identify all its internet-exposed assets, focus on which are most vulnerable to attacks, and accelerate your time to remediating critical risks.