In my recent Reduce Your Attack Vectors, Not Your Attack Surface blog, I offered our view that you should focus on reducing the number of attack vectors in your attack surface, not on reducing the size of your attack surface. The size of your attack surface is likely driven by business demands and is outside the control of security teams, and taking the broadest view of it is a much stronger defensive strategy for your organization. You should define your organization’s attack surface as the sum of all of your attacker-exposed IT assets, whether secure or vulnerable, known or unknown, wherever they are: on-premises, in the cloud, in third-party or partner environments or in the networks of your subsidiaries.
Shadow risk in your IT ecosystem is often hidden in cloud, partner and subsidiary environments, and it exists in on-premises assets as well.
Attackers are looking for the path of least resistance in your attack surface so that they can breach your high-value digital assets. And that path is often in the hidden shadow risk. To stay ahead, you have to think like an attacker too. That requires ongoing visibility of your attack surface, and there’s only one proven way to establish attack surface visibility: perform reconnaissance across your entire IT ecosystem, adopting an outside-in approach.
The need for attack surface analysis and management is universally recognized by security practitioners and vendors, but a critical point typically missed in these conversations is that managing your attack surface isn’t something you should start doing only after you have implemented your security stack. Instead, it must be a foundational step that guides your security program and resource investments. And instead of viewing it as a periodic process, you should consider the need for managing your attack surface and eliminating your shadow risk as a dynamic and continuous process.
Implement a Risk-Based Approach to Vulnerability Management*
What sets shadow risk elimination apart from some other approaches is that you always start with an awareness of attackers’ techniques and their search for the path of least resistance. It is common for sophisticated enterprises to spend millions of dollars on advanced security solutions while overlooking the easy paths of entry that attackers know how to identify.
Like you, attackers may use vulnerability scanning as a way to understand your organization’s weaknesses. But attackers go far beyond that, seeking assets associated with your organization that you don’t see or manage, as well as your weaknesses in the cloud or in partner-connected IT assets.
Your team could spend all of its time fighting the long list of vulnerabilities rated “high” or “critical” under the Common Vulnerability Scoring System (CVSS), while completely missing potential attack vectors that go beyond known Common Vulnerabilities and Exposures (CVEs), or whose impact isn’t captured in isolated CVSS scores because the risk is specific to your organization’s attacker-exposed assets and the relevance of those assets to your business.
Even platforms that prioritize vulnerabilities, or provide risk-based vulnerability management, and go beyond basic CVSS scoring don’t close the risk assessment gap. Those solutions typically implement asset and risk scoring that requires robust metadata to work effectively. However, when assets aren’t even seen or managed by an organization, that metadata is not going to exist.
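As an added illustration (not code from this post or from CyCognito), the constructed Python inventory below contrasts a metadata-dependent scorer, which silently ranks unmanaged assets at zero, with one that treats missing ownership and business-context metadata as a risk signal in its own right; the asset names, weights and scores are all assumed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Asset:
    name: str
    cvss: float                      # highest CVSS base score among known findings
    business_impact: Optional[int]   # 1-5 from the CMDB; None when the asset is unmanaged
    owner: Optional[str]             # None when no team owns the asset
    exposure: str                    # "internet", "partner" or "internal"


# Assumed exposure weights: internet-facing assets are the easiest entry points
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.8, "internal": 0.4}


def naive_score(a: Asset) -> float:
    """Metadata-dependent scoring: an asset with no business context scores 0."""
    impact = a.business_impact or 0
    return a.cvss * impact * EXPOSURE_WEIGHT[a.exposure]


def shadow_aware_score(a: Asset) -> float:
    """Missing metadata is itself shadow risk: assume worst-case impact,
    and uplift assets nobody owns because nobody is patching them."""
    impact = a.business_impact if a.business_impact is not None else 5
    score = a.cvss * impact * EXPOSURE_WEIGHT[a.exposure]
    if a.owner is None:
        score *= 1.5
    return score


def prioritize(assets: List[Asset], scorer: Callable[[Asset], float]) -> List[str]:
    """Return asset names ordered from highest to lowest score."""
    return [a.name for a in sorted(assets, key=scorer, reverse=True)]


# Constructed sample inventory; two assets were found by outside-in discovery
# and therefore have no CMDB metadata at all.
SAMPLE = [
    Asset("crm-prod", cvss=9.8, business_impact=5, owner="sales-it", exposure="internal"),
    Asset("legacy-vpn.partner", cvss=7.5, business_impact=None, owner=None, exposure="partner"),
    Asset("forgotten-staging", cvss=6.5, business_impact=None, owner=None, exposure="internet"),
    Asset("hr-portal", cvss=5.3, business_impact=4, owner="hr-it", exposure="internet"),
]

if __name__ == "__main__":
    print("naive:       ", prioritize(SAMPLE, naive_score))
    print("shadow-aware:", prioritize(SAMPLE, shadow_aware_score))
```

Under the naive scorer the two unmanaged assets drop to the bottom of the queue, while the shadow-aware scorer puts them first.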
The best practice is to manage your attack surface with the goal of eliminating shadow risk. You do this with an ongoing, continuous process of identifying and understanding your organization’s attacker-exposed assets, the business context of the assets, potential attacker entry points and a prioritization of which attack vectors to remediate first.
Effective attack surface management requires automatic and continuous:
- Visibility of your entire attack surface, particularly the unknown, abandoned and unmanaged assets that attackers seek as easy points of entry
- Understanding of the business context of each asset based on the type of business functions supported by the applications and data on the asset
- Determination of which group in your organization owns the asset, what IT environments it is part of, and whether it is part of a cloud, partner or third-party network
- Identification and prioritization of potential attack vectors in your attack surface so you know where your team should focus their efforts
- Security monitoring to maintain the full and current view of your attack surface
Learn more about how industry-leading organizations are eliminating their shadow risk with the CyCognito platform that enables you to discover, understand, prioritize and eliminate your organization’s shadow risk wherever it is, including cloud, partner and subsidiary environments.
* Gartner, Implement a Risk-Based Approach to Vulnerability Management, Prateek Bhajanka and Craig Lawson, ID: G00356414, Published: 21 August 2018