In my recent blog, "Reduce Your Attack Vectors, Not Your Attack Surface," I offered our view that you should focus on reducing the number of attack vectors in your attack surface, not on reducing the size of your attack surface — which is likely driven by business demands and is outside the control of security teams. Taking the broadest view of your attack surface is a much stronger defensive strategy for your organization. You should define your organization's attack surface as the sum of all of your attacker-exposed IT assets, whether secure or vulnerable, known or unknown, wherever they are: on-premises, in the cloud, in third-party or partner environments, or in the networks of your subsidiaries.
Shadow risk in your IT ecosystem is often hidden in cloud, partner and subsidiary environments, and exists in on-premises assets as well.
Attackers are looking for the path of least resistance in your attack surface so that they can breach your high-value digital assets. And that path is often in the hidden shadow risk. To stay ahead, you have to think like an attacker too. That requires ongoing visibility of your attack surface, and there’s only one proven way to establish attack surface visibility: perform reconnaissance across your entire IT ecosystem, adopting an outside-in approach.
The need for attack surface analysis and management is universally recognized by security practitioners and vendors, but a critical point typically missed in these conversations is that managing your attack surface isn't something you should start doing only after you have implemented your security stack. Instead, it must be a foundational step that guides your security program and resource investments. And rather than treating it as a periodic exercise, you should treat managing your attack surface and eliminating your shadow risk as a dynamic and continuous process.