Eliminate the Shadow Risk That Attackers Seek First

By Raphael Reich, Vice President Marketing | March 6, 2020

In my recent blog post, "Reduce Your Attack Vectors, Not Your Attack Surface," I offered our view that you should focus on reducing the number of attack vectors in your attack surface, and not on reducing the size of your attack surface — which is something that’s likely driven by business demands, and outside the control of security teams. This is because taking the broadest view of your attack surface is a much stronger defensive strategy for your organization. You should define your organization’s attack surface as the sum of all of your attacker-exposed IT assets, whether secure or vulnerable, known or unknown, wherever they are: on-premises, in the cloud, in third-party or partner environments or in the networks of your subsidiaries.

And visibility of your entire attack surface is critical to your ability to identify and eliminate your shadow risk. “Shadow risk” is the risk associated with your attacker-exposed assets. It is risk that most organizations are blind to but sophisticated attackers can easily exploit. Shadow risk includes the assets and attack vectors that are part of the organization’s IT ecosystem but may be unseen or unmanaged by the organization because the assets are in cloud, partner, subsidiary and abandoned environments. Read on to learn why this is critical to the security of your organization.

Shadow risk in your IT ecosystem is often hidden in cloud, partner and subsidiary environments and exists in on-premises assets as well.


Attackers are looking for the path of least resistance in your attack surface so that they can breach your high-value digital assets. And that path is often in the hidden shadow risk. To stay ahead, you have to think like an attacker too. That requires ongoing visibility of your attack surface, and there’s only one proven way to establish attack surface visibility: perform reconnaissance across your entire IT ecosystem, adopting an outside-in approach.

The need for attack surface analysis and management is universally recognized by security practitioners and vendors, but a critical point typically missed in these conversations is that managing your attack surface isn’t something you should start doing only after you have implemented your security stack. Instead, it must be a foundational step that guides your security program and resource investments. And instead of viewing it as a periodic process, you should consider the need for managing your attack surface and eliminating your shadow risk as a dynamic and continuous process.

About Raphael Reich, Vice President Marketing

Raphael Reich, Vice President of Marketing, has helped bring innovative, category-defining security products to market for over two decades.
