Principles of Attack Surface Protection: Winning the Remediation Race

Risk remediation is a wildly unequal race between attackers with advanced processes and attack tools and defenders struggling to keep afloat with tedious, manual processes and 20-year-old technology. How cumbersome is it? Say a security team learns there’s a critical vulnerability in a web application. They may have to: check several asset management databases to determine who owns the application, run additional scanners to understand just how vulnerable the application is, gather details on how to remediate or mitigate and then log into their ticketing system or communications platform to send evidence and remediation requests to IT.

In contrast, attackers are supported by an entire hacker economy, use modern automated hunting tools (probably delivered as a SaaS platform), and are ready to exploit that vulnerability the instant they identify that application as a way in. To compete, defenders need to move beyond this manual process to one that makes hyper-efficient use of their time and energy. Here are four ways to vastly improve your cybersecurity remediation:

1. Set your team up with the right to-do list.n addition to requiring a laborious remediation process, legacy vulnerability scanners bombard security teams with thousands of “high” and “critical” common vulnerabilities and exposures (CVEs) that need remediation. This is because these legacy technologies ignore critical aspects such as an asset’s business importance, the kind of data that’s potentially at risk, and how discoverable or exploitable an asset is when determining the severity.

Unfortunately, thousand-plus serious to-dos can dull a team’s sense of urgency in addressing the risks. Previously, we reviewed assess and prioritize principles, which can dramatically reduce the list of prioritized risks to only those that are materially important to a company’s business. That shortlist should be the security and IT teams’ focus.

So, let’s assume your remediation list is more manageable. Items on the list will be for critical assets that are exploitable, which often amounts to 20 or 30 in a large company. Teams must then be ruthlessly efficient as they apply remedies to reduce risk as quickly as possible. Building the best, most targeted list not only helps with efficiency but also builds trust between the internal teams that need to come together to identify and then remediate risks: security, IT, engineering, and management.

2. Get contextual advice to fix critical risks. Context is always king, including in cybersecurity. The difference between an exploitable mainframe and an exploitable “empty” apache server makes a world of difference from a business perspective, yet the IP addresses for both can look exactly the same to a legacy CVE scanner. Security teams must leverage technologies that equip them with that context, and they must leverage that context in their communication with IT and engineering so critical issues can be remediated quickly.

Context-based insights are paramount for expediting the remediation of the most high-impact risks. Vulnerability alerts or ratings don’t provide enough data for useful context. The most important context to identify a potential attack path comes from associating IT assets — previously unrelated IP addresses, devices, apps, and certificates — with specific organizations that are part of your extended IT ecosystem. Having this context also accelerates remediation by informing teams about asset ownership.

For most organizations, the siloed nature of IT device controls and management often leads to the manual mapping of risk and vulnerability data to configuration management databases and other tools. Context acquired via such tools is helpful, but the manual processes of gathering, verifying, and synthesizing the data are too slow for efficient remediation, cost hundreds of hours per month, and cause security teams to miss critical security gaps that can’t easily be managed this way.

Context is also critical in helping teams apply the fix. One of the biggest challenges for security teams is finding the owner of an asset who can make a business-based decision about the risk and authorize a fix. It’s important to have a solution that automatically maps all exposed assets to the organization that owns them because knowing who’s responsible for a vulnerable asset will help teams fix material issues faster. It’s also important to have at hand the information about how to fix the risk.

3. Confirm fixes by continuous validation. You may be tempted to declare remediation done after fixes are applied. But it’s better to use a continuous validation process so you can not only confirm remediation was successful but that it remains so.

For example, if your organization’s validation tactic entails testing selected samples of IT assets, it means not all risks are being tested. Your team might perform penetration tests on, say, five or 10 web apps. But as a large organization usually owns hundreds of web apps, in this scenario, 95% of them are untested and potentially exposed.

Clearly, it’s easy to get a false sense of security by assuming one point of remediation will solve enterprise-wide exposure or by relying on small testing samples. Continuous validation of all remediation efforts for all material risks is a foundational element of security.

4. Leverage automation for efficient remediation. Our final point is about automation for efficient remediation. Think of the opening example of finding a dangerous vulnerability in a web app. Re-running scans, consulting asset management databases, figuring out who owns the app, and so forth takes hours upon hours — sometimes, even days — of manual effort. Manual, time-consuming processes give attackers too many openings and can lead to incident response instead of risk remediation.

Looking for ways to automate remediation processes is vital. A tangible payoff is substantial savings in operational costs. Rapid reduction of risk is another. With automation helping to connect the dots, your team can accelerate time-to-remediation from months or weeks to just days or hours.

Intrinsic to the concept of remediation efficiency is time. Time and its relationships with the four other principles of attack surface management is the concluding theme of this series in my next article.