
Principles of Attack Surface Protection: Discover Everything

By Rob Gurzeev
CEO & Co-Founder
February 24, 2022

Imagine a cybersecurity team that is working hard with the usual tools and best practices. All seems on course for protecting the enterprise attack surface. But there’s an attractive path for attackers to assets the security team doesn’t manage and may not even be aware of.

In this case, which happens to be a true story, a Fortune 500 financial services company prevented exploitation of a hidden ransomware risk. Global operations entailed more than 200 subsidiaries and almost half a million IT assets. By using new techniques to probe hidden risks across the entire extended attack surface, this company found it was vulnerable to a critical Pulse Secure VPN CVE, CVE-2019-11510, in three of its 30 VPN gateways. One gateway was in a subsidiary and two came with an acquired company. Discovery was in the nick of time!

Scenarios like this are common and often undiscovered because security controls and their operators cannot see all risks to the entire external attack surface. Let’s take a closer look at how such exposure impacts most large organizations today.

Defining the Attack Surface

The concept of an “attack surface” includes any asset that an attacker can see on your network or that has a path to it. For a large enterprise, the modern externally exposed attack surface can include thousands of segmented networks, tens or hundreds of thousands of devices, thousands of applications and dozens or hundreds of connected partners.

Talk about endless exposure! Some of these elements are not systematically addressed by typical security tools and processes. We call these omissions an area of “shadow risk.” 

Shadow risk is a huge lure for attackers who seek the path of least resistance to your assets and data. The main attraction is these targets are unlikely to have any protection from security controls — especially unknown or unmanaged assets. Let’s consider why shadow risk is a major unaddressed liability.

Why Legacy Approaches Don’t See the Extended Attack Surface

Security practitioners use a variety of tools and processes to map and assess risk exposure. For example, deployment of vulnerability scanners, penetration testing, threat intelligence feeds, security rating services and others are common — so much so that security frameworks and compliance regimes, such as the Payment Card Industry Data Security Standard (PCI DSS), specify their systematic use. Despite adherence to these requirements, we frequently read about successful exploits. Why?

I believe there are two reasons why popular tools are unhelpful in seeing the extended attack surface. The first reason is these tools are only good at seeing the targets you focus them on. 

Consider how you configure a legacy vulnerability scan: by entering a target range of IP addresses. That’s where the tool looks. If you want it to look somewhere else, you must tell it where to execute its processes, what to look for and when to run scans. A recent ESG study commissioned by our company offers clues on why many risks are unseen by organizations surveyed:

  • 47% don’t include SaaS applications.
  • 45% don’t include workloads running in the public cloud.
  • 45% don’t include third parties.
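
The scoping problem described above can be measured directly. The following is an added example, not code from the article or from CyCognito: it compares the target ranges typed into a scanner with an asset inventory gathered from other sources and lists what the scanner will never look at. The target list, inventory entries, names and addresses are all constructed sample data using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation address ranges); not from the article.
SCAN_TARGETS = ["192.0.2.0/25", "198.51.100.10-198.51.100.20"]
INVENTORY = [
    {"name": "vpn-hq", "ip": "192.0.2.10", "owner": "parent"},
    {"name": "vpn-sub", "ip": "192.0.2.200", "owner": "subsidiary"},
    {"name": "vpn-acq1", "ip": "203.0.113.5", "owner": "acquired"},
    {"name": "vpn-acq2", "ip": "203.0.113.6", "owner": "acquired"},
    {"name": "web-prod", "ip": "198.51.100.15", "owner": "parent"},
    {"name": "crm-saas", "ip": None, "owner": "saas"},  # hostname only, no fixed IP
]

def parse_targets(targets):
    """Expand CIDR blocks and 'start-end' ranges into a list of networks."""
    nets = []
    for t in targets:
        if "-" in t:
            start, end = (ipaddress.ip_address(p.strip()) for p in t.split("-"))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.ip_network(t, strict=False))
    return nets

def coverage_gap(targets, inventory):
    """Return the inventory entries that fall outside every scan target."""
    nets = parse_targets(targets)
    missed = []
    for asset in inventory:
        if asset["ip"] is None:
            missed.append(asset)  # cannot be expressed as an IP target at all
            continue
        addr = ipaddress.ip_address(asset["ip"])
        if not any(addr in n for n in nets):
            missed.append(asset)
    return missed

def gap_by_owner(targets, inventory):
    """Count out-of-scope assets per owning entity."""
    return Counter(a["owner"] for a in coverage_gap(targets, inventory))

if __name__ == "__main__":
    for a in coverage_gap(SCAN_TARGETS, INVENTORY):
        print(f"not in scan scope: {a['name']} ({a['owner']})")
    print(dict(gap_by_owner(SCAN_TARGETS, INVENTORY)))
```

The result is only as complete as the inventory fed in; assets nobody has recorded stay invisible to this check as well.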

Another reason for limited visibility is that tools are often used in “a stand-alone capacity and not holistically,” according to Gartner. For instance, a vulnerability scanner can easily spot thousands of potential vulnerabilities in a mid- to large-sized organization. However, a penetration testing team usually focuses on a tiny subset, manually creeping for hours through the “to-do” list that barely scratches the surface of potential exploits. Doing the usual run of one, two or even a handful of pen tests each year might provide low single-digit coverage of risks. The other 95% of shadow risks are very attractive to attackers.

Siloed tools are another major liability. The European Union Agency for Cybersecurity advises: “New approaches will be required during the next decade to stay away from silo analysis and move closer to a matrix-type of interconnected factors, variables and conditions.” 

Discovering All Risks Automatically

The manual aspects of using many security tools and processes may be the biggest challenge to the discovery of risk on the enterprise attack surface. Attackers use automation and the economy of scale it delivers to probe the attack surface for easily exploitable risks and to execute attacks. Their offensive strategy of using automation to pursue the path of least resistance is cost-effective and efficient. A viable strategy for getting ahead of continuous threats is to think and act like an attacker.

Note that attackers are not seeking just any unprotected asset. They don’t waste time on noncritical assets. An attacker’s fastest payoff is to find and penetrate critical assets, such as payment mechanisms or production databases. Breaching critical assets results in a faster, better payoff.

So, what does this mean for you and your security team? Your mission of protecting the attack surface requires discovering the same information sought by enemies. Unfortunately, reliance on legacy discovery techniques means organizations are often unaware of 30% or more of their assets. 

For enterprise security, managing risks requires the discovery of all risks on your attack surface. My next article will explore the second principle of attack surface protection: how to assess what you’ve discovered — and know if those risks are material to your business.

