Three Actions to Reduce External Risk

By Jason Pappalexis, Sr. Technical Marketing Engineer | August 15, 2022
IT security teams are well aware their organizations are under constant attack. Reconnaissance scans and initial access attempts – logged nearly every day on heavily monitored systems such as web servers, SSH gateways and VPN gateways – are harsh reminders of exposure and risk.

Information from these attacks is used to guide everything from budget decisions to daily work assignments. Unfortunately, the data at best represents a small slice of an organization’s overall external risk posture, leaving in its wake a false sense of security and often wasted resources and time. The result: organizations feel like they are working hard but not making forward progress.

Interestingly, many IT security professionals think external risk starts with digital asset discovery, typically accomplished by scanning known IP address ranges using Nmap or one of many similar tools. In reality, discovery of organizational structure – the parent company and all subsidiaries – is the real beginning. Only when an IT security team has a firm understanding of the entire business can they build a complete map of the external digital footprint and test it for risk. It takes just one missing asset. A chain is only as strong as its weakest link.

On average, an organization’s attack surface fluctuates by 5.5% every month. Whether you are a security business leader, an IT security manager or a practitioner, here are several recommendations that you can use to positively shape your external risk profile.

Acknowledge gaps in your external risk metrics

Cybersecurity is data rich. Alerts from a myriad of network and endpoint security systems come in by the hundreds of thousands. It is easy to assume that somewhere, somehow, there are the answers you need to build a comprehensive understanding of external risk.

While security data from known, protected external-facing systems is an excellent indicator of threat volume and active attacks, these systems have zero visibility into unknown assets and into known assets that are inadvertently exposed. That WordPress server that a dev team spun up and then abandoned. A web portal with remote access services left open. The list goes on.

To compound the uncertainty, many IT security teams have low (or even zero) visibility into systems found on networks operated by their subsidiaries. These systems make up a significant proportion of external risk and often represent the largest gap.

The Answer

Review the maturity of your organization’s understanding of external-facing systems. Ask the difficult questions about review frequency, tracking tools, and feedback mechanisms. Anything that points to a review cadence less frequent than monthly, a manual approach to tracking, or informal communication suggests your gaps could be very large indeed.

Then acknowledge the gaps. While this may have an undesirable effect of raising more questions, it puts a magnifying glass on the issue while you then put the tools and processes in place to increase the accuracy of your measurements (and remediate the issues).

[For more discussion, see our blog Reduce Your Attack Vectors, Not Your Attack Surface]

Reduce uncertainty in your attack surface

Uncertainty is the Achilles heel of many external risk measurement programs; reliance on legacy discovery techniques means organizations are unaware of 10-to-30% of their subsidiaries.

When we talk to companies about their attack surface, we seldom hear them express confidence about managing their digital assets. This is a large problem. With ESG research finding nearly 7 in 10 organizations report at least one breach from unknown or unmanaged assets, and Cybersecurity & Infrastructure Security Agency (CISA) reporting vulnerabilities are often exploited hours or days from disclosure, many IT security staff live with the feeling that a breach is not a matter of if but rather when.

The Answer

Organizations receive the greatest return for their efforts when they increase accuracy early in the process, the discovery phase.

Imagine the value to your team if they had the following information, continuously updated and easily accessible:

  • An accurate map of your business structure
  • A comprehensive list of external facing systems
  • An understanding of the primary purpose of each system
  • The owner of each system as it ties back to your business structure
  • Vulnerabilities and test results on these external facing systems

Security and operations teams new to this level of detail may feel overwhelmed at first. Short term, the increased ticket volume for patch installation, system hardening and security toolset installation would hardly be celebrated in an already full work schedule. Long term, however, the new information, delivered automatically, will be recognized as supercharging their prioritization workflow; gaps close, ticket volume decreases and external risk is brought under control.

[For more insight into the importance of discovery, see our blog Principles Of Attack Surface Protection: Discover Everything].

Ensure you are using the right information to prioritize remediation activities

Risk reduction doesn’t happen overnight. Alert volume and legacy workflows mean progress on reducing external risk can feel painfully slow. All the more reason to prioritize tasks so that the most impact can be had as early as possible.

Risk is a function of threat, vulnerability and consequence:

Risk = Threat x Vulnerability x Consequence

Many organizations turn to NIST CVSS security scoring to understand vulnerability severity, which they use to prioritize remediation activities. This is an excellent step, but it does not provide insight into the threat (is there a weaponized exploit in the wild?) or the consequence (does the system with this vulnerability have access to sensitive business information?).

If you are making prioritization decisions without considering threat and consequence, you are likely wasting staff time resolving important, but unfortunately, not urgent issues.
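As an added example (not code from the original post), the following Python ranks a set of constructed findings two ways: by CVSS alone, and by the Risk = Threat x Vulnerability x Consequence formula above, with hypothetical weights standing in for threat intelligence (exploit in the wild) and business context (access to sensitive data). The reordering shows why a critical CVSS score on an abandoned, low-value host can be less urgent than a medium score on a sensitive system.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One external-facing finding. All field values below are constructed."""
    host: str
    cvss: float               # CVSS base score, 0.0-10.0 (the Vulnerability term)
    exploit_in_wild: bool     # Threat: is a weaponized exploit publicly available?
    sensitive_access: bool    # Consequence: does the host reach sensitive business data?


# Hypothetical weights (an assumption of this example, not from the post):
# a finding with no known exploit or no sensitive access still carries some
# risk, so the factor is discounted rather than zeroed.
THREAT_WEIGHT = {True: 1.0, False: 0.3}
CONSEQUENCE_WEIGHT = {True: 1.0, False: 0.2}


def risk_score(f: Finding) -> float:
    """Risk = Threat x Vulnerability x Consequence, with CVSS as the Vulnerability term."""
    return round(THREAT_WEIGHT[f.exploit_in_wild] * f.cvss * CONSEQUENCE_WEIGHT[f.sensitive_access], 2)


def prioritize_by_cvss(findings: List[Finding]) -> List[str]:
    """Remediation order when only severity is considered."""
    return [f.host for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def prioritize_by_risk(findings: List[Finding]) -> List[str]:
    """Remediation order when threat and consequence are folded in."""
    return [f.host for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample findings; host names are illustrative placeholders.
SAMPLE = [
    Finding("abandoned-wordpress", 9.8, exploit_in_wild=False, sensitive_access=False),
    Finding("subsidiary-vpn", 7.5, exploit_in_wild=True, sensitive_access=True),
    Finding("marketing-site", 8.1, exploit_in_wild=True, sensitive_access=False),
    Finding("hr-portal", 6.5, exploit_in_wild=False, sensitive_access=True),
]

if __name__ == "__main__":
    print("CVSS only :", prioritize_by_cvss(SAMPLE))
    print("Risk-based:", prioritize_by_risk(SAMPLE))
    for f in prioritize_by_risk.__wrapped__(SAMPLE) if hasattr(prioritize_by_risk, "__wrapped__") else sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"  {f.host:<20} cvss={f.cvss:<4} risk={risk_score(f)}")
```

With these weights the subsidiary VPN (exploit in the wild, sensitive access) moves from third to first, while the 9.8-scored abandoned server drops to last.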

The Answer

In these days of staffing and skillset shortages, leaders need to apply their resources to the organization’s top risks. Review your remediation workflow to verify it is prioritized using threat intelligence and business context. Mature prioritization processes include even more data points: attacker priorities, system discoverability, ease of exploitation and remediation complexity. Together, this information gives an organization confidence that it is making significant progress with every closed ticket.

[For more insight on prioritization, see our blog Take Another Leap Beyond “Managing” Your Attack Surface].

Identify external risk and empower your teams with CyCognito

Tasked with managing cybersecurity risk, leaders and practitioners are frequently prioritizing work and building their path toward reduced external risk. Unfortunately, rapid change and fragmented information often slow their efforts. Gaps in understanding business structure, uncertainty in measurements, and lack of real-time data mean wasted staff time and resources.

Automated and continuous business structure mapping, external-facing system discovery, system contextualization and system attribution is the rising tide that floats all ships, acting as a force multiplier that elevates teams and keeps them on track to resolve the most important and urgent activities. In addition to increasing accuracy and reducing gaps, it also removes a significant amount of tedious manual work, which frees IT security and operations professionals’ time for the more interesting security challenges.

CyCognito allows customers to discover exposure, address security gaps timely, and operate efficiently. To learn more about CyCognito’s approach to external risk management or if you have questions about this blog, please contact your CyCognito account representative.

About Jason Pappalexis, Sr. Technical Marketing Engineer

Jason Pappalexis, Senior Product Marketing Manager, has 20 years’ experience in the cybersecurity industry with responsibilities that include product management, technical marketing, product marketing, and solution architecture across a variety of on-prem and cloud toolsets.
