An external attack surface is all of an organization’s IT assets, and those closely related to the organization, as seen by attackers looking in from the outside. Managing that attack surface is the only way to ensure you stay secure. While organizations often define “attack surface” too narrowly, attackers do not make that mistake. Attackers simply want access to your data, applications and networks, whether on-premises or in cloud, subsidiary, third-party, or partner environments. The best way to protect your organization, therefore, is to see, understand and manage all of the ways an attacker might get into your organization.
The first step for external attack surface management is to find all the business and IT relationships your organization has including acquired companies, joint ventures, and cloud assets that are strongly related to your company. From there, you’ll want to discover the externally-exposed IT assets of those entities and identify additional connections between assets that are not clearly or traditionally related. These are the kinds of externally identifiable connections that, when discovered by attackers, provide an easy path into your data.
Once you’ve discovered the assets in your IT ecosystem, it’s time to assess them for exposures. Attackers need just one opportunity, whether it comes from misconfigured assets, network architecture flaws, data exposures, authentication and encryption weaknesses, or other risks including common vulnerabilities and exposures (CVEs). You, too, must detect these across your external attack surface using multiple security testing techniques, and then correlate the results to identify the attack vectors bad actors can use.
Prioritizing risks in the external attack surface makes it possible to know where to focus first. Without prioritization, it is nearly impossible to manage the volume of security issues and alerts organizations face. Importantly, prioritization must incorporate business context: which assets and data belong to what departments or subsidiaries within your organization, as well as the business processes associated with the assets.
Remediation is critical for attack surface protection, so operationalizing remediation is a crucial element of effective external attack surface management. Typically, IT operations teams, not security teams, are tasked with remediation. To accelerate remediation workflows, security teams should provide detailed and actionable evidence along with remediation guidance for every identified risk. That enables operations teams to remediate with little to no additional investigation.
Executing the previous elements continuously is the only way to stay ahead of the ever-changing IT and threat environment. The organization keeps building, changing, and adding to the IT ecosystem and attackers never stop. External attack surface management must be equally continuous to discover, test and eliminate risk from the changing attack surface.
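The discovery, correlation, prioritization and evidence hand-off steps above, as an added illustration that is not part of the original article: the asset inventory, business context and findings are constructed sample data, and the scoring weights are assumptions chosen to show how business context changes the ranking.

```python
# Constructed sample inventory: externally exposed assets with the business
# context (owner, business process, criticality 1-3) that prioritization needs.
ASSETS = {
    "vpn.example-sub.com": {"owner": "Acquired Subsidiary", "process": "remote access", "criticality": 3},
    "shop.example.com":    {"owner": "E-commerce", "process": "customer payments", "criticality": 3},
    "blog.example.com":    {"owner": "Marketing", "process": "public content", "criticality": 1},
}

# Constructed findings from several checks; "kind" mirrors the exposure classes
# named above (misconfiguration, auth/crypto weakness, CVE). Severity is 1-3.
FINDINGS = [
    {"asset": "vpn.example-sub.com", "kind": "cve", "severity": 3,
     "evidence": "service banner reports an end-of-life firmware version"},
    {"asset": "vpn.example-sub.com", "kind": "auth", "severity": 2,
     "evidence": "admin login page reachable from the internet without MFA"},
    {"asset": "shop.example.com", "kind": "crypto", "severity": 2,
     "evidence": "TLS 1.0 still offered"},
    {"asset": "blog.example.com", "kind": "cve", "severity": 3,
     "evidence": "CMS version with published advisories"},
]

def prioritize(assets, findings):
    """Correlate findings per asset, then rank by technical severity weighted
    with business criticality. An asset that pairs an authentication weakness
    with another exposure gets a correlation bonus (assumed weight): together
    they form an attack vector rather than two isolated alerts."""
    by_asset = {}
    for f in findings:
        by_asset.setdefault(f["asset"], []).append(f)
    ranked = []
    for name, fs in by_asset.items():
        ctx = assets[name]
        kinds = {f["kind"] for f in fs}
        score = max(f["severity"] for f in fs) * ctx["criticality"]
        if "auth" in kinds and len(kinds) > 1:
            score += 2
        ranked.append({
            "asset": name, "owner": ctx["owner"], "process": ctx["process"],
            "score": score,
            # Evidence travels with the record so operations can act without re-investigating.
            "evidence": [f["evidence"] for f in fs],
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked

if __name__ == "__main__":
    for r in prioritize(ASSETS, FINDINGS):
        print(r["score"], r["asset"], r["owner"], r["process"], r["evidence"])
```

Note that the blog carries the highest raw severity yet ranks last once business criticality is applied, while the subsidiary VPN, combining an auth weakness with an outdated version, goes to the top.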