Tips and Best Practices to Get New
Security Leaders Up and Running

TIP 01
Begin with Attack Surface Management as Your Security Program Foundation

One of your first priorities as a CISO should be to assess your organization’s risks so you can effectively allocate and prioritize your security program resources. Based on the most common tactics attackers use to breach your organization, there are two broad areas of risk exposure you need to consider. These are your:

• Attack surface
• Users and endpoints

Most organizations have effective coverage against the second area with email security, endpoint security, and anti-phishing security and training solutions. But those same organizations —especially highly distributed organizations and those using cloud and as-a-service technologies — do not have full visibility to their attack surface and their attacker-exposed and soon-to-be-exploited assets. This paper focuses on the risk from your attack surface and how you can benefit from an assessment of your organization’s security posture by viewing your attack surface from an attacker’s point of view.

Figure 1. Your attack surface is the group of your attacker-exposed assets, known and unknown, wherever they are: in the cloud, in third-party environments, or in your subsidiaries.

Shadow risk, critical risk that is unseen or unmanaged by IT and security teams, is growing exponentially as applications, systems and infrastructure that used to sit within an organization’s well-defined perimeter are now shifting — in part or entirely — to cloud and partner networks. The implications of this change are profound because every small misconfiguration in a cloud environment or a partner’s network has the potential to open up access to your sensitive customer data, financial information and systems, application source code and intellectual property.

TIP 02
You Won't Find Shadow Risk Under a Streetlight

One approach popular among new CISOs  assessing their organizations’ security posture is to commission a penetration test. The challenge with penetration tests is that they are limited in:

• Coverage – providing visibility into a fraction of the entire attack surface
• Frequency – lasting just a few days or weeks and representing a point-in-time view
• Relevance – lacking an understanding of the business relevance of discovered issues
  

Likewise, vulnerability scanners are not designed to give you a complete picture and cannot help you identify unknown risks. They only know about the
assets they are configured to scan, such as particular IP ranges or assets with agents.

The first and foremost problem with these methods is that they ignore the way that attackers identify the blind spots in an organization’s defenses and thus leave them exposed. They are also designed to be point-in-time, as opposed to continuous, and only do in-depth examination on a portion of the attack surface — a portion identified explicitly by an internal team member.

Using penetration testing and vulnerability scanners to map your attack surface is like looking under the streetlight for lost keys — it doesn’t work well, it’s just convenient.

Figure 2. Attackers use advanced reconnaissance techniques that see more of your attack surface than the narrow view provided by legacy risk assessment solutions, depicted here as streetlights.