What is an Attack Surface?
Imagine you live in a house with two doors and five windows. Each night, you check each door and window to make sure it is locked. But what if there was a hidden sixth window, hiding behind a curtain, forgotten about? This window may not be locked, therefore is a prime opportunity for intruders to break into.
An attack surface works in a similar way. The attack surface is defined as “the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.” Attack Surface Management, also known as Cyber Attack Surface Management, is the process of defining, prioritizing, and acting on the attack surface, faster than your attackers.
The term “attack surface management” isn’t new, but it’s often mixed up with the terms “asset management” or “asset discovery.” Unlike these terms, attack surface management isn’t just about monitoring known asset inventory, nor about finding shadow and legacy IT, though those are both important and benefit from being well understood by organizations. Attack surface management covers aspects of both, but most importantly, it’s deployed within the context of real risk.
Another key thing to understand about an organization’s attack surface is the fact that it’s not static—it’s constantly evolving and increasing. On its own, this increase is not necessarily bad. As organizations mature, they naturally undertake normal growth activities like business transformation, attrition, hyper-growth, cloud and AI adoption, and mergers and acquisitions (M&A), all of which open up the potential for additional cyber threats. These initiatives expand their web of internet-facing assets, but with limited resources and dispersed accountability, the ability to maintain oversight wanes. Unfortunately, there is a long line of malicious attackers waiting and watching, looking for a way in.
Reducing Your Attack Surface
The simplest way to reduce your attack surface is to eliminate assets no longer relevant to your enterprise operations. Eliminating non-relevant assets requires a close and detailed understanding of the components within your technology stack and your asset inventory. You may discover assets previously assumed to have been eliminated. Many asset inventories still live on spreadsheets, which introduce errors and inaccuracy over time.
Basic data security mechanisms and risk assessment best practices that support them need to be in place. Encryption is an easy way to reduce potential vulnerabilities and your digital attack surface. Security controls such as data encryption should be in use across the organization.
Risk is a key metric to prioritize attack surface reduction. Addressing the assets which contain high indicators of risk can provide a good return on investment almost immediately. Risk indicators can include common vulnerabilities and exposures (CVE), a list of publicly disclosed computer security flaws. Other risk indicators can consist of invalid certificates, SSL scores, and more.
CVEs generally require immediate attention. It is best practice to track CVEs against the organization’s asset inventory and then apply updates or other mitigations as quickly as possible. CVEs identify exposures that an attacker can use to penetrate a network and breach data. Defenders must promptly update and patch the identified software, or adjust security controls to protect the assets affected by the identified CVEs.
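The two steps above, reconciling a spreadsheet-style inventory against what is actually observed on the internet and then ranking what you find by risk indicators (open CVEs, certificate validity, SSL grade), look like this in code. This is an added example, not Bugcrowd's code or any product's API; the hostnames, scores and dates are constructed sample data, and the scoring weights are assumptions of the example rather than a standard.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Observation:
    """One discovered internet-facing host and the risk indicators a scanner
    reported for it. All values are constructed sample data."""
    host: str
    max_cvss: float = 0.0                  # highest CVSS among its unpatched CVEs, 0 if none
    cert_valid_until: Optional[date] = None
    tls_grade: str = "A"                   # letter grade as an SSL scanner would report it


# Weights are an assumption of this example, not a standard; tune them to your own risk model.
TLS_PENALTY = {"A": 0.0, "B": 0.5, "C": 1.0, "F": 3.0}
EXPIRED_CERT_PENALTY = 2.0
UNKNOWN_ASSET_PENALTY = 3.0    # unknown assets receive no routine patching


def reconcile(inventory: set[str], discovered: dict[str, Observation]) -> dict[str, list[str]]:
    """Compare the inventory with what was actually observed on the internet."""
    seen = set(discovered)
    return {
        "known": sorted(inventory & seen),      # in the inventory and still live
        "unknown": sorted(seen - inventory),    # live, but nobody listed it
        "stale": sorted(inventory - seen),      # listed, but no longer observed
    }


def risk_score(obs: Observation, today: date, known: bool) -> float:
    """Additive score: CVSS first, then certificate state, TLS grade and inventory status."""
    score = obs.max_cvss
    if obs.cert_valid_until is not None and obs.cert_valid_until < today:
        score += EXPIRED_CERT_PENALTY
    score += TLS_PENALTY.get(obs.tls_grade, 1.0)
    if not known:
        score += UNKNOWN_ASSET_PENALTY
    return score


def prioritize(inventory: set[str], discovered: dict[str, Observation],
               today: date) -> list[tuple[str, float]]:
    """Rank every observed host, highest risk first."""
    known = set(reconcile(inventory, discovered)["known"])
    scored = [(o.host, risk_score(o, today, o.host in known)) for o in discovered.values()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample data: a spreadsheet-style inventory and a scanner's findings.
INVENTORY = {"www.example.com", "api.example.com", "old-vpn.example.com"}
DISCOVERED = {
    "www.example.com": Observation("www.example.com", cert_valid_until=date(2026, 1, 1)),
    "api.example.com": Observation("api.example.com", max_cvss=7.5,
                                   cert_valid_until=date(2026, 1, 1), tls_grade="B"),
    "legacy-staging.example.com": Observation("legacy-staging.example.com", max_cvss=9.8,
                                              cert_valid_until=date(2023, 3, 1), tls_grade="F"),
}
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for group, hosts in reconcile(INVENTORY, DISCOVERED).items():
        print(f"{group:8} {hosts}")
    for host, score in prioritize(INVENTORY, DISCOVERED, TODAY):
        print(f"{score:5.1f}  {host}")
```

The "stale" group is the one the section above warns about: an asset the spreadsheet says was decommissioned may still answer on the internet, and an asset the spreadsheet still lists may be gone, so both directions of the set difference are worth reviewing. The forgotten staging host lands at the top of the ranking because it combines a high CVSS score, an expired certificate and the fact that nobody owns it.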
Attackers are in a race with defenders to exploit newly discovered vulnerabilities. Remember that at some point these are publicly announced, and at that moment many organizations still have not implemented known mitigations. Exploitation happens both before CVEs are announced and within days of announcement.
Diversification helps reduce risk. Even if you have automated attack surface management tools, you can consider adding an active testing program such as Bugcrowd’s Managed Bug Bounty or Pen Testing as a Service solutions.
Don’t Skip the Security—Why Your Company Needs Attack Surface Management
As cybersecurity teams strive to stay ahead of attackers, visibility into the attack surface is crucial. How can you secure what you don’t know exists?
Unknown or unprioritized assets are ticking time-bombs when they fail to receive routine maintenance and vulnerability patching.
Don’t take our word for it—let’s take a look into one of the highest-profile data breaches of the century. In the 2017 Equifax breach involving the Apache Struts vulnerability, 147 million Americans had their personal details and sensitive information exposed. Equifax actually did know about the Apache Struts vulnerability before the now-infamous breach. Equifax relied heavily on automated vulnerability scanners, but failed to maintain a registry of the public-facing technology they owned. This means Equifax failed to find and patch the vulnerability in an unseen asset before the malicious exploit. The problem wasn’t just awareness of external risk, it was awareness of at-risk assets.
This situation illustrates one of the obvious reasons for attack surface management—protecting your organization’s reputation. A breach creates bad press and impacts customer retention.
The Difference Between External Attack Surface Management and Attack Surface Management
External Attack Surface Management (EASM) is slightly different from ASM. EASM focuses on monitoring the external attack vectors that outside entities can exploit to compromise an organization’s digital assets, and so attempts to reduce risk from external threats. ASM is generally used to refer to both internal and external, or just internal, ASM. Internal ASM prioritizes identifying (and mitigating) the vulnerabilities in an organization’s internal network, that is, threats that originate from its own infrastructure.
The Difference Between Cloud Security Posture Management and Attack Surface Management
According to TechTarget, Cloud Security Posture Management (CSPM) is designed to identify misconfiguration issues and compliance risks in the cloud. It helps continuously monitor cloud infrastructure for gaps in security policy enforcement. CSPM tools are designed to detect and remediate issues caused by cloud misconfigurations.
A good EASM tool can help with that goal by including cloud environments in scope, as well as other external-facing environments.
What to Look for in Attack Surface Management Platforms
Traditionally, many organizations rely on attack surface scanners for attack surface management. However, there are some major limitations of these solutions, including:
1. Lag-time
Let’s start with something that might sound a bit counterintuitive. The fundamental value proposition for most tools is the ability to provide continual insight into your attack surface, saving time and resources in the process. It’s certain you will save hourly effort, but less certain that you’ll achieve rapid time-to-value. Unless the tool in question utilizes continually updated, pre-indexed data, you may be forced to wait up to a month for an initial scan to complete. This renders most tools useless for many critical use cases, including M&A.
2. Ability to assess and prioritize
While many scanners are tuned to identify assets that may be vulnerable, it is next to impossible for them to verify the accuracy of those initial assessments without serious risk. EASM tools often have no concept of scope, nor the implications of various tests across multiple scenarios, where proof of exploitation could cause significant business or security risk to production environments, and the false positive rate is typically high. As a result, these tools are also highly limited in their ability to truly prioritize discovered assets. A rollup of 3,000 newly discovered assets, pulled from the shadows, is only as useful as your ability to action them.
Instead, a good EASM solution will not only provide automated scanning capability to identify very common flaws, but the ability to assign a severity level (e.g. a CVSS score), as well.
3. Ability to include cloud in-scope
The use of CSPM tools is a trend in security, however, the last thing security teams need is another siloed solution in their tech stacks. It’s a best practice to combine all external attack surface management under one tool, including cloud monitoring capabilities.
4. Ability to easily combine with human-driven testing
It’s important to keep in mind that the best EASM tool has very limited value unless you can use it as a “springboard” for follow-on, human-driven testing – such as penetration testing or crowdsourced testing. In fact, EASM can be a force multiplier for such testing by amplifying its impact and productivity – providing valuable “attack surface intelligence” that helps refine scope, and by weeding out common, simple flaws that can be addressed with built-in scanning. If you can do all of the above in a single, unified environment, that saves a lot of time and resources.
5. Ability to keep stakeholders informed
The best EASM tools will provide alerts, notifications, and integrations with ticketing tools like JIRA and ServiceNow so that the current risk exposure is known by all stakeholders at all times. This helps the business make better decisions and helps the engineering team remediate faster by bringing continuous attack surface intelligence into their regular workflows.
ROI of Attack Surface Management
The SANS Institute created a comprehensive equation for assessing security investments that personalizes the math to reflect your unique environment, as well as the average impact of the solution in question. As such, this has become a popular method for demonstrating the risk reduction potential for your target investment.
The Return on Security Investment (ROSI) formula requires a business to estimate its annualized loss expectancy (ALE): the monetary loss from a single incident multiplied by the number of times such an incident might occur in a year. The ALE is then multiplied by the mitigation ratio (the expected impact of the risk-reduction activity), the cost of the solution is subtracted, and the result is divided by the cost of the solution.
ROSI = (ALE x Mitigation Ratio – Cost of Solution) / Cost of Solution
Applying this to attack surface management, let’s use the Gartner estimate from earlier, assuming that one-third of successful attacks would be against unknown or unprioritized assets. If that has been, or could be true in your organization, then your ALE might be a little higher. It might also be higher if your entire attack surface has suddenly expanded due to digital transformation, M&A, or a host of other events that often lead to an explosion of unknown and potentially vulnerable assets.
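The ROSI formula above, worked through in code with the ALE built from its two inputs and the break-even solution cost derived from the same terms. This is an added example, not the blog's or SANS's own calculator; the dollar figures, incident rate and mitigation ratio are constructed assumptions, not benchmarks.

```python
def annualized_loss_expectancy(single_loss: float, incidents_per_year: float) -> float:
    """ALE: monetary loss from one incident times how often it is expected per year."""
    return single_loss * incidents_per_year


def rosi(ale: float, mitigation_ratio: float, cost_of_solution: float) -> float:
    """ROSI = (ALE x Mitigation Ratio - Cost of Solution) / Cost of Solution."""
    if cost_of_solution <= 0:
        raise ValueError("cost of solution must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio is the fraction of the ALE removed, 0..1")
    return (ale * mitigation_ratio - cost_of_solution) / cost_of_solution


def break_even_cost(ale: float, mitigation_ratio: float) -> float:
    """Highest annual spend at which ROSI is still zero or better (ROSI = 0 solved for cost)."""
    return ale * mitigation_ratio


# Constructed scenario; the figures are illustrative, not benchmarks.
SINGLE_LOSS = 1_200_000.0      # loss from one breach
INCIDENTS_PER_YEAR = 0.5       # one such breach expected every two years
MITIGATION_RATIO = 0.25        # assumed share of the ALE the ASM program removes
COST_OF_SOLUTION = 100_000.0   # assumed annual cost of the ASM program

if __name__ == "__main__":
    ale = annualized_loss_expectancy(SINGLE_LOSS, INCIDENTS_PER_YEAR)
    print(f"ALE:            ${ale:,.0f}")
    print(f"ROSI:           {rosi(ale, MITIGATION_RATIO, COST_OF_SOLUTION):.0%}")
    print(f"Break-even cost ${break_even_cost(ale, MITIGATION_RATIO):,.0f}")
```

With these inputs the ALE is $600,000, the program removes $150,000 of expected loss for $100,000 spent, so ROSI is 50%; any solution costing more than $150,000 a year would return a negative ROSI under the same assumptions. The break-even figure is often the more persuasive number for a CFO, because it turns the question from "what is the return" into "how much are we willing to spend".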
By using the ROSI formula, you can quickly show security ROI in a way that will speak to your CFO. Another key piece to consider is the lower headcount needed internally.
Next Steps for Keeping Your Company Safe
As we said earlier in this blog, you can’t secure what you don’t know exists, which is why visibility into the attack surface is so crucial. Check out The Ultimate Guide to Attack Surface Management, which dives into the subject more in-depth, covering the outside-in approach, why automated discovery tools fall short, common attack surface management mistakes, the state of the attack surface, how to action on results, how to build the business case for attack surface management, and more.