Attack Surface Monitoring (ASM)

YOUR GREATEST STRENGTH IS KNOWING YOUR WEAKNESSES

With digital transformations well underway, digital footprints continue to expand, and so does digital risk. New cloud services, more work-from-home network connections, and a growing mobile workforce all contribute to the size of the attack surface – and the complexity of protecting it. To defend effectively against cyber-attacks, a clear picture of your attack surface becomes essential: knowing where the most significant risks are and how you can mitigate them.

Attack surface monitoring examines your software applications to check for entry points (vulnerabilities) that would give hackers access to your sensitive data. It continuously monitors and protects your company, brand, and assets from external adversaries, helping you understand your exposure, prioritize risk, and remediate issues before they turn into incidents. It forms the core of Attack Surface Management.

Before diving into Attack Surface Monitoring, let’s look at what exactly we mean by Attack Surface.

Attack Surface

In the simplest terms, your attack surface is all the hardware, software, SaaS, and cloud assets accessible from the Internet that store or process your data. It is the sum of all attack vectors (pathways) cybercriminals can use to breach your systems and extract data. An attack surface includes:

  • Known assets: Managed and inventoried assets such as your servers, corporate website, and the associated dependencies

  • Unknown assets: Such as orphaned IT infrastructure stood up outside the purview of your security team, like forgotten marketing sites

  • Vendors: Third-party and fourth-party vendors, whose own exposure translates into significant third-party and fourth-party risk for you

  • Rogue assets: Malicious infrastructure built by threat actors such as malware, a website, or mobile app that impersonates your domain

The graph below shows an attack surface.

The x-axis represents assets – everything from network infrastructure such as Wi-Fi access points and routers to IoT devices and cloud applications.

The y-axis represents attack vectors – ranging from simple things like weak passwords to more complex things like phishing, unpatched software, and encryption issues.


Couldn’t I simply reduce my Attack Surface?

Common methods organizations employ to shrink their attack surface include reducing:

  • The amount of code running

  • The number of Internet-facing mobile apps, web applications, and services running

  • The number of entry points accessible to untrusted users, e.g., by applying the principle of least privilege and access control

Although this reduces the attack surface, it doesn’t prevent security control failures. If an attacker finds vulnerabilities in your remaining web-facing assets before you do, they can still inflict damage by installing ransomware or causing data breaches.

So what can you do? Invest in tools that provide real-time attack surface monitoring and attack surface management.

ATTACK SURFACE MANAGEMENT

Attack surface management (ASM) is the cycle of discovery, inventory, classification, prioritization, and security monitoring of external digital assets that contain, process, or transmit sensitive data.

Attack Surface Management Use Cases

  • Vulnerable and outdated software

  • Legacy, IoT, and shadow IT assets

  • Large-scale attacks on your industry

  • Human mistakes such as phishing and data leaks

  • Unknown open-source software (OSS)

  • Targeted cyber attacks on your organization

  • Intellectual property infringement

  • IT inherited from M&A activities

  • Vendor-managed assets

Components of a Robust Attack Surface Management Solution


DISCOVERY

The initial stage of any ASM solution is to discover all web-facing digital assets that contain or process sensitive data.

These assets may be owned or operated by your organization, or by third parties such as suppliers, cloud providers, or business partners.

These are some examples of digital assets that should be identified and monitored by an attack surface management solution:

  • Cloud storage and network devices

  • Web applications, services, and APIs

  • Mobile applications and their backends

  • Email servers

  • Domain names, SSL certificates, and IP addresses

  • Public code repositories such as GitHub and GitLab

  • IoT and connected devices

INVENTORY AND CLASSIFICATION

Once your assets are discovered, the next step is to commence digital asset inventory and classification, also known as IT asset inventory. This process involves labeling and classifying the assets by their type, business criticality, owner, technical characteristics, and compliance requirements.

A person or team accountable for regular asset maintenance, updates, and protection is essential.

RISK SCORING AND SECURITY RATINGS

Without actionable risk scoring and security ratings, attack surface management would be an impossible task: most organizations have millions of fluctuating digital assets.

Security rating software lets you understand what security issues each asset has and whether they expose information that could result in data leaks, data breaches, or other cyber attacks.

Thus, digital assets must be continuously detected, analyzed, and scored so you can understand which risks need to be prioritized and mitigated.

Security ratings are a data-driven, dynamic, and objective measurement of an organization’s security posture.

Security ratings are derived from externally verifiable objective information, unlike traditional risk assessment techniques like penetration testing, security questionnaires, or on-site visits.

MALICIOUS ASSET AND INCIDENT MONITORING

The current threat landscape extends beyond legitimate corporate IT assets and can involve rogue or malicious assets deployed by cybercriminals or competitors.

These assets could include email spoofing, spear-phishing websites, ransomware, or a myriad of other cyber threats.

Threats could expose personally identifiable information, sensitive data, protected health information, biometrics, trade secrets, and passwords to the dark web in current data leaks or previous data breaches.

With the increasing number of third-party data breaches, continuous identity breach detection is crucial, and the volume of daily breaches can only be handled by specialized software.

CONTINUOUS SECURITY MONITORING

Continuous security monitoring is one of the crucial parts of an attack surface management solution. Increasing use of SaaS, open-source software, IaaS, and outsourcing has made vulnerability and misconfiguration management more complicated.

Attack surface management software monitors assets 24/7 for newly discovered security vulnerabilities, misconfiguration, and compliance issues.

Attack Surface Management vs. Vulnerability Management

Vulnerability management is a subset of ASM. It simulates the tactics, techniques, and procedures (TTPs) of real attackers, which provides insights into the robustness of a cybersecurity program and offers actionable solutions to prevent hackers from infiltrating systems.

Implementing regular vulnerability assessments is a critical step in helping your organization strengthen its cybersecurity posture.

Your attack surface includes all the internet-facing assets that store your data – from hardware to software. Any unknown, unprotected, and unmonitored asset is an attack vector for bad actors. Therefore, ASM planning must include everything bad actors can learn about vulnerable businesses as they investigate the threat landscape.

ATTACK SURFACE MANAGEMENT BEST PRACTICES


Source: Coalfire

1. Understand your attack surface

Staying ahead of threats is challenging. Security teams are increasingly grappling with a sea of alerts and data – hoping they don’t miss something important. Simultaneously, security leaders struggle to validate their organizations’ digital footprints and understand where the most significant risk of exposure lies.

Attack Surface Analytics validates and manages digital footprints end to end – across various business units, geographies, cloud service providers, subsidiaries, and far-flung home offices. With a top-level view of your organization’s digital assets, it is easy to analyze the corresponding cyber risk, quickly remediate any risk exposure, allocate resources where they’re needed most, and drive continuous process improvements.

2. Continuously monitor your endpoints

Monitoring endpoints is a critical component of any attack surface management strategy. The growing number of external digital endpoints, accelerated by the pandemic, has increased the need for greater diligence.

Securing endpoints – particularly remote employees, new digital assets, and recently onboarded vendors – requires an independent monitoring process to identify threats and risky behavior before they cause harm. Accurately assessing your security risk requires having an external, unbiased viewpoint.

3. Benchmark your security program against your peers

In the cybersecurity landscape, assessing your security program performance and cyber risk exposure in the context of the industry and your peers is an effective strategy. You can then use these benchmarks to create data-driven remediation plans and meet security performance goals.

4. Establish acceptable risk thresholds

As cybersecurity threats rapidly evolve, it’s essential to acknowledge that 100% prevention is unattainable. And that’s perfectly natural. Cyber risk is relative to an organization, so it’s crucial to determine an acceptable level of risk.

Security ratings are data-driven, dynamic measurements of a company’s overall cybersecurity strength and range from 250 to 900, with a higher rating implying a better security posture.

Independent research shows that companies with a rating of less than 500 are nearly five times more likely to experience a breach, so depending on your industry and risk tolerance, consider setting a threshold that matches where the vendor or tier needs to be.

Finally, since security ratings are updated frequently, you can use them to monitor for movement against your risk thresholds continuously and inform any remediation plans.
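The inventory, classification, risk-scoring and threshold-monitoring steps described under the ASM components and in this best-practices section, tied together as an added example (not code from the article or from any vendor's product): assets are bucketed as known or orphaned, compared against a per-tier acceptable threshold on the 250-900 scale, and checked for movement across that threshold since a previous snapshot. The hostnames, owners, tier thresholds and ratings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Security ratings on the 250-900 scale the article describes.
RATING_MIN, RATING_MAX = 250, 900

@dataclass
class Asset:
    name: str
    kind: str                  # e.g. "web", "api", "cloud-storage", "repo"
    owner: Optional[str]       # accountable team; None means orphaned/unknown
    criticality: str           # "high", "medium" or "low" business tier
    rating: int                # current externally observed security rating

def classify(asset: Asset) -> str:
    """Inventory stage: known (has an owner), unknown (orphaned) or invalid rating."""
    if not RATING_MIN <= asset.rating <= RATING_MAX:
        return "invalid"
    return "known" if asset.owner else "unknown"

def evaluate(inventory: List[Asset], thresholds: Dict[str, int],
             previous: Optional[Dict[str, int]] = None) -> List[str]:
    """Risk-scoring stage: report orphaned assets, assets below their tier's
    threshold, and assets whose rating crossed that threshold downward."""
    previous = previous or {}
    findings = []
    for a in inventory:
        bucket = classify(a)
        if bucket == "invalid":
            findings.append(f"{a.name}: rating {a.rating} outside {RATING_MIN}-{RATING_MAX}, review data")
            continue
        if bucket == "unknown":
            findings.append(f"{a.name}: no accountable owner (orphaned asset)")
        limit = thresholds[a.criticality]
        if a.rating < limit:
            findings.append(f"{a.name}: rating {a.rating} below {a.criticality}-tier threshold {limit}")
        old = previous.get(a.name)
        if old is not None and old >= limit > a.rating:
            findings.append(f"{a.name}: rating fell from {old} to {a.rating}, crossing threshold {limit}")
    return findings

# Constructed sample data (hypothetical hosts and ratings, not real measurements).
THRESHOLDS = {"high": 700, "medium": 600, "low": 500}
INVENTORY = [
    Asset("www.example.com", "web", "web-team", "high", 720),
    Asset("old-campaign.example.com", "web", None, "low", 480),
    Asset("api.example.com", "api", "platform", "high", 650),
]
PREVIOUS_SNAPSHOT = {"www.example.com": 715, "api.example.com": 710}
```

Calling `evaluate(INVENTORY, THRESHOLDS, PREVIOUS_SNAPSHOT)` yields four findings: the orphaned campaign site (no owner, below the low-tier threshold) and the API host (below the high-tier threshold, and it crossed that threshold since the last snapshot), while the properly owned, well-rated website produces none.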

CONCLUSION

According to 98 percent of survey respondents in a study by CyCognito, attack surface monitoring is a “Top 10” security priority at organizations. But a deeper analysis of survey responses reveals significant gaps across attack surface monitoring coverage and cadence.

In reality, organizations struggle to get even limited visibility into their entire attack surface, despite investing resources across a broad range of individual solutions and processes. Organizations focus only on known assets and therefore are ignorant of significant portions of their attack surfaces. This makes them vulnerable to attackers targeting blind spots specifically because they are unmonitored. This practice of monitoring the known and ignoring the unknown is a form of “Security Theatre” where security teams are doing something, but that does little to eliminate vulnerabilities. Additionally, many organizations use an array of manual processes and tools for attack surface monitoring, making the system fraught with human error, operational complexity, and best-guess analysis.

The solution? A continuous closed-loop process between security testing and attack surface monitoring. The attack surface is continually evolving, leaving business systems exposed and opening new conduits for attackers to penetrate organizations. Thus, CISOs must create a closed loop that starts with attack surface monitoring, proceeds immediately to security testing and risk prioritization, and concludes with the proper remediation actions like new security investments or controls adjustments.