Sylvain Cortes at Hackuity argues for a view of attack surfaces that extends beyond the surface of organisations
Cyber-criminals are racing to set new records every year. In 2022, attacks increased by 38 percent globally, costing businesses an average of over $5 million.
Clearly, we are doing something wrong. Even though cyber-security investments and funding have increased significantly over the years, we are still failing as an industry to put a stop to breaches.
Getting ahead of these threats requires effective Attack Surface Management (ASM) for any organisation. However, businesses often make the mistake of believing that ASM is only limited to the surface.
We tend to assume that “surface” means the outer crust of our network or the external elements of the business. When it comes to cyber-security, this is a dangerous misconception. Businesses today have many internal assets that face, or are connected to, external domains.
Assets like public clouds, desktop machines, and IoT devices are inevitably linked to the public domain, which threat actors can identify, exploit, and use as a backdoor. Organisations must rethink their attack surfaces by understanding the core aspects of effective ASM.
The fundamentals of Attack Surface Management
Attack Surface Management is one of three distinct pillars under the umbrella of Exposure Management (EM), alongside Vulnerability Management and Validation Management. Confusion is common: that’s a lot of acronyms and overlapping terms.
ASM is frequently misunderstood as a specific solution or process, often due to over-zealous vendor marketing. Instead, it’s an approach that incorporates multiple solutions and activities.
An effective ASM strategy will break down organisational silos and should include three main components:
Why is Attack Surface Management critical?
As business leaders today continuously expand their services, technologies, and workforce, it’s imperative to achieve comprehensive visibility of all vulnerabilities threatening assets and operations. Without effective ASM strategies, businesses will be exposed to critical, unknown threats that can cause irreparable damage to their finances and reputation.
For businesses lacking a robust ASM approach, it’s more challenging to move beyond reactive security measures and focus on the bigger strategic picture. It also makes it difficult for CISOs to convey the value of their work to non-technical business leaders, who care more about the potential business impact of security vulnerabilities than about their technical detail.
Companies that have yet to adopt an ASM approach tend to focus on individual vulnerabilities on a case-by-case basis rather than assessing business risk as a whole. This makes it significantly more challenging to comprehend and prioritise security efforts without the broader business context.
This is due to the ballooning number of vulnerabilities disclosed year over year. For example, in 2010, 4,653 CVEs were discovered, while in 2020, 18,325 CVEs were discovered. In ten years, the rate of CVEs discovered per year has nearly quadrupled. That’s exponential pain.
Some companies attempt to conduct proactive ASM activities but lack the tools and processes required to do so efficiently. Many organisations still use Excel spreadsheets to track internal and external risk management, which creates an unrealistic manual workload for all involved while increasing the likelihood of critical risks being overlooked.
There are, however, enterprises that have recognised the necessity of a more structured ASM approach and are ready to invest in the required tools and processes – but often face key challenges in terms of guidance and focus.
The key challenges of Attack Surface Management
The primary challenge is to determine the specific security requirements across the organisation and identify how ASM relates to similar but distinct practices such as exposure management (EM).
Security leaders need to communicate these variances to the board and obtain their agreement for the necessary investments. This is tough, considering that the average organisation currently has 76 security tools deployed. Keep it simple. Emphasise the fact that ASM will identify and mitigate business risks while enhancing the overall security posture of the enterprise. The two are inseparable.
Next, organisations need to break down the barriers between security teams. These teams likely have different goals, tools, and processes. Even within the same team, there may be different solutions for different problems. To solve this, we need to establish a standard view across all areas of the business. All risk data should go to the same place and be visible in the same way for the CISO.
Shattering silos also helps identify where processes and tasks are being duplicated unnecessarily. As the internal ASM strategy becomes more advanced and automated, teams can move on to implementing CAASM (Cyber Asset Attack Surface Management) – but only once these essentials are hammered into the organisation’s DNA.
For larger and older organisations, this can be tricky, as different departments often grow and evolve independently. Smaller firms with just a few people in IT and security will have an easier time getting everyone on the same page. Whenever possible, starting this process from the outset will save you time and money in the long run.
Unifying security under ASM
Having the right tools is important for collecting and structuring threat and vulnerability data. The end goal? Create a clear, centralised view of cyber-risk so your teams can tackle what matters most. Alignment starts with a shared understanding of organisation-specific risks and how to prioritise and mitigate them.
Above all, never settle for the “surface”.
Sylvain Cortes is VP Strategy at Hackuity and 17x Microsoft MVP
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543