Where is attack surface management headed?
Reactive cyber defense is a losing strategy. It’s something that’s been tolerated for many decades, but isn’t it more cost-effective, better for the brand, and altogether better to take a proactive approach?
Attack surface management (ASM) is only the beginning of a notable shift toward an offensive—or proactive—security approach. Organizations are, for the first time, realizing they can see outside and far beyond their own borders, gain early insights on inbound threats, and take appropriate and proportionate actions to mitigate threats and reduce risks.
A proactive approach to security means that you must see your entire attack surface like an attacker sees it. Doing so will enable you to use continuous testing to prioritize and validate remediation and stay one step ahead of would-be attackers. However, most organizations don’t typically take that vantage point when thinking about security and aren’t yet looking to strategies like external attack surface management (EASM) to keep themselves safe.
EASM, though, should already play a critical role in an organization’s proactive security protection and will certainly play a role in the future of cyber security. Here’s how organizations can better understand the evolution of attack surface management and three ways they can prepare for the future of security.
Today’s attack surface management
Even with today’s sharper focus on security driven by ever-increasing cyber threats, growing attack surfaces make protecting critical assets and infrastructure complex. Shadow IT is a common problem, and many organizations have been compromised by unknown, unmanaged, or poorly managed internet-facing assets.
This deep concern about managing cyber risk has risen to the very highest levels of corporate leadership. Because of the heightened business risk stemming from cyberattacks, executives and corporate boards are increasingly asking for greater visibility into their organization’s security risk. Additionally, they’re asking for formal metrics via real-time data analysis and better program management.
Today, most security teams employ manual, multi-threaded ASM-like processes that help them manage risk by providing a series of snapshots of their external-facing assets and risk profile. EASM solutions, by contrast, assess the organization’s discoverable attack surface from the adversary’s perspective, and do so continuously and autonomously. In the end, EASM solutions enable teams to evaluate the likelihood of an attack and the impact of their weaknesses.
While ASM processes have contributed significant improvements to the overall security posture of organizations that have embraced them, there is still much that EASM solutions can and should do to be more effective and easier to use.
Organizations need contextual awareness, and unfortunately, the current approach to ASM falls short in this area. While today’s EASM solutions provide many asset-related insights, they do not enable organizations to make better risk-based decisions in real time, the kind of decisions that can insulate those organizations financially from direct threats and third-party risks. EASM solutions were not designed to manage digital business risk holistically, either.
3 predictions about the future of external attack surface management
EASM solutions will become a top priority investment for large enterprises. Gartner puts it succinctly in their Security Operations Primer for 2022: “To succeed, Security & Risk Management leaders must…gain a better understanding of the expanding attack surface.”
So what should business leaders expect for their investment in proactive attack surface management?
Prediction #1: EASM will integrate more digital business risk capabilities to increase its value and ROI.
Organizations increasingly suffer from a lack of visibility, drown in threat intelligence overload, and suffer due to inadequate tools. This means they struggle to discover, classify, prioritize, and manage internet-facing assets, which leaves them vulnerable to attack and incapable of defending their organization proactively.
As attack surfaces expand, organizations can’t afford to limit their efforts to just identifying, discovering, and monitoring assets. They must improve their security management by adding continuous testing and validation.
More can and should be done to make EASM solutions more effective and reduce the number of tools teams need to manage. Solutions must also blend legacy EASM with vulnerability management and threat intelligence. This more comprehensive approach addresses business and IT risk from a single solution.
When vendors integrate threat intelligence and vulnerability management into an EASM solution, and also enable lines of business within the organization to assign risk scores based on business value, the value of the solution increases exponentially. IT security teams, risk managers, and business leaders can then make joined-up and informed risk-based decisions to steer their organization through today’s hazardous business environment.
Prediction #2: EASM will bring automation to labor-intensive processes, saving time, money, and effort.
EASM solutions should take work off your plate. Because teams are already swimming in data, EASM solutions will, in the future, be designed to add value to your security team’s workflow, not volume to the amount of data they must sift through. You can accomplish this only with improved automation.
Automation helps to achieve clarity. It answers questions such as “How accurate is this data?” and “Am I being precise with my mitigation actions?”
Yet too many organizations still rely on spreadsheets to manage their attack surface. Manual updates can take place as infrequently as once a year, and when attempts are made, it takes between 40 and 80 hours to compile an (in)complete inventory of their attack surface. Of course, it doesn’t take attackers nearly that long to find your exposed assets and compromise them. The gap between how long it currently takes you to identify your attack surface and how quickly your adversaries exploit vulnerabilities creates risk for your organization.
As they mature, EASM solutions will focus on business risk by automating the tedious work required to present a 360-degree view of your attack surface. The same solution will help you prioritize weaknesses by what is attackable, so you can address them in the order that benefits the business most and reduce business risk.
Prediction #3: EASM solutions will integrate and automate more threat intelligence capabilities to further enable organizations to proactively defend against adversaries.
To clearly understand your risks, you need to integrate feeds from your threat intelligence sources with your EASM solution. In this way, you gain the transparency required to make decisions about how to prioritize assets, dependencies, and vulnerabilities.
Even though a good threat intelligence provider can tell you who is attacking you and even who is likely to attack you, that is only part of the picture. It still lacks context from a business risk perspective, which EASM solutions of the future will have.
Protection for the future
If anything, Log4j demonstrated to security practitioners just how little they knew about their external IT assets. If the frequency and rapidity with which threat actors have discovered and exploited this and other vulnerabilities taught us anything, it should be that organizations need to be proactive both in their attack surface management and their deployment of protective cyber tools.
Now is the time to use these and other informed predictions to formulate and act on a plan to understand and protect your attack surface—or you may find yourself the next victim.