CISOs’ strategies for managing a growing attack surface

In this Help Net Security interview, Rickard Carlsson, CEO at Detectify, discusses the evolution of attack surface management in the context of remote work and digital transformation.

Carlsson highlights the challenges CISOs face today, including maintaining visibility and managing compliance in an expanding attack surface, all while dealing with limited resources and rising business demands.


With the shift towards remote work and digital transformation, how has the traditional concept of attack surface management evolved? What are the biggest challenges CISOs face today compared to a few years ago?

Organizations should start forgetting about the old perimeter-based approach to security. There is virtually no difference between office work and remote work anymore. There is no inside and outside, just outside. What is to be secured now is a growing, dynamic, and sprawling mess of endpoints, cloud services, and third-party applications that form an external attack surface.

It is no wonder that CISOs face many challenges today related to attack surface expansion. They are constantly battling to maintain visibility, keep up with modern (and quickly evolving) tech changes and new attack vectors, and stay on top of a growing compliance and regulatory wave (like NIS2, DORA, or the Cyber Resilience Act in Europe). Plus, they need to do it all with limited resources and increasing pressure to bring business value.

Traditional attack surface management often struggles with incomplete and outdated inventories. What strategies and tools should organizations adopt to ensure they have comprehensive and up-to-date asset inventories?

There has been a growing trend of organizations adopting multiple cloud providers, consequently expanding and decentralizing their attack surface. Inventories that aren’t continuously mapped and evaluated make it significantly easier for digital exposures and domain-related vulnerabilities (like subdomain takeover or server misconfigurations) in unknown assets to go unnoticed. Manual inventories are usually either outdated or incomplete, rarely reflecting the current state of the attack surface.

Attackers are well aware that there’s always a weak link, so the best strategy is to immediately identify and closely monitor changes in all internet-facing assets. Automatic and continuous scanning will help your team see what has changed in the attack surface beyond vulnerabilities and issues, and whether that change poses a risk, even if it’s just an IP, a port, or a cloud provider. The best tools will also empower security teams by allowing them to set their own policies to define what change should be considered a risk.
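The two answers above describe continuous inventory diffing: snapshot the internet-facing assets, compare the snapshot with the previous one, and let the security team's own policies decide which changes (a new port, an IP change, an asset on an unfamiliar cloud provider, a CNAME whose target no longer resolves, the classic precondition for subdomain takeover) count as risk. The following is an added example of that logic, not Detectify's code and not from the interview; the asset data model, the two snapshots, the hostnames and IPs, the allowed-port and approved-provider lists, and the three policy rules are all constructed here for illustration.

```python
"""Diff two external attack surface snapshots and flag changes against user-defined policies.
Added illustrative example; all asset data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, NamedTuple, Tuple


@dataclass(frozen=True)
class Asset:
    ip: str                  # "" when the name no longer resolves (NXDOMAIN)
    provider: str            # hosting provider as attributed by the scanner; "" if unknown
    ports: FrozenSet[int]    # open TCP ports observed
    cname: str = ""          # CNAME target when the record is an alias


class Change(NamedTuple):
    kind: str      # new_host, removed_host, ip_changed, provider_changed, port_opened, port_closed, cname_changed
    host: str
    detail: object


# Constructed snapshots keyed by hostname (assumed scanner output, not real assets).
SNAPSHOT_T0: Dict[str, Asset] = {
    "www.example.com": Asset("203.0.113.10", "aws", frozenset({80, 443})),
    "api.example.com": Asset("203.0.113.11", "aws", frozenset({443})),
    "blog.example.com": Asset("198.51.100.7", "aws", frozenset({443}), cname="blog-prod.example-saas.net"),
}
SNAPSHOT_T1: Dict[str, Asset] = {
    "www.example.com": Asset("203.0.113.10", "aws", frozenset({80, 443})),
    "api.example.com": Asset("203.0.113.11", "aws", frozenset({443, 5432})),        # database port now exposed
    "blog.example.com": Asset("", "", frozenset(), cname="blog-prod.example-saas.net"),  # alias target gone
    "staging.example.com": Asset("192.0.2.44", "digitalocean", frozenset({22, 8080})),   # unknown provider
}


def diff_snapshots(old: Dict[str, Asset], new: Dict[str, Asset]) -> List[Change]:
    """Return every change between two snapshots, in deterministic (sorted) order."""
    changes: List[Change] = []
    for host in sorted(new.keys() - old.keys()):
        changes.append(Change("new_host", host, new[host]))
    for host in sorted(old.keys() - new.keys()):
        changes.append(Change("removed_host", host, old[host]))
    for host in sorted(old.keys() & new.keys()):
        a, b = old[host], new[host]
        if a.ip != b.ip:
            changes.append(Change("ip_changed", host, (a.ip, b.ip)))
        if a.provider != b.provider:
            changes.append(Change("provider_changed", host, (a.provider, b.provider)))
        for port in sorted(b.ports - a.ports):
            changes.append(Change("port_opened", host, port))
        for port in sorted(a.ports - b.ports):
            changes.append(Change("port_closed", host, port))
        if a.cname != b.cname:
            changes.append(Change("cname_changed", host, (a.cname, b.cname)))
    return changes


# Team-defined policy inputs (assumed values).
ALLOWED_PORTS = {80, 443}
APPROVED_PROVIDERS = {"aws", "gcp"}

# A policy takes a change plus the current snapshot and returns a reason string, or "" for "not a risk".
Policy = Callable[[Change, Dict[str, Asset]], str]


def unexpected_port(c: Change, new: Dict[str, Asset]) -> str:
    """Flag ports outside the allowlist, both on existing hosts and on newly discovered ones."""
    if c.kind == "port_opened":
        opened = {c.detail}
    elif c.kind == "new_host":
        opened = set(new[c.host].ports)
    else:
        return ""
    bad = sorted(opened - ALLOWED_PORTS)
    return f"ports {bad} open outside allowlist" if bad else ""


def unapproved_provider(c: Change, new: Dict[str, Asset]) -> str:
    """Flag assets that appear on, or move to, a provider the organisation has not approved."""
    if c.kind in ("new_host", "provider_changed"):
        prov = new[c.host].provider
        if prov and prov not in APPROVED_PROVIDERS:
            return f"asset hosted on unapproved provider {prov}"
    return ""


def dangling_cname(c: Change, new: Dict[str, Asset]) -> str:
    """Flag an alias whose target stopped resolving: the precondition for subdomain takeover."""
    asset = new.get(c.host)
    if asset and asset.cname and not asset.ip and c.kind in ("ip_changed", "new_host"):
        return f"CNAME to {asset.cname} no longer resolves (takeover candidate)"
    return ""


POLICIES: List[Policy] = [unexpected_port, unapproved_provider, dangling_cname]


def evaluate(changes: List[Change], new: Dict[str, Asset],
             policies: List[Policy] = POLICIES) -> List[Tuple[str, str, str]]:
    """Run every policy over every change; return (host, policy name, reason) for each hit."""
    risks = []
    for c in changes:
        for policy in policies:
            reason = policy(c, new)
            if reason:
                risks.append((c.host, policy.__name__, reason))
    return risks


if __name__ == "__main__":
    for host, policy, reason in evaluate(diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1), SNAPSHOT_T1):
        print(f"{host}: [{policy}] {reason}")
```

Plain diffing reports every change; the policies are what turn "something changed" into "this change is a risk", and because they are ordinary functions the team can add, tighten or relax them without touching the discovery logic. A closed port or a provider change to "unknown" produces a change record but no risk here, which is the distinction the answer draws between seeing a change and deciding whether it matters.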

How vital are real-time monitoring and automation? How can CISOs leverage these tools to reduce manual efforts and improve security outcomes?

I’d recommend that CISOs look into tools that can actually help their team get their jobs done in the most empowering way, and that goes from streamlining attack surface discovery (with real-time, continuous mapping of assets) to yielding the most accurate and rigorous assessments (can’t stress this enough) and finally seamlessly integrating findings into existing workflows for quick remediation and reduced manual effort. When teams can’t trust their findings and have to look for false positives, incredibly valuable time that could be spent addressing actual risks or generating business value is wasted.

What metrics should CISOs focus on to measure the effectiveness of their attack surface management strategies?

Effectiveness is not measured by counting total fixed vulnerabilities. Expecting security teams to address every vulnerability that comes their way is unrealistic and inefficient, especially considering that many CVEs don’t have an associated attack path in many organizations’ systems.

CISOs should define their risk based on their unique business context and focus on addressing those incidents and breaches that actually matter to their organization. It can also be useful and insightful to look at the detection and remediation time of those relevant issues. Assessing whether efforts are keeping up with compliance requirements and audit findings is also a good indicator of the effectiveness of an attack surface management strategy and tooling.

With many organizations relying on third-party vendors and cloud service providers, how can CISOs manage and mitigate the risks associated with third-party partnerships and the extended attack surface they bring?

CISOs are painfully aware that digitalization efforts and modern tech stacks mean hybrid cloud and large third-party dependency, making the task of taking a gap-free attack surface picture very daunting. In mitigating those risks, they should look into tools that can bring automatic and real-time visibility and the capacity to manage issues in assets hosted across multiple cloud providers. Some degree of exposure is always assured, but it’s up to the CISO to determine what risk is too much risk. Acceptable risk always varies depending on the industry and the degree of digital maturity.
