The SOC is blind to the attackable surface
A security operations center (SOC) is the central nervous system of any advanced cybersecurity program. Yet even the most well-funded, highly organized and properly equipped SOC is often no match for a simple misconfiguration error.
Organizations have piled security controls upon security controls, and still remain largely blind to the most serious threats they face. Why? Because they are often blind to the attackable surface.
Defenders think in lists, adversaries think in attack graphs
The organizations’ ability to detect and respond to threats is, in many cases, deeply inadequate. The reason for this isn’t a lack of tools or training, but an outmoded perspective.
Placing your faith in conventional security controls is a recipe for ruin. Firewalls, vulnerability management and endpoint tools may offer a base layer of protection, but they are inherently weak without an added layer that includes analysis of daily exposures caused by configuration errors, exploitable vulnerabilities, mismanaged credentials and other common points of risk.
Relying on conventional processes often leaves security staff in a familiar position: besieged with alerts and endless software updates and patches and operating without proper guidance as to how to approach remediation and risk.
A few key things are typically missing, including a laser-like focus on criticality and key risk context. For example, a scanner using standard CVSS scoring can tell you the severity of a vulnerability, but it cannot always go a step further and provide insight into the level of risk that vulnerability truly poses to your business-critical assets. This leaves security teams operating without essential risk context when approaching patching and other related activities.
To illuminate the realities of critical asset risk and protection, it makes sense to take the adversary’s perspective. Drop the lists and the box-ticking exercises and get a deeper look into emerging vulnerabilities and the risks they actually pose.
A layered approach provides better visibility
Conventional security controls have their place, yet they cannot provide the full perspective needed to effectively manage exposures and risk without some assistance.
By integrating attack-centric risk prioritization into their security environments, organizations will be able to gain deeper visibility by adopting the mindset of the attacker. Attack-based vulnerability management solutions launch automated and continuous simulated cyber-attacks in an effort to uncover vulnerabilities within a network, system or application. They work like a red team, but in an automated fashion, which allows for continuous visibility into security environments.
Platforms that use this underlying technology differ in how they approach mapping attack surfaces and defining criticality. Some begin by checking security controls for proper configuration; others take the savvier approach of immediately identifying the most critical assets and identifying all attack possibilities, connecting the dots from potential breach points to “crown jewel” assets. After this is concluded, guided remediation occurs.
The right attacker-based vulnerability management tools can provide the next generation of risk quantification for both cloud and on-premises environments. Choosing the right tool, however, is key.
When layering a risk-based vulnerability management tool into an existing security approach, one should consider a few important attributes:
- Security teams that are reliant on CVSS scoring for patching are often flying blind and waste time fixing issues that pose no real risk to business-sensitive assets. In addition to adding key risk context and evaluating the criticality of exposures, the right solution should direct teams to the most accurate and up-to-date vendor patches, saving hours of research.
- These platforms should also work seamlessly in hybrid environments, allowing for the fast identification of security issues during migrations and the discovery of on-prem attack paths that reach cloud assets.
- Another key attribute is the ability to audit configurations via an API and calculate different attack vectors to find misconfigurations leading to risks such from unmanaged privilege escalations or access token theft.
Gaining total visibility
Ultimately, hackers will bide their time as long as they need to, waiting for a slip up that leads to a breach and exposes a critical asset. Cybersecurity is an asymmetric game, where the onus is on the defenders to be perpetually perfect.
Given that perfection is impossible, it is imperative to maintain deep visibility into emerging vulnerabilities across all of your security environments. To do this you must be able to see the attackable surface through the eyes of an adversary and maintain that visibility on a 24/7 basis, and make sure to focus on protecting the most sensitive assets by highlighting the one percent of exposures that are truly exploitable.
Full visibility – and a deep appreciation of criticality and risk – are the keys to maintaining a SOC that runs smoothly and effectively.