Cortex Xpanse Researchers Identify Missing Metric for a Modern SOC

May 19, 2021
4 minutes


Adversaries are opportunistic predators, constantly searching for vulnerable targets to attack. Unfortunately for enterprises, these adversaries are much faster at finding vulnerable assets to attack than defenders are at finding those same assets to secure. It’s not just an arms race between adversaries and defenders in terms of conducting cyberattacks and protecting against them. There’s a sprint taking place as well in detecting systems with known vulnerabilities to cyberthreats.

The Cortex® Xpanse™ research team spent the first three months of 2021 monitoring the activities of attackers to better understand how much of an edge adversaries have in detecting systems that are vulnerable to attack. We followed a benchmark that we call “mean time to inventory” (MTTI), which is simply how long it takes somebody to start scanning for a vulnerability after it’s announced.

Most adversary scans observed between January and March began 15 to 60 minutes following announcements of Common Vulnerabilities and Exposures (CVEs). But, in some cases they were much faster. On March 2, threat actors started scanning for vulnerable Exchange Server systems within just five minutes of Microsoft’s disclosure of three zero-days.
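As an added illustration that is not code from the post or from Xpanse, the MTTI metric described above can be computed directly from an external sensor log: for each disclosed vulnerability, take the first matching probe seen after the announcement, ignoring hits that predate it. The CVE ids, timestamps and the `key=value` log format are all constructed placeholders for this example.

```python
from datetime import datetime, timezone

# Constructed disclosure timestamps keyed by placeholder CVE ids (not real identifiers).
DISCLOSURES = {
    "CVE-0000-0001": datetime(2021, 3, 2, 17, 0, tzinfo=timezone.utc),
    "CVE-0000-0002": datetime(2021, 2, 10, 9, 30, tzinfo=timezone.utc),
}

# Constructed external sensor log: one line per probe matching a signature written
# for a disclosed vulnerability. The format is this example's own assumption.
ATTACKER_LOG = """\
2021-02-10T09:05:00Z src=192.0.2.4 sig=CVE-0000-0002
2021-02-10T10:12:00Z src=192.0.2.44 sig=CVE-0000-0002
2021-03-02T17:05:00Z src=198.51.100.7 sig=CVE-0000-0001
2021-03-02T17:08:42Z src=203.0.113.9 sig=CVE-0000-0001
"""

# Constructed record of when the enterprise's own scanner first checked for each CVE.
DEFENDER_LOG = """\
2021-02-11T02:00:00Z scanner=internal sig=CVE-0000-0002
2021-03-03T02:00:00Z scanner=internal sig=CVE-0000-0001
"""

def parse_log(text):
    """Yield (timestamp, sig) from 'ISO8601Z key=value ...' lines; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].endswith("Z"):
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "sig" not in fields:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, fields["sig"]

def time_to_inventory(disclosures, log_text):
    """Minutes from disclosure to the first probe per CVE. Probes that predate the
    disclosure are ignored: they cannot be a reaction to the announcement."""
    first = {}
    for ts, sig in parse_log(log_text):
        disclosed = disclosures.get(sig)
        if disclosed is None or ts < disclosed:
            continue
        if sig not in first or ts < first[sig]:
            first[sig] = ts
    return {sig: (ts - disclosures[sig]).total_seconds() / 60 for sig, ts in first.items()}

def mean_tti(tti):
    """Mean time to inventory across CVEs, in minutes; None if nothing was observed."""
    return sum(tti.values()) / len(tti) if tti else None

def inventory_gap(disclosures, attacker_log, defender_log):
    """Per CVE, how many minutes the first external probe led the defender's own check."""
    a = time_to_inventory(disclosures, attacker_log)
    d = time_to_inventory(disclosures, defender_log)
    return {sig: d[sig] - a[sig] for sig in a if sig in d}
```

With the constructed data, adversary MTTI is 5 and 42 minutes, while the defender's scanner lags by roughly 9 and 16.5 hours.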

Altogether, Xpanse monitored 50 million IP addresses associated with 50 global enterprises, including a subset of the Fortune 500. The research studied the race between threat actors and defenders, and we discovered threat actors have a significant speed advantage with MTTI.

While it used to take weeks or months to scan the global internet, it takes less than 45 minutes today to communicate with every public-facing IP address in the IPv4 space. By contrast, Xpanse research shows that enterprises experience two new serious exposures per day on average – or one every 12 hours.


Enterprises Tend to Be Slow in MTTI for Three Reasons

  1. The attack surface is growing with the rapid transition to the cloud, which supports the recent addition of remote workers during the COVID-19 pandemic.
  2. Vulnerability scanners depend on timely CVE database updates and only query assets that are already known.
  3. Enterprises perform inventory checks only quarterly, via pen tests or red teaming, and these may not be comprehensive enough. With the exception of red teaming, all these approaches focus on known assets, leaving the unknowns unknown.

Xpanse research found 79% of observed exposures occurred in the cloud. The cloud is inherently connected to the internet and it’s surprisingly easy for new publicly accessible cloud deployments to spin up outside of normal IT processes, which means they often use insufficient default security settings and may even be forgotten.

Asset leakage is likely inevitable when an expanding cloud attack surface is combined with more traditional factors that bypass change control, such as mergers and acquisitions, the supply chain and the Internet of Things. But that doesn’t mean enterprises should accept the risk. Tracking an ever-changing infrastructure landscape is an almost impossible task for humans and requires an automated approach, both to discover unknown assets and to ensure they are secure.


MTTI and Attack Surface Management

Enterprises need a system of record of every asset, system and service on the public internet, including across all major cloud service providers and dynamically leased ISP space. This inventory must be comprehensive (including commonly misconfigured assets) and definitively match the full and correct set of internet-facing systems and services back to a specific organization. Necessary security actions then need to be routed to the appropriate personnel or automated where applicable.

All of this can be accomplished more easily by using an attack surface management system such as Cortex Xpanse. Attack surface management enables enterprises to essentially operate in a constant state of scan. That allows security teams to view their entire attack surface through the eyes of an attacker, so they can identify and close gaps faster than their adversaries, who are working around the clock to find new vulnerabilities.

Adversaries are at work 24/7, so security must be as well. Cortex Xpanse is an automated internet collection and attribution Attack Surface Management (ASM) platform. It constantly monitors the global internet to map exposed and untracked assets that comprise customers' attack surfaces, evaluate and prioritize risk, and provide mitigation. Xpanse’s data provides chief information security officers (CISOs) with a view of the enterprise from the outside, representing the view an attacker sees while probing for points of weakness.

For more information on attack surface management and how to ensure your organization is secure, read the 2021 Cortex Xpanse Attack Surface Threat Report. Also watch for a keynote at RSA Conference 2021 by Tim Junio, senior vice president, Cortex, Palo Alto Networks, called, “The Internet Is Small: Own Your Attack Surface Before Somebody Else.”
