Editor's note: Expanse has since been rebranded as Cortex Xpanse.
In the supply chain discipline, inventory management has long been studied and optimized. Countless books, websites, and business school classes have been devoted to the art of inventory management. Yet, in information technology and security, inventory management remains elusive.
Case in point: one Expanse customer, a CISO, explained that having a complete and accurate inventory, or “system of record,” is the foundation of any security program. We’ve heard this statement repeated by security leaders across organizations of all shapes and sizes. “You can’t protect what you can't see” comes to mind, and in 2020 this became a huge problem for technology and security teams. As a result of COVID-19, digital transformation within organizations has moved to light speed. Organizations' assets have rapidly moved externally, become fragmented, and in many cases become ephemeral.
A recent Gartner report summarizes the trend:
Most businesses have complex interconnections of servers, cloud instances, desktops, laptops, mobile devices, Internet of Things (IoT) and more. These assets are dynamic, seemingly borderless, and continuously moving and growing. As this footprint increases, so does the organization’s threat exposure. Maintaining asset inventory is fundamental to any robust cybersecurity program and being cognizant of this inventory is fundamental to a vulnerability management program.
(Source: The Essential Elements of Effective Vulnerability Management, October 2020)
Let’s explore the inventory problem in more depth. The enterprise shift from inside to outside has been driven by a set of rapid digital transformations, presenting unique opportunities and challenges:
There is one more thing to add into the mix. What are malicious actors doing? Take VPN as an example. Threat actors actively scan for issues. In fact, there have been reports coming from the U.S. government highlighting how nation-state threat actors exploit the VPN vector. Even ransomware gangs are exploiting vulnerable VPN infrastructure and RDP exposures to distribute their malware to exposed workstations. Our own research shows that attacks correlate with external exposures as well.
In security terms, this boils down to a CISO’s worst nightmare: an ephemeral attack surface. Worse, the rate of flux for this attack surface is driven by cloud workloads being spun up and down, remote employees traversing networks with variable protection, and shadow IT. Protection remains elusive. As CISOs tell us, the rapid rate of change means that even organizations with mature vulnerability management programs can only identify around 80 percent of their attack surface. This situation leaves security teams struggling to answer “Where are my assets?”, never mind asking “How do I secure my assets?” In an increasingly common scenario, CISOs face going before the Board of Directors after a breach occurs and having to say, “I didn’t know about that asset.”
Here are some sample assets we’ve seen:
So what is the prescription? Today, most major compliance mandates require a basic step one: asset inventory. In today’s fast-moving environment, this starts with the recognition that you have to look for externally facing assets and that you can see, at best, 80% of what you actually have. This requires first understanding what you have exposed externally by building a complete external asset inventory including:
Inventory management has been a deeply studied area in supply chain management, which teaches some valuable lessons for cybersecurity. As one noted supply chain expert put it, “‘You can’t improve what you can’t measure’ exemplifies the backbone of a sound inventory management system.” In cybersecurity, the equivalent is: you can’t secure what you can’t see.
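The reconciliation step the prescription above calls for, measuring externally observed assets against the internal system of record, can be shown concretely. The following is an added example, not code from the original post or from Expanse/Cortex Xpanse: the system of record, the owned address ranges (RFC 5737 documentation space) and the externally observed services are all constructed sample data. It buckets each observed host as known, unregistered (inside an owned range but absent from the record) or unknown (outside every owned range, i.e. possible shadow IT or misattribution), flags the VPN and RDP exposures the post singles out, and computes the coverage figure that tells you how much of your attack surface your inventory actually sees.

```python
"""Reconcile an internal system of record with externally observed assets.

Added example (not from the original post or Expanse). All data below is
constructed: the address ranges are RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Services the post names as actively exploited exposures; flagged wherever seen.
HIGH_RISK_SERVICES = {"rdp", "vpn"}


@dataclass(frozen=True)
class Observation:
    """One externally observed service, as an external scanner would report it."""
    ip: str
    port: int
    service: str
    first_seen: str  # ISO date (constructed)


# Constructed system of record: what the organization believes it owns.
SYSTEM_OF_RECORD = {
    "ranges": [ip_network("203.0.113.0/26"), ip_network("198.51.100.0/28")],
    "known_hosts": {"203.0.113.10", "203.0.113.11", "198.51.100.3"},
}

# Constructed external observations.
OBSERVED = [
    Observation("203.0.113.10", 443, "https", "2020-11-02"),
    Observation("203.0.113.11", 443, "vpn", "2020-11-02"),
    Observation("203.0.113.44", 3389, "rdp", "2020-11-05"),  # in range, not in record
    Observation("198.51.100.3", 22, "ssh", "2020-11-01"),
    Observation("192.0.2.7", 443, "https", "2020-11-06"),  # outside all owned ranges
]


def classify_host(ip, record):
    """Place one observed host relative to the system of record."""
    if ip in record["known_hosts"]:
        return "known"
    addr = ip_address(ip)
    if any(addr in net for net in record["ranges"]):
        return "unregistered"  # owned range, but nobody recorded this host
    return "unknown"  # outside every owned range: shadow IT, or not ours at all


def reconcile(observed, record):
    """Bucket observed hosts, list high-risk exposures, and compute inventory coverage."""
    hosts = sorted({o.ip for o in observed}, key=ip_address)
    buckets = {"known": [], "unregistered": [], "unknown": []}
    for ip in hosts:
        buckets[classify_host(ip, record)].append(ip)
    high_risk = sorted(
        (o.ip, o.port, o.service, classify_host(o.ip, record))
        for o in observed
        if o.service in HIGH_RISK_SERVICES
    )
    # Coverage: share of externally observed hosts that the record already knows about.
    covered = len(buckets["known"]) / len(hosts) if hosts else 1.0
    return {"hosts": buckets, "high_risk": high_risk, "coverage": covered}


def report(result):
    """Render the reconciliation as plain text for a ticket or dashboard."""
    lines = [
        f"inventory coverage: {result['coverage']:.0%} of observed hosts are in the system of record"
    ]
    for label in ("unregistered", "unknown"):
        for ip in result["hosts"][label]:
            lines.append(f"{label:12s} {ip}")
    for ip, port, service, status in result["high_risk"]:
        lines.append(f"high-risk     {ip}:{port} {service} ({status} host)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(OBSERVED, SYSTEM_OF_RECORD)))
```

Run against the sample data, coverage comes out at 60%: two of the five observed hosts are invisible to the record, and one of them is serving RDP. In practice the "unknown" bucket needs a verification step before it is added to the inventory, since an external observation can also be a neighbour's host or a stale DNS record rather than your own shadow IT.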
You can learn more through our white paper here about how to defend your attack surface by continuously discovering, tracking, and managing assets.