Imagine you just received information that an intercontinental ballistic missile is three minutes out, and you’re at the grocery store…What do you do? The honest truth is that if all you know is there is a problem, the barriers to action can be immense. This is the problem with most attack surface management (ASM) products today.
Our infrastructures used to be restricted to known internet protocol (IP) space, which made it “easy” to point vulnerability scanners at this known attack surface and monitor for exposures and vulnerabilities. The challenges of digital transformation and cloud adoption have made it less obvious where the boundaries of your infrastructure lie, which is the problem many ASM products are trying to solve – identifying problems and discovering unknown assets. Unfortunately, this is where most of these products then leave you off on your own to figure out how to fix these issues they so helpfully identified.
Earlier, I had “easy” in quotes when talking about vulnerability management, because as simple as it may seem, getting systems patched in a timely fashion is one of the enduring challenges in cybersecurity. One reference point for this that stands out from my years as an analyst was the Wannacry attack. Microsoft had released a patch for the world-ending vulnerabilities Wannacry had targeted two months earlier, and yet many organizations were unable to get the patch deployed.
Vulnerability management doesn’t even begin to scratch the surface of this problem, however, because a primary use case for ASM is to identify unknown infrastructure. Once you know about an exposure or vulnerability that’s been introduced into your attack surface, it often becomes a race to answer questions such as:
- Who owns this asset?
- Does the business need outweigh the risk of leaving this asset up?
- How would you secure this asset or mitigate the exposed risk?
Meanwhile, you may find yourself back at the imaginary grocery store, staring at the frozen orange juice and waiting for people to reply to emails so you can start to figure out what to do.
Maybe you’re standing in the candy aisle, eating something you’re never going to have to pay for, thinking about how things could have been different. We have been too. Here’s how:
- Helping determine asset ownership. Querying systems of record to determine ownership and failing that, leveraging other means of determining who is responsible for that asset sitting in someone’s cloud is a critical first step toward enabling customers to react to new information. In the grand scheme of things, this is a no-risk effort on the part of an ASM solution that can prove invaluable in terms of time saved.
- Understanding asset tags from other technologies. Sometimes you do have information about a particular asset that may be able to help you understand the production value of an asset, and whether taking it down will cause an outage. We also understand that this information may not all be in the same place. Being able to understand asset tags from other technologies can help provide information about business criticality.
- Providing a mechanism for remediation. Often security doesn’t have the ability to make changes in the production environment, but there are critical exposures, such as publicly accessible RDP services, that just have no good reason for existing. In these situations, having an ASM solution that can deliver these remediations enables you to secure the environment in a timely manner.
These are just a few ways Palo Alto Networks has improved our Cortex Xpanse product with Active ASM to enable you, our customer. For more information on this and other exciting content, register for Cortex Symphony 2023 here.