A CISO’s Guide to Attack Surface Management
Attack surfaces have been irrevocably altered in recent years. The traditional view of an attack surface has imploded with the rise of remote work and digital transformation into the cloud, and so the view of attack surface management must also change to meet these challenges.
Traditionally, changes to an organization’s attack surface happened intentionally and in relatively controlled settings. Because of this, it was acceptable to rely on manual inventory performed relatively infrequently and based on an inside-out view of an organization’s assets.
Unfortunately, modern attack surfaces are constantly moving, changing, shifting, and growing more complex. The idea that cybersecurity teams can track these changes manually isn’t just wishful thinking; it’s dangerous.
What Is Modern Attack Surface Management?
Staff and work are distributed geographically, new cloud assets can be generated in seconds, and organizations are far more connected to third-party partners who could increase risks. New assets are often connected to the internet by default, and the idea of isolating needs to be an active decision. This means that a change in configuration or general asset leak can lead to unknown assets putting organizations at risk if organizations aren't constantly monitoring.
Attack surface management (ASM) processes need to change to meet these challenges. The solution is a continuously updated and data-rich inventory of all internet-connected assets viewed from the outside-in. This comprehensive asset inventory becomes the foundation for all security processes because if you don’t have complete visibility, it’s impossible to discover, evaluate, and mitigate risks to your organization.
To make the situation more urgent, attackers have undergone their own digital transformation. According to Cortex® Xpanse™ research, an attacker can scan the entire internet for vulnerable systems in less than an hour and will begin scanning just minutes after a critical vulnerability is disclosed.1 Further data from MIT Technology Review showed that half of global execs admit to being victims of attacks on previously unknown assets.2
Security operations need to be able to identify exposures fast in order to protect against this kind of speed, so modern ASM must work at the speed and scale of the internet to continuously discover, identify, and mitigate risks across all public-facing assets, whether they are on-premises, in the cloud, or operated by subsidiaries and critical suppliers.
An attack surface is like shifting sand. Between multicloud, private and public clouds, inheriting assets via mergers and acquisitions (M&A), and access from supply chain partners and remote workers, it’s impossible for IT experts alone to gain footing and keep track of all assets and the people responsible for them.
The Value of Modern ASM
By scanning the internet multiple times per day, Xpanse provides a complete inventory of all assets—including IP addresses, domains, certificates, cloud infrastructure, and physical systems—connected to an organization’s network and maps who in the organization is responsible for each asset. This data not only ensures complete visibility but also becomes the foundation for security processes and managing risk.
Consider SecOps Running off of a Traditional Asset Inventory
Vulnerability or antivirus/antimalware scanners cannot run at peak performance because the scan can only be as good as the asset inventory it relies on. Unknown assets or assets belonging to third-party partners will not be scanned and, therefore, will still present risks.
When an unknown asset is discovered under this old way, it often leads to a manual investigation to discover where the asset originated, who was responsible for it, and what exposures or risks might be present on that asset. This type of investigation greatly increases the time needed to prioritize and remediate issues.
Xpanse is agentless and automatic. It continuously discovers, evaluates, and helps mitigate risks on your attack surface. This starts with scanning the entirety of IPv4 space for assets connected to an organization’s network and determining which ones need patching, have insecure remote access implementations, exposed databases, or other risks. When a previously unknown asset is found, the notification should be routed to the team or individual responsible for securing that asset.
A quality ASM solution provides cybersecurity value in multiple ways. It reduces the human effort required to build an asset inventory, understands the threat landscape, evaluates risks, and—with the help of automation, like that in Cortex XSOAR—can automatically route alerts to the relevant stakeholders for remediation.
Don’t Focus on Old Metrics
With this in mind, the focus shouldn’t be on reactive metrics like mean time to detect (MTTD) or mean time to respond (MTTR). These are important metrics, but they hide an important fact of security: Reaction time can be infinite when an attack occurs on an unknown asset.
Before MTTR can have value, SecOps must ensure their mean time to inventory (MTTI) assets are as fast as possible in order to remediate exposures before they can become attack vectors.
On average, Cortex Xpanse customers find 35% more assets than they previously tracked. That’s a lot of unknown assets, but it represents a risk that CISOs and their boards can understand: You can’t secure what you don’t know exists.
Proactive Security, Not Reactive Security
Cybersecurity practitioners have a hard enough job without spending unnecessary time and energy on processes that can be automated, so perhaps the most obvious value of ASM is forming the basis of transitioning a security operations center (SOC) from being reactive to being proactive and saving time and money in the process.
ASM helps make your SOC more efficient, reducing human effort to inventory assets, evaluate risks, and investigate stakeholder information, as well as eliminating the need for point-in-time analysis programs. A major concern for CISOs is the downtime and remediation associated with ransomware in particular and data breaches more generally. ASM can be incredibly valuable in reducing the costs associated with cyberattacks by helping discover exposures, prioritize risk management, and ensure risks are remediated before they can be exploited.
Modern attack surfaces have grown beyond the ability to track manually, and asset leak is a fact of life for security teams moving forward. Taking this to heart and striving to put an attack surface management plan in place will make the path forward clearer:
- Generate an automated and continuously updated single source of truth for all internet-connected assets.
- Decommission or isolate assets that don’t need to be internet-facing to reduce your attack surface.
- Discover and identify account owners for all previously known and unknown assets.
- Find all exposures—vulnerabilities, expired certificates, unsecured remote access protocols, etc.
- Automate risk remediation and reporting with a quality security orchestration, automation, and response (SOAR) platform.
- Continue to monitor, discover, evaluate and mitigate risks as the attack surface changes.
These are the baseline ASM features an organization should expect, but with Cortex Xpanse, CISOs will find all of them, plus have the ability to:
- Configure according to company policies to reduce noise in alerts.
- Operationalize via integrations and two-way APIs.
- Better understand assets with internal/external data.
- Automate via XSOAR.
- Automatically and rapidly build new fingerprints/policies according to events in the news.
Attack surfaces are constantly evolving, and cloud infrastructure is constantly changing. Organizations need an automated attack surface management solution that provides a complete and accurate inventory of their global internet-facing assets and potential misconfigurations to continuously discover, evaluate, and mitigate the risks on an attack surface.
1 2021 Cortex Xpanse Attack Surface Threat Report, Palo Alto Networks, May 2021, https://start.paloaltonetworks.com/asm-report/.
2 A game changer in IT security, MIT Technology Review Insights, September 8, 2021, https://start.paloaltonetworks.com/asm-game-changer-in-security-operations.html.