How Does a CISO Effectively Manage the Attack Surface?

The traditional view of attack surface management (ASM) has changed with remote work and digital transformation. Attack surfaces are now dynamic, complex, and opaque. With this shift, the CISO’s view of attack surface management must also change.

An effective cybersecurity strategy requires every CISO to prioritize the exposure that comes with an eroded perimeter. A modern cybersecurity approach is required, one that can handle the ever-increasing challenge of gaining insight into an evolving threat landscape and the associated risk of cyberattacks.

Modern attack surface management solutions give CISOs the support needed to significantly enhance their security posture. Most ASM's external attack management capabilities automate real-time monitoring to provide the insight needed to measure cybersecurity efficacy across the entire threat landscape.

The Value of Modern ASM Solutions

Many organizations have geographically distributed teams, with each team member using multiple connected devices that increase the risk of cyber attacks. In addition, there is a growing number of IoT devices, new cloud assets that can be quickly brought online, and more connections to third-party partners.

Traditional ASM approaches are no longer sufficient in today's rapidly evolving threat landscape. Organizations relying on irregular, piecemeal inventory and time-consuming manual processes must catch up. Attackers are moving faster, and security teams need to keep pace.

A quality ASM solution provides cybersecurity value in multiple ways. It reduces the human effort required to build an asset inventory, understands the threat landscape, evaluates risks, and—with the help of automation, like that in Cortex XSOAR—can automatically route alerts to the relevant stakeholders for remediation.

Here's why organizations need to shift to more comprehensive, modern ASM solutions:

1. Outdated and Incomplete Inventory:
   Traditional ASM relies on irregular, manual inventory, which can lead to incomplete and outdated information. CISOs need more visibility to make informed risk mitigation and resource allocation decisions.
2. Inability to Keep Pace with the Fluid Attack Surface:
   The attack surface is constantly evolving, especially in cloud environments. Traditional ASM approaches cannot keep pace with these changes, leaving organizations vulnerable to new threats.
3. Lack of Context and Insights:
   Traditional ASM provides limited context and insights into the attack surface. This makes it difficult for CISOs to understand the true risk associated with vulnerabilities and prioritize remediation efforts.
4. Time-Consuming Manual Processes:
   Traditional ASM relies on time-consuming manual processes, which are inefficient and error-prone. This slows security operations and makes responding quickly to new threats difficult.
5. Increased Cyber Risk:
   By failing to address these limitations, organizations using traditional ASM are at increased risk of cyberattacks. Attackers can exploit vulnerabilities and misconfigurations that are not being identified or addressed.

Consider SecOps Running Off of a Traditional Asset Inventory

Vulnerability or antivirus/antimalware scanners cannot run at peak performance because the scan can only be as good as the asset inventory it relies on. Unknown assets or assets belonging to third-party partners will not be scanned and, therefore, will still present risks.

When an unknown asset is discovered under this old way, it often leads to a manual investigation to discover where the asset originated, who was responsible for it, and what exposures or risks might be present on that asset. This type of investigation greatly increases the time needed to prioritize and remediate issues.

Xpanse is agentless and automatic. It continuously discovers, evaluates, and helps mitigate risks on your attack surface. This starts with scanning the entirety of IPv4 space for assets connected to an organization’s network and determining which ones need patching, have insecure remote access implementations, exposed databases, or other risks. When a previously unknown asset is found, the notification should be routed to the team or individual responsible for securing that asset.

A quality ASM solution provides cybersecurity value in multiple ways. It reduces the human effort required to build an asset inventory, understands the threat landscape, evaluates risks, and—with the help of automation, like that in Cortex XSOAR—can automatically route alerts to the relevant stakeholders for remediation.

Don’t Focus on Old Metrics

With this in mind, the focus shouldn’t be on reactive metrics like mean time to detect (MTTD) or mean time to respond (MTTR). These are important metrics, but they hide an important fact of security: Reaction time can be infinite when an attack occurs on an unknown asset.

Before MTTR can have value, SecOps must ensure their mean time to inventory (MTTI) assets are as fast as possible in order to remediate exposures before they can become attack vectors.

On average, Cortex Xpanse customers find 35% more assets than they previously tracked. That’s a lot of unknown assets, but it represents a risk that CISOs and their boards can understand: You can’t secure what you don’t know exists.

The Scale of Threats

An attacker has no shortage of entry points between cloud environments (e.g., multi-cloud, private, public clouds, and hybrid) and many other connected devices and services. What is worse, they can easily find them.

Cyber attacks have also become more sophisticated, involving advanced techniques such as zero-day exploits, ransomware, and nation-state-sponsored attacks. Organizations face a relentless barrage of cyber threats, requiring constant vigilance and rapid response capabilities. The use of automated tools by attackers accelerates the pace and scale of attacks, making it challenging for CISOs to keep up.

Understanding the Components of an Attack Surface

From a CISO’s perspective, the attack surface never seems to cease growing and changing. Components are added by IT teams as part of routine operations, by users (e.g., shadow IT), from mergers and acquisitions (M&A), and by a third party (e.g., supply chain partners, vendors, and contractors).

In modern cybersecurity, the scope of an attack surface encompasses all the points where an unauthorized user (i.e., the attacker) can try to enter data to or extract data from an environment. A CISO must consider all the accessible interfaces that could be exploited for malicious purposes, including the following:

• Hardware: Physical devices, such as servers, computers, switches, routers, and IoT devices
• Software: Applications, including desktop-based, web-based, or mobile
• Networks: All network points, such as IP addresses, ports, and protocols
• APIs: Any of the many that connect different software systems
• Cloud services and data: Cloud-based applications, storage, and services
• Humans: Anyone with access is susceptible to an attack, such as social engineering attacks, phishing emails, and ransomware, and can also be a threat themselves (e.g., insider threats that can be accidental or malicious)

Compliance Pressures

Data protection regulations and Laws such as GDPR and CCPA impose stringent requirements on data protection and breach notification, increasing the pressure on CISOs to secure sensitive information. Compliance with industry standards like PCI-DSS, HIPAA, and others adds to the complexity of managing cyber threats.

Resource Constraints

CISOs face significant challenges in building and maintaining effective security teams due to a shortage of skilled cybersecurity professionals and budget limitations. The talent shortage makes it difficult to find and retain qualified personnel, while budget constraints require balancing necessary security investments with other business priorities, often leading to resource allocation struggles and potential gaps in the organization's defense capabilities.

A Comprehensive Approach to ASM

Modern attack surface management addresses the challenge of the increasingly dynamic attack surface. Effective attack surface management solutions help CISOs take a proactive cybersecurity approach with continuous monitoring and real time insight into the complete attack surface. This guides security teams, helping them efficiently and effectively identify, assess, and prioritize risk.

This proactive and adaptive security strategy must include the following:

• Continuous Monitoring: Implementing real-time monitoring and threat intelligence to promptly detect and respond to threats.
• Automation and AI: Leveraging automation and artificial intelligence to enhance threat detection, response, and mitigation efforts.
• Risk-Based Prioritization: To optimize resource allocation, focus on the most critical assets and vulnerabilities.
• Collaboration and Training: Promoting a security-aware culture within the organization and collaborating with external partners and vendors to strengthen defenses.

Proactive, Not Reactive, Security

Cybersecurity practitioners have a hard enough job without spending unnecessary time and energy on processes that can be automated, so perhaps the most obvious value of ASM is forming the basis of transitioning a security operations center (SOC) from being reactive to being proactive and saving time and money in the process.

ASM helps make your SOC more efficient, reducing human effort to inventory assets, evaluate risks, and investigate stakeholder information, as well as eliminating the need for point-in-time analysis programs. A major concern for CISOs is the downtime and remediation associated with ransomware in particular and data breaches more generally.

ASM can be incredibly valuable in reducing the costs associated with cyberattacks by helping discover exposures, prioritize risk management, and ensure risks are remediated before they can be exploited.

What is Attack Surface Measurement?

Attack surface measurement refers to the process of identifying, quantifying, and assessing all potential points of unauthorized access or vulnerability within an organization's IT environment. This includes all hardware, software, network components, cloud services, and human factors that could be exploited by cyber attackers.

The primary goal is to understand the extent and complexity of the attack surface to effectively manage and reduce potential security risks. Here are the key aspects of attack surface measurement:

1. Asset Inventory:
   • Hardware: Cataloging all physical devices such as servers, workstations, mobile devices, IoT devices, and network infrastructure.
   • Software: Listing all applications, operating systems, and software components in use, including versions and patch levels.
   • Data: Identifying sensitive and critical data, its location, and how it is accessed and stored.
2. Network Mapping:
   • Internal Network: Mapping the internal network architecture, including subnets, VLANs, and communication paths.
   • External Interfaces: Identifying all points of external connectivity, such as firewalls, VPNs, web servers, and APIs.
3. Configuration Analysis:
   • Security Configurations: Evaluating the security settings and configurations of systems and applications to identify potential misconfigurations or weaknesses.
   • Access Controls: Reviewing user permissions, roles, and access controls to ensure they are appropriately set.
4. Vulnerability Assessment:
   • Scanning and Testing: Conducting regular vulnerability scans and penetration tests to discover and assess known vulnerabilities and potential attack vectors.
   • Threat Intelligence: Integrating threat intelligence to stay informed about emerging threats and vulnerabilities relevant to the organization’s environment.
5. Behavioral Monitoring:
   • User Activity: Monitoring user behavior to detect anomalies that could indicate compromised accounts or insider threats.
   • Network Traffic: Analyzing network traffic for unusual patterns that may signify malicious activity.
6. Policy and Compliance Review:
   • Security Policies: Ensuring that security policies and procedures are in place and enforced across the organization.
   • Regulatory Compliance: Verifying adherence to relevant regulatory and industry standards to mitigate compliance-related risks.

By continuously measuring the attack surface, organizations can identify areas of high risk, prioritize mitigation efforts, and strengthen their overall security posture.

5 Core Capabilities of Modern Attack Surface Management

The modern ASM has become an invaluable element of cybersecurity strategy, powered by five core elements. These core capabilities of modern attack surface management are used in concert to secure all points of vulnerability across an organization’s digital presence.

Asset Discovery
Identify all cyber assets across the organization, including those in the cloud, on-premises, or managed by third parties, to create a comprehensive inventory. This comprehensive asset discovery capability is essential because of the dynamic nature of assets in cloud environments where instances, containers, databases, and services can be spun up and down rapidly, making the attack surface highly fluid.

Risk assessment
Evaluate the vulnerabilities and misconfigurations that attackers could exploit. A risk assessment conducted with a modern ASM leverages automated tools for vulnerability discovery and to stay updated on threat intelligence, like common vulnerabilities and exposures (CVEs). CVEs provide standardized identifiers for known vulnerabilities, offering a reliable way to evaluate and prioritize threats.

Prioritization
Assign risk scores to each discovered vulnerability. These take into account potential impact and exploitability. Several methodologies are used to quantify and prioritize risk, including risk scoring models (e.g., common vulnerability scoring system or CVSS), risk matrices for visual representation, quantitative risk analysis techniques (e.g., Monte Carlo simulations), and threat modeling to identify potential threats and evaluate current controls.

Remediation Tactics
A modern ASM can provide recommended remediation tactics. In some cases, remediation can be automated. Remediation tactics include:

• Automating risk remediation and reporting with a security orchestration, automation, and response (SOAR) platform
• Deploying intrusion detection and prevention systems
• Implementing a process for regular audits and tests to verify the effectiveness of each security measure Regularly reviewing and updating access controls to minimize unauthorized access
• Setting secure configurations for hardware and software
• Using a SIEM to aggregate and analyze data across the attack surface

Continuous Monitoring
Security operations require modern attack surface management solutions that can scan the attack surface for new assets, changes, and emerging threats at the speed and scale of the internet.
Continuous monitoring enables proactive strategic decision-making for a CISO. It ensures that the security team can continuously discover, identify, and mitigate risks across all public-facing assets, whether they are on-premises, in the cloud, or operated by subsidiaries and critical suppliers. In some cases, external attack surface management solutions are used.
Moreover, modern attack surface management allows for timely detection and mitigation of threats, reducing the likelihood and impact of successful attacks. This proactive approach to security aligns with business objectives, ensuring uninterrupted operations and trust among stakeholders. Ultimately, effective attack surface management empowers a CISO to drive a robust, resilient cybersecurity strategy that adapts to the evolving threat landscape.

A CISO’s Guide to Attack Surface Management FAQs