An attack surface management program, or ASM program, has three primary goals. The first is to identify and then reduce the size of the attack surface of the IT ecosystem; second, to mitigate vulnerabilities within the remaining attack surface; and third, continuously monitor the attack surface to detect asset and threat changes and, by extension, trigger corrective actions as needed.
The attack surfaces are huge. They are the sum of all exposed IT assets of an organization. These assets can be secure or vulnerable, known or unknown, in use or not. Essentially, an attack surface is anything attackers can and will discover on-premises, in the cloud, in subsidiary networks, and in third-party vendor environments.
Many ASM vendors promise that their products can provide the framework needed to discover, inventory, prioritize, and monitor every digital asset. But the truth is that a truly successful attack surface management program is a multi-disciplinary, multi-step effort requiring board-level support and the close cooperation of security, network, development, and business teams. human resources, as well as managers of individual business units.
Step 1: Understand your network and determine where it is vulnerable
Security and network teams should review digital assets that attackers might discover if they probe the organization. A digital asset registry should already exist, but now is the time to revisit the risk management process. Check with business units to determine if classifications, business criticality and risk impact levels are up to date. This allows correct prioritization of asset and risk correction. This is also an opportunity to identify and remove unnecessary or duplicate applications and services, one of the fastest ways to reduce the attack surface.
Pay special attention to the DevOps review. Developers tend to create and develop new assets and workloads without necessarily adhering to security policies. They can use third-party services, code, and infrastructure, all of which rapidly expand the attack surface. Implementing infrastructure as code can contain and prevent many of these issues, as well as prevent vulnerable configurations from leaving assets exposed to attack.
Network segmentation is another important way to reduce the attack surface. By dividing a network into segments, its surface is divided into smaller areas, making it easier to monitor and control access and traffic flow.
Step 2: Evaluate ASM platforms and what they should provide
Once the number of known and authorized assets is agreed upon, it is time to select and deploy an ASM platform to provide continuous visibility into security vulnerabilities that may exist or emerge as the threat landscape and IT environments are changing. Take the time to assess and test vendor capabilities. Some of the key features to look for include automated discovery, continuous monitoring, outside perspective, actionable alerts, and easy integration.
Any product should be able to establish the baseline of the attack surface while limiting false positives. Previously, discovery was a manual and time-consuming activity. So make sure that no repetitive manual entry is required and that the process can be accomplished from a simple domain name or IP address.
Attack surfaces are dynamic; real-time visibility is essential. Monitoring should prioritize the most pressing risks, based on an asset’s likelihood of being attacked and discoverable, known exploits, ease of exploitation, and vulnerability it may have after having been attacked, as well as the complexity of the correction required. Smart ASM platforms can downgrade vulnerabilities – even when publicly rated as highly critical – if an asset resides in an environment where it cannot be exploited.
To effectively defend their networks from attack, security teams need to see the organization’s digital footprint through the eyes of a potential intruder. This allows them to fix any vulnerabilities or weaknesses before they can be exploited. Ensure that the evaluated product can provide the ability to analyze the attack surface from the perspective of an external attacker. It’s the exposure that really matters.
Contextual and remediation guidance should accompany each alert to enable security teams to focus on the most critical vulnerabilities and respond appropriately. The information should include the relevant asset, its IP address, purpose, owner, and whether it is active and has connections to other assets. This allows teams to assess the importance and degree of exposure within the environment and determine whether the asset should be taken offline, deleted, remediated, or simply monitored.
The selected ASM product must integrate with existing cybersecurity platforms and services, such as SIEM, security orchestration, automation and response, and extended detection and response. APIs will facilitate integration.
Step 3: Implement policies and training after ASM introduction
Once the attack surface management program is deployed, it will likely uncover hidden or unknown assets. These will need to be examined and removed or secured if necessary. The security team should determine how and why these assets were created so that processes and procedures can be put in place to prevent or control their future appearance.
This is where HR, business unit managers and the security awareness training team play a crucial role. New processes and procedures will need to be integrated into daily workflows, with appropriate associated training to explain and validate their existence. Development teams require special attention, especially if these new policies affect the development lifecycles of applications and services.
Take the time to explain ASM’s role in protecting the business and the dangers of shadow IT in addition to reinforcing data and asset protection rules for remote workers. Remote work expands the attack surface and can easily spawn new digital assets. Now is also the time to revisit the principle of least privilege and ensure that roles and privileges are properly aligned. Make sure your organization has policies in place to prevent former employees from expanding the attack surface. These ASM procedures should be performed after any type of merger, acquisition, or takeover to incorporate legacy assets and attack surfaces, as well as when introducing any new technology or services.
Step 4: Measure the success of the ASM platform and program
Once the ASM platform is launched, use metrics to measure its success. You should see a significant drop in the number of unexpected new assets appearing, as well as an improvement in vulnerability detection and remediation times. Additionally, you should see a decrease in the number of incidents that escalate to serious or critical.
HR should continue to remind employees, especially those working remotely, of their responsibility to minimize attack surfaces. This behavior should be reflected in HR reviews.
The attack surface of today’s organization is increasingly difficult to defend, in part due to the migration to cloud platforms and services and decentralized work environments. That’s why a comprehensive ASM program is more important than ever to keep IT ecosystems secure. An attack surface management program helps strengthen your organization’s security and will satisfy many key elements of common security frameworks and meet important regulatory compliance standards.