Attack Surface: 5 Fixes to Mitigate Your Organization’s Risk

Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Nick Merritt of Halo Security offers insights on attack surface management and reducing risk to your organization’s assets.

The evolving landscape of cybersecurity has left organizations vulnerable to attack– even the ones that exist to defend others. Security is a complex undertaking; every organization should consider improving its posture. Some don’t start that self-reflection process until they’ve suffered a breach. Others take a more proactive approach, like hiring an experienced security engineer like a chief information security officer (CISO) to offer a new perspective.

But what should those organizations be looking for, exactly? How can they improve their security programs in a meaningful way? The answer is rarely the shiniest new toy that vendors push out; it’s more important to go back to basics and understand how to mitigate risk.

Attack Surface: 5 Strategies to Reducing Risk

Let’s look at five ways to plug gaps in your security program so you can reduce your risk.

Consider All Assets– Internal and External

Most organizations scan for vulnerabilities, but they’re not looking in all the right places. They focus on internal assets at the expense of external assets, which offers attackers an equal opportunity to breach your network. Even though organizations realize they’re not comprehensively scanning external vulnerabilities as well as internal ones, they struggle to find a discovery engine that can complete the task. Just because an asset lives outside your internal infrastructure doesn’t mean it can’t access it. Existing vendors that offer vulnerability management typically aren’t positioned to find those third-party assets or recognize what your attack surface truly looks like. According to a recent study by Trend Micro, 73 percent of organizations are worried about their growing attack surface, and 43 percent believe it is “spiraling out of control.” By investing in an attack surface management (ASM) platform, you can get a deeper insight into just how many internet-facing doors offer access to your infrastructure.

Forget the Notion of ‘Out of Scope’ Assets

It’s not enough to recognize that your attack surface may be larger than you think. Too many organizations don’t understand why that’s a problem. They mistakenly believe that some assets are “out of scope,” when in reality, there’s no such thing. Take the rise of subdomain takeovers, for example. Many security practitioners would consider third-party platforms or development and staging environments associated with a subdomain to be non-critical, but attackers see it as an opportunity.

An orphaned DNS record pointing at a subdomain may be a nuance that organizations turn a blind eye to because they don’t understand how an attacker might leverage that open back door to move laterally throughout a network until they can get to the crown jewels. Penetration testers shake their heads at scenarios like that because they can foresee the risk and how it could quickly morph into a business dilemma that leadership isn’t considering. Other examples of supposed “out-of-scope assets” are third-party marketing and support platforms, legacy environments, partner tools, and forgotten projects. They all pose a risk– 69 percent of organizations have suffered an attack that began with an unknown, unmanaged, or misconfigured asset, according to ESG Research.

Redefine Success in Remediation

Sure, finding and remediating 20 vulnerabilities sounds like a productive day. But it isn’t about the quantity of what you find. Even if the number is zero, it could mean you’re not looking in the right places. What does success look like in vulnerability management?

It’s about remediating the vulnerabilities that pose the most significant risk. Suppose a piece of hardware on your network has a severe vulnerability. In that case, it might pose less of a risk than a moderate vulnerability that’s internet facing, because few people can actually access it. Considering risk in remediating vulnerabilities is the best strategy, and it’s quickly gaining steam. Gartner forecasts that integrated risk management will show double-digit growth through 2024. This practice is tied so closely to security because it highlights the mistakes many organizations make and don’t realize the consequences of.

Implement Continuous Monitoring

Business isn’t exactly booming in the tech industry amid layoffs and budget restrictions. As CIOs spend less on security, it can be tempting to cut services like pentesting. If you’re doing manual assessments, those costly exercises only serve as point-in-time analyses and don’t account for future risks. By leveraging automation, you can get better results without the high costs. Continuous monitoring provides greater transparency into the risks happening at any given time than the periodic analysis many boardrooms require (but don’t accurately depict).

Right-Size Your Assets So Oversight Isn’t So Hard

As an organization grows, so too does its amount of assets. Projects come and go and are often left forgotten on a network. Large enterprises that don’t address the backlog of projects are shocked when a risk assessment shows just how many internet-facing assets are active.

Traditional attack surface management suggests the winning strategy is to take as many assets off the internet as possible, but that’s not feasible either. By doing a periodic review of all assets, and creating a structure where someone has to be accountable for assets, you can get a better handle on what should still be connected and what can come off the network to reduce risk. With each new breach that creates a headline, more organizations hold their breath and wonder, “Am I next?” By taking a proactive approach and assessing your security program in a way that mitigates risk, you can best protect your organization in a landscape that’s constantly in flux.