Think of all the different points within your organization that provide access to information. That could be your website, the mobile version of your application, your Slack instance, and so much more. It’s a list that gets very long, very quickly.
All of those endpoints, both physical and digital, make up the attack surface of your organization. Basically, each endpoint is an element that could be compromised in some way to gain access to sensitive information which could negatively affect your business or customers. Having full visibility into your attack surface, and the capabilities to manage it effectively, is imperative for companies that want to build resilience into their business.
To help companies better manage their attack surfaces, Fortra recently published the titled Managing Your Attack Surface guide. The guide contains 4 key insights that every organization can benefit from.
Building Clarity Around the Attack Surface
Before we dive into best practices for managing your attack surface, it’s important to define it further. Your attack surface encompasses all the assets within your organization that process or stores sensitive information. This includes assets that are on-premises, in the cloud, or external to the business.
Each of these are potential points of vulnerability that cybercriminals can exploit, so companies need to be on top of their assets in order to protect them. By virtue of how they’re structured, external and cloud-based assets are harder to protect, so businesses need to implement risk mitigation strategies to reduce potential compromises.
To better protect themselves against attacks, businesses need to generate more awareness and visibility within their tech ecosystem. This should happen at two levels:
- Assets: Do you know what all your assets are? How many handle sensitive information? How many are on-premises versus cloud-based? These and other questions can help you establish a robust asset inventory and implement protections appropriately.
- Your attack surface: As your business adopts new tools and deploys new features, the attack surface is always evolving. Defining and reviewing the scope of your attack surface should therefore be a continuous effort.
As part of these reviews, your business should also be considering the types of attacks that could be executed on the different assets within your organization and how you can mitigate their impacts.
Implementing Effective Attack Surface Management Practices
According to Gartner, there are a set of core functions that define Attack Surface Management (ASM): continuous monitoring, discovery, inventory, classification, and the prioritization of sensitive external assets. Having an effective ASM program requires taking concerted efforts to effectively address each of these elements.
Some of the core systems that should be top of mind when it comes to your organization’s attack surface are the following:
- Cloud resources: servers, workloads, SaaS apps, and cloud databases.
- Internal resources: on-premises servers and hardware. (These can be compromised even if they are not externally facing or protected by a VPN.)
- Shadow IT: temporary systems that are not fully decommissioned after use, therefore leaving a door open into the organization.
- Externally provided sources: services provided by external vendors that host your data, including insurance processors, contracted IT services, or auditors.
Due to the evolving nature of each component in the attack surface, some of the best practices in managing it include creating a baseline of the attack surface and continually reviewing it for changes — and adjusting controls and policies to account for those changes.
Aligning Vulnerability Management with ASM
As part of your cybersecurity efforts, you may already have a vulnerability management program that feels reflective of ASM best practices. Since there are a lot of overlaps in these approaches, it’s worth aligning both programs in a shared effort to reduce the attack surface. As you do this, it’s important to clarify where your vulnerability management efforts might have limitations.
For example, whereas ASM should have a capability for identifying new attack surfaces internally and externally, vulnerability management solutions might not include this feature. Vulnerability management solutions are also limited when it comes to creating a robust inventory of assets, as they typically only focus on assets maintained by the organization.
When it comes to leveraging vulnerability management solutions for ASM, there may also be gaps in risk classification and prioritization. In addition, teams will need to have a consolidated and documented approach for any remediation efforts that account for both programs.
Reducing Your Attack Surface
Reducing or hardening your attack surface should be an ongoing goal for your security organization. If an attacker can compromise any of your assets, the damage can have far-reaching consequences. For example, if you are a regulated industry or part of critical infrastructure, there could be legal penalties to overcome.
Beyond adopting and reinforcing a vulnerability management solution, there are other key tactics that your team can deploy. These include:
- Penetration testing
- Dynamic application security testing (DAST)
- Red teaming
- Dark web monitoring
Are you ready to learn more about these best practices and how they could benefit your organization? The Fortra team has covered all these in detail in their Managing Your Attack Surface guide. Download it here.
About the Author:
Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well suited for writing in the cybersecurity space.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.