Attack Surface Management: Why Maturity Models Matter – Part I
The challenges of asset discovery, the unknown, and ad-hoc vulnerability scans
Attack surface management gets adopted because security leaders have a mandate to know their attack surface, measure and manage digital risk, and improve defenses against persistent threat actors. Like most, you have adopted some of the attack surface management tenets; for example, you must “know thyself,” and that means having a good handle on the assets that need to be protected.
Most start out with the assets they know about: crown jewel assets that represent significant revenue to the company through sales or operational efficiency. That is only the very beginning of the road to discovery, because the business is always changing. You must evolve your efforts to uncover a wide range of new asset possibilities. Most vexing is that you must find out what it is that you currently do not know. This is no small challenge; you must come to terms with how to keep up with applications that spin up faster than you could ever record them in a spreadsheet.
It’s a given that business units are going to go rogue: they will implement their own systems and cloud data repositories, and grant access to outside or untrusted third parties, without ever talking to you. Nevertheless, you must discover and defend these unknowns, identify application owners, and justify the very important cybersecurity actions that must take place to keep things secure by reducing digital risk.
You may have an idea of what your attack surface is made of, but every customer walks away from a POC with us learning something significant that they did not know.
To highlight the Shadow IT challenge: our ASM customers typically discover 30% more assets than they thought made up their attack surface, and this figure has risen as high as 500%. Rogue applications, forgotten web servers, historical portals: to an attacker they all count as legitimate targets. Other times, customer POC results are truly startling and enlightening to them in equal measure. Large environments continuously breed new applications and other unknowns that get stood up every day.
You already know Step One is discovery, but how do you understand where you are overall?
Maturity models pinpoint your place in time and justify elevating your capabilities. You can look at where you are now and know the capabilities needed to get where you need to be: your end game, so to speak.
But this isn’t easy, especially if you are beginning with a legacy spreadsheet that has been passed down with little context. If you are a mid- to large-sized organization with applications being stood up all the time, heavy M&A activity, and/or a supply chain a mile long, the unknown becomes a more acute challenge.
If discovery is the ‘what’, then ‘how’ you go about discovering assets is another capability on the maturity model for attack surface management. Often, companies start by contracting with a vendor to perform quarterly scans. This is a good start. But if you work in an environment where applications are continuously stood up, the supply chain is dynamic, and M&A activity is constant, then you are always behind the curve and acting on yesterday’s news.
When you factor in the multitude of vulnerabilities being introduced all the time, and threat actor techniques and targets changing on a whim, you quickly realize how out of touch the results of quarterly scanning can become.
To break through, you must get ahead of what is happening to your attack surface (all of it) and react faster. With this in mind, our customers quickly realize that only continuous real-time monitoring will help them keep up. It must be passive, must not affect service levels, and above all it must be continuous and supply you with information on new instances and possible malicious intent in real time.
It’s not an easy transition for any team to meet these objectives and groom their analysts to take on an offensive security posture, even with the benefit of working with real-time tools. Without a roadmap and the right intelligence, anyone would be off to a rough start. That is why it is important to look at a maturity model to give you outside perspective and a path to get from one end of the capability spectrum to the other.
Keep reading to find out how referring to a maturity model will help you evolve your attack surface management practice to where it needs to go. If you want to fast-forward your knowledge of external assets and are curious to know how many you really have, click here for our free report.