Attack Surface Management: Why Maturity Models Matter – Part II
The challenges of prioritization, the threat landscape and contextualizing risk for the business
In our last post we talked about the realities of asset discovery. We also talked about the benefits of continuous real-time discovery of assets. Now let’s talk about discovering and prioritizing vulnerabilities across the external threat landscape. Then we will discuss contextualizing digital risk with your business counterparts and how a maturity model can help you communicate risk and justify the business case.
Managing your response to vulnerabilities is a whole other part of attack surface management, but first you must discover them. Your approach to discovering assets is likely to correlate with your method of identifying vulnerabilities. From manual, occasional and sporadic all the way to automated, continuous, and structured, the knowledge you gain from differing methods can vary widely. How you discover vulnerabilities today is another useful data point to map to the Attack Surface Maturity Model. It will enable you to understand where and how you need to improve, or if what you are doing is already optimal.
To improve your responses to emerging and newly discovered vulnerabilities, you must expand your knowledge of external risks and threats, then pair that knowledge with your critical assets. This is how you build the contextual knowledge to prioritize vulnerabilities by digital risk, weed out what is not critical for another time, and quickly identify false positives.
Resolving vulnerabilities by deciphering quarterly scanning reports and creating service tickets is a less than optimal way to address them, because it takes time. Time is an advantage to attackers: the longer you leave gaps, the more they will be exploited to help adversaries achieve their objectives. CVSS scores help, but only when you know that the vulnerability matches something in your environment. You can prioritize high-ranking vulnerabilities, but without continuous scanning you are still operating several months too late, and in some cases your assets may not even be exploitable.
And if that were not enough, then you must meet with business stakeholders to plan for scheduled downtime of applications. At least if you could communicate vulnerabilities in real time, it would cut out at least two or three weeks of time for potential threats to dwell before being identified and managed. The good news is that if you are already prioritizing vulnerabilities, you are on the way towards benefitting sooner from new attack surface management capabilities and improving communication.
Realizing the top end of the spectrum of ASM maturity capabilities will not only support continuous scanning, it will automatically prioritize response based on the digital risk involved. No manual intervention is involved except the one-time task of rating existing and newly discovered assets by digital risk.
Ultimately you need to answer the question: what should I preemptively be looking for? This can seem like a near Houdini-like feat, but there is no reason why you can’t get there by evolving your practice with real-time threat intelligence.
Another important area of attack surface management that is difficult to navigate is understanding and applying knowledge of external attacks. To catch up to the top range of capabilities, you must factor in what is being actively exploited and understand what is going on in the external threat environment. You need to be able to answer: Who is attacking us? What is their infrastructure? What is currently being exploited by threat actors?
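The prioritization the preceding paragraphs describe, as an added illustration that is not code from the original post or from any vendor platform: a vulnerability only counts when it actually matches an asset's product and version (otherwise it is a false positive or not exploitable), and the remaining matches are ranked by CVSS weighted by the asset's one-time digital-risk rating, exposure, and whether the vulnerability is known to be actively exploited. All assets, products, versions and CVE-style identifiers are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    criticality: int        # one-time digital-risk rating, 1 (low) .. 5 (critical)
    internet_facing: bool

@dataclass(frozen=True)
class Vuln:
    cve: str                # placeholder id, not a real CVE
    product: str
    affected_versions: frozenset
    cvss: float
    actively_exploited: bool   # from external threat intelligence

def applies_to(vuln: Vuln, asset: Asset) -> bool:
    """Match product and version; a mismatch is a false positive or not exploitable here."""
    return vuln.product == asset.product and asset.version in vuln.affected_versions

def risk_score(vuln: Vuln, asset: Asset) -> float:
    """CVSS scaled by asset criticality, doubled if actively exploited, x1.5 if exposed."""
    if not applies_to(vuln, asset):
        return 0.0
    score = vuln.cvss * (asset.criticality / 5)
    score *= 2.0 if vuln.actively_exploited else 1.0
    score *= 1.5 if asset.internet_facing else 1.0
    return round(score, 2)

def prioritize(assets, vulns, threshold=8.0):
    """Return (act_now, defer): scored matches above/below the threshold, highest first."""
    scored = [(risk_score(v, a), a.name, v.cve) for a in assets for v in vulns]
    scored = sorted((s for s in scored if s[0] > 0.0), reverse=True)
    act_now = [s for s in scored if s[0] >= threshold]
    defer = [s for s in scored if s[0] < threshold]   # "not critical for another time"
    return act_now, defer

# Constructed inventory and findings (not real products or CVEs).
ASSETS = [
    Asset("web-portal", "acme-web", "2.1", 5, True),
    Asset("build-server", "acme-web", "3.0", 3, False),
    Asset("hr-db", "dbengine", "9.4", 4, False),
]
VULNS = [
    Vuln("CVE-PLACEHOLDER-0001", "acme-web", frozenset({"2.0", "2.1"}), 9.8, True),
    Vuln("CVE-PLACEHOLDER-0002", "dbengine", frozenset({"9.4"}), 7.5, False),
    Vuln("CVE-PLACEHOLDER-0003", "acme-web", frozenset({"1.0"}), 10.0, True),  # matches nothing
]

if __name__ == "__main__":
    now, later = prioritize(ASSETS, VULNS)
    print("act now:", now)
    print("defer:", later)
```

Note that the CVSS 10.0 finding drops out entirely because no asset runs an affected version, while the 7.5 finding on the internal database lands in the deferred list despite a valid match.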
Finally, you need to take this newfound knowledge and apply it to your supply chain partners and M&A targets. We don’t have to tell you that your supply chain offers a key opportunity for threat actors to exploit business systems and siphon off data or money. It represents another, much wider and deeper attack surface that must become a part of your security strategy. The top end of the ASM maturity model scale requires the capability to discover assets and scan your business partners’ and M&A infrastructure.
These newfound capabilities and insights must be contextualized for the business. Part of that is accomplished by measuring your results against industry standards. Gauge your efforts and benchmark them against your framework of choice (NIST, FedRAMP, PCI, CIS Top 18, etc.). This offers you a way to start conversations with business counterparts, so they operate with a clear picture of risk. It will help you justify remediation actions, budget, and your overall security strategy in those conversations.
Beyond these capabilities, a mature attack surface management program saves you time. It should enable you to evolve your prioritized response to include automated communications for real-time stakeholder notification. Integration with IT Ops platforms like ServiceNow or Agile platforms like JIRA pays further dividends by reducing manual processes and simplifying remediation scheduling, helping your team focus on strategic initiatives.
By following a model to mature your attack surface management practice, you will find opportunities to further consolidate tools, optimize communication, respond faster, and reduce digital corporate risk.
To start maturing your knowledge of the risks and threats external to your organization, sign up here for a free trial of our Attack Surface Management platform.