
Managing attack surface management

Attack surfaces have changed. Dr Srinivas Mukkamala at Ivanti argues that your attack surface management plan must change, too

 

You may have spent weeks, months or years perfecting your Attack Surface Management (ASM) plan. It’s the result of extensive collaboration, surveys and testing. It’s well-documented. Everyone knows it. Everyone is trained on it.

 

…and that perfect plan may land you in a lot of trouble.

 

I know, I know. It’s not exactly what you wanted to read today. Please hear me out.

 

The rules for ASM have changed

Since you’re reading this, I’ll safely assume you’re no stranger to the concept of an attack surface. But in recent years, the scale and complexity of these attack surfaces have grown exponentially. The rapid adoption of cloud services, IoT devices and remote work tools has created a vast new frontier for cyber-criminals to exploit.

 

To function correctly, ASM plans must be dynamic to the point of staying three steps ahead. The “perfect plans” of the past don’t cut it anymore. Static plans are ripe for exploitation, even if they were finalised as recently as a year ago. Cyber-criminals move fast. You need to, too.

 

Ivanti’s recent Attack Surface Management report highlights the scope of the challenge: 

  • Over half of IT professionals lack confidence in preventing a serious breach in the next year.
  • 33% feel less prepared to detect and respond to threats than they did a year ago.
  • Almost 40% of employees admit to using personal devices for work despite BYOD bans. 

These numbers underscore a harsh reality: traditional attack surface management (ASM) approaches are no longer sufficient. As our IT ecosystems grow more complex in this Everywhere Work era, strategies must evolve to keep pace.

 

ASM in the age of Everywhere Work

The shift to remote and hybrid work models has sent attack surfaces to mind-numbing heights of volume and complexity. With employees accessing corporate resources from a wide range of devices and locations, the perimeter has all but disappeared. Shadow IT and blurred lines of BYOD compliance make for constantly evolving entry points. This new reality demands a fresh approach to ASM.

 

What should an effective ASM strategy look like today? I’m not embedded in your company, so I won’t presume to know exactly what you need, but in general, an effective ASM strategy is: 

  • Comprehensive. Instead of a patchwork approach with specialised solutions for different areas of your business, look for a comprehensive, end-to-end platform with continuous monitoring that closes gaps and eliminates rework.
  • Proactive. A security team can no longer measure success by how quickly they can react. Remediation is important, but prevention reigns supreme. It’s impossible to proactively guard against every conceivable threat, which is why forward-thinking leaders are adopting automated, risk-based prioritisation.
  • Locked down. Zero-trust architecture, which assumes bad actors are always on your network, goes a long way toward mitigating risks. Remember that exposure doesn’t always result from malice; it’s often attributable to inadvertent errors from well-meaning employees.
  • Employee-centric. Security and digital employee experience shouldn’t be mutually exclusive. An effective ASM strategy, as with any technology adoption, should make the employee experience more secure and productive. This might sound like it conflicts with the point above, but today’s most robust ASM solutions balance strict access control with positive digital employee experiences.

 

Extending ASM across the organisation

A patchwork approach isn’t only a problem in ASM tools; it’s also a problem in organisational structure. The persistent presence of silos within organisations is a key obstacle to effective ASM. Too often, IT and security teams operate in isolation, leading to gaps in visibility and response capabilities.

 

A comprehensive platform can help mitigate these gaps, but you still need to get everyone working from the same POV. Case in point: Ivanti’s research shows that 82% of cyber-security professionals say their productivity suffers due to siloed data, while 40% report that these silos slow incident response times.

 

To overcome these challenges, CISOs and CIOs must foster a culture of collaboration and shared responsibility. This means you should: 

  • Establish clear lines of communication between IT, security and business units.
  • Define roles and responsibilities for ASM across the organisation.
  • Leverage tools and platforms that enable real-time data sharing and analysis. 

Getting everyone within your own organisation on board with your ASM strategy is a phenomenal step, but it’s still not enough. As organisations become increasingly interconnected, the attack surface expands beyond the traditional corporate perimeter. Today, a company’s cyber-security posture is only as strong as its weakest vendor or partner.

 

To extend your ASM strategies across your entire supply chain, consider the following: 

  • Conduct thorough risk assessments of vendors and partners.
  • Establish clear security requirements and SLAs in contracts.
  • Continuously monitor third-party networks and systems for vulnerabilities.

 

Now it’s your turn

You’re the expert on your organisation. While these guidelines should give you a place to start — and the alarming statistics may equip you with the leverage you need to get others on board — you’ll need to adapt these recommendations to your organisation’s unique risk profile, industry and IT ecosystem. However, one thing is clear: legacy ASM strategies are no longer an option.

 

Not sure if your current ASM strategy is up to par? Threat actors will be happy to test it for you and expose vulnerabilities. But my guess is you’d rather get ahead of things and direct valuable resources toward proactive tools and strategies instead of filling the pockets of cyber-criminals.

 

Start by assessing where things are now. And when adopting a new strategy, ensure it will adapt and scale with your organisation and the evolving threat landscape. (Otherwise, you’ll be back at square one before you know it.)

 

As I said before, cyber-criminals move fast. They adapt, scale and evolve. Shouldn’t you?

 


 

Dr Srinivas Mukkamala is Chief Product Officer at Ivanti

 

Main image courtesy of iStockPhoto.com and RerF



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543