Too complex to control


David Brown at FireMon argues that attack surface sprawl is undermining enterprise security

Enterprise infrastructure doesn’t stand still. It grows, adapts, overlaps. Often, new systems are added before old ones are fully retired. Third-party integrations multiply. Shadow IT expands in the background. What this creates is a far cry from a streamlined digital environment. Instead, it’s a sprawling, loosely coupled network of assets, users, and entry points.

This is the modern attack surface: less a defined perimeter than a collection of shifting exposures that organisations struggle to see clearly, let alone secure. The problem isn’t scale in and of itself. It’s unmanaged sprawl. And in that sprawl, risk accumulates, not just through endpoints or identities, but through the often-overlooked complexity of policy.

Every tool deployed to increase productivity, every endpoint added for convenience, every permission granted in haste—each becomes part of a surface that attackers can probe, map, and exploit. Not because the defences aren’t there, but because the environment has become too complex and unwieldy to defend comprehensively.

As the number of policy rules increases and access structures evolve in isolation, they quietly expand what we can call the policy surface area: an invisible layer of risk that few organisations actively measure or manage.

So, how should security leaders go about managing this risk? I believe policy complexity at scale is hard, but managing it doesn’t have to be.

Mapping isn’t enough

Most organisations understand the need for visibility. They invest in asset discovery tools, maintain inventories, and generate reports. These are useful exercises, but only up to a point. Visibility is not the same as risk reduction. Mapping what’s out there doesn’t shrink the risk; it just confirms how much surface area there is to manage.

The typical enterprise attack surface includes a mix of known and unknown components: legacy applications still running in the background; unused user accounts with high-level privileges; third-party software linked through forgotten APIs; IoT devices with no clear owner. Each element expands the available attack surface, often without triggering any immediate concern.

In many cases, the risk is entirely visible. But in environments shaped by fragmentation and inconsistent policy enforcement, visibility doesn’t necessarily translate into action. Not when ownership is unclear, accountability is distributed, and policies themselves have become as sprawling as the systems they govern. And so the sprawl remains—mapped, monitored, but largely untouched.

Risk at the edges

What makes attack surface sprawl particularly dangerous is its subtlety. It doesn’t always announce itself through glaring vulnerabilities. Instead, it creates the conditions under which minor oversights can escalate into major incidents.

In a complex environment, even small gaps can become viable entry points—especially when attackers are looking for exactly this kind of drift.

According to a 2024 report, the average cost of recovering from a ransomware attack—excluding the ransom payment itself—now exceeds $1.8 million. Many of these breaches begin not with advanced techniques, but with the exploitation of common, unmanaged assets or overly permissive policies.

Even when monitoring tools flag potential issues, security teams are often overwhelmed by volume. In sprawling environments, every alert looks urgent. Every anomaly demands investigation. Prioritisation becomes reactive, and response times suffer.

Reduction as a security strategy

Attack surface reduction is not a feature or a toolset. It’s a strategic approach to controlling complexity—and, by extension, minimising risk. CISOs and security leaders need this mindset to restore structure and accountability to environments where complexity often obscures real exposure and risk.

The first step is continuous asset discovery. This must go beyond a quarterly audit and become a live process embedded into security operations. Enterprises change constantly, and without real-time visibility into what’s being introduced, the surface will continue to expand unnoticed.

But discovery alone is insufficient. What matters most is what happens next.

Assets and access must be evaluated not just for risk, but for relevance. If a system, policy, or integration isn’t actively serving the business, it becomes a liability. Legacy software, orphaned applications, and outdated endpoints contribute to sprawl, but so too do outdated policy rules, redundant controls, and role definitions that no longer reflect actual behaviour.

Here, benchmarking and continuous visibility become key, not simply to document what exists, but to prioritise and act on exposure. Mature security programs recognise that knowing where the risk lies is only the beginning; measurable improvement depends on the ability to reduce both technical and policy-driven surface area in a consistent, accountable way.

Access controls need to reflect reality, not just policy. Role-based permissions, regularly reviewed and updated, prevent lateral movement in the event of a breach. When employees leave or change roles, credentials must be removed or reassigned.
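
As an added illustration of the measurement the preceding paragraphs call for (example code written for this edit, not FireMon’s tooling or anything from the original article), the Python below takes a constructed first-match firewall rule base and a constructed account inventory and flags shadowed rules, rules with no hits, and privileged accounts that are unowned or idle. The field names, the review date and the 90-day idle threshold are assumptions.

```python
"""Measure a 'policy surface': shadowed/unused rules and stale privileged accounts.
All data below is constructed for illustration; field names and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network

REVIEW_DATE = date(2025, 6, 1)   # assumed date of the access review

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: str     # "any" or a single destination port
    action: str   # "allow" or "deny"
    hits: int     # matches recorded over the review window

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet b could match is already matched by a. Action is ignored on
    purpose: a rule that can never be reached is dead weight whatever it would have done."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.port in ("any", b.port))

def shadowed_rules(rules):
    """Names of rules that an earlier rule in first-match order fully covers."""
    return [r.name for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]

def unused_rules(rules):
    """Rules that matched nothing during the review window: candidates for removal."""
    return [r.name for r in rules if r.hits == 0]

def stale_privileged(accounts, today=REVIEW_DATE, max_idle_days=90):
    """Privileged accounts with no named owner or idle longer than the threshold."""
    return [a["user"] for a in accounts if a["privileged"]
            and (a["owner"] is None or (today - a["last_login"]).days > max_idle_days)]

RULES = [  # constructed first-match rule base
    Rule("allow-web", "10.0.0.0/8", "192.168.1.0/24", "443", "allow", 12000),
    Rule("allow-app-web", "10.1.0.0/16", "192.168.1.0/24", "443", "allow", 0),   # shadowed
    Rule("allow-legacy-ftp", "10.0.0.0/8", "192.168.2.10/32", "21", "allow", 0),  # never hit
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", "deny", 500),
]
ACCOUNTS = [  # constructed identity inventory
    {"user": "svc_backup", "privileged": True, "owner": None, "last_login": date(2025, 1, 3)},
    {"user": "jsmith", "privileged": True, "owner": "IT", "last_login": date(2025, 5, 30)},
    {"user": "contractor1", "privileged": True, "owner": "Ops", "last_login": date(2024, 11, 2)},
    {"user": "alice", "privileged": False, "owner": "Sales", "last_login": date(2024, 1, 1)},
]

if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULES), "unused:", unused_rules(RULES))
    print("stale privileged:", stale_privileged(ACCOUNTS))
```

Run against a real export, the three lists are the measurable part of the “policy surface area” the article describes: each entry is a rule or credential that can be removed without changing what the environment actually permits.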

 

Authentication protocols should follow suit. Multi-factor authentication, VPN access, and secure password management are security baselines. However, they’re still inconsistently applied, especially across legacy systems and third-party integrations.

System hardening must go hand in hand with asset and policy reduction. This includes patching known vulnerabilities, closing unused ports, and eliminating default configurations that remain long after deployment. It also means investing in endpoint security that can scale with the environment.

And at the centre of all of this is the human factor. Social engineering continues to succeed because it exploits behaviour, not code. Training, awareness, and cultural alignment around reporting are essential components of any reduction strategy that aims to include the full spectrum of enterprise risk.

Less to watch, more to trust

The benefits of attack surface reduction extend far beyond lowering the probability of a breach. Reducing the attack surface, both in terms of systems and policies, can also speed up incident response, simplify reporting, and reduce the compliance burden. When there are fewer systems to monitor, fewer credentials in circulation, and fewer uncontrolled rules or exceptions, the entire security posture becomes more manageable and more resilient.

Reducing the attack surface sets off a chain of multiplying benefits. As organisations gain tighter control, they reduce their exposure to uncertainty. With reduced uncertainty comes clearer accountability. With clearer accountability comes faster, more decisive action. Each improvement reinforces the next, creating a more responsive and disciplined security model.

This is particularly relevant for hybrid and remote enterprises, where users, devices, and services are distributed across locations and networks. In such environments, traditional boundaries no longer apply, but discipline still can.

For CISOs, attack surface reduction isn’t about doing less; it’s about doing what matters and doing it well. The more sprawling and complex the environment becomes, the more critical it is to focus limited resources on shrinking exposure, not just documenting it.

That is why the question isn’t how to monitor everything. It’s about reducing the things that demand attention in the first place, including the invisible policy surface that quietly expands risk without ever triggering an alert.

David Brown is SVP International Business at FireMon

Main image courtesy of iStockPhoto.com and Mykola Kaplun

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543