{"id":16789,"date":"2023-01-31T17:32:15","date_gmt":"2023-01-31T16:32:15","guid":{"rendered":"https:\/\/www.show.it\/cyber-insights-2023-attack-surface-management\/"},"modified":"2023-01-31T17:32:15","modified_gmt":"2023-01-31T16:32:15","slug":"cyber-insights-2023-attack-surface-management","status":"publish","type":"post","link":"https:\/\/www.show.it\/en\/cyber-insights-2023-attack-surface-management\/","title":{"rendered":"Cyber Insights 2023: Attack Surface Management"},"content":{"rendered":"<div class=\"is-content-justification-center is-nowrap is-layout-flex wp-container-2 wp-block-group sw-cyber-insight has-background\">\n<div class=\"is-layout-constrained wp-block-group\">\n<div class=\"wp-block-group__inner-container\">\n<p><strong>About SecurityWeek Cyber Insights |<\/strong> <em>At the end of 2022,\u00a0SecurityWeek\u00a0liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today \u2013 and how these issues might evolve during 2023 and beyond. 
The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.<\/em><\/p>\n<\/div>\n<\/div>\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"529\" src=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical-1024x529.png\" alt=\"Cyber Insights | 2023\" class=\"wp-image-32209\" srcset=\"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical-1024x529.png 1024w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical-360x186.png 360w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical-768x397.png 768w, https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/01\/Cyber_Insights-Logo-vertical.png 1456w\" sizes=\"(max-width: 1024px) 100vw, 1024px\"><\/figure>\n<\/div>\n<p><strong>SecurityWeek Cyber Insights 2023 | Attack Surface Management <\/strong>\u2013 Attack surface management (ASM) is an approach for delivering cybersecurity. IBM describes the attack surface as \u201cthe sum of vulnerabilities, pathways or methods \u2013 sometimes called attack vectors \u2013 that hackers can use to gain unauthorized access to the network or sensitive data, or to carry out a cyberattack.\u201d<\/p>\n<p>ASM requires \u201cthe continuous discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization\u2019s attack surface. Unlike other cybersecurity disciplines, ASM is conducted entirely from a hacker\u2019s perspective, rather than the perspective of the defender. 
It identifies targets and assesses risks based on the opportunities they present to a malicious attacker.\u201d<\/p>\n<p>ASM is consequently predicated on total visibility of assets, vulnerabilities, and exploits.<\/p>\n<h2 class=\"has-medium-font-size\"><strong>Demise of the perimeter and growth of complexity<\/strong><\/h2>\n<p>Attack surface management is not a new concept, notes Mark Stamford, founder and CEO at OccamSec. \u201cAs long as there has been a thing to attack, there has been an attack surface to manage (for example, the walls of a castle and the people in it).\u201d The castle is a good analogy. If you can see the wall, you can attack it. You can batter it down, you can employ the original Trojan Horse to gain access through the front door, you can find a forgotten and unprotected entrance, or you can persuade an insider to leave a side gate unlocked.<\/p>\n<p>For the defender, relying on the wall and being aware of any weak areas is not enough. People are also part of the attack surface, and the defender needs to have total visibility of the entirety of the attack surface and how it could be exploited. But the wall is a perimeter, and we no longer have perimeters to defend \u2013 or at least every single asset held anywhere in the world has its own perimeter.<\/p>\n<p>\u201cThe attack surface,\u201d continued Stamford, \u201cis anything tied to an organization that could be a vector to get to a target. What this means in practice is all your applications that face the Internet, all the services (beyond applications) that are reachable, cloud-based systems, SaaS solutions you use (depending on what the bad guys\u2019 target is), third parties\/supply chain, mobile devices, IOT, and your employees. 
All of that and more is your attack surface and all of it needs to somehow be monitored for exposures and dealt with.\u201d<\/p>\n<p>The need for ASM, like other current approaches to cybersecurity (such as zero trust, which itself can be viewed as part of ASM), comes from the demise of a major defensible perimeter. Migration to the cloud, expanding business transformation, and remote working all add complexity to the modern infrastructure. If anything touches the internet, it can be attacked. Even adding new security controls that send data to and from the cloud adds to the attack surface: the control\u2019s own agents, collectors and consoles are reachable assets that must be inventoried like any other.<\/p>\n<p>\u201cThe adoption of multi-cloud and hybrid cloud will continue to rise in 2023,\u201d comments Aditi Mukherjee, director of product marketing management at Lacework. \u201cAs enterprises continue their cloud migration and digital transformation, they will realize that traditional approaches with siloed tools, rules-based policies, and disparate security data actually introduce more security risks, creating an expanded attack surface for bad actors.\u201d<\/p>\n<p>But ASM goes beyond the cloud alone. \u201cThe traditional attack surfaces are physical, digital and social,\u201d explains Sam Curry, CSO at Cybereason; \u201cbut digital really needs to be broken down into subdomains for classical environments and networks, legacy data centers, cloud infrastructure and the aggregate software-as-a-service topography.\u201d\u00a0<\/p>\n<p>He doesn\u2019t believe ASM will provide a complete answer, but sees it as a solid doctrine for minimizing the exposure in each domain, giving attackers the fewest options and the least succor. 
\u201cThere are also key existing and emerging control planes around identity, application governance and data-centrism that need to be strongly protected and managed in a similar manner, even before thinking of the advanced techniques around obfuscation and deception.\u201d<\/p>\n<p>All security strategies, he says, should consider reducing complexity in each attack surface and control plane, gaining leverage in each, reducing vulnerabilities and exposure in each, and bringing the full security game to bear in each.<\/p>\n<p>Attack surfaces will get more complex and more distributed throughout 2023, and effective ASM will be correspondingly harder.<\/p>\n<h2 class=\"has-medium-font-size\"><strong>Management is the key word in ASM<\/strong><\/h2>\n<p>The complexity of the modern infrastructure makes the complete elimination of threats an impossible task. ASM is not about eliminating every threat but about reducing exposure to an acceptable level. It\u2019s a question of risk management.<\/p>\n<p>\u201cThe idea behind attack surface management is to \u2018reduce\u2019 the \u2018area\u2019 available to attackers to exploit. The more you \u2018reduce the attack surface\u2019 the more you limit and minimize attackers\u2019 opportunities to cause harm,\u201d says Christopher Budd, senior manager of threat research at Sophos.<\/p>\n<p>He believes that ASM will be more challenging in 2023 because of attackers\u2019 increasingly aggressive and successful misuse of legitimate files and utilities in their attacks \u2013 living off the land \u2013 which makes a malicious presence harder to detect, since the tools involved are ones the environment already trusts. 
\u201cWe can expect this trend to continue to evolve in 2023, making it more important that defenders update their detection and prevention tactics to counter this particularly challenging tactic,\u201d he says.<\/p>\n<p>Part of reducing risk comes from understanding what vulnerabilities exist within the infrastructure, and which of them are exploitable. Omer Gafni, VP surface at Pentera, reminds us that ASM looks at threats from the attacker\u2019s perspective. To effectively reduce risk, you need to understand not only what vulnerabilities exist, but also which are exploitable and serve the hackers\u2019 end goals.<\/p>\n<p>\u201cWith the number of annual reported vulnerabilities now exceeding 20,000 per year, companies cannot remediate every alert, and need to become more surgical with their remediation strategies,\u201d he says. \u201cTo achieve this, we will start to see a shift from a focus on vulnerability to exploitability. Companies will start to put a major emphasis on understanding which targets are most impactful from the hacker\u2019s perspective, and therefore the most exploitable targets.\u201d<\/p>\n<p>CISA\u2019s Known Exploited Vulnerabilities Catalog (the <a href=\"https:\/\/www.securityweek.com\/cisa-clarifies-criteria-adding-vulnerabilities-must-patch-list\">KEV list<\/a>) can help here. Focusing remediation on exploited vulnerabilities is a key part of ASM, and the catalog is described by many as \u2018CISA\u2019s must patch list\u2019. It is a floor rather than a ceiling: it lists only vulnerabilities with evidence of active exploitation, so absence from the catalog does not mean a CVE can be ignored, and presence says nothing about whether the affected asset is reachable or matters to the business. This list will continue to grow through 2023.<\/p>\n<p>Pentesting and red teaming are also effective ways of locating exploitable vulnerabilities, but in the past their findings have too often not been acted on. \u201cOne of the most frustrating things as a pentester is when you return to organizations a year later and see the same issues as before,\u201d says Ed Williams, director of Trustwave SpiderLabs EMEA. \u201cThere is no value to this for the clients. They are not maturing. 
In fact, they are regressing.\u201d<\/p>\n<p>But he expects an improvement \u2013 perhaps encouraged by the growing acceptance of ASM \u2013 in 2023. \u201cI expect an unprecedented appreciation for how pentesting effectively exposes gaps in security, and this in turn will help to reinforce the importance of those all-important security basics. In 2023 I implore organizations to work with pentesters for the best year-on-year result.\u201d<\/p>\n<p>Chad Peterson, managing director at NetSPI, believes the nature and effectiveness of pentesting will evolve over 2023. \u201cThe attack surface has become more fluid, so you have to be able to scan for new assets and entry points continuously,\u201d he says. \u201cIn 2023, organizations will combine traditional pentesting, which in many cases will still be required for regulatory needs, with the proactive approach of more continuous assessment of their attack surface. The result will be better awareness of the attack surface and more comprehensive traditional pentesting as there is more information about the true attack surface.\u201d<\/p>\n<h2 class=\"has-medium-font-size\"><strong>Sample problem areas<\/strong><\/h2>\n<h3 class=\"has-medium-font-size\"><strong>SaaS<\/strong><\/h3>\n<p>Ben Johnson, CTO and co-founder of Obsidian, chooses SaaS. \u201c2023 will be the year of SSPM [SaaS security posture management] and securing SaaS,\u201d he says. \u201cBut for that to happen, we must continue educating organizations on the risks of SaaS. In doing so, organizations must ensure their left-of-boom teams (vulnerability management and GRC) are able to reduce SaaS risk while ensuring their right-of-boom teams (security operations, incident response, threat hunting) have continuous threat management capabilities.\u201d\u00a0<\/p>\n<p>SaaS security has given organizations the ability to scale applied security, not just awareness. 
\u201cNow is the time to distribute security hardening and operations to go with the distributed technology and distributed responsibility. As we know, the pandemic sped up the hybrid work model, and organizations that prioritized endpoint or public cloud security over the past couple years are now ready to secure SaaS and the modern workflow.\u201d<\/p>\n<h3 class=\"has-medium-font-size\"><strong>The browser<\/strong><\/h3>\n<p>Jonathan Lee, senior product manager at Menlo Security, focuses on the browser, which is possibly the biggest single attack surface, since it is where users spend most of their time. \u201cVendors are now looking at ways to add security controls directly inside the browser,\u201d he says. \u201cTraditionally, this was done either as a separate endpoint agent or at the network edge, using a firewall or secure web gateway.\u201d<\/p>\n<p>The big players, Google and Microsoft, are also in on the act, providing built-in controls inside Chrome and Edge to secure at a browser level rather than the network edge, he added. \u201cBut browser attacks are increasing, with attackers exploiting new and old vulnerabilities, and developing new attack methods like <a href=\"https:\/\/www.securityweek.com\/researcher-discovers-new-http-request-smuggling-attack-variants\">HTTP smuggling<\/a>. 
Remote browser isolation is becoming one of the key principles of zero trust security where no device or user \u2013 not even the browser \u2013 can be trusted.\u201d<\/p>\n<p>Notably, 2022 already saw investor interest in startups developing secure browsers \u2013 such as <a href=\"https:\/\/www.securityweek.com\/red-access-raises-6-million-secure-browsing-tech\">Red Access<\/a> and <a href=\"https:\/\/www.securityweek.com\/layerx-raises-75m-seed-funding-tackle-secure-web-browsing\">LayerX<\/a>.<\/p>\n<h3 class=\"has-medium-font-size\"><strong>The user<\/strong><\/h3>\n<p>Ed Williams highlights the common failure to account for the user \u2013 and uses ransomware as an example. \u201cCyber threats, including ransomware, will never be prevented by implementing shiny new products and solutions unless the underlying security issues are addressed. Therefore, in 2023,\u201d he added, \u201cI hope organizations shift their mindset away from feeling as though they need the latest tempting tech, and instead focus on consistently achieving the human-centric security basics. These basics include patching, strong passwords, and a detailed security policy.\u201d<\/p>\n<h2 class=\"has-medium-font-size\"><strong>Visibility<\/strong><\/h2>\n<p>If \u2018management\u2019 is the key word in ASM, \u2018visibility\u2019 is the key enabler. You can only manage what you can see. \u201cIn 2023, organizations should embrace the mindset of empowering their teams with visibility into assets and relationships and overcoming data silos between AppSec, infrastructure, and data security teams,\u201d suggests Erkang Zheng, founder and CEO at JupiterOne.<\/p>\n<p>He recalls the words of John Lambert of Microsoft: \u201cDefenders think in lists. Attackers think in graphs. 
As long as this is true, attackers will win.\u201d They will, in particular, if defenders cannot quickly trace the relationships between data, networks and user accounts in their own estate \u2013 which host trusts which, which account can reach what \u2013 and so cannot limit the blast radius when they are under attack.<\/p>\n<p>\u201cContextual intelligence is likely necessary to win in a threat vector where organizations face more complex, destructive, and irreversible threats than ever before,\u201d he says. \u201cThis visibility and understanding are the primary benefits of attack surface management technologies and practices, along with secondary benefits such as compliance and evidence automation.\u201d<\/p>\n<p>Marcus Fowler, CEO of Darktrace Federal, has no doubt that ASM will be a top priority for organizations in 2023. The problem is that the attack surface is never static; it evolves constantly, with the level of risk changing daily. \u201cTracking down the full extent of the attack surface is not something that can be left to human resources. It requires real-time data from an AI engine taking a hacker\u2019s approach,\u201d he says. He believes that most organizations currently miss as much as 50% of their true attack surface.<\/p>\n<p>\u201cThat\u2019s where seeing AI take on the key ASM functions of discovery, assessment and prioritization, risk prevention and integration can expose the true level of exposed risk,\u201d he added. \u201cOnly the automation and scalability of AI can provide the up-to-date, continuous copy of the internet that CISOs need to get a grip on the attack surface. Paired with AI\u2019s unique understanding of an organization\u2019s digital estate, you get an outside-in, inside-out risk management program that will be vital for the CISOs of tomorrow.\u201d<\/p>\n<p>Part of ASM is external attack surface management (EASM). 
Microsoft defines the external attack surface as \u201cthe entire area of an organization or system that is susceptible to an attack from an external source.\u201d We should note that this excludes malicious or naive insiders, who should also be considered as part of a full ASM approach to cybersecurity. Nevertheless, there will be a growing number of EASM support systems released by security vendors during 2023. CrowdStrike, for example, announced in September 2022 that it would be buying EASM company <a href=\"https:\/\/www.securityweek.com\/crowdstrike-buy-reposify-invests-salt-security\">Reposify<\/a>, with an expectation to close during CrowdStrike\u2019s fiscal third quarter.<\/p>\n<p>\u201cIn response to evolving attack tactics and an expanded attack surface,\u201d comments Karin Shopen, VP of cybersecurity solutions and services at Fortinet, \u201cwe expect a shift in the tools CISOs consider in 2023. When it comes to attack surface management, CISOs will shift from one-time assessments to constant and continuous early evaluation of their organization\u2019s external attack surface. EASM solutions, which help provide organizations with an adversary\u2019s view of their attack surface, will be at the top of their lists, as will machine learning and the use of seasoned threat hunters that offer takedown services.\u201d<\/p>\n<p>Furthermore, she added, \u201cCISOs and security teams will more closely evaluate EASM solutions based on their ability to not only detect but prioritize and remediate threats using machine learning to help resource-depleted SOC teams.\u201d<\/p>\n<p>Chris Morales, CISO at Netenrich, describes his own approach. \u201cI have one priority for 2023 \u2013 to be data driven for risk making decisions,\u201d he says. \u201cMy commitment starting fiscal year 2023 is to be data driven with quantitative risk management practices. 
That means providing the business units with a dashboard and trending metrics to the state of assets, vulnerabilities and threats that comprise their attack surface. From this we can continually score threat likelihood and business impact to make informed decisions on where to best focus resources.\u201d<\/p>\n<p>It isn\u2019t simple, but it is worth the effort. \u201cMaking this happen requires a tightly integrated security stack that shares data into a single aggregated data lake to threat model and answer questions.\u201d<\/p>\n<p>The concept is supported by Shira Shamban, CEO at Solvo. \u201cIn 2023, we are going to see a data-centric approach to cybersecurity emerge and grow,\u201d she says. \u201cAt its core, cybersecurity is a problem of managing all the data, assets, and sensitive resources an organization has, and determining how to protect it. This sensitive data can often include PII, PHI or IP. This is the top concern for CISOs and security practitioners, so security approaches and products will begin to put data at the center, rather than focusing solely on the environments the data is in.\u201d<\/p>\n<h2 class=\"has-medium-font-size\"><strong>The way forward in 2023<\/strong><\/h2>\n<p>Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn\u2019t seek to protect everything, but concentrates on those areas of the IT infrastructure that can be attacked. No single product provides ASM, but a growing number of products can help. It requires complete visibility of all assets and of how they connect, and current knowledge of which weaknesses are actually being exploited, so that effort goes to the assets that matter. It is, like zero trust, a journey \u2013 one that is gaining traction and will gain more traction in 2023.<\/p>\n<p>Mark Stamford describes the problem and offers his own route for the journey. \u201cASM tools produce a lot of noise that can send a security group down an endless number of rabbit holes. 
In the rush to simplify the problem, everything gets reported on and all kinds of vulnerability data gets included. There\u2019s usually some shoddy logic applied which seems to state if you have a lot of stuff facing the Internet you are more at risk, which piles further pressure on the security group. I\u2019ve seen ASM tools which report on old SSL certs, low level vulnerabilities, all kinds of stuff that really poses little to no risk.\u201d<\/p>\n<p>The route he proposes is to start by discovering all the assets, organizations, devices, and people that could create a problem. Then assess which of them could have a harmful impact if compromised. \u201cA web server hosting some static pages in AWS, that connect to nothing, may cause a headache, but is probably not going to lead to a breach,\u201d he says. \u201cOn the flip side, your Internet accessible financial system is a key component.\u201d<\/p>\n<p>Next, assess how everything is connected: could an attacker get from A to B and cause an impact? \u201cDraw a circle around that and start looking at how you protect it.\u201d But importantly, \u201cAccept that you don\u2019t need to protect everything and move from there.\u201d<\/p>\n<p>The real problem, he concludes, is that data is everywhere. 
\u201cThis really does expand the attack surface, so you have to use a logical, risk-based approach which considers the context of your business \u2013 how you achieve what you are trying to achieve \u2013 and then protect it.\u201d<\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/rise-continuous-attack-surface-management\">The Rise of Continuous Attack Surface Management<\/a><\/p>\n<p><strong>Related<\/strong>: <a 
href=\"https:\/\/www.securityweek.com\/investors-bet-cyberpion-attack-surface-management-space\">Investors Bet on Cyberpion in Attack Surface Management Space<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/ibm-acquire-randori-attack-surface-management-tech\">IBM to Acquire Randori for Attack Surface Management Tech<\/a><\/p>\n<p><strong>Related<\/strong>: <a href=\"https:\/\/www.securityweek.com\/attack-surface-management-play-censys-scores-35m-investment\">Attack Surface Management Play Censys Scores $35M Investment<\/a><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/cyber-insights-2023-attack-surface-management\/\">Cyber Insights 2023: Attack Surface Management<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/\">SecurityWeek<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>About SecurityWeek Cyber Insights | At the end of 2022,\u00a0SecurityWeek\u00a0liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today \u2013 and how these issues might evolve during 2023 and beyond. 
The result is more than a dozen features on subjects ranging from AI, quantum [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16790,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[144,143,34,22],"tags":[],"class_list":["post-16789","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-attack-surface-management","category-cyberinsights2023","category-network-security","category-security-architecture"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16789","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/comments?post=16789"}],"version-history":[{"count":0,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16789\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media\/16790"}],"wp:attachment":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media?parent=16789"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/categories?post=16789"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/tags?post=16789"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
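The prioritisation the article keeps returning to (Gafni's shift from vulnerability to exploitability, the KEV list as a must-patch floor, Lambert's "attackers think in graphs", and Stamford's route of discover, assess impact, assess connectivity, draw a circle) can be made concrete in a few dozen lines. What follows is an added example, not code from SecurityWeek or from any vendor quoted above. The assets, edges, findings, the EXAMPLE-n vulnerability labels and the KNOWN_EXPLOITED set are all constructed; KNOWN_EXPLOITED stands in for a lookup against a catalogue such as KEV, and the weights (3x for known-exploited, 1.0/0.5/0.1 for direct, indirect or no external exposure) are assumptions to be tuned per organisation, not an established scoring standard.

```python
"""Attack-path prioritisation over a small asset graph (added example).

All data here is constructed for illustration: the assets, edges, findings
and the known-exploited set are made up, and the vulnerability labels
(EXAMPLE-n) are placeholders, not real catalogue entries.
"""
from collections import deque

# Constructed inventory. criticality: 1 (nuisance) .. 5 (crown jewel).
ASSETS = {
    "static-web": {"internet_facing": True,  "criticality": 1},  # static pages, connects to nothing
    "fin-portal": {"internet_facing": True,  "criticality": 5},  # internet-accessible financial system
    "bastion":    {"internet_facing": True,  "criticality": 2},
    "app-server": {"internet_facing": False, "criticality": 3},
    "fin-db":     {"internet_facing": False, "criticality": 5},
    "lab-box":    {"internet_facing": False, "criticality": 2},  # isolated: reaches nothing, reached by nothing
}

# Directed edges "src can reach dst": network paths, trust relationships, shared credentials.
EDGES = [("bastion", "app-server"), ("app-server", "fin-db"), ("fin-portal", "fin-db")]

# Constructed findings; a real feed would carry scanner output with CVE ids.
FINDINGS = [
    {"asset": "static-web", "vuln": "EXAMPLE-1", "cvss": 9.8},
    {"asset": "bastion",    "vuln": "EXAMPLE-2", "cvss": 6.5},
    {"asset": "fin-portal", "vuln": "EXAMPLE-3", "cvss": 7.5},
    {"asset": "app-server", "vuln": "EXAMPLE-4", "cvss": 9.1},
    {"asset": "lab-box",    "vuln": "EXAMPLE-5", "cvss": 9.8},
]

# Stand-in for membership in an exploited-in-the-wild catalogue such as CISA's KEV.
KNOWN_EXPLOITED = {"EXAMPLE-1", "EXAMPLE-3", "EXAMPLE-5"}


def build_graph(assets, edges):
    """Adjacency sets; every asset is a node even if it has no edges."""
    graph = {name: set() for name in assets}
    for src, dst in edges:
        graph[src].add(dst)
    return graph


def reachable(graph, start):
    """Breadth-first search: every node reachable from start, including start itself."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposed_assets(assets, graph):
    """Everything an external attacker can get to: internet-facing assets plus all they reach."""
    exposed = set()
    for name, attrs in assets.items():
        if attrs["internet_facing"]:
            exposed |= reachable(graph, name)
    return exposed


def blast_radius(assets, graph, start):
    """Highest criticality an attacker who owns `start` can reach (get from A to B and cause impact)."""
    return max(assets[node]["criticality"] for node in reachable(graph, start))


def prioritise(assets, edges, findings, known_exploited):
    """Rank findings by exploitability x exposure x impact; CVSS only breaks ties."""
    graph = build_graph(assets, edges)
    exposed = exposed_assets(assets, graph)
    ranked = []
    for f in findings:
        asset = f["asset"]
        exploit_w = 3.0 if f["vuln"] in known_exploited else 1.0   # assumed weight
        if assets[asset]["internet_facing"]:
            exposure_w = 1.0   # attacker reaches it directly
        elif asset in exposed:
            exposure_w = 0.5   # reachable only through another exposed asset
        else:
            exposure_w = 0.1   # nothing external reaches it: accept it and move on
        impact = blast_radius(assets, graph, asset)
        ranked.append({**f, "score": round(exploit_w * exposure_w * impact, 2), "impact": impact})
    ranked.sort(key=lambda r: (r["score"], r["cvss"]), reverse=True)
    return ranked


def circle_to_protect(assets, edges, min_criticality=4):
    """Stamford's circle: exposed assets from which an attacker can reach something that matters."""
    graph = build_graph(assets, edges)
    return {n for n in exposed_assets(assets, graph)
            if blast_radius(assets, graph, n) >= min_criticality}


if __name__ == "__main__":
    for row in prioritise(ASSETS, EDGES, FINDINGS, KNOWN_EXPLOITED):
        print(f'{row["score"]:5.1f}  {row["asset"]:<11} {row["vuln"]}  cvss={row["cvss"]}  reaches={row["impact"]}')
    print("protect:", sorted(circle_to_protect(ASSETS, EDGES)))
```

Run it and the known-exploited hole on the isolated static web server ranks below a medium-severity finding on a bastion that can reach the finance database, and the known-exploited, high-CVSS finding on the unreachable lab box ranks last: that is the difference between a list of CVEs and a graph of what an attacker can actually do with them. The circle_to_protect set is the four assets on any path from the internet to a criticality-5 system; everything outside it falls into Stamford's "accept that you don't need to protect everything" category.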