The number of security threats continues to grow rapidly with each passing year.
Security teams try to act on every alert labeled high priority, but there are too many of them, and it is hard to tell the true positives from the false ones.
So how can we tell one from another and protect ourselves, or more specifically, protect our attack surfaces?
The average enterprise today identifies 345 new ‘critical’ threats every month.
Threats originate from many sources. They can arise when hackers adopt new attack techniques, which happens daily. Other threats stem from the ever-growing enterprise tech stack.
But the leading factor is the sheer number of systems and networks exposed to the Internet, and the dynamic nature of the cloud and the threat landscape — which, according to CyCognito, can cause attack surfaces to fluctuate by about 9% monthly.
This has been a major challenge for security teams. The larger and more complex an attack surface becomes, the harder it is to discover hidden and unmanaged assets, which account for over 50% of breaches today.
As a result, threats often go unnoticed, and remediation becomes a moving target. One day your attack surface is compromised, customer data is exfiltrated and the cost to the business becomes real. Here is a case in point: according to IBM's 2022 Cost of a Data Breach report, the average data breach now costs $4.35 million per incident.
Finding the sharpest needles in the haystack
It is no secret that security teams cannot discover every asset, yet they are inundated with thousands of alerts. How many of those are actually critical? The better question is how they know which alerts to prioritize.
Isolating the truly critical issues first requires visibility across the attack surface, but even more importantly, it requires a thorough understanding of the context and purpose of the assets affected. Once that is established, security teams can calculate attack paths and predict which specific threats matter — perhaps those that are likely to cause serious monetary or reputational damage to the business. Following this, the organization can prioritize correctly and remediate for maximum impact.
However, all of this is easier said than done. In the past, security teams tried to seal off weaknesses by acquiring point solutions for specific issues. They piled tools onto their security stack, which led to stack bloat. Some of these legacy threat detection solutions have worked, but only on a small scale.
CyCognito conducted a study with ESG and found that many security professionals do not include workloads running in the public cloud or third-party assets when defining their attack surface. This means many issues go unaccounted for. Yet external attack surfaces are vast and complex. A single organization can have hundreds or thousands of systems, applications, cloud instances, supply chains, IoT devices and data stores exposed to the Internet, often sprawling across subsidiaries, multiple clouds, and assets managed by third parties.
Attackers are aware of this. They relentlessly explore the attack surface, hunting for the path of least resistance and that one gap which security teams do not monitor. Unfortunately, this is all they need to break in. Meanwhile, security teams have the difficult task of identifying exposures that make their organizations most vulnerable, and then taking action to protect those entry points.
Technology is only one piece of the puzzle. Organizations need to take a step back and rethink their approach to protecting their attack surface.
The rise of exposure management
Exposure management as a discipline has been growing in popularity among security leaders and analyst groups such as Gartner and Forrester. It takes cyber threat intelligence (CTI) into account but offers a more comprehensive approach to protecting the attack surface. It adapts to the constantly evolving threat landscape, operating on the principle that today’s low-risk exposure can become high-risk tomorrow, and all it takes is a new type of attack or a misconfiguration to create an opening.
Exposure management starts with visibility. In 2022, Gartner recommended a constantly updated “inventory of the expanding enterprise attack surface” and pointed out that “even small, seemingly inconsequential additions to the digital footprint can weaken an organization’s security controls and data protection efforts.”
The other critical pillar of exposure management is prioritization of threats based on their potential for real-world risk and damage. Measuring the business risk of any given threat requires a full understanding of the context of each exposed asset.
For example, what is its purpose? Does it handle valuable data? Contextualization is tedious and painstaking, but organizations can achieve the necessary scale by leaning on automation, which enables security teams to identify, prioritize, and manage threats without adding headcount.
Adopting an exposure management approach can transform how security teams:
- Discover virtually all exposed assets, internal and external, automatically, and gather actionable data about them.
- Automatically determine the business importance of exposed assets and attribute them to the correct owner in the organization.
- Determine potential attack paths (exploitability) for each asset.
- Prioritize risks based on the asset’s importance, its exploitability and the probability of attack based on intel about known threat actors.
- Remediate threats efficiently.
To recap, effective risk mitigation rests on automated discovery of assets and their owners, threat detection, contextualized threat intel, ticket creation and mitigation. Where feasible, automated validation of each remediation action is the ideal finisher.
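As an added illustration (this is not CyCognito's code or product logic), the following Python sketches the pipeline the list and recap describe, and also shows the point made earlier that a low-risk exposure can become high-risk overnight: it diffs two inventory snapshots to surface new and vanished assets, attributes owners by rule, flags unmanaged hosts, and scores each exposure from business value, Internet exposure, ownership and exploitability, re-ranking when the threat-intel feed changes. The hosts, owner rules, finding IDs (F-001 and so on, not real CVEs), weights and the "actively exploited" set are all constructed for the example; a real program would pull them from the CMDB, cloud tags, scanner output and a known-exploited-vulnerabilities feed.

```python
"""Added example, not CyCognito's code: a toy exposure-management pass.

discover (inventory diff) -> attribute owner -> score -> prioritize.
All hosts, rules, finding IDs and weights below are constructed for
illustration; production inputs come from the CMDB, cloud tags, scanner
output and a known-exploited-vulnerabilities feed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str      # scanner finding ID (constructed placeholder, not a real CVE)
    cvss: float   # base severity, 0.0-10.0


@dataclass(frozen=True)
class Asset:
    host: str
    business_value: int            # 1 (throwaway demo) .. 5 (customer/payment data)
    internet_facing: bool
    findings: tuple[Finding, ...] = ()


# Hypothetical attribution rules: DNS suffix -> owning team.
OWNER_RULES = {
    ".payments.example.com": "payments-team",
    ".corp.example.com": "it-ops",
}

# Constructed inventory snapshots, one discovery run apart.
PREVIOUS_INVENTORY = {
    "api.payments.example.com", "vpn.corp.example.com",
    "build.corp.example.com", "www.example.com",
}
CURRENT_INVENTORY = (PREVIOUS_INVENTORY - {"www.example.com"}) | {"legacy-demo.example.com"}

# Constructed asset context for the current snapshot.
ASSETS = [
    Asset("api.payments.example.com", 5, True, (Finding("F-001", 7.5),)),
    Asset("vpn.corp.example.com", 3, True, (Finding("F-002", 9.8),)),
    Asset("legacy-demo.example.com", 3, True, (Finding("F-003", 5.0),)),  # no owner
    Asset("build.corp.example.com", 4, False, (Finding("F-002", 9.8),)),
]


def diff_inventory(previous: set[str], current: set[str]) -> dict:
    """Surface what appeared and vanished since the last discovery run."""
    added, removed = current - previous, previous - current
    churn = (len(added) + len(removed)) / max(len(previous), 1)
    return {"added": sorted(added), "removed": sorted(removed),
            "churn_pct": round(100 * churn, 1)}


def attribute_owner(host: str) -> str:
    """Map a host to a team by DNS suffix; unmatched hosts are unmanaged."""
    for suffix, owner in OWNER_RULES.items():
        if host.endswith(suffix):
            return owner
    return "UNATTRIBUTED"


def exploitability(asset: Asset, actively_exploited: set[str]) -> float:
    """0.0-1.0: worst CVSS scaled, floored at 0.9 if any finding is being exploited."""
    if not asset.findings:
        return 0.0
    base = max(f.cvss for f in asset.findings) / 10.0
    if any(f.fid in actively_exploited for f in asset.findings):
        base = max(base, 0.9)
    return base


def risk_score(asset: Asset, actively_exploited: set[str]) -> float:
    """0-100: business value x exposure x exploitability, uplifted if nobody owns it."""
    exposure = 1.0 if asset.internet_facing else 0.3
    score = 100 * (asset.business_value / 5) * exposure * exploitability(asset, actively_exploited)
    if attribute_owner(asset.host) == "UNATTRIBUTED":
        score *= 1.25   # unmanaged assets get no patches until someone is assigned
    return round(min(score, 100.0), 1)


def prioritize(assets: list[Asset], actively_exploited: set[str]) -> list[tuple[str, str, float]]:
    """Rank (host, owner, score) highest risk first: this is the remediation queue."""
    ranked = [(a.host, attribute_owner(a.host), risk_score(a, actively_exploited)) for a in assets]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    print("inventory drift:", diff_inventory(PREVIOUS_INVENTORY, CURRENT_INVENTORY))
    print("before intel:", prioritize(ASSETS, set()))
    # The unowned demo host moves past the VPN once the feed reports F-003 exploited in the wild.
    print("after intel: ", prioritize(ASSETS, {"F-003"}))
```

The inventory diff is what turns the "9% monthly fluctuation" into a worklist; the newly discovered host with no owner rule is exactly the unmanaged asset the text warns about, so it gets an uplift rather than being ignored. The final rerun with F-003 marked as exploited shows the same finding climbing the queue with no change to the asset itself, which is why scoring has to be recomputed continuously rather than once.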
The role of managed services
For security organizations charged with doing more with constrained resources, rolling out a full exposure management program on their own could seem daunting.
Managed service providers (MSPs) can help here. They have played a key role in security for decades. MSPs can cover the spectrum of exposure management, from the latest detection and response services to threat intelligence, vulnerability management, and CERT services.
Their business requires them to keep up with new technologies, which they tie together with services as packaged offerings. They can also help offload day-to-day operations of the exposure management systems and protocols.
Implementing exposure management through an MSP is also likely the fastest route to deployment.
Exposure management is the future
Attackers have proven their approach works. They seek to operate where there is a lack of visibility. To stay ahead of them, organizations need to think like them. External exposure management takes a holistic approach to managing the entire attack surface, spanning exposure visibility, prioritization and remediation.
But making the leap requires a shift in mindset and resources. MSPs can be great partners on this journey. They can help implement a program that includes everything from redefining an organization’s attack surface and risk management policies, to choosing the technologies that will safeguard valuable assets effectively against threats.
About the author
Rob Gurzeev is CEO and Co-Founder of CyCognito. He has led the development of offensive security solutions for both the private sector and intelligence agencies.
Prior to founding CyCognito, he was Director of Offensive Security and head of R&D at C4 Security (acquired by Elbit Systems) and the CTO of the Product Department of the 8200 Israeli Intelligence Corps.
Honors that he received as an Israel Defense Forces Officer included Award for Excellence, the Creative Thinking Award and the Source of Life Award.