
Attack surface management: The key to securing expanding digital frontiers


The rapid evolution of cloud computing, the shift to remote work during the COVID-19 pandemic and the proliferation of privately owned devices on company networks have created a digital workspace landscape far different from that of even 10 years ago.

Many of the cybersecurity defenses that relied on well-defined network perimeters and company-managed devices no longer apply. Today's cybersecurity tools, platforms and procedures need to be proactive as well as reactive: able to anticipate and mitigate potential threats before they become problems.

"Prevention is better than cure," says Paul Murray, Senior Director of Cybersecurity Products and Services at Sophos. "It's better to stop something happening in the first place where you can than just spending resources and time detecting a breach and repairing the damage after it's done."

Getting ahead of the situation

One of the best-known proactive practices is vulnerability management (VM): a process that scans and analyzes an organization's software and network environments, first to detect security flaws and other weaknesses, and then to suggest ways of remediating or mitigating them.

Modern VM platforms generally carry out these tasks automatically and present their findings for human review before any remediation is carried out. They may also prioritize each vulnerability according to the immediate risk it poses to the organization.

However, vulnerability management is itself a product of the older, perimeter-based cybersecurity mindset. It largely limits its scope to well-defined and well-understood company assets: authorized applications, known endpoint devices and catalogued networking gear.

A decade or so ago, an adversary would have needed to compromise one of those assets to successfully attack an organization. But with the advent of the cloud, software as a service, software-defined infrastructure, website portals that reach deep into company databases, and "shadow" IT and "shadow" clouds, the number of ways in which an attacker can penetrate defenses (the "attack surface") has ballooned.

As a result, many organizations are currently vulnerable to attack in ways that they don't even know about, let alone fully understand.

"It's staggering how many external assets, internet-facing assets, organizations don't even know they own, let alone actually understand whether they're vulnerable or not," Murray says.

Widening the scope

To respond to this multiplication of entry points, vulnerability management was expanded into a broader set of practices: attack surface management (ASM).

Attack surface management goes beyond software and on-premises networks. It extends visibility to hardware, endpoints, websites, virtual networks and infrastructure, including cloud-based assets, and it analyzes the communications and interfaces among those assets, such as how an in-house web app connects to cloud-based resources.

"Large enterprises with complex IT/OT environments ... often have a huge attack surface due to the sheer number of potential entry points for cyber threats," says Pablo Ruiz, a Managing Offensive Security Consultant at EY. "ASM helps these organizations keep control and continuously discover and monitor their assets."

ASM aims to ensure that the entire attack surface is mapped, that potential flaws and weaknesses are catalogued, and that those flaws are analyzed, categorized and prioritized in order of risk so that the organization can deal with the most urgent ones first.

This is especially valuable for companies that use extensive resources contributed by third parties, or that give vendors access to their networks.

"Organizations that rely on several third-party vendors can face additional risks due to the potential vulnerabilities introduced by these external entities," says Ruiz. "By leveraging ASM, they can assess the security posture of these third parties and how they impact the organization's overall attack surface."

Yet attack surface management should augment vulnerability management, not replace it.

Vulnerability management still works well within its narrower scope and rests on widely used, well-understood standards. The Common Vulnerabilities and Exposures (CVE) system catalogs publicly known vulnerabilities, and the Common Vulnerability Scoring System (CVSS) rates their severity. Note that a CVSS base score measures the severity of a flaw in isolation, not the risk it poses to a particular organization; that still depends on where the affected asset sits and how exposed it is.

Furthermore, running a recognized VM platform, and being able to show that it is used regularly, greatly assists a company that must comply with financial or privacy regulations.

"If it's an organization that's small, that doesn't necessarily have a lot of risk out there, then it may not make financial sense" for an organization to use a VM system, says Matt Walker, Managing Director of IT Security & Compliance at Goosehead Insurance.

"But if it's a large, publicly traded organization, you need it," Walker adds. "Being able to show how you're actually managing your attack surface, how you're actually running your vulnerability program, helps to clarify a lot of those concerns that come up during that audit cycle."

Deploying and running a VM/ASM program

Each organization needs to decide how it will implement and manage its VM/ASM program. Large enterprises may be able to keep such procedures in-house, since their SOC teams often have the budget, resources, staff and experience to deploy and supervise such a program.

Other organizations may find it preferable to outsource their VM/ASM programs to external firms whose core business is supplying cybersecurity: managed security service providers (MSSPs) or managed detection and response (MDR) providers.

Staff at MSSPs and MDR providers typically know more about current threats and exposures, and have more experience remediating them, than most in-house security operations center teams. Using a third-party provider can also free the in-house team to spend more time on core needs.

"Many organizations don't have the people, or if they have the people, they don't necessarily have the skills to monitor and respond to threats," explains Murray. "If they do have the people, they're perhaps wanting to focus them on business enablement rather than on security and managed response."

Even large enterprises may rely on MSSPs and MDR providers to augment their SOC teams during off hours, weekends or holidays. Whatever the model, an organization must also consider how many resources it can commit to managing an ASM/VM program.

"It all comes down to how much blood and sweat you want to invest into it," says Walker. "You're going to have to have enough manpower and enough staff cycles to actually ensure that the program runs smoothly and that you're achieving those metrics that you've set for yourself."
