Does the concept of Attack Surface Management vs. Attack Surface Analysis make sense to you?
My goal is to keep the attack surface as tiny as possible. This is the driving force behind a great many defensive policies.
- Every port on every IP is scanned at least once a week.
- Any changes are investigated as though it were a breach. We find the offender and 'meet' with them and their supervisor.
- Cloud services have a nice report of every single port and IP. This is reviewed automatically every day.
- For the known and accepted open ports, a full vuln scan is performed once a week. Any change in banners or detected version is escalated as a breach. Another 'meeting'.
Keep the attack surface tiny, make every effort to secure those services that must be exposed.
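The weekly port/banner sweep and "any change is treated as a breach" rule described in the post above, as an added example (not the poster's own tooling): the script parses a constructed scan listing, compares it with an accepted baseline keyed by (IP, port), and turns every new service, vanished service or banner/version change into a drift record for the incident queue. The scan line format, addresses and banners are constructed for the illustration.

```python
"""Attack-surface drift check (added example, constructed data).

Reads a simple "ip port state banner" listing, compares it against the
accepted baseline and reports every difference, since in the thread's
policy every unexplained change is investigated as a breach.
"""
from dataclasses import dataclass

# Constructed baseline of accepted exposed services, keyed by (ip, port).
BASELINE = {
    ("203.0.113.10", 443): "nginx/1.24.0",
    ("203.0.113.10", 22): "OpenSSH_9.6",
    ("203.0.113.20", 443): "Apache/2.4.58",
}

# Constructed output of this week's sweep (hypothetical format, one service per line).
SCAN_OUTPUT = """\
203.0.113.10 443 open nginx/1.24.0
203.0.113.10 22 open OpenSSH_9.3
203.0.113.20 8080 open Jetty(9.4.51)
203.0.113.20 25 closed -
"""


@dataclass(frozen=True)
class Drift:
    ip: str
    port: int
    kind: str      # "new_service", "removed_service" or "banner_changed"
    detail: str    # banner involved, or "old -> new" for a change


def parse_scan_lines(text):
    """Return {(ip, port): banner} for open services only; closed ports are ignored."""
    services = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, port, state, banner = line.split(maxsplit=3)
        if state == "open":
            services[(ip, int(port))] = banner
    return services


def detect_drift(baseline, current):
    """Diff two {(ip, port): banner} maps; every difference is a finding."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        ip, port = key
        old, new = baseline.get(key), current.get(key)
        if old is None:
            findings.append(Drift(ip, port, "new_service", new))
        elif new is None:
            findings.append(Drift(ip, port, "removed_service", old))
        elif old != new:
            findings.append(Drift(ip, port, "banner_changed", f"{old} -> {new}"))
    return findings


def weekly_check():
    """Run the comparison on the constructed data and return the findings."""
    return detect_drift(BASELINE, parse_scan_lines(SCAN_OUTPUT))


if __name__ == "__main__":
    for d in weekly_check():
        print(f"{d.kind:16} {d.ip}:{d.port}  {d.detail}")
```

Removed services are reported as well as new ones: a service that silently disappears from the accepted list is just as much an unexplained change as one that appears, and the baseline should only shrink through a reviewed update.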
This is a good perspective! Let me add my 2 cents:
I totally understand what you meant by "keeping the surface tiny", but let's face it – the surface is growing and will keep growing, as companies expand their usage of cloud technologies, build their own cloud apps and adopt and interconnect SaaS systems. Yes, we still need to be persistent when it comes to minimization, but the scale keeps growing exponentially and this should lead to changes in paradigms.
Great insights about the need to scan / do a compliance review often, isolate and investigate the exceptions. Automation is the key, and configuration as a code a critical success factor to drive this at scale.
Ajet got it right. You need to continually assess your surface ("Analysis") and have a risk-based response strategy ("Management"). Of course this is interconnected, without a proper analysis, you will be managing wrong risks, but these are two separate disciplines.
While I agree with Ajet’s positioning statement, I would have to nudge Tom Currie’s point around their reliance on tools providing a minimized attack surface. From my experience, it is the alignment of those tools concentrated into a single lens that reduces perceived / known attack surface, and not the other way around. Far too often I have seen the emphasis on “tell” tools and not enough on “show” tools, that provide an incomplete view of the ground truth. I trust that explanation makes sense.
WRT Tomas Honzak’s point around shadow IT, I would agree that automation plays a role; however, it also helps to enable teams to “drill down” into the sources in that same analysis platform to explore the key indicators that are present. While ASA and ASM have connective tissues, in my experience the two (when done properly) provide a greater value.
Great responses everyone! Thanks for that - Let’s keep the momentum going!
_J
Any suggestions, Neal, regarding the internal attack surface? Defence in depth is great, but if I can't "see" it, how am I going to fight it? I assume that makes sense.
Great point Joe - and that is where we shine with managed XDR. If you can't identify gaps in your cyber hygiene then as you said so well, there's no fighting it. Security operation's job 1 is engineering, implementing, caring, and nurturing cyber hygiene. The only way to "see it" is to continuously assess cyber hygiene via a wide body of internal and external assessments. The data from assessments is the enrichment for your 24x7 monitoring service for correlation with threat intelligence, mapping to ATT&CK, threat hunting, gaps identification, and configuration and compliance drifts, and wait for it ---- automated response! And hence I say, SIEM is dead, long live XDR.
1000% - sounds like we're reading the same content.
From my experience, you'd be surprised.
A reliance on a management dashboard has been pointed to as an example of a clear understanding of the attack posture of the enterprise.
Attack Surface Analysis. This looks at the attack surface for vulnerabilities and, in helpful analysis, suggests options for addressing any vulnerabilities found. A good ASA will take a risk-based and realistic approach in reporting the vulnerabilities identified.
Thanks Andrew, I've yet to witness in my research a management product that clearly represents / synthesizes an all-encompassing view of the environment.
I do wholeheartedly agree that solid Attack Surface Analysis platforms, on the other hand, can clearly define the blurred lines. Granted, I do have some bias in this domain.
Attack Surface Analysis is an analysis of the number of exploitable vulnerabilities. It can be used by both sides to discover weaknesses in a system. You start by scanning the target for vulnerabilities and then checking which ones have exploits available, and you choose the attack vector. OWASP has an attack surface analysis cheat sheet.
Attack Surface Management is the process of discovering/reconnaissance, inventorying, classification and monitoring of the systems. This is more on the offensive (attacker) side point of view. You are looking at what IT assets are exposed inside the organization and to the internet.
Agree with Ajet, but with an addition. The result of an analysis is some kind of report, which may or may not be acted upon. The result of management has to be a specific action. Neither one is better, you need both ;-)
I'll agree with you that the reports generated by most tools aren't looked at or validated, but I'm sure you would agree that if the technology "shows" rather than "tells" me where the issue is, relative to the sensitivity of the network, I'm more likely as an operator / owner to engage with the vulnerability.
Thanks Joe. 100% agree