Post-Covid hybrid work force and the proliferation of Cloud and SaaS based consumption models are expanding an organization’s digital footprint. Mobile applications, eComm platforms and ERP solutions are extensively using public and custom API’s as part of their digital transformation strategy. Parity improvements in Operational Technologies (OT) are allowing continuous monitoring and on-demand remote management. Phygital experiences are introducing a highly interactive and distributed digital environment to personalize brand experiences. For the security teams, these technology advances and subsequent capabilities introduce an increasing number of attack vectors and a substantial expansion of the attack surface they are responsible for. Attack surface management can help mitigate threats to the digital footprint through continuous visibility and effective compensating controls.
What constitutes a digital attack surface ?
An organizations digital attack surface is the sum total of pathways that can be exploited to gain access to an organization’s sensitive data. The largest attack surface for an organization are the users and the assets they use to access data. An often overlooked attack surface are the users themselves. User credentials, MFA tokens and even their social personas are potential targets for an adversary. Next up are the consumer facing and business enabling compute environments. As digital transformation gets underway, Cloud compute and SaaS consumption introduces additional pathways to sensitive stored data. Public and custom API gateway’s allow interactivity between these platforms, allowing access to services and enables data sharing. Consumer facing eComm and loyalty platforms require minimal friction while allowing customers to reach services, stored data and user profiles hosted by the services. With advancements in technology, OT enabled devices are capable of continuously uploading telemetry for monitoring and requires on-demand access for remote management. All of these are in addition to the traditional internet gateway’s and WAN edge access required for everyday business operations.
Operationalizing Attack Surface Management
It is beneficial to have a comprehensive view of your attack surface. It further adds value, if you can decouple the views into external and internal, allowing two separate teams to continuously assess the threat surface and use the Threat intel team to bring the views together. Since Security is an overlay for most business enabling technologies, this exercise becomes a team effort, with continuous support from cross functional IT partners.
Start with the fundamentals and know what you have. Your Architecture and Engineering teams should be your first stop. With changes in technology, IT teams are constantly revamping their abilities to gain efficiencies. Ensure your architecture diagrams stay updated with clear documentation of your externally exposed interfaces and associated network paths, regardless of whether it is consumer facing or business enabling. Asset management programs should stay aligned with these changes and should include details on your applications, cloud compute assets and your SaaS consumptions. Since cloud compute assets and the applications they host are dynamic in nature, tagging and tracking them through their lifecycle is important for current asset awareness. Your data storage and backup solutions must also be clearly documented with ingress and egress data flows, transport mechanisms, as well as their security and privacy controls. Continuous vulnerability management is important for assets that are currently under management. Having clear policies/standards and an established vulnerability scanning and mitigation process across your exposed surface are critical in understanding known threats to your attack surface. This is your internal view.
3rd parties could provide an impartial and objective external view of your attack surface. Services that offer discovery scans allowing quick detection of new domains/subdomains being registered or new endpoints going live in your managed IP ranges are extremely valuable. Free and open-source resources like Shodan provides continuous exposure data and are a great starting point. Engaging and operationalizing a bug bounty team helps with crowdsourced, bounty incentivized individuals to engage and identify logic errors in your applications and vulnerabilities in your interfaces. 3rd party pen testing your environment after major changes and revisions can surface vulnerabilities overlooked during development and or missed by QA. Continuous risk monitoring of your SaaS providers can help teams to adjust their defensive postures if the risk scores trend in the wrong direction. External threat intelligence services can follow “chatter” about your organization and alert if data is up for sale or data access is being sold.
So, what’s next ?
As technology evolves, sensitive data will be accessed, hosted, and transported across various multi-tenant platforms and geographic locations, resulting in an increased attack surface. Tracking data flows, along with collecting, storing, and analyzing telemetry on infrastructure management, configuration drift and data access (on-prem data center, cloud compute environment, mobile applications, and SaaS applications) at scale is becoming table stakes. Introducing SSO/MFA along with session controls for management and user access can significantly reduce the attack surface. Technology that integrates and enables automated response for the various aspects of attack surface management can bring immense value for Security teams. A well-integrated platform brings comprehensive attack surface visibility, detects configuration drift, alerts for new and emerging vulnerabilities, and automates the mitigation process – without much human intervention. Now, that is worth investing in.
In closing, the post pandemic hybrid work environment and the acceleration of Cloud & SaaS consumption model have introduced an exponential growth in an organization’s attack surface. Security teams must constantly be aware of their attack surface and mitigate security risk to their organization. Technologies developed to address this new focus area must unify the various aspects of attack surface management to help reduce time to detection while improving response time.