It seems a cybersecurity team’s work is never done. 

Whether a threat originates inside the company’s network or outside it, the security team needs to keep known vulnerabilities from being exploited into a breach and to anticipate unknown threats before they compromise the company’s security, reputation, and revenue. “Holistic” is the name of the game: from top to bottom, these teams need to consider everything that could go wrong, then implement an effective plan to push back against it.

However, it’s hard to take initial action when your scope only includes your internal network, which is the case with far too many security teams. That’s why we’ve outlined the top five priorities for any company that wants to manage its entire attack surface effectively. The timeless adage tells us that a journey of a thousand miles begins with a single step, and this case is no different.

While some organizations have developed a mature attack surface management program, others are just starting the journey, evaluating the scope of their program and identifying where to start. If yours is one of them, don’t get overwhelmed when considering the cybersecurity health of your business. Start here and take action.

  1. Map your attack surface

It’s crucial nowadays to understand which digital assets belonging to your organization are exposed to the internet; in other words, what your organization looks like to customers and would-be attackers. A business’s internet presence consists of known, unknown, unsanctioned, and often poorly maintained internet-facing assets. You need to catalog all of them! Shadow IT, M&A, and a lack of standard commissioning processes mean that security teams have an incomplete view of their attack surface and its weaknesses.

Regardless of their efforts, they can’t protect what they don’t know about. Attackers perform reconnaissance to exploit unknown, vulnerable, and unmonitored websites, as well as their applications, forms, and underlying infrastructure.

According to Verizon, 70% of all successful breaches today originate on the internet. That’s why companies should do what the bad guys are already doing: map their attack surface in pursuit of potential vulnerabilities.

  2. Minimize your attack surface

With your attack surface mapped and your vulnerabilities identified, it’s time to reduce them and make yourself a smaller target for hackers. Your team must first have an accurate inventory of assets exposed to the internet, then enrich that information by tagging geographical locations, business units, and owners. This exercise will let you systematically improve your security posture by addressing specific types of weaknesses, including:

  • Frameworks
  • Certificates
  • Mobile apps
  • Third-party components
  • End-of-life infrastructure
  • Critical common vulnerabilities and exposures (CVEs)
  • Open ports

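The first two priorities, mapping what is exposed and then minimizing it, come down to one reconciliation: compare what the outside world can see against the inventory the organization believes it has, tag each asset with its owner, and sort the resulting weaknesses by severity. The following script is an added illustration of that loop and is not RiskIQ’s tooling; the sanctioned inventory, the external observations, the end-of-life table and the `example-corp.test` hostnames are all constructed sample data.

```python
"""Reconcile externally observed assets against the sanctioned inventory.

Added illustration, not RiskIQ's tooling. All inventory records, observations
and the end-of-life table below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Sanctioned inventory: what the organization *thinks* is exposed, enriched
# with owner, business unit and region tags (constructed).
SANCTIONED = {
    "www.example-corp.test": {"owner": "web-team", "bu": "Retail", "region": "EU"},
    "api.example-corp.test": {"owner": "platform", "bu": "Retail", "region": "EU"},
    "vpn.example-corp.test": {"owner": "netops", "bu": "Corporate", "region": "US"},
}

# External observations, as an attacker or an ASM scanner would see them (constructed).
OBSERVED = [
    {"host": "www.example-corp.test", "ports": [443], "cert_expires": date(2025, 11, 1),
     "software": ("nginx", "1.24")},
    {"host": "api.example-corp.test", "ports": [443, 22], "cert_expires": date(2024, 2, 1),
     "software": ("nginx", "1.24")},
    {"host": "old-cms.example-corp.test", "ports": [80, 3389], "cert_expires": None,
     "software": ("legacy-cms", "2.1")},   # shadow IT: absent from SANCTIONED
    {"host": "vpn.example-corp.test", "ports": [443], "cert_expires": date(2025, 6, 30),
     "software": ("vpn-appliance", "9.0")},
]

# Product versions the vendor no longer patches (constructed placeholder table).
END_OF_LIFE = {("legacy-cms", "2.1"), ("vpn-appliance", "9.0")}

# Admin / remote-access services that should not be reachable from the internet.
RISKY_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 3389: "RDP", 445: "SMB"}

AS_OF = date(2024, 3, 1)     # reference date for the certificate checks (constructed)
EARLIER = date(2024, 1, 15)  # second reference date, 17 days before the api cert expires


@dataclass
class Finding:
    host: str
    owner: str        # "UNKNOWN" when the asset is not in the sanctioned inventory
    weakness: str     # category from the checklist above
    detail: str
    severity: int     # 3 = high, 2 = medium, 1 = low


def assess(observed, sanctioned, today=AS_OF, eol=END_OF_LIFE, risky=RISKY_PORTS):
    """Turn raw external observations into owner-tagged, prioritized findings."""
    findings = []
    for obs in observed:
        host = obs["host"]
        tags = sanctioned.get(host)
        owner = tags["owner"] if tags else "UNKNOWN"
        if tags is None:
            findings.append(Finding(host, owner, "unknown asset",
                                    "exposed but absent from the sanctioned inventory", 3))
        expires = obs.get("cert_expires")
        if expires is not None:
            days_left = (expires - today).days
            if days_left < 0:
                findings.append(Finding(host, owner, "certificate",
                                        f"TLS certificate expired {-days_left} days ago", 3))
            elif days_left <= 30:
                findings.append(Finding(host, owner, "certificate",
                                        f"TLS certificate expires in {days_left} days", 2))
        if obs["software"] in eol:
            product, version = obs["software"]
            findings.append(Finding(host, owner, "end-of-life infrastructure",
                                    f"{product} {version} no longer receives patches", 3))
        for port in obs["ports"]:
            if port in risky:
                findings.append(Finding(host, owner, "open ports",
                                        f"{risky[port]} (tcp/{port}) reachable from the internet", 2))
    # Highest severity first, then by host so each owner's items group together.
    findings.sort(key=lambda f: (-f.severity, f.host))
    return findings


def by_owner(findings):
    """Count findings per owner tag; the UNKNOWN bucket is the shadow-IT backlog."""
    return dict(Counter(f.owner for f in findings))


if __name__ == "__main__":
    results = assess(OBSERVED, SANCTIONED)
    for f in results:
        print(f"[sev {f.severity}] {f.host:28} owner={f.owner:10} {f.weakness}: {f.detail}")
    print(by_owner(results))
```

The owner tag is what turns a list of weaknesses into work that can be assigned: every finding on a known asset goes to its owner, and the UNKNOWN bucket is the list of assets that first need an owner before anything else can happen. In a real deployment the observations would come from an external scanning feed rather than a hard-coded list, and the end-of-life table would be maintained from vendor lifecycle data.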
  3. Get compliant

It no longer matters if an asset lives within a network or beyond the firewall. If it belongs to your organization, it’s imperative that you maintain its compliance with internal standards and third-party regulations. Organizations are already facing fines for breaches that originate outside the firewall.

Consider British Airways: its website was breached by the card-skimming crime syndicate Magecart, which used its own malicious JavaScript to steal credit card information from thousands of customers. Because of the airline’s lack of visibility beyond its own firewall, it was subject to the first post-GDPR fine of £183 million ($230 million), representing 1.5% of the company’s 2017 revenue. The largest fine levied by the UK’s Information Commissioner’s Office (ICO) before GDPR legislation existed was £500,000 ($626,000).

Going forward, more regulations will be put in place to protect customers from threat actors targeting businesses. Organizations need to be able to stay within GDPR, OWASP, and internal compliance guidelines to avoid potentially devastating penalties.

  4. Protect your customers

Your customers fundamentally interact with your business outside your firewall. As indicated by the massive GDPR fine against British Airways, you’re responsible for their safety and online experience. This obligation includes protecting them from threats that belong to you but reside outside the network, like crypto miners, malicious code injections, and Magecart.

But this responsibility also extends to assets that don’t belong to you. These rogue assets mimic your brand and target your customers. Even though your organization didn’t develop them, they’re a part of your attack surface anyway. They include typo-squatted domains and subdomains, fraudulent mobile apps, phishing sites, and infringing social media accounts.

  5. Get the most out of your other security programs

Organizations need rich internet data to be automatically available to their other security tools, both to give those tools full visibility of the attack surface and to add “outside the firewall” context to other security functions. Feeding this data into existing systems and processes brings internet visibility to a range of security and IT operations tools, enriches the information they deliver, accelerates response and mitigation, and improves the organization’s overall cyber effectiveness.

Some common applications are:

  • Pen testing: With visibility and an always up-to-date inventory of exposed assets and their risks, pen-testing teams can focus their efforts on the areas of the attack surface with the highest levels of risk.
  • Vulnerability scanning: Unknown assets and assets with known weaknesses can be prioritized for scanning. As with pen testing, you can only scan those assets your security team has visibility of.
  • SIEM enrichment: A SIEM (security information and event management) tool can only see as far as the edge of the corporate network, because the data that feeds it comes from devices and applications hosted on that network. For malicious activity that originates on the open internet, SIEM correlation and detection may find the effects of a threat, but often there is no information available to determine the cause. This is where outside-the-firewall visibility comes into play.
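The typo-squatted domains from the “Protect your customers” section and the SIEM enrichment bullet above fit together naturally: a lookalike-domain verdict is exactly the outside-the-firewall context a SIEM lacks when it sees an employee or customer connect to a domain it does not recognize. The script below is an added illustration, not RiskIQ’s tooling, of a simple brand-lookalike classifier and of attaching its verdict to proxy events. The owned domain `example-corp.test`, the homoglyph table, the candidate domains and the proxy log lines are all constructed; the eTLD+1 extraction is deliberately naive (last two labels) and a real deployment would use the Public Suffix List.

```python
"""Spot brand-lookalike domains and use the verdict to enrich SIEM events.

Added illustration, not RiskIQ's tooling. The brand domain, the candidate
domains, the homoglyph table and the proxy log lines are constructed sample data.
"""
import re

OWNED = {"example-corp.test"}  # registrable domains the organization controls (constructed)

# Character substitutions attackers commonly use, folded back to the intended letter,
# plus hyphen removal so "examplecorp" and "example-corp" compare equal.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", "")]


def registrable(host):
    """Naive eTLD+1: last two labels. Real deployments use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalise(label):
    """Fold homoglyphs and punctuation so visually similar names compare equal."""
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    """Edit distance with a rolling single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, owned=OWNED, max_distance=2):
    """Return (verdict, reason) for a host seen in logs or a new-registration feed."""
    dom = registrable(host)
    if dom in owned:
        return "owned", "sanctioned domain"
    name = normalise(dom.rsplit(".", 1)[0])
    for brand in owned:
        brand_name = normalise(brand.rsplit(".", 1)[0])
        if name == brand_name:
            return "lookalike", f"homoglyph/punctuation variant of {brand}"
        if brand_name in name:
            return "lookalike", f"embeds brand {brand}"
        d = levenshtein(name, brand_name)
        if d <= max_distance:
            return "lookalike", f"edit distance {d} from {brand}"
    return "unrelated", "no brand match"


# Proxy event format assumed for this example (constructed).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)

SAMPLE_LOGS = [  # constructed proxy events
    "2024-03-01T10:00:00Z user=alice dst=www.example-corp.test path=/account status=200",
    "2024-03-01T10:02:13Z user=bob dst=examp1e-corp.test path=/login status=200",
    "2024-03-01T10:05:40Z user=carol dst=example-corp-login.test path=/verify status=302",
    "2024-03-01T10:07:02Z user=dave dst=cdn.partner.test path=/lib.js status=200",
    "2024-03-01T10:09:55Z user=erin dst=exarnple-corp.test path=/login status=200",
]


def enrich(lines, owned=OWNED):
    """Parse proxy events and attach the outside-the-firewall verdict to each one."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        ev = m.groupdict()
        ev["verdict"], ev["reason"] = classify(ev["dst"], owned)
        # Traffic to a lookalike is the phishing signal the SIEM alone cannot attribute.
        ev["alert"] = ev["verdict"] == "lookalike"
        events.append(ev)
    return events


if __name__ == "__main__":
    for ev in enrich(SAMPLE_LOGS):
        flag = "ALERT" if ev["alert"] else "     "
        print(f"{flag} {ev['user']:6} -> {ev['dst']:26} {ev['verdict']:10} {ev['reason']}")
```

The `max_distance` threshold and the homoglyph table are the two knobs worth tuning: a short brand name at distance 2 will match many unrelated words, so very short brands need a stricter threshold or an allow-list of known partners, while a longer table catches more variants at the cost of more review work for the analyst who receives the alerts.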

Now is the Time to Begin

Due to cloud server migration, hosting, and other digital media initiatives, millions of assets appear on the internet every day, and they’re entirely outside the scope of firewalls and endpoint protection. A business’s attack surface extends from the internal network to the farthest reaches of the internet, where attackers have all the visibility. Security teams are now responsible for defending this enormous swath of digital real estate with the same scrutiny as their internal networks. 

Fortunately, despite this drastic increase in what security teams are now tasked with protecting, basic tenets of cybersecurity haven’t changed. With the right tools, security teams can apply the same rules that keep their internal networks safe to their entire attack surface.

Don’t get overwhelmed on your way to a robust attack surface management plan. Just get started!
