External Threat Management

The Top 5 Priorities for Digital Attack Surface Management

It seems a cybersecurity team's work is never done.

Whether threats originate inside a company's network or outside it, cybersecurity teams need to keep known vulnerabilities from being exploited into a breach, and to anticipate unknown threats before they compromise the company's security, reputation, and revenue. "Holistic" is the name of the game: from top to bottom, these teams need to consider everything that could go wrong, then implement an effective plan to push back against it.

However, it’s hard to take initial action when your scope only includes your internal network, which is the case with far too many cybersecurity teams. That’s why we’ve outlined the top five priorities for all companies to manage their entire digital attack surface for maximum efficacy. The timeless adage tells us that a journey of a thousand miles begins with a single step, and it’s no different in this case either.

So while some organizations have developed a mature digital attack surface management program, others are just starting on the journey, evaluating the scope of their program and identifying where to start. For those organizations, it's important not to get overwhelmed when considering the cybersecurity health of your business. Just start here and take action.

  1. Map your digital attack surface: It's crucial nowadays to understand which digital assets belonging to your organization are exposed to the internet; in other words, what your organization looks like to customers and would-be cyber attackers. A business's internet presence consists of known, unknown, unsanctioned, and often poorly maintained internet-facing assets. You need to catalog all of them! Shadow IT, M&A, and a lack of standard commissioning processes mean that cybersecurity teams have an incomplete view of their digital attack surface and its weaknesses. Regardless of their efforts, they can't protect what they don't know about. Cyber attackers perform reconnaissance to exploit unknown, vulnerable, and unmonitored websites, as well as their applications, forms, and underlying infrastructure. According to Verizon, 70% of all successful breaches today originate on the internet. That's why companies should do what the bad guys are already doing: map their digital attack surface in pursuit of potential vulnerabilities.
  2. Minimize your digital attack surface: With your digital attack surface mapped and your vulnerabilities identified, it's time to reduce them and make yourself a smaller target for hackers. Your team must first have an accurate inventory of assets exposed to the internet, then enrich that information by tagging geographical locations, business units, and owners. This exercise will let you systematically improve your cybersecurity posture by addressing specific types of weaknesses, including:
  • Frameworks
  • Certificates
  • Mobile apps
  • Third-party components
  • End-of-life infrastructure
  • Critical common vulnerabilities and exposures (CVEs)
  • Open ports
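As an added example (not RiskIQ's tooling or code from this post), the script below takes a constructed inventory of internet-facing assets already enriched with owner and business-unit tags, flags the weakness types listed above (expiring or expired certificates, risky open ports, end-of-life software, critical CVEs), and turns them into a scored reduction worklist. The port list, EOL list, weights, hostnames and CVE placeholder are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed reference data; a real program would load it from lifecycle and vulnerability feeds.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 445: "SMB", 3389: "RDP"}
EOL_SOFTWARE = {"Windows Server 2008", "PHP 5.6"}
WEIGHTS = {"critical_cve": 10, "eol": 8, "expired_cert": 6, "risky_port": 5, "expiring_cert": 3}

@dataclass
class Asset:
    host: str
    owner: str                 # enrichment tags added after discovery
    business_unit: str
    open_ports: set = field(default_factory=set)
    software: list = field(default_factory=list)
    critical_cves: list = field(default_factory=list)
    cert_expires: date = None  # None means no TLS certificate observed

def find_weaknesses(asset, today):
    # Return (category, detail) pairs for one internet-facing asset.
    found = []
    if asset.cert_expires is not None:
        if asset.cert_expires < today:
            found.append(("expired_cert", f"expired {asset.cert_expires}"))
        elif asset.cert_expires <= today + timedelta(days=30):
            found.append(("expiring_cert", f"expires {asset.cert_expires}"))
    for port in sorted(asset.open_ports):
        if port in RISKY_PORTS:
            found.append(("risky_port", f"{RISKY_PORTS[port]} on {port}/tcp"))
    for sw in asset.software:
        if sw in EOL_SOFTWARE:
            found.append(("eol", f"{sw} is end-of-life"))
    for cve in asset.critical_cves:
        found.append(("critical_cve", cve))
    return found

def prioritize(inventory, today):
    # Score every asset and return a worklist sorted from riskiest down, keyed by owner.
    rows = []
    for a in inventory:
        w = find_weaknesses(a, today)
        rows.append({"host": a.host, "owner": a.owner, "unit": a.business_unit,
                     "score": sum(WEIGHTS[c] for c, _ in w), "weaknesses": w})
    return sorted(rows, key=lambda r: (-r["score"], r["host"]))

# Constructed sample inventory on the reserved example.com domain; the CVE id is a placeholder.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Asset("legacy.example.com", "ops@example.com", "Payments", {443, 3389},
          ["Windows Server 2008"], ["CVE-PLACEHOLDER-0001"], date(2024, 5, 20)),
    Asset("www.example.com", "web@example.com", "Marketing", {80, 443},
          ["nginx 1.24"], [], date(2024, 6, 20)),
    Asset("files.example.com", "it@example.com", "Corp IT", {21, 445}),
]
```

Running `prioritize(INVENTORY, TODAY)` ranks the end-of-life payments host first and the file server with FTP and SMB exposed second, each row carrying the owner to hand the work to.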
  3. Get compliant: It no longer matters if an asset lives within a network or beyond the firewall. If it belongs to your organization, it's imperative that you maintain its compliance with internal standards and third-party regulations. Organizations are already facing fines for breaches that originate outside the firewall. Consider British Airways: its website was breached by the card-skimming crime syndicate Magecart, which used its own malicious JavaScript to steal credit card information from thousands of customers. Because of the airline's lack of visibility beyond its own firewall, it was subject to the first post-GDPR fine of £183 million ($230 million), representing 1.5% of the company's 2017 revenue. The largest fine levied by the UK's Information Commissioner's Office (ICO) before GDPR legislation existed was £500,000 ($626,000). More regulations will be put in place to protect customers from cyber threat actors targeting businesses going forward. Organizations need to be able to stay within GDPR, OWASP, and internal compliance guidelines to avoid potentially devastating penalties.
  4. Protect your customers: Your customers fundamentally interact with your business outside your firewall. As indicated by the massive GDPR fine against British Airways, you're responsible for their safety and online experience. This obligation includes protecting them from cyber threats that belong to you but reside outside the network, like crypto miners, malicious code injections, and Magecart. But this responsibility also extends to assets that don't belong to you. These rogue assets mimic your brand and target your customers. Even though your organization didn't develop them, they're a part of your digital attack surface anyway. These include typo-squatting on various domains and subdomains, developing fraudulent mobile apps, publishing phishing sites, and operating infringing social media accounts.
  5. Get the most out of your other cybersecurity programs: Organizations require rich internet data to be automatically accessible by their other cybersecurity tools to give them full visibility of their digital attack surface and add an "outside the firewall" context to other security functions. By enhancing existing systems and processes with this data, organizations can bring internet visibility to a range of additional cybersecurity and IT operations tools to enrich the information they deliver, accelerate response or mitigation, and improve the organization's cyber effectiveness.

Some common applications are:

  • Pen testing: With visibility into an always up-to-date inventory of exposed assets and their risks, pen-testing teams can focus their efforts on the areas of the digital attack surface with the highest levels of risk.
  • Vulnerability scanning: Prioritize unknown assets and assets with known weaknesses for scanning. As with pen testing, you can only scan those assets your cybersecurity team has visibility of.
  • SIEM enrichment: A SIEM (security information and event management) tool can only see as far as the edge of the corporate network — the data that feeds it comes from devices and applications hosted on that network. For malicious activities that originate on the open internet, SIEM correlation and detection may find the effects of a cyber threat, but often there is no information available to determine the cause. This is where outside-the-firewall visibility comes into play.

Now is the Time to Begin

Due to cloud server migration, hosting, and other digital media initiatives, millions of assets appear on the internet every day, and they're entirely outside the scope of firewalls and endpoint protection. A business's digital attack surface extends from the internal network to the farthest reaches of the internet, where cyber attackers have all the visibility. Cybersecurity teams are now responsible for defending this enormous swath of digital real estate with the same scrutiny as their internal networks.

Fortunately, despite this drastic increase in what cybersecurity teams are now tasked with protecting, basic tenets of cybersecurity haven't changed. With the right tools, cybersecurity teams can apply the same rules that keep their internal networks safe to their entire digital attack surface.

Don't get overwhelmed on your way to a robust digital attack surface management plan. Just get started!
