One way to secure an organization is to defend and manage the attack surface: the sum of all points where an intruder can enter an organization’s network. The attack surface includes every digital asset that has to be defended—software, servers, routers, switches, network connections, desktops, laptops, mobile devices, and all points of interaction with users.
“The better you get as an organization at reducing your attack surface, the more you lower your risk of attack,” says Sean Convery, VP and GM, Security & Risk Business Unit at ServiceNow. “The question organizations have to answer is: What does it take to launch that virtuous cycle and keep the attack surface under control?”
The job has grown more challenging in recent years, in large part because for many companies the attack surface has exploded in size. New technologies such as cloud computing, mobile devices, and the Internet of Things have dissolved the perimeter that used to separate an organization’s digital assets from the outside world. As a result, the typical company’s attack surface now extends to the outer reaches of the internet.
In a large organization, there can be tens of millions of different digital assets. Every time a company deploys or modifies an application, adds or removes servers, connects or disconnects mobile devices, or reconfigures networks, the size and complexity of the attack surface increase.
“Each new widget, from the smart thermostat to the networked DVR to a security camera, represents a potential target and attack vector for hackers to exploit,” says Steve Ginty, a senior product manager at RiskIQ, a San Francisco–based cybersecurity firm. A 2018 study by the firm recorded nearly 250,000 new domains and 5.5 million new hosts per day across the internet over a two-week period.
At the same time, many IT and security teams are losing control over the attack surface. “With everyone bringing their own device and the proliferation of cloud services, IT no longer completely controls the security environment,” says John Pescatore, a director at SANS Institute who has more than three decades of experience in network and data security.
The problem will only get worse as the Internet of Things goes mainstream. Already 127 new IoT devices are being connected every second, according to a 2018 McKinsey study. Many of those newly connected devices aren’t designed with strong security in mind. They run a wide range of operating systems and applications, making the attack surface even harder to defend.
So how are smart organizations meeting this challenge? One long-standing security strategy still holds true: wherever possible, shrink the attack surface.
Analyze and reduce
The first step to reducing the attack surface is getting a clear picture of the battlefield. Technology can help. Specialized threat surface tools combine analytics and data visualization so you can identify the areas of highest risk and prioritize remediation.
“With technology, security teams can understand the entire cyber kill-chain and what controls they need to implement at what place in the attack path,” says Archie Agarwal, founder and chief technical architect at Threat Modeler, a New Jersey-based cybersecurity company.
Visualization platforms display the topology of an organization’s network, along with its software and hardware assets and the paths between them. Their analytics features help to identify potential trouble areas, such as software vulnerabilities, misconfigurations, and overly permissive security rules. They allow security teams to differentiate between vulnerabilities that must be addressed immediately and those that are less damaging or harder for attackers to exploit.
As a result, security resources can be allocated where they are most needed. Risks can be identified by individual business unit, geographic region, and types of exposure. Vulnerabilities across an enterprise can be detected in hours, not weeks.
Smarter attack surface management
Technology, however, isn’t the sole answer. Companies must modernize their planning and processes too.
“Organizations need to be much more proactive and programmatic in addressing security vulnerabilities before they become issues,” says Convery.
Companies should establish organizational policies that clearly spell out acceptable responses to particular security vulnerabilities. For instance, a company might decide that vulnerabilities above a certain risk threshold must be patched within 48 hours. Tying patches to real business risk helps educate everyone in the organization about the consequences of exposure. It also helps drive the point that attack surfaces are everyone’s responsibility, not just IT’s.
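The risk-threshold patching policy just described, together with the prioritization by exposure, business unit and region from the “Analyze and reduce” section, as an added Python example. This is not code from the article or from any vendor named in it; the 7.0 threshold, the exposure weights, the 30-day standard window and the inventory rows are assumptions constructed for illustration, and only the 48-hour window comes from the text.

```python
from datetime import datetime, timedelta

RISK_THRESHOLD = 7.0               # assumed policy cut-off on a 0-10 scale
URGENT_SLA = timedelta(hours=48)   # patch window from the article's example
STANDARD_SLA = timedelta(days=30)  # assumed window for lower-risk findings

# Constructed inventory: one row per (asset, vulnerability) finding.
FINDINGS = [
    {"asset": "web-01", "unit": "retail", "region": "EU", "cvss": 9.8,
     "internet_facing": True, "exploit_public": True, "found": "2024-03-01T09:00"},
    {"asset": "hr-db-02", "unit": "corporate", "region": "US", "cvss": 8.1,
     "internet_facing": False, "exploit_public": False, "found": "2024-03-01T09:00"},
    {"asset": "kiosk-17", "unit": "retail", "region": "US", "cvss": 5.3,
     "internet_facing": True, "exploit_public": False, "found": "2024-02-01T09:00"},
]

def business_risk(f):
    """CVSS adjusted for exposure: reachable from the internet or with a public
    exploit means easier to attack; neither means harder (assumed weights)."""
    score = f["cvss"]
    if f["internet_facing"]:
        score += 1.0
    if f["exploit_public"]:
        score += 1.0
    if not f["internet_facing"] and not f["exploit_public"]:
        score -= 1.5
    return max(0.0, min(10.0, score))

def sla_for(f):
    """Policy rule: findings at or above the threshold get the 48-hour window."""
    return URGENT_SLA if business_risk(f) >= RISK_THRESHOLD else STANDARD_SLA

def overdue(findings, now_iso):
    """Findings whose patch deadline has passed, highest risk first."""
    now = datetime.fromisoformat(now_iso)
    late = []
    for f in findings:
        deadline = datetime.fromisoformat(f["found"]) + sla_for(f)
        if now > deadline:
            late.append((f["asset"], f["unit"], business_risk(f), now - deadline))
    return sorted(late, key=lambda r: r[2], reverse=True)

def urgent_by_unit(findings):
    """How many 48-hour findings each business unit owns, for allocating effort."""
    counts = {}
    for f in findings:
        if sla_for(f) == URGENT_SLA:
            counts[f["unit"]] = counts.get(f["unit"], 0) + 1
    return counts
```

Calling `overdue(FINDINGS, "2024-03-04T09:00")` lists the internet-facing web server first (its 48-hour window lapsed a day earlier) and the kiosk second, while the internal database, scored below the threshold, is still inside its standard window.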
Companies can also streamline their technology purchases to keep attack surfaces under control. They should focus on forming strategic relationships with a smaller number of hardware and software vendors, and on standardizing on fewer, well-understood systems. As part of that initiative, they should demand that vendors show a commitment to security.
“The onus has to be on the seller to prove that their technology is secure,” says Pescatore. “If a company is buying networked medical devices or fleet vehicles with internet connections, that technology better be more secure than it has been in the past.”
The payoffs for a well-managed attack surface are considerable: fewer security breaches and faster responses when problems do occur. Smart threat surface management can also help transform IT and security teams from crisis managers into true security analysts whose insights protect the bottom line.
“Reducing the attack surface and the damage from routine attacks gives your analysts more time to hunt for the interesting stuff,” says Convery. “Instead of focusing on the latest threat, they can address the issues that have a much greater downstream impact.”