Attack Surface Management (ASM) treats a business’s security risk as the continuous monitoring and mitigation of a constantly changing and vulnerable “risk surface”. Importantly, that attack surface includes both internal and external assets and services. Some ASM solutions deliver clear visibility across both Internet-facing and internal assets. Others do not: they assess external-facing services and assets only, implicitly assuming that internal servers and endpoints are safe from compromise and attack.
Read this field guide to understand how to gain clear visibility of the security of both your internal and external assets and services.
The cyber security industry has a seemingly insatiable appetite for jargon and acronyms. Almost any security document can quickly descend into sets of clever three- or four-letter acronyms that add little to anyone’s understanding.
Some of these elaborate descriptors may be fine for security specialists, but for the layperson the security and business benefit of such documents and terms is limited. At a time when everyone is looking to maximise the value of their cyber security spend, matching technical requirements to solution functionality is critical. Organisations cannot afford to waste resources on duplicate or redundant technologies, so getting to the bottom of these terms matters to every security stakeholder.
One area where this habit has become particularly unhelpful is cyber security audit and assessment. Perhaps it is because this field sits at the dynamic interface of the business and technology disciplines, or perhaps it is simply an unchecked explosion of IT analysts’ creativity. Whatever the reason, the names and claimed capabilities of some of these technologies seem almost designed to confuse rather than explain their function.
By now most organisations have at least some security controls in place to mitigate security risks; but business stakeholders are seeking assurance, and in some cases evidence, that their assets are protected. Verifiable information is increasingly being sought to give confidence to customers, to inform insurers, to comply with the law and even satisfy their own fiduciary responsibilities as company officers.
Understanding the effectiveness or ROI of these controls requires a degree of objective measurement. Measurement techniques range from more frequent audit and oversight (which is expensive, intrusive and invariably imprecise) through to technical solutions that add quantitative assessment to the risk management process. One such solution is “Attack Surface Management”.
Attack Surface Management, a relatively new term, is the genus of a number of different species; each with different capabilities, which can make selecting the best solution for your needs a bit tricky. A note of caution: not all ASMs are the same.
The full extent of an enterprise “surface” that is vulnerable to attack includes both internal and Internet-facing (external) IT assets and services. Without mitigation, these surfaces present security risks to the business and must be managed. Adding to the confusion, some vendors use ASM to describe external-facing services and assets only, implicitly assuming that internal servers and endpoints cannot become an attack vector. Of course they can: an attacker who has gained a foothold inside the network is attacking exactly those assets.
In short, systematically monitoring an attack surface to identify and mitigate any vulnerabilities will improve the level of cyber resilience and reduce the risk of attack for an organisation. ASM solutions that include both internal and external assets can obviously provide greater confidence about the risk assessment result. They also provide better visibility of the security of both your internal and external assets and services.
Asset management is something companies often struggle with: accounting for every IT asset and system in place and how each is configured. In recent years this has become harder still, but identifying every asset and service on your network is an important risk-mitigation activity.
Your choice of ASM solution determines which assets and services you can discover, analyse, remediate and monitor, and therefore which of the vulnerabilities and potential attack vectors that make up the organisation’s attack surface you will actually see.
Here’s a handy field guide to help you with ASM taxonomy in the wild. The species of the ASM genus are as follows:
External Attack Surface Management (EASM) is closely related to the external scanning of systems and networks that adversaries themselves undertake. It is low cost and can be run without the target’s knowledge, but because it sees only what is observable from the outside it is not particularly reliable. It identifies IP address ranges, accessible systems, gateways/VPNs, websites, cloud platforms and applications, and then assesses exposure in user accounts/emails, gateway access points, web vulnerabilities and SSL/TLS certificates, cloud misconfigurations and other vulnerabilities.
EASM provides an easy way to discover the externally accessible assets and systems, and that is also its shortcoming. A system that is not reachable at scan time is not necessarily secure: it may be adequately protected by other controls (a web server, for example), or it may simply be disconnected (a laptop that is switched off). Either way, EASM cannot see it, so its picture of the attack surface is incomplete.
Security Rating Services (SRS) are broad in their adoption but, again, purely external in nature. Like credit rating agencies, they emerged as a business service offering quick cyber assessments built from publicly available information.
They remain entirely external to the enterprise and unobtrusively gather information from the public domain to profile an organisation’s security rating. The scan is a low-cost operation, and SRSs have been known to scan an unsuspecting target, make the resulting report available to it, and offer to correct any erroneous or inaccurate information for a fee.
The poor reliability and lack of evidential rigour mean the quality of these reports remains contentious, so much so that early adopters now place greater reliance on other risk assessment methods. Organisations seeking reinsurance, for example, often now have to certify that they have a mandatory set of controls in place.
Risk protection services are really just a new name for the familiar external threat intelligence service: companies that gather and collate threat intelligence about an organisation, beyond generic indicators of compromise such as rogue IP addresses and file hashes.
This “threat intelligence” about an organisation can be derived from external information, from its employees, or from data on the Internet, web forums or social media, and elements of tradecraft are sometimes associated with aggregating it. The difficulty is that the conclusions can be very subjective, and the digital artefacts gathered quite tangential to the risk level the target organisation actually faces.
In an already confusing market, some EASM and SRS vendors also claim to offer these risk protection services, to help manage potential reputational risk.
As businesses deploy more applications, whether SaaS, cloud-hosted or self-managed on their own premises, it is important to understand how attackers might choose to subvert them and the IT assets and systems beneath them.
An example is a server application that exposes an API. The customer may choose not to use the API and so pays little attention to its security or settings. They forget it is there; it remains active and vulnerable to attack.
Application Attack Surface Management (AASM) applies ASM concepts specifically to discovering these applications and APIs, along with any vulnerabilities an organisation has unwittingly adopted with them.
This identification and vulnerability/threat understanding can be applied to:
Finally, arguably the broadest and most interesting species of attack surface management is Cyber Asset Attack Surface Management. At a stretch, it encompasses almost all the other ASM types (although, as with any rule, there are exceptions).
CAASM (sometimes referred to as “inside-out”) takes the perspective of an organisation protecting itself against a dynamic threat environment: it is focused on the vulnerability of all enterprise assets and services, internal and external facing alike, across the enterprise network, cloud providers and user workstations.
CAASM sets out to deliver unified visibility across all assets by identifying any vulnerabilities, subsequent mitigations and any ineffective security controls.
The combination of an asset management inventory and clarity around security vulnerabilities and misconfigurations provides the business with a clear ledger-like overview. Cyber security coverage, maturity and control effectiveness is listed on the one hand and the resultant cyber exposure and security posture of the organisation on the other. Importantly, CAASMs can highlight the maturity of the security controls to report the status of risk management activities for security and business stakeholders.
This multi-dimensional view of the systems and platforms, their configuration and controls, and the protection they provide against hackers, APTs and ransomware enables the measurable, timely and accurate view of cyber security that all parts of the business need.
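As an added illustration (not code from the original article, and not any vendor’s product), the following Python reconciles an outside-in EASM scan with an inside-out asset inventory and produces the coverage-versus-exposure ledger described above. It serves both the forgotten-API example in the AASM section and the CAASM ledger: the external scan alone reports the unowned address, the host exposed against its owner’s intent and the stray API, but it never sees the offline laptop or the internal database, which is exactly where two of the three control gaps sit. All hosts, addresses, services and control flags are constructed assumptions for the example.

```python
"""CAASM-style reconciliation of an EASM scan against an internal asset inventory.
Added example; not the vendor's code. All data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    internet_facing: bool   # the owner expects this asset to be reachable from the Internet
    listening: tuple        # (port, service) pairs found by an authenticated internal scan
    declared: frozenset     # services the owner says are actually in use
    edr: bool               # endpoint control deployed
    patched: bool           # no outstanding critical patches


# Constructed outside-in view: what an EASM scanner observes right now, keyed by IP.
EXTERNAL_SCAN = {
    "203.0.113.10": ((443, "https"),),
    "203.0.113.12": ((443, "https"), (8443, "api")),   # the forgotten API from the text
    "203.0.113.30": ((22, "ssh"),),                     # inventory says this host is internal-only
    "203.0.113.40": ((3389, "rdp"),),                   # no inventory record owns this address
}

# Constructed inside-out view: the asset inventory with control status.
INVENTORY = (
    Asset("web01", "203.0.113.10", True, ((443, "https"),), frozenset({"https"}), True, True),
    Asset("app02", "203.0.113.12", True, ((443, "https"), (8443, "api")), frozenset({"https"}), True, False),
    Asset("jump04", "203.0.113.30", False, ((22, "ssh"),), frozenset({"ssh"}), True, True),
    Asset("laptop17", "10.0.5.17", False, ((445, "smb"),), frozenset({"smb"}), False, True),  # offline laptop
    Asset("db03", "10.0.9.3", False, ((5432, "postgres"),), frozenset({"postgres"}), False, True),
)


def unmanaged_addresses(scan, inventory):
    """Exposed addresses no inventory record claims: EASM finds them, nobody owns them."""
    known = {a.ip for a in inventory}
    return sorted(ip for ip in scan if ip not in known)


def unexpected_exposures(scan, inventory):
    """Inventoried assets reachable from outside although their owner marked them internal-only."""
    return sorted((a.host, port) for a in inventory if not a.internet_facing
                  for port, _ in scan.get(a.ip, ()))


def forgotten_services(inventory):
    """Services listening on an asset that its owner never declared (the unused API)."""
    return sorted((a.host, svc) for a in inventory for _, svc in a.listening if svc not in a.declared)


def control_gaps(inventory):
    """Assets whose expected controls are absent or ineffective, sorted by host."""
    gaps = []
    for a in inventory:
        missing = tuple(name for name, ok in (("edr", a.edr), ("patching", a.patched)) if not ok)
        if missing:
            gaps.append((a.host, missing))
    return sorted(gaps)


def easm_blind_spots(scan, inventory):
    """Inventoried assets an outside-in scan never observes (internal-only or offline)."""
    return sorted(a.host for a in inventory if a.ip not in scan)


def ledger(scan, inventory):
    """Control coverage on one side of the ledger, exposure on the other."""
    n = len(inventory)
    return {
        "edr_coverage_pct": round(100 * sum(a.edr for a in inventory) / n),
        "patch_coverage_pct": round(100 * sum(a.patched for a in inventory) / n),
        "unmanaged_external": unmanaged_addresses(scan, inventory),
        "unexpected_exposures": unexpected_exposures(scan, inventory),
        "forgotten_services": forgotten_services(inventory),
        "control_gaps": control_gaps(inventory),
        "easm_blind_spots": easm_blind_spots(scan, inventory),
    }


if __name__ == "__main__":
    for key, value in ledger(EXTERNAL_SCAN, INVENTORY).items():
        print(f"{key:22} {value}")
```

The key design choice is that the inventory, not the scan, is the reference set: the scan is cross-checked against what owners say should exist (`internet_facing`, `declared`), which is how the unowned RDP address and the exposed jump host surface as findings, while the `easm_blind_spots` list makes explicit which assets an external-only product would have left out of the risk calculation altogether.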
Previous: Part 2a: Australia’s Essential Eight: Beyond Endpoint Control | Part 2b: Activating UK NCSC & US NIST Guidelines: Beyond Endpoint Control. Next: Part 4: Systematic Measurement of Cyber Controls.