The recent MOVEit Transfer data breach once again demonstrated how a single third party can damage entire supply chains. Because hundreds if not thousands of organizations relied on this file-transfer service, over 17.5 million individuals and 200 organizations, including well-known names such as Shell Energy, First Merchants Bank, the BBC, British Airways and the U.S. Department of Homeland Security, were affected. The proliferation of such third-party services, and their tremendous appeal to attackers, makes monitoring the expanding attack surfaces of companies of all sizes across all industries increasingly challenging.
According to Randori, an IBM subsidiary, 67% of organizations have seen their attack surfaces expand in the past 12 months, and 69% have been compromised through an unknown or poorly managed internet-facing asset in the past year. This dangerous combination of trends, and the cyber risk it poses, highlights the need for ongoing attack surface monitoring to defend against cyber attacks.
What is Attack Surface Monitoring?
Attack surface monitoring is the process of continuously monitoring the possible entry points that attackers could use to gain a foothold in your servers or network. Once an entry point is successfully exploited, the assets behind it are exposed.
The goal of attack surface monitoring is to identify these threats, protect these assets and prevent attackers from exploiting these entry points.
This includes taking a complete asset inventory to identify:
- Known assets. This can range from physical assets, such as routers, servers and networks in your IT environment, to digital assets such as IP addresses, cloud and on-premises applications, your corporate website, and any additional domains and subdomains.
- Unknown assets. These are assets that exist unbeknownst to your IT or security team. Examples include Shadow IT, orphaned IT infrastructure, websites or devices no longer in use, or personal devices that connect to your organization’s network.
- Malicious or rogue assets. Impersonated websites, cyber-squatted and typo-squatted domains, phishing emails, stolen sensitive data, and cardholder PII sold on the dark web are all examples of assets created or abused by attackers.
- Third-party assets. Third-party assets aren't part of your own IT infrastructure or network but are still part of your digital supply chain. They could belong to vendors, suppliers, partners and service providers, and they contribute to an expanding attack surface. They might also include the networks of your organization's subsidiaries, cloud assets, SaaS applications and APIs.
With constant changes to your organization's network and services, your attack surface is highly dynamic. Every new server, domain, router or IP address can introduce new assets and new opportunities for threat actors. As a result, continuous discovery of your organization's attack surface is essential to understand which security controls to put in place to reduce the risk of attack. For this reason, many organizations leverage attack surface monitoring tools and vulnerability management tools to help prioritize remediation efforts.
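As an added illustration (example code written for this page, not a Panorays tool), the following Python triages a list of internet-facing hostnames, such as you might collect from certificate-transparency logs plus a DNS pass, into the asset classes above: known, unknown, third-party (your name, someone else's infrastructure) and rogue (lookalike or brand-bearing domains you do not own), plus "stale" entries that sit in the CMDB but were never observed. Everything in it is constructed: the owned apex domains, the CMDB export and the observed hosts are invented sample data, and the lookalike check is a deliberately simple edit-distance heuristic, not a complete typosquat detector.

```python
"""Triage observed hostnames into known, unknown, third-party, rogue and stale assets.

Added example for this article; not Panorays code. All inputs are constructed
sample data. Hostname matching is simplified (no public-suffix list), so treat
the lookalike check as a starting heuristic rather than a full typosquat detector.
"""

# Constructed inventory: brand apex domains you own and the hosts your CMDB knows about.
OWNED_APEX = {"example.com", "example.co.uk"}
INVENTORY = {"www.example.com", "mft.example.com", "vpn.example.com"}

# Constructed observations, e.g. hostnames seen in certificate-transparency logs,
# paired with the CNAME target a DNS lookup returned (None = no CNAME).
OBSERVED = [
    ("www.example.com", None),
    ("mft.example.com", None),
    ("staging-api.example.com", None),                 # nobody registered this: shadow IT
    ("status.example.com", "example.statuspage.io"),   # delegated to a SaaS provider
    ("examp1e.com", None),                             # one character off the brand
    ("example-login.net", None),                       # brand name inside a foreign domain
    ("unrelated.org", None),
]


def levenshtein(a, b):
    """Edit distance, used to spot domains a keystroke away from the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def under_owned(host, owned_apex):
    """True if host is one of your apex domains or a subdomain of one."""
    return any(host == apex or host.endswith("." + apex) for apex in owned_apex)


def classify(host, cname, inventory, owned_apex):
    """Map one observed host to an attack-surface category."""
    if under_owned(host, owned_apex):
        if cname and not under_owned(cname, owned_apex):
            return "third-party"          # your name, someone else's infrastructure
        return "known" if host in inventory else "unknown"
    # Outside your apexes: compare the registrable label against each brand label.
    parts = host.split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    for brand in {apex.split(".")[0] for apex in owned_apex}:
        if brand in label or levenshtein(label, brand) <= 1:
            return "rogue"                # lookalike or brand-bearing domain you do not own
    return "out-of-scope"


def triage(observed, inventory, owned_apex):
    """Group observations by category and flag inventory entries never seen externally."""
    buckets = {"known": [], "unknown": [], "third-party": [], "rogue": [], "out-of-scope": []}
    seen = set()
    for host, cname in observed:
        seen.add(host)
        buckets[classify(host, cname, inventory, owned_apex)].append(host)
    # Stale: in the CMDB but not observed; a decommissioning candidate or a broken record.
    buckets["stale"] = list(inventory - seen)
    return {category: sorted(hosts) for category, hosts in buckets.items()}


if __name__ == "__main__":
    for category, hosts in triage(OBSERVED, INVENTORY, OWNED_APEX).items():
        print(f"{category:12} {', '.join(hosts) or '-'}")
```

The "unknown" and "third-party" buckets are the ones that usually surprise teams: the first is shadow IT that never reached the inventory, the second is where dangling CNAMEs to a cancelled SaaS tenant turn into subdomain takeovers, so both deserve an owner and a review cadence rather than a one-off cleanup.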
What are Common Best Practices in Attack Surface Monitoring?
Even though monitoring your digital attack surface is becoming increasingly difficult for organizations, there are steps you can take to make it as effective as possible. Although most organizations today rely on attack surface monitoring tools to automate this process, it’s helpful for your security teams and leaders to understand how the process works to minimize security risks.
1) Identify, analyze and prioritize
One of the most important steps of attack surface monitoring is asset discovery. This should include a complete asset inventory and continuous discovery of known and unknown assets, malicious or rogue assets and third-party assets. In addition, assets need to be classified according to the level of risk they pose to your organization. An impersonated website or a database of sensitive PII may put customers at risk of fraud and data leaks and warrants more attention than shadow IT that poses no immediate risk to your organization.
2) Monitor endpoints
While monitoring assets is crucial, the attack vectors against them should be continuously monitored as well. The number and type of endpoints within an organization, such as laptops, desktops, mobile devices, IoT devices and servers, change constantly, and endpoints are a favorite target for attackers, which makes monitoring them critical to maintaining a robust security posture.
3) Establish a vulnerability patch process
As you monitor assets and endpoints, you'll find that they require regular updates and software patches. Since manually patching vulnerabilities requires a great deal of effort and resources, a vulnerability management solution can help security teams that need to secure thousands or even tens of thousands of assets and endpoints. A good place to start, however, is the Known Exploited Vulnerabilities (KEV) catalog published by CISA, which lists vulnerabilities with evidence of active exploitation in the wild. Prioritizing the patching and remediation of KEVs can significantly reduce your organization's security risk.
4) Prioritize remediation efforts
Patching vulnerabilities is not always possible. Research from Rezilion found that only 54% of security leaders were able to patch even half of their vulnerability backlog. With the average security team reporting a backlog of over 100,000 vulnerabilities, remediation must be prioritized. Remediation may involve putting broad security controls in place, such as multi-factor authentication, eliminating rogue assets, and establishing a process for managing and securing shadow IT services and applications.
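Steps 3 and 4 together come down to one question: given a scan backlog, what do you fix first? The Python below is an added example (not Panorays code) of a KEV-first prioritization: findings that appear in CISA's catalog outrank any CVSS score, with extra weight for known ransomware use, a missed CISA due date and internet exposure. The real catalog is published as JSON and the excerpt embedded here uses its field names, but the excerpt, the scan findings, the asset names and the weights are constructed sample data you would replace or tune; CVE-2099-0001 is a placeholder for "a finding that is not in KEV", not a real identifier, and the live catalog is authoritative for dates.

```python
"""Rank scanner findings by CISA KEV membership, exposure and ransomware use.

Added example for this article; not Panorays code. The real KEV catalog is published
as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and uses the field names below; a trimmed, constructed excerpt is embedded so the script
runs offline (fetch the live feed for authoritative dates). The scanner findings are
constructed, and CVE-2099-0001 is a placeholder for a non-KEV finding, not a real CVE.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
         "dateAdded": "2023-06-02", "dueDate": "2023-06-23",
         "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner output: one row per (asset, CVE). A CVSS-only queue would put the
# two 9.9 placeholder findings and the internal Log4j host ahead of the MOVEit server.
FINDINGS = [
    {"asset": "intranet-wiki.corp.example", "cve": "CVE-2099-0001", "cvss": 9.9, "internet_facing": False},
    {"asset": "mft.example.com", "cve": "CVE-2023-34362", "cvss": 9.8, "internet_facing": True},
    {"asset": "build-agent-07.corp.example", "cve": "CVE-2021-44228", "cvss": 10.0, "internet_facing": False},
    {"asset": "www.example.com", "cve": "CVE-2099-0001", "cvss": 9.9, "internet_facing": True},
]


def load_kev(raw_json):
    """Index the KEV catalog (the feed's JSON text) by CVE ID."""
    return {entry["cveID"]: entry for entry in json.loads(raw_json)["vulnerabilities"]}


def priority(finding, kev, today):
    """Return (score, reasons). Weights are an assumption: KEV +100 so that in-the-wild
    exploitation always beats severity alone, ransomware +20, past due +10, exposed +30."""
    score = finding["cvss"]                      # baseline: severity alone, 0-10
    reasons = []
    entry = kev.get(finding["cve"])
    if entry:
        score += 100
        reasons.append("in CISA KEV (added %s)" % entry["dateAdded"])
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += 20
            reasons.append("used in ransomware campaigns")
        if date.fromisoformat(entry["dueDate"]) < today:
            score += 10
            reasons.append("past KEV due date %s" % entry["dueDate"])
    if finding["internet_facing"]:
        score += 30
        reasons.append("internet-facing")
    return score, reasons


def prioritize(findings, kev_json, today_iso):
    """Score every finding and return them highest priority first, with the reasons attached."""
    kev = load_kev(kev_json)
    today = date.fromisoformat(today_iso)
    ranked = []
    for finding in findings:
        score, why = priority(finding, kev, today)
        ranked.append({**finding, "score": score, "why": why})
    ranked.sort(key=lambda row: (-row["score"], row["asset"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, KEV_SAMPLE, "2023-07-01"):
        print(f'{row["score"]:6.1f}  {row["asset"]:30} {row["cve"]:15} {"; ".join(row["why"]) or "CVSS only"}')
```

With the sample data the internet-facing MOVEit host ranks first, the internal Log4j host second, and both 9.9-CVSS placeholder findings drop to the bottom: exactly the inversion a CVSS-sorted queue gets wrong, and the reason the KEV catalog is a better starting point for a team that cannot patch everything. The `why` list is worth keeping in whatever ticket you open, since it is the evidence an auditor or executive will ask for when a lower-CVSS item jumps the queue.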
Why is External Attack Surface Management (ASM) Important?
Traditionally, organizations have relied on risk assessment and vulnerability management practices that were developed well before the rise of IoT, remote work, cloud migration and the other digital transformation trends of the current environment. Penetration testing only tests attack vectors at a certain point in time; it does not deliver continuous security for the dynamic networks of today's organizations.
Attack surface management offers a method for continuous monitoring of your attack surface through discovering assets, monitoring endpoints, having a vulnerability patch process in place, and prioritizing remediation efforts. Advanced attack surface management solutions automate this process, delivering real-time alerts on any vulnerabilities that pose a high or immediate risk to your organization while generating fewer false positives for the security team. These advanced solutions also integrate with other threat detection and threat intelligence solutions, working together to improve your security posture.
Benefits of attack surface management include:
- Fewer third-party attacks. The expansion of attack surfaces, combined with the rise in devices and third-party services, has made massive digital supply chain attacks such as the GoDaddy data breach more frequent. Monitoring your third-party risk must therefore be a continuous process.
- Faster remediation. With prioritization, you won't waste time and effort patching or remediating low-risk vulnerabilities and can focus instead on those that pose a high, critical or immediate risk to your organization, which in turn streamlines your risk assessment, prioritization and remediation efforts.
- Continuous assessment of your security posture. Continuous attack surface monitoring allows you to identify security gaps so that you can put the proper controls in place and reduce risk from known and unknown IT assets, end-of-life software, KEVs, third-party services, stolen intellectual property and more.
- More efficient risk management. With an attack surface management process in place, information and communication between the security team, IT, business teams and executive-level leadership is more efficient, enabling you to both streamline tasks and prioritize and remediate risks.
- Near real-time visibility. As supply chain attacks increase, CISOs struggle to map, identify and respond to these attacks without proper visibility. Attack surface management helps security teams keep up with your rapidly evolving digital footprint, and be aware of any changes to your security posture and risk posed to your organization. You’ll also have insights into which risks pose a threat to your organization from third parties, suppliers, partners, subsidiaries or other vendors.
- Ensure better compliance. As more cyberattacks and third-party attacks make the headlines, organizations are under more pressure to comply with requirements such as GDPR, PCI DSS and HIPAA that govern the handling of sensitive data. Recent SEC rules require public companies to disclose a cybersecurity incident within four business days of determining that it is material. Attack surface management helps your organization both reduce data exposures and streamline the reporting process when an incident occurs, reducing fines, reputational loss and a loss of time and resources.
Panorays for Extended Attack Surface Monitoring
A recent Panorays survey found that 43% of organizations lack visibility into their supply chain, with shadow IT a major source of concern. Security teams are under increasing pressure to stay one step ahead of attackers but have insufficient tools to identify and understand risks across their entire digital supply chain. Current attack surface monitoring tools don't always provide accurate and credible details about your external attack surface.
Here’s how Panorays supports extended attack surface monitoring:
- Supply Chain Discovery. Automatically discover Nth-party digital connections and get a clear view of your extended digital supply chain. Supply Chain Discovery lets you reveal potential shadow IT suppliers and understand how a risk event could impact you through fourth- and Nth-party suppliers.
- Asset Details. Get in-depth attack surface discovery with an added layer of attack surface visibility: asset details that allow users to learn more about internet-facing assets.
- Risk Insights and Response Portal. Receive alerts for third-party breaches and vulnerabilities, see their impact on your direct and indirect suppliers, and respond quickly by sending incident response questionnaires to the relevant parties.
Panorays' third-party security risk management platform also integrates with your current incident management or SIEM solutions so that you can see and manage all third-party alerts from a single dashboard. You can also use Panorays to remediate, document, and send questionnaires to support your comprehensive third-party risk management process.
Get started with a Free Account today to gain full visibility into your entire digital supply chain and manage third-party cyber risks.