Attack Surface Management: Mitigating risks
The estimated cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025. Are you prepared for the worst?
The rate of cyber-attacks has become alarming over recent years, with organisations and governments facing a significant increase in cyber-breaches coupled with increasing sophistication and frequency. Formerly the responsibility of CIOs, CTOs and digital leaders, organisational security has now become a major corporate objective and a continuous discussion at board level. The impact of cyber breaches can be devastating, compromising an organisation's ability to continue trading and incurring compliance and regulatory fines, legal costs, compromised data, loss of business, reputational damage and more. In 2021, the reported average cost of a breach reached an eye-watering $4.24 million and this figure is rising.
To protect themselves, organisations are looking towards safeguarding their digital assets with the latest cyber strategies and technologies, but many are failing to comprehend the entirety of their digital risk and to put the necessary guardrails in place to defend against it. An approach that has grown in popularity over recent years - Attack Surface Management - enables organisations to comprehend their vulnerabilities in real time and identify potentially devastating risks before they are realised. But what does attack surface management mean?
Traditional security measures have reached their sell-by date
The digital transformation boom resulting from the pandemic has led to an increase in the adoption of technologies worldwide, and these technologies are only becoming more complex by the day - consider, for example, the cloud. More traditional security measures such as firewalls, antivirus software, traditional penetration testing and red teaming exercises are no longer sufficient to protect organisations against modern attacks, given evolving cyber techniques, the rise in AI and frequent changes to attack surfaces.
Attack surface - What does it mean?
An organisation's attack surface comprises all the digital assets in its IT ecosystem that can be penetrated by unauthorised external parties, such as software, APIs, applications, endpoints, code, websites, cellular devices, etc. The increase in adoption of new technologies, and therefore in potential entry points, means that an organisation's attack surface is always shifting and expanding in size, leaving the organisation liable to cyber breaches should those entry points be left unprotected. And this is what is being observed worldwide. According to a recent report, 52% of security-conscious enterprises said they don't know how much of their attack surface is secured, and not one respondent was confident their organisation was fully in control of its attack surface. To get a handle on security, organisations need to take a proactive approach to monitoring their attack surface and protecting any exposed IT - particularly given that attackers move laterally once they have entered a system.
Understanding Attack Surface Management
Attack Surface Management is a strategy that enables organisations to be proactive in monitoring the status of their internal ecosystem. By viewing digital assets from the 'outside-in' and adopting the point of view of an attacker, organisations can map their entire attack surface, implement robust incident reporting systems, and promptly block incoming attacks. The key advantage of this approach is that it provides visibility of risks in real time, as soon as they emerge, and monitors any sudden changes across IT infrastructures, something that former strategies could not accommodate. This is essential because the state of cyber-attacks has changed: attacks that would formerly take days to deploy can now be activated within a matter of hours.
Steps to Attack Surface Management
The benefits of implementing an Attack Surface Management strategy are substantial: it increases visibility of risks and reduces both exposure and the number of successful attacks. So, what does effective Attack Surface Management look like and what steps are involved?
Attack surface mapping
Attack surface and security audit: Analysis of the current state of security and identification of all external-facing assets that can be targeted, such as cloud environments, hardware, software, networks, applications, etc. How they interact with each other in the digital supply chain is also assessed.
Vulnerability assessment & prioritisation
The reality is that organisations have neither the capacity nor the capability to address all vulnerabilities immediately, and not all vulnerabilities carry the same weight: they differ in the impact a breach would have. Once the attack surface is mapped and contextualised, potential entry points are analysed and ranked according to:
- How likely it is for an attacker to target the risk
- The severity of impact to an organisation
- External threat intelligence sources
- The ease and time to mitigate
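The ranking described above, sketched as an added example that is not NashTech's own method or tooling: each finding carries the four criteria from the list and the queue is ordered by a combined score. The field names, the weights and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str
    likelihood: float         # 0.0-1.0: how likely an attacker targets it
    impact: int               # 1 (minor) to 5 (business-stopping)
    actively_exploited: bool  # signal from external threat intelligence
    fix_hours: float          # estimated effort to mitigate

# Assumed weights; tune them to your own risk appetite.
INTEL_MULTIPLIER = 1.5   # boost when threat intel reports active exploitation
QUICK_WIN_HOURS = 8      # fixes at or below this effort count as quick wins
QUICK_WIN_BONUS = 0.5

def score(f: Finding) -> float:
    """Combine likelihood, impact, threat intel and ease of mitigation."""
    if not 0.0 <= f.likelihood <= 1.0 or not 1 <= f.impact <= 5:
        raise ValueError(f"out-of-range rating for {f.asset}")
    risk = f.likelihood * f.impact
    if f.actively_exploited:
        risk *= INTEL_MULTIPLIER
    if f.fix_hours <= QUICK_WIN_HOURS:
        risk += QUICK_WIN_BONUS
    return round(risk, 2)

def prioritise(findings):
    """Highest score first; equal scores are broken by the cheaper fix."""
    return sorted(findings, key=lambda f: (-score(f), f.fix_hours))

# Constructed sample findings (not real assets).
FINDINGS = [
    Finding("legacy-ftp.example.com", "anonymous FTP enabled", 0.6, 3, False, 2),
    Finding("api.example.com", "API exposed without a gateway", 0.7, 4, False, 40),
    Finding("vpn.example.com", "unpatched VPN appliance", 0.8, 5, True, 16),
    Finding("www.example.com", "admin login without MFA", 0.5, 4, True, 4),
]

if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(f"{score(f):>5}  {f.asset:<24} {f.issue}")
```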
Implementation and mitigation
Remediation: A strategy is put in place to mitigate vulnerabilities, from high priority to low. Security measures are introduced, for example, retiring legacy system usage, implementing software operating system patches, API gateways, debugging application code, data encryption, multi-factor authentication and enhancing incident response planning.
Continuous monitoring
Keeping up to date with threat intelligence: Keeping an eye on emerging threats, technologies, techniques and strategies materialising in the industry.
Automation: Continuous monitoring, vulnerability scanning, and penetration testing to identify sudden vulnerabilities or lapses in security. When manually assessed, it takes more than 80 hours for the average organisation to build a full picture of their attack surface and even then, key components of an attack surface are easily missed or inaccurate. Implementing an automation tool helps organisations to continuously review their assets daily and reduces time spent. Find out more about NashTech's security automation testing here.
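The daily review described above comes down to comparing one inventory snapshot with the next and surfacing what changed. The following is an added example, not NashTech's tooling; the (host, port, service) record format and the sample snapshots are assumptions constructed for illustration.

```python
def normalise(records):
    """Map (host, port) -> service, folding case and trailing dots so the
    same asset recorded two ways is not reported as a change."""
    inventory = {}
    for host, port, service in records:
        key = (host.strip().rstrip(".").lower(), int(port))
        inventory[key] = service.strip().lower()
    return inventory

def diff_snapshots(previous, current):
    """Return newly exposed, no-longer-seen and changed external services."""
    old, new = normalise(previous), normalise(current)
    return {
        "new": sorted(k for k in new if k not in old),
        "gone": sorted(k for k in old if k not in new),
        "changed": sorted(
            (k, old[k], new[k]) for k in new if k in old and old[k] != new[k]
        ),
    }

# Constructed snapshots of external-facing services (not real assets).
YESTERDAY = [
    ("www.example.com", 443, "https"),
    ("mail.example.com", 25, "smtp"),
    ("Legacy.example.com.", 21, "ftp"),
    ("vpn.example.com", 443, "ssl-vpn v1"),
]
TODAY = [
    ("www.example.com", 443, "https"),
    ("legacy.example.com", 21, "FTP"),
    ("vpn.example.com", 443, "ssl-vpn v2"),
    ("staging.example.com", 3389, "rdp"),  # appeared overnight
]

if __name__ == "__main__":
    report = diff_snapshots(YESTERDAY, TODAY)
    for host, port in report["new"]:
        print(f"NEW EXPOSURE  {host}:{port}")
    for host, port in report["gone"]:
        print(f"NO LONGER SEEN  {host}:{port}")
    for (host, port), before, after in report["changed"]:
        print(f"CHANGED  {host}:{port}  {before} -> {after}")
```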
It's not a matter of if, it's a matter of when
It may be tempting to put cyber security at the back of your priority list. After all, what are the chances that your organisation is impacted among the many? The real answer? Indefinitely. Cyber-attacks are no longer targeted towards only a particular sub-section of organisations. Over recent years, breaches have been observed across the board - startups, corporates, SMEs, governmental bodies, etc. In fact, malicious actors are experimenting with their techniques on smaller organisations that lack the right strategies or technology, before moving on to larger firms.