How to secure your internet-facing assets


Blind spots, shadow IT, "unknown unknowns": this is what CISOs dread. Assets, vulnerabilities, misconfigurations and system weaknesses that security teams cannot detect present a massive opportunity for threat actors and form a major security risk for organizations.

Most security programs and policies are built around the concept of visibility, because what you don't know, you can't secure. Visibility into the attack surface shows an organization where it is most at risk, and decisions on how and where to mitigate that risk to reduce losses from cyberattacks can only be made with it. It is the driving force behind any cyber risk management policy. But visibility is hard to come by, as the evolving concept of a workplace brings unforeseen risks with it. That is possibly why only 35% of Indian organizations have complete visibility into their assets and how those assets move across the organization.

And while several tools help provide visibility, the "unknown unknowns" make it hard to know where the blind spots are, let alone see into them. Once visibility is achieved, security teams can analyze which assets pose the greatest risk and mitigate them accordingly. It isn't as easy as it sounds, but there is light at the end of the tunnel.

Lately, two techniques have proven effective in managing these shadow IT blind spots: External Attack Surface Management (EASM) and Attack Path Analysis (APA). So, what are these methods? Why must they be a critical part of any security program? And how can they help organizations gain visibility?

External Attack Surface Management 

One of the most difficult areas of any organization's infrastructure to comprehend and secure is its external-facing assets. These are assets that are publicly accessible from the Internet and are among the first things cybercriminals look for when trying to compromise an organization. For security teams, this becomes a problem when assets out in the public space remain unknown. For instance, a leftover DNS entry whose target has since been decommissioned can be taken over by an attacker and used to impersonate the organization, or threat actors could seek out a poorly secured server or web application that developers put up as a test but which still carries the organization's domain. Most organizations have many external-facing assets that security teams aren't aware of, but attackers always are.

EASM technology enables organizations to determine where their public-facing assets are, whether they are servers that have been forgotten about, stale URLs and DNS entries that could be hijacked by an attacker to seem legitimate, or services that are exposed to the public. This extends the organization's visibility to the entire attack surface as attackers actually see it. With EASM, organizations can see these public-facing, difficult-to-find assets and incorporate them into their existing remediation and risk management processes.
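The two EASM findings described above, a public hostname that is missing from the asset inventory and a stale DNS entry that an attacker could hijack, can be checked with a short script. The following is an added example, not code from the article or from Tenable: the zone records, the asset inventory and the `resolve` lookup table are constructed stand-ins (assumptions) so that it runs offline; in real use `resolve` would query a live DNS resolver.

```python
"""Flag public DNS names that are unknown to the asset inventory or dangling
(CNAME target no longer resolves). Added example, not the article's or
Tenable's code; all data below is constructed for illustration."""

# Constructed zone for a hypothetical example.com (assumption).
ZONE = [
    {"name": "www.example.com",  "type": "A",     "value": "203.0.113.10"},
    {"name": "shop.example.com", "type": "CNAME", "value": "shop-prod.saas.example.net"},
    {"name": "beta.example.com", "type": "CNAME", "value": "old-app.hosting.example.net"},
    {"name": "blog.example.com", "type": "CNAME", "value": "acme-blog.blogs.example.net"},
    {"name": "test.example.com", "type": "A",     "value": "198.51.100.7"},
]

# Constructed stand-in for live DNS resolution (assumption). An empty list
# means the name returns NXDOMAIN, i.e. the target has been decommissioned.
RESOLVES = {
    "shop-prod.saas.example.net":  ["203.0.113.20"],
    "old-app.hosting.example.net": [],
    "acme-blog.blogs.example.net": [],
}

# Constructed asset inventory: the hosts the security team believes it owns.
KNOWN_ASSETS = {"www.example.com", "shop.example.com"}


def resolve(name):
    """Addresses a name resolves to, [] on NXDOMAIN. Swap in a real resolver
    (for example dnspython) outside this offline example."""
    return RESOLVES.get(name, [])


def find_unknown(zone, known):
    """Names present in public DNS but absent from the asset inventory."""
    return [r["name"] for r in zone if r["name"] not in known]


def find_dangling(zone, resolver=resolve):
    """CNAME records whose target no longer resolves. When the target lives
    on a third-party platform, whoever registers that target name serves
    content under the organization's own hostname."""
    return [r for r in zone if r["type"] == "CNAME" and not resolver(r["value"])]


def easm_report(zone, known, resolver=resolve):
    """Merge both checks into a dict of hostname -> list of findings."""
    findings = {}
    for name in find_unknown(zone, known):
        findings.setdefault(name, []).append("not in asset inventory")
    for rec in find_dangling(zone, resolver):
        findings.setdefault(rec["name"], []).append(
            "dangling CNAME -> %s (NXDOMAIN)" % rec["value"])
    return findings


if __name__ == "__main__":
    for host, issues in sorted(easm_report(ZONE, KNOWN_ASSETS).items()):
        print(host, "|", "; ".join(issues))
```

On the constructed data, `beta.example.com` and `blog.example.com` come back with both findings: nobody on the security team knows they exist, and their targets are gone, so an attacker who can register the target name inherits a trusted hostname. `test.example.com` still resolves but is not in the inventory, which is exactly the forgotten test server case.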

Attack Path Analysis

While EASM identifies potential entry points for an attack, APA identifies the vulnerabilities, misconfigurations and system weaknesses that are likely to be chained together to reach critical datasets and assets. APA forms connections between disparate types of security findings to identify where an attacker could circumvent security controls. APA tools enable security teams to build a comprehensive picture of each asset's security posture, with better visibility into the relationships between all of those findings.

To defend against attacks successfully, organizations need to understand the entire path, including where exploiting one weakness opens the way to the next. That understanding shows where to place security controls so that defenses are strengthened at the points that matter. APA reveals the "unknown unknowns" of where cybercriminals are likely to strike.

Reduce the number of ‘unknown unknowns’

The more complex an environment, the more potential attack vectors hide among its "unknown unknowns". Existing best practices for vulnerability assessment, configuration assessment and risk management provide a solid foundation for analyzing the relationships between all of those findings. This helps security teams reduce the number of "unknown unknowns" and, ideally, put better security controls in place to protect their organizations from endpoints to servers to the cloud and all points in between.

About the author:

Nathan Wenzler is Chief Security Strategist at Tenable.