I dislike creating new terms for things in cybersecurity that already exist, so I’m on thin ice with that headline. But hear me out.
Attack Surface Management (ASM) has made sense to me. “You can’t manage threats” is one of the foundations of cybersec companies and organisations have forgotten. Although we can’t manage threats, we sure can manage how we watch them, respond to them and structure our tech and security though. ASM is often subdivided into external or internet-facing External Attack Surface Management (EASM) and internal or asset derived Cyber Asset Attack Surface Management (CAASM). I think these are interesting distinctions not because the technology between them is different, but it hints that the purpose of the surface means differentiation.
ASM has us turning around the camera from focusing on the baddies to looking at ourselves. This is exciting because it makes the attacker’s job harder and makes them more detectable sooner. The weakest link in ASM has been actionability, especially in any trusted automated fashion. Hold that thought and let’s talk about security posture for a moment.
Security posture and ASM
In parallel to ASM during the approximately last two years has been the development of real-time and actionable security posture assessments. Security posture has taken information about entities and produces an assessment (i.e. not just data) and often a score about how much trust can be placed in that entity.
Examples include assessments such as “even though this identity is valid, don’t trust it because the mail account associated with it has been spewing malware”, “this machine is a little behind in patches but has been contacting other machines in an atypical way”, or “none of these 15 indicators on their own is suspicious but combined they have a very high likelihood of meaning it is an early indicator of attack XYZ”.
I especially like the term security posture because so many of the risk scoring tools are bad and give risk management a bad name. But security posture does equal risk management. The good news is that because it is focused on near-real-time and used by the SOC, it has been developed with automation in mind.
How ASM relates to business
Aside from having weak actionability with ASM on its own, it often feels like there is a missing quality element in ASM: how does this relate to our business? This has been elusive as data categorisation and security has been heavily weighted toward the labels of compliance, and the ballooning of cloud data and data management has sped ahead faster than cybersecurity’s ability to understand the security context and make it actionable.
We’ve maybe done better on the latter than the former, but it’s frankly been weak. Machine learning (ML) has advanced enough that data security categorisation with a high level of fidelity is now very do-able: understanding what that data means to your business other just using manually derived boundaries of the coarse classifications of compliance.
Let’s consider an example. An endpoint is examined. It is one patch out of date. Many risk views would stop there and assign a value. From a business perspective, there needs to be more context before risk can be meaningfully assessed:
1. What actions have this been observed through telemetry since the last patch was available? Has it been used to distribute email that could be internal phishing, or in ways to generate IOCs consistent with known attack groups who have been observed exploiting a vulnerability?
2. What is the role of the user? is this someone who otherwise would have use of valuable or sensitive data, even if the telemetry indicates that sensitive data does not yet appear to be compromised? What is the real significance of the data being accessed?
3. What is the posture or health of that user identities? Even if not revoked, have the credentials been associated with somewhat unusual activity – activity not to level of a serious alert but not consistent with normal behaviour?
4. What network activities has the user been associated with, including activity on other endpoints and devices? What is the nature of that communications and has it involved other users or devices with escalating levels of sensitivity and therefore risk?
So, if we combine ASM with data security categorisation and security posture and make it as actionable as possible we can have nice things again: business attack surface management. In other words, understand how important things and data are to our business, and their vulnerability to attack means real assessment of our business risk. Then by making this assessment actionable, especially in as automated a way as we’d like we have real risk management or, business attack surface management.
For information on attack surface and cyber risk management, check out the following resources: