Attack Surface Management Strategies
As organisations shift to the cloud in droves, their digital attack surface continues to rapidly expand. We explore how proactive cyber risk management can help harden your defences and reduce the likelihood of an attack or breach.
Save to Folio
The need for cyber risk management
Digital transformation has caused an enterprise’s attack surface to expand rapidly—50% of organisations are adopting a cloud-native approach to support both employees and customers, and the number of connected devices is expected to climb to 55.9 billion by 2025. The shift to the cloud and dramatic increase of connectivity gives malicious actors new (often unmanaged) attack vectors to target.
The expanding attack surface has led to new complexity, which oftentimes leaves security operations teams on the back foot; reacting to events and struggling to control the impact.
We discuss how proactive cyber risk management not only empowers functional collaboration across IT and Security Ops by breaking down visibility siloes and enhancing threat detection and response but enables security leaders to better understand, communicate, and mitigate risk across the enterprise.
Explore more SOC best practises: Three Ways to Evolve Your Security Operations
What is attack surface risk management?
Attack surface risk management (ASRM) is the continuous discovery, assessment, and mitigation of an organisation’s IT ecosystem. This differs from asset discovery and monitoring in that ASRM evaluates security gaps from the attacker’s perspective, including risk across people, processes, and technology.
ESG reported that only 9% of organisations believe they actively monitor their entire attack surface. Thus, it’s unsurprising that 69% experiences some type of cyberattack that started through an exploit.
The goal is to operationalise cyber risk management, which requires continuous command across the three phases of the attack surface risk lifecycle: discovery, assessment, and mitigation.
Cyber asset discovery
First, you need total visibility to be able to discover and continuously monitor known, unknown, internal, and internet-facing (external) assets. Siloed point products across endpoints, users, devices, cloud, networks, etc., limit overstretched security teams from taking stock or perform manual auditsAlso consider that new projects with open-source dependencies and user/device accounts are spun up instantly, meaning you need to be able to see your entire ecosystem as it changes, not after.
The goal is to gain visibility to answer questions such as:
- What is my attack surface?
- How well can I see what assets are in my environment?
- How many, what types, and what attributes are associated with these assets?
- What are my high-value assets?
- How is my attack surface changing?
Being able to see your entire ecosystem as it changes is the first step; next, security teams need to assess and prioritise any weaknesses or vulnerabilities. This doesn’t just apply this to systems, but user types as well—for example, executive level employees are the most common targets for business email compromise (BEC). Also, we’ve seen an uptick in campaigns targeting software supply chains and DevOps pipelines, meaning processes also need to be evaluated for any security gaps.
Ideally, this risk information will be contextualised for greater understanding to answer the following questions:
- Can I quantify my risk? What is my overall risk score?
- Is my risk score increasing or decreasing over time?
- How does it compare to peers in the industry?
- Where do I see the most significant security risks?
- What risk factors need immediate attention?
While discovering and assessing risks across your digital attack surface is important, it’s also critical to receive actionable prioritised mitigation recommendations to lower risk exposure. Virtual patching, changing configuration options on a prevention control, and controlling user access parameters are just a few examples.
Furthermore, it should be possible to automate mitigation wherever possible for great efficiency and to reduce the chance of a successful attack or breach.
With the skills shortage introducing very real challenges to managing the attack surface, the opportunity to create a common framework and a single pane of glass is paramount to effective cyber risk management. Enter: extended detection and response (XDR) and zero-trust strategies.
The importance of XDR
Investments in XDR mean there is data, analytics, and integrations, and a technology in place that could act as a foundation to serving other use cases and providing insight and operational value beyond the realm of detection and response.
More proactive risk prioritisation and mitigation benefits the SOC by reducing overall exposure and the scope of a security incident. Conversely, detection data collected by XDR provides valuable insight into attack surface threat activity and how current defences are coping. In turn, this can inform risk assessments and response recommendations.
Learn more in Guide to Better Threat Detection and Response (XDR)
Supporting zero-trust strategies
Proactive cyber risk management depends on operationalizing elements of a zero-trust strategy. Zero trust is an extension of the principle of least privilege, wherein any connection—whether it’s from within the network or not—should be considered untrustworthy. This is crucial in today’s hyper-connected, remote work environment that has increased the different entry points or connections into the enterprise.
As always, this needs to be an ongoing process that constantly evaluates identity, user and device activity, application, vulnerability, and device configuration. The demand for continuous assessment has led to many SOCs shifting toward the Secure Access Service Edge (SASE) architecture, which combines discrete capabilities such as Cloud Application Security Broker (CASB), Secure Web Gateway (SWG), and Zero Trust Network Access (ZTNA) for more granular control across the network.
Tying it all together, XDR alongside risk insight and mitigation that is aligned with zero trust can further enhance security. XDR establishes a solid foundation for verifying and establishing trust. And since it continuously collects and correlates data, it fulfils the continuous assessment pillar of the zero-trust strategy.
Better digital attack surface management starts with the right tooling: a unified cybersecurity platform with broad third-party integrations that seamlessly fits into your existing security stack.
Consider a platform like Trend Vision One, backed by innovative security capabilities such as XDR, continuous threat monitoring, risk assessments, and automation to alleviate security teams, accelerate detection and response, and meet compliance and cyber insurance requirements.
For more information on attack surface management, check out the SOC series: