2021 was a tumultuous period for cybersecurity: it was a record year for the number of reported data breaches. And who can forget the Log4j vulnerability and the Colonial Pipeline and Kaseya ransomware attacks?
Combine that with the continuous growth of cloudification and remote worker sprawl as well as constant supplier diversification and mergers and acquisitions, and you get dynamic attack surfaces in organizations that can be highly challenging to manage.
With the ever-changing IT environment organizations must now handle, CISOs and business leaders are turning to new strategies and solutions to help them manage and reduce their organizations' attack surface.
To learn how modern CISOs are tackling these new challenges, we were joined by Terence Runge, a seasoned CISO and CISSP with over 20 years of experience working with various cybersecurity companies, and one of the early adopters of our Attack Surface Reduction platform.
"I discovered some private IP addresses being published to public DNS and wanted to know how prevalent it was in the company. I have done some work in this area with open source tools, and had an idea that there were around 1,200 or so exposed systems. Lo and behold, SecurityTrails got involved and discovered that there were several thousands and that the attack surface is very dynamic, growing each day."
In the January edition of SecurityTrails Fireside Chat, our VP of Sales Scott Donnelly sat down with Terence Runge for a session on the CISO's perspective on attack surface reduction. Key topics included:
- What the attack surface looks like in this ever-changing world
- How supplier risk assessments can drive attack surface understanding
- Enforcing policies for remote workers in large organizations
- Why asset inventory is a must for efficient attack surface reduction
How a CISO handles the continuously changing attack surface
Defining an attack surface from the CISO's perspective starts with considering all systems and services that attackers can discover from their vantage point and then use to infiltrate your network. But going beyond systems and services, Terence also covers other assets associated with the organization:
"An attack surface can be made up of any properties associated with the company, and with past acquisitions, as well as any code, public open repositories, keys, passphrases, secrets—both belonging to the company but also to their customers."
All of the properties that make up the attack surface are changing every day. Furthermore, many events in an organization can change its attack surface, such as M&As, where findings from a security assessment led by analysis of the target organization's attack surface can make or break the deal.
Suppliers are also an important third party in an attack surface. Regarding supplier security, Terence puts location (where they're hosting data) and cyber hygiene at the top of the checklist.
"When assessing a new supplier, we go further than a regular check and look at their attack surface. We do this for several reasons: one is that we will potentially be entrusting them with either access to our systems or our data so we need to know if they have exposures."
Securing the remote workforce
Another important aspect of modern, dynamic attack surfaces is the remote workforce, and with it the implementation of policies as a CISO in a remote world. Terence highlights strong authentication as the main story for a remote workforce. Utilizing multi-factor authentication, single sign-on, VPNs and similar processes for authenticating users is key for Terence, but other basics for device authentication should not be forgotten:
"Device encryption, policies applied… all of this creates what we call a 'Reltio Authorized Device'—a RAD device."
Scanning cloud assets
For any modern IT environment, cloud assets are an expected part of the attack surface. Scanning and enumerating these cloud assets comes with its own set of challenges, which depend on both the size of the environment and its persistence; a dynamic environment is the more challenging one.
"With the AWS dangling DNS records issue, when you start with one list of assets, but the scanning takes more than a few hours, it will not return any results as those IPs are off or false positives since that IP will no longer be associated with something of the organization."
As a solution for these challenges, Terence leverages Attack Surface Reduction:
"With your technology and through its interface, I know what is exposed, which includes open databases—that you shouldn't have too many of them! If we didn't have SecurityTrails, we would surely run some scripts or something to continuously assess what's out there."
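As an added illustration (not SecurityTrails' or Reltio's code), here is a sketch of the kind of in-house script the quote alludes to: it takes an earlier inventory snapshot, flags private addresses published in public DNS, and re-resolves each name so stale IPs are dropped before a scan. The function names, hostnames and addresses are constructed for the example.

```python
import ipaddress
import socket

# RFC 1918 ranges: addresses that should not appear in public DNS answers.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def live_resolve(hostname):
    """Current A records for hostname; empty set if it no longer resolves."""
    try:
        infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def triage(snapshot, resolve=live_resolve):
    """Sort (hostname, ip) pairs from an earlier inventory into buckets."""
    buckets = {"private_in_public_dns": [], "stale": [], "scan": []}
    for hostname, ip in snapshot:
        if is_rfc1918(ip):
            buckets["private_in_public_dns"].append((hostname, ip))
        elif ip not in resolve(hostname):
            # The name moved or vanished; the old IP may belong to someone
            # else now, so it must not be scanned as ours.
            buckets["stale"].append((hostname, ip))
        else:
            buckets["scan"].append((hostname, ip))
    return buckets

# Constructed sample data: an inventory taken hours ago and today's DNS view.
SNAPSHOT = [
    ("www.example.com", "203.0.113.10"),
    ("jenkins.example.com", "10.20.30.40"),
    ("api.example.com", "198.51.100.7"),
    ("old-lb.example.com", "198.51.100.99"),
]
CURRENT_DNS = {"www.example.com": {"203.0.113.10"},
               "api.example.com": {"198.51.100.8"}}  # old-lb no longer resolves

def sample_resolver(hostname):
    """Offline stand-in for live_resolve, backed by CURRENT_DNS."""
    return CURRENT_DNS.get(hostname, set())

if __name__ == "__main__":
    for bucket, items in triage(SNAPSHOT, sample_resolver).items():
        print(bucket, items)
```

Calling `triage(snapshot)` without a resolver argument uses live DNS through `live_resolve`; running the check immediately before each scan keeps the target list from going stale during long scans.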
To round up the main points of attack surface reduction from a CISO's perspective, Terence and Scott, led by audience questions, addressed asset inventory use cases and its importance, as well as a few tidbits relating to the gravity, and sometimes hilarity, of IoT devices and the part they play in an attack surface.
You can watch the full recording here:
Tackle the challenges of growing attack surfaces with ASR
To solve the challenges of ever-changing IT environments, Attack Surface Reduction (ASR) can provide you with the continuous asset discovery and analysis you need to detect any security risks in your external infrastructure. Terence and many other CISOs already leverage ASR to seamlessly navigate their organization's evolving infrastructure without risking any unknowns.
Don't miss your chance to gain visibility and prevent risks before they become threats!