6 steps toward proactive attack surface management
With organizations' attack surfaces growing, new research shows better asset management, tighter access policies like zero trust and consistent configuration standards can help.
Organizations are taking a hands-on approach toward attack surface management, according to upcoming research from TechTarget's Enterprise Strategy Group. But it takes a village of business, cybersecurity and IT teams to succeed.
Seventy percent of survey respondents said their attack surfaces have increased over the past two years. Why? Cybersecurity professionals point to several drivers, including more third-party IT connections, increased use of operational technology (OT) and IoT devices, additional users connecting to applications and networks, an increase in volume of sensitive data and greater use of SaaS applications.
Not surprisingly, a growing attack surface has propelled efforts around attack surface management. ASM involves deploying tools from vendors such as CyCognito, Detectify, Ionix and Palo Alto Networks, but implementing new technologies isn't the only course of action.
6 ways to help reduce attack surfaces
The research indicated many organizations are taking proactive and collaborative measures toward attack surface reduction, including the following:
- Implementing zero-trust policies, processes and technologies. With zero trust, no person or asset is trusted by default; verification is required as part of every technical session or interaction. Most organizations are addressing zero trust on a tactical basis -- one application, network segment or user population at a time. Common examples include providing application access to third-party users, replacing VPN clients or isolating OT networks from IT traffic. Together, the sum of these incremental zero-trust projects equals a reduced attack surface.
- Tightening access policies for critical applications and services. Zero-trust technologies and security teams enforce access policies, but line-of-business managers are responsible for establishing these policies in the first place. Business managers should determine who should have access to critical applications and data, as well as the entitlements for each user. In the past, many business execs simply granted everyone access to everything, but regulatory compliance and security best practices preclude this negligent behavior. The research found that reducing the attack surface is also acting as a change agent toward tighter identity governance.
- Establishing more secure configuration requirements for endpoints, servers and cloud workloads. Most organizations have long had gold images that serve as the standard for deploying assets. The problem is that many large organizations maintain several of these per business unit, division or geographical area. That alone makes asset, configuration and vulnerability management quite difficult -- especially when configurations and software change constantly. The upcoming Enterprise Strategy Group research indicated an effort to impose more consistent configuration standards across the enterprise, improving asset management while also reducing the attack surface.
- Implementing policies and processes to secure the software supply chain. This one is big, given the recent history of security events involving Log4j, MoveIt and SolarWinds. The U.S. government has made software supply chain security a priority by mandating that all software suppliers provide and manage a software bill of materials (SBOM) as part of their procurement requirements. These SBOMs help federal agencies identify vulnerabilities or establish compensating controls in a timely manner. Many enterprises are taking a similar approach with new oversight, requirements and controls for homegrown software developers. As the federal government recognizes, active software supply chain management can greatly reduce the attack surface by providing greater visibility into internally developed and commercial software.
- Removing unneeded code, applications and services. Alarmingly, 63% of respondents said their organization has suffered some type of cyberattack that started with the exploitation of an unknown, unmanaged or poorly managed internet-facing asset. Examples of unneeded or unknown assets include an old web server that was never decommissioned, stale user accounts, sensitive data on a publicly facing development system, an open Simple Storage Service bucket, and so on. Organizations are actively searching for these orphaned assets and pulling the plug on them as soon as possible. If no one notices the asset is gone, they've successfully reduced their attack surface.
- Reducing the number of internet access points. This is another area where the federal government deserves credit for its Trusted Internet Connections program. When first established in the early 2000s, the goal was to reduce the number of internet connections on the federal system at the time from more than 8,000 to 50. The program was later modified to accommodate changes such as greater use of cloud services and remote worker support during the pandemic. Based on the latest Enterprise Strategy Group research, private sector organizations are also looking for ways to reduce and consolidate internet access points while supporting business connectivity needs. This effort is often part of zero-trust projects resulting in attack surface reduction.
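The software supply chain item above describes using an SBOM to spot vulnerable components quickly. The following added example (written for this page, not code from Enterprise Strategy Group or any vendor named here) matches the components of a constructed CycloneDX-style SBOM against a constructed advisory list; the advisory ids and version ranges are placeholders, not real advisory data.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment (sample data, not from any real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"type": "library", "group": "com.example", "name": "widget-lib", "version": "1.3.0"}
  ]
}
"""

# Constructed advisory feed: (advisory id, group, name, first affected, first fixed).
# Ids and version bounds are illustrative placeholders, not real advisory data.
ADVISORIES = [
    ("ADV-EXAMPLE-0001", "org.apache.logging.log4j", "log4j-core", "2.0.0", "2.16.0"),
    ("ADV-EXAMPLE-0002", "com.example", "widget-lib", "1.0.0", "1.2.0"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple; only numeric fields are kept."""
    parts = re.findall(r"\d+", v)
    return tuple(int(p) for p in parts) or (0,)

def in_range(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)

def find_affected(sbom_text: str, advisories) -> List[Dict[str, str]]:
    """Return one finding per SBOM component that falls inside an advisory's affected range."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        for adv_id, group, name, first_affected, first_fixed in advisories:
            if (comp.get("group") == group and comp.get("name") == name
                    and in_range(comp.get("version", ""), first_affected, first_fixed)):
                findings.append({"advisory": adv_id, "component": f"{group}:{name}",
                                 "version": comp["version"], "fixed_in": first_fixed})
    return findings

if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} {f['version']} (fixed in {f['fixed_in']})")
```

With the sample data, only the log4j-core 2.14.1 entry is flagged; the 2.17.1 copy and widget-lib 1.3.0 fall outside their advisories' affected ranges.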
There's no one-size-fits-all solution for reducing the attack surface. Rather, this list indicates that attack surface management must be a dynamic and collective effort across the business, cybersecurity and IT. Once again, security -- like sales -- is everyone's job.
Jon Oltsik is analyst emeritus and founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.