The Future of Attack Surface Management: How to Prepare
By David Monnier, Team Cymru Fellow
To stay ahead of threat actors, organizations must monitor their attack surfaces continuously, maintain accurate and updated asset inventories, and judge which vulnerabilities to patch for the most significant risk reduction.
At Team Cymru, we have spent decades developing solutions to help organizations better understand adversaries by mapping their infrastructure; it’s now time for us to equip our customers with the adversary view of their own.
We are providing the home-field advantage to proactively defend their critical data and infrastructure. This article looks at our vision of the future of attack surface management (ASM) and the tools needed to understand and manage cyber risk.
What the Future of ASM looks like
Each hour that passes after threat actors breach your defenses allows them to extract more and more valuable data and learn how you respond to certain types of attacks. A delayed response can cost your organization millions when it comes to cyberattacks. But speed alone is not enough.
ASM begins with a deep understanding of threats and vulnerabilities; this is where Team Cymru is truly unrivaled, with another Pure Signal™ Orbit stablemate. Our Pure Signal™ Recon platform gathers signals from across the globe and has been the recognized leader in this space for many years. It gives security teams visibility far beyond their internal infrastructure and the ability to trace threats more than a dozen hops to their source.
After IPs associated with confirmed malicious activities are added to a dynamic IP Reputation feed to create a network-level blocklist, the information is automatically fed to the insight engine of our Pure Signal™ Orbit—a recently launched solution. This sequence allows Orbit to autonomously identify known and unknown customer assets, remote connectivity, and third-party and fourth-party vendor assets that are impacted by current threats anywhere across the globe.
By continually monitoring these assets to determine the presence of vulnerabilities or threats, Orbit can provide a comprehensive and holistic risk score, so C-suite and security teams benefit simultaneously from strategic and tactical views. Leaders can prioritize remediation efforts and drive risk-based decisions from their enhanced vantage points. This is the future of ASM, and we call it ASM v2.0.
It is estimated that the external attack surface for more than two-thirds of organizations has expanded in the past year. It is critical to gain an awareness of internal and external vulnerabilities as quickly as possible. With ASM v2.0, teams can gain a holistic view of their attack surface and detect supply chain threats and dangers posed by business partners.
For business leaders considering a merger or acquisition, ASM v2.0 capabilities become even more critical to reduce the financial exposure of ingesting an already compromised organization. No longer wait months for a static report that was out of date the moment it was sent to you: do it now, do it tomorrow, and do it every day until that deal completes. Every moment is another opportunity for an attacker to compromise your acquisition target and cause more pain. On the flip side, a weak security status is grounds for negotiation in your favor: another few million saved here in the cost of breach avoidance, another few more from beating them down on sale price.
To make essential risk-based decisions, leaders need to know that the other organization is not inadvertently hiding threats or vulnerabilities.
So that no time is wasted trying to take the information provided by one tool and apply it to a second, third or fourth, we have integrated the features of our ASM v2.0 solution, Pure Signal™ Orbit, into a single platform. This integrated approach drives speed and accuracy as all critical data, threats, and risks are available in a single place.
Additionally, a pricing advantage is realized by buying one tool instead of four disparate solutions. Having only a single tool to manage also provides savings in administrative costs.
The ASM v2.0 approach of integrating legacy ASM, vulnerability management, and threat intelligence is a better solution. It brings best-in-class threat intelligence and never-before-seen visibility of your expanding attack surface into a combined solution.
What to ask yourself to prepare for ASM v2.0
For budget planning, it is essential to ask yourself if the licensing model of an ASM v2.0 solution works for your organization. You will need to consider leadership’s expectations about the future growth of your organization.
By most standards, ASM is still immature, but it is evolving rapidly. EASM solutions are at the top of management investment priorities for 2022.
Competitive solutions vary in breadth and depth. To further complicate buying decisions, offerings can be standalone solutions or part of an integrated platform.
ASM is a set of processes for discovering, identifying, managing, and monitoring external IT assets. Solutions to aid teams in implementing these processes are commonly referred to as EASM (external attack surface management) solutions.
Less than a third of organizations have a formal external attack surface management solution. Most still rely on manual processes and spreadsheets to implement ASM processes. With these manual processes, it can take an organization more than 80 hours just to update its attack surface inventory.
Another vital thing to consider is the stability of the EASM vendor. EASM is a volatile space, so the longevity and track record of the various vendors should weigh heavily in purchasing decisions. Assumptions about the capabilities of each solution are based chiefly on marketing claims, so look for a vendor with a history of meeting customer expectations.
The Future is Bright — For Those Who Evolve
The future is coming faster than we think, and being prepared to evolve as emerging threats appear in your environment is critical. Research has demonstrated that most companies do not entirely understand their attack surface. Upwards of 70% of organizations have been compromised because of an unknown, unmanaged, or mismanaged visible asset.
Transitioning from legacy ASM processes to an ASM v2.0 EASM solution reduces your organization’s risk of being left behind in addressing cyber threats.
Integrating threat intelligence, vulnerability scanning, and attack surface management will be essential to ensure a bright future for your organization. Now is the time to extend your view of your attack surface beyond your company or cloud provider’s walls.
About the Author
David Monnier is a Team Cymru Fellow who has 30+ years of experience in cyber intelligence and has presented keynote insights more than 100 times in over 30 countries.
David Monnier was invited to join Team Cymru in 2007. Prior to Team Cymru, he served in the US Marine Corps as a Non-Commissioned Officer, then went to work at Indiana University. There, he drove innovation in a high-performance computing center, helping to build some of the most powerful computational systems of their day. He then transitioned to cybersecurity, serving as Lead Network Security Engineer at the university and later helping to launch the Research and Education Networking ISAC.
At Team Cymru, he has been a systems engineer, a member of the Community Services Outreach Team, and a security analyst. David led efforts to standardize and secure the firm’s threat intelligence infrastructure, and he served as Team Lead of Engineering, establishing foundational processes that the firm relies on today.
After building out the firm’s Client Success Team, he recently moved back to the Outreach team to focus once again on community services, such as assisting CSIRT teams around the globe and fostering collaboration and data sharing within the community to make the Internet a safer place.
With over 30 years of experience in a wide range of technologies, David brings a wealth of knowledge and understanding to threat analysis, system hardening, network defense, incident response and policy. He is widely recognized among veteran industry practitioners as a thought leader and resource. As such, David has presented around the globe to trust groups and at events for network operators and security analysts.
David can be reached online at LinkedIn and Twitter. Our company website: https://team-cymru.com/