Last updated at Fri, 04 Oct 2024 16:21:49 GMT

In part one of this blog series, we looked at some of the core challenges that are driving the demand for a new approach to Attack Surface Management. In this second blog I explore some of the key technology approaches to ASM and also some of the core asset types we need to understand. We can break the attack surface down into two key perspectives (or generalized network locations), each of which covers hybrid environments (Cloud, On-Premise):

  • External (EASM) - Public facing, internet exposed cyber assets
  • Internal - Private network accessible cyber assets

External (EASM)

Today, most available ASM solutions are focused on External Attack Surface Management (EASM), which provides an attacker’s perspective of an organization: an outside-in view. In fact, it’s common for organizations, and some analyst firms, to refer to EASM as ASM. However, while this view is important, it is only a small, partial view of the attack surface in most organizations.

EASM seeks to understand an organization’s external attack surface by collecting telemetry about an organization’s internet exposed, public facing assets. This telemetry is derived from different data sources such as vulnerability & port scans, system fingerprinting, domain name searches, TLS certificate analysis and more. It provides valuable insights into the low hanging fruit that attackers will target. Core EASM capability is the equivalent of pointing a vulnerability scanner at your known external IP address range. However, unless your external environment is most of your business, this visibility alone is not enough and leaves organizations with a limited, partial view of their attack surface.

Internal

The internal attack surface is often the largest portion of an organization’s digital footprint. Attackers frequently gain footholds in organizations through identity, ransomware, and supply-chain attacks, among many other attack vectors. Organizations need visibility into their internal attack surface to gain real insight into their digital estate and to be able to reduce their risk by understanding how their most vulnerable and business critical systems are connected, monitored, and protected.

Today, most organizations that have adopted an ASM approach are manually correlating asset information in spreadsheets from various sources to combine business context with the security controls deployed on those assets so they can answer basic questions about their security tool coverage & deployment gaps, and measure their compliance adherence.

The data sources in these spreadsheets typically include their directory services such as Active Directory, combined with outputs from common security controls such as EDR or vulnerability scanning. Not only is this manual process time-consuming, but the information is often out of date by the next morning.

Organizations need a more scalable solution to this problem, which has led to the development of CAASM solutions.

Introducing CAASM, a new approach to attack surface and exposure management

Over the last few years an approach has emerged to address the attack surface discovery & visibility problem in a scalable, holistic way. It’s a long acronym that stands for Cyber Asset Attack Surface Management (CAASM).

CAASM is the security team’s take on asset management, but it’s much more than that. It addresses the internal visibility problem by aggregating and correlating asset information across an organization’s security and IT tools, providing a clearer, more accurate picture of an organization’s attack surface. Foundational to CAASM is a correlation engine and data model that builds relationships across different types of assets, controls, exposures and more. This technology is able to provide the best representation of an asset with full context from IT and security tools. It enables IT, SecOps, DevOps, and CloudOps teams to operate with the same information by breaking tool sprawl and data silos, enabling better visibility, communication, prioritization, and remediation of risk.

CAASM solutions work by ingesting data from IT, business applications, and security tools through simple API integrations that pull in asset data from each respective tool on a continuous basis, identifying unique assets through aggregation, de-duplication and correlation. This provides the best picture of your digital estate by breaking down the data silos and tool deployment gaps. The more data you ingest from your environment the more accurate the picture of your attack surface becomes.
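The aggregation, de-duplication and correlation step described above can be sketched as follows. This is an added example, not code from any CAASM product; the source names, record fields and sample values are constructed assumptions.

```python
# Constructed sample exports; field names are assumptions, not a vendor schema.
SOURCES = {
    "ad": [
        {"hostname": "WS-001.corp.example.com"},
        {"hostname": "SRV-DB01.corp.example.com"},
    ],
    "edr": [{"hostname": "ws-001", "mac": "00-1A-2B-3C-4D-5E"}],
    "vuln_scan": [
        {"mac": "00:1a:2b:3c:4d:5e", "ip": "10.0.0.15"},  # no hostname reported
        {"hostname": "srv-db01", "mac": "00:1a:2b:3c:4d:6f"},
        {"hostname": "printer-7", "mac": "00:1a:2b:3c:4d:70"},
    ],
}

def keys(rec):
    """Normalized identifiers used to match one tool's record to another's."""
    out = set()
    if rec.get("hostname"):
        out.add(("host", rec["hostname"].lower().split(".")[0]))
    if rec.get("mac"):
        out.add(("mac", rec["mac"].lower().replace("-", ":")))
    return out

def correlate(sources):
    """Merge records that share any identifier into one asset (transitively)."""
    assets = []  # invariant: key sets of distinct assets never overlap
    for name, records in sources.items():
        for rec in records:
            merged = {"keys": keys(rec), "sources": {name}}
            if not merged["keys"]:
                continue  # nothing to match on
            for a in [a for a in assets if a["keys"] & merged["keys"]]:
                merged["keys"] |= a["keys"]
                merged["sources"] |= a["sources"]
                assets.remove(a)
            assets.append(merged)
    return assets

def label(asset):
    """Prefer a hostname for display; fall back to any other identifier."""
    hosts = sorted(v for kind, v in asset["keys"] if kind == "host")
    return hosts[0] if hosts else sorted(v for _, v in asset["keys"])[0]

def coverage_gaps(assets, control):
    """Assets seen by at least one tool but absent from `control`."""
    return sorted(label(a) for a in assets if control not in a["sources"])

if __name__ == "__main__":
    assets = correlate(SOURCES)
    print(len(assets), "unique assets; missing EDR:", coverage_gaps(assets, "edr"))
```

Matching on the short hostname is a simplification that can over-merge hosts sharing a name across domains; a production correlation engine would weight several identifiers.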

These solutions are continuing to evolve today to treat identities as assets, create software inventories, and map SaaS applications as part of the attack surface. When seeking a holistic attack surface solution, you should ensure it includes the following key features for optimal visibility:

  • External Attack Surface Management
  • Internal Attack Surface Management
  • Unified data correlation engine
  • Cloud resource aware
  • Identities
  • Software Inventory

Key Asset Types to Drive Attack Surface Visibility

NIST has a definition of asset that is very broad but will suffice for this article:

“An item of value to stakeholders…the value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns.”

Based on this definition, we will further narrow down the scope to focus on types of cyber assets that add the most value in understanding the Attack Surface. Let’s start with the most basic: machines.

Traditional Assets (Machines)

Often referred to simply as "assets," these primarily include your employee and business application compute devices, such as workstations and servers. Due to the fast paced evolution of digital infrastructure, this definition is quickly expanding to include infrastructure like virtual machines, containers, and object stores, or new asset categories are being created in Attack Surface Management solutions. The important thing is to make sure you have visibility into the cyber assets in your organization, however they’re defined.

Identities

Identities are the new perimeter, as some say, and are valuable assets to the business because they grant access to the business’s resources. Identity data suffers from the same data silo problems as other assets. Your company email address, for example, is typically used to authenticate and access many different business services and applications. If we can correlate data from sources like Active Directory, Okta, Google Suite, Office 365, and KnowBe4 security training, we can provide security and IAM teams with visibility into not just the identities within the organization, but also key challenges in the identity attack surface, such as identities that have MFA disabled but also have Administrator access to key services.

A common challenge with identity discovery and attack surface management is that security teams attempt to map it using threat data. There is a significant difference in accuracy between detection rules and the identity source. For example, a service account that is actively enabled may be missed by a SIEM/XDR solution due to a lack of recent log activity, therefore excluding it from reports. By inventorying identities as assets, we can gather the status of the service account directly from the data source’s API. Both the identity telemetry data from the source (e.g. Okta, AD) and threat data (e.g. SIEM/XDR) can be leveraged to give a more accurate picture of the state of the environment.
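The difference between the identity source and threat data can be shown with a small check (an added example, not code from any product). The records, field names and the 30-day window are constructed assumptions, and the reverse check for identities that appear in logs but not in the directory goes slightly beyond the cases named above.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not the Okta/AD or SIEM schema.
NOW = datetime(2024, 10, 4)
DIRECTORY = [  # state as reported by the identity source's API
    {"user": "alice@example.com", "enabled": True, "mfa": True, "admin": True},
    {"user": "bob@example.com", "enabled": True, "mfa": False, "admin": True},
    {"user": "svc-backup", "enabled": True, "mfa": False, "admin": False},
    {"user": "carol@example.com", "enabled": False, "mfa": False, "admin": True},
]
SIEM_LAST_SEEN = {  # most recent authentication event per identity in threat data
    "alice@example.com": NOW - timedelta(days=1),
    "bob@example.com": NOW - timedelta(days=3),
    "old-contractor@example.com": NOW - timedelta(days=2),
}

def identity_findings(directory, last_seen, now, window_days=30):
    """Compare source-of-truth identity state with what log data can see."""
    findings = []
    known = {d["user"] for d in directory}
    for d in directory:
        if not d["enabled"]:
            continue  # disabled accounts grant no access
        if d["admin"] and not d["mfa"]:
            findings.append((d["user"], "admin_without_mfa"))
        seen = last_seen.get(d["user"])
        if seen is None or now - seen > timedelta(days=window_days):
            # Enabled in the directory, yet invisible to log-driven reports.
            findings.append((d["user"], "enabled_but_no_recent_logs"))
    for user in last_seen.keys() - known:
        findings.append((user, "in_logs_but_not_in_directory"))
    return sorted(findings)

if __name__ == "__main__":
    for user, issue in identity_findings(DIRECTORY, SIEM_LAST_SEEN, NOW):
        print(f"{user}: {issue}")
```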

Software Inventory

With the rise of supply-chain attacks and the increased presence of unapproved or outdated software, visibility into software has become a key part of understanding your attack surface. Inventorying all software installed and running on an asset, combined with security context around that software from vulnerability scanners, NGAV and Threat Intelligence, gives teams the best visibility into understanding and measuring the risks posed by unapproved or unauthorized code. A software inventory helps answer questions like:

  • Which of my machines are running software that has a new, high-risk vulnerability?
  • Which machines are running legacy or outdated software?
  • What is the most vulnerable software in my environment that we should prioritize for remediation?
  • Am I over-utilizing an application license?

Other types of ‘software adjacent’ assets include SaaS applications and web applications.

Now that we have identified the three major types of business assets to monitor in your attack surface, in the next blog we will explore how ASM solutions discover the assets in your environment and what to watch out for to ensure you have the best discovery capabilities so that you’re not missing large portions of your attack surface.