By Carolyn Crandall, Chief Security Advocate and CMO
Modern network architecture looks less like a walled fortress and more like a sprawling cityscape. The rise of cloud environments, SaaS applications, remote work, and countless other factors have fundamentally changed the concept of the network perimeter and what it means to secure it. This change is driving organizations to focus more on identifying how attackers can get in, whether they have an attack path, and if the threat can bypass security controls.
Network visibility has never been more important, with organizations needing to continuously understand if critical systems have vulnerabilities, the consequences of a compromise, and whether they have the necessary capabilities and processes in place to protect their operations if under attack. Lean-forward organizations are also assessing the velocity and agility of how fast they can innovate and how fast their security “immune system” adjusts to changing environments.
Organizations have used Attack Surface Management (ASM) solutions to focus on public-facing infrastructure for some time. The latest evolution of ASM has added an internal focus, which includes exposure assessment of servers, web systems, applications, Active Directory (AD), cloud, networking, cybersecurity controls, and attack path mapping from on-premises to cloud and back. Together, these capabilities can help organizations create risk-based asset profiles, better identify security gaps and attack paths, and improve remediation efficacy.
Using ASM for Attack Path Mapping
Today’s businesses need complete visibility into any potential attack paths and techniques that could threaten their networks, and modern ASM solutions with attack pathing and security validation across networks, clouds, and identity systems play an incredibly important role. Solutions that are limited to only scanning cloud environments or identity systems fail to account for how those systems overlap and interconnect. Elements like interconnections, trusts, permissions, and other factors can change the path of an attacker in ways that are not immediately visible without a more holistic view of the environment. The ability to identify and visualize these potential paths enables the organization to more quickly close potential security gaps and vulnerabilities.
To be effective, modern ASM solutions should also include features such as AD scanning, cloud misconfiguration scanning, vulnerability scanning, and unified attack path mapping and analysis (UAPMA). AD remains a high-value target for attackers, and organizations need to be able to identify problems like delegation issues, known misconfigurations, overprivileged accounts, and others. Cloud misconfigurations are also common, especially with the rise of multi-cloud environments. If an organization cannot identify cloud assets, discover misconfigurations, and identify vulnerabilities like poor password policies and over-provisioning, it is dangerously vulnerable. Likewise, if an ASM solution cannot scan for cloud-specific infrastructure and identify misconfigurations, it leaves a significant coverage gap.
It is also crucial for ASM solutions to perform network discovery and vulnerability scanning both on-premises and in cloud infrastructure. Having a broad range of individual controls can be good, but the real value comes in the ability to correlate data across these tools and make incident response more risk-informed. Covering both environments continuously will also deliver reporting that aligns more closely to risk, rather than just reactive incident response.
Complementing Attack Surface Management
ASM is useful for creating an inventory of systems and risk profiles for them. Vulnerability management solutions typically focus on identifying, classifying, and tracking vulnerabilities that could be exploited—providing enhanced visibility and reporting. When used with ASM, security teams can quickly find at-risk systems and prioritize the remediation of systems that possess a vulnerability of concern.
Cybersecurity validation is another valuable complement to ASM—and the rise of breach and attack simulation (BAS) technology has made cybersecurity validation easier and more comprehensive. Although understanding the severity of a threat is important, it is an incomplete data set for prioritizing patching and remediation efforts. When security teams also use BAS tools to validate whether the controls are successfully detecting and alerting on attack activity, they can understand if their controls are working as intended, if they need to be tuned, or whether additional solutions may be needed. BAS efficiently performs broad-spectrum simulation assessments to look at each layer of security controls, discovering strengths and gaps to identify where controls are operating correctly, where resources must be allocated to reduce risk, and where redundancies exist that can be consolidated to reduce the overall budget.
Combined with ASM (which can identify viable attack paths), BAS defines where controls will and will not deflect threat actor activities. The result is a view of which attack paths are validated and whether the security controls along them are detecting and alerting effectively. InfoSec members can then focus remediation efforts on the systems that are not only vulnerable but attackable and insufficiently defended.
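As an added illustration of the two points above (cross-domain attack path mapping, and prioritizing systems that are vulnerable, on a validated path, and not covered by a detecting control), the following Python sketch is not from the article or any vendor product. It models an environment as a graph whose edges are tagged with the domain a scanner would need (network, identity, cloud); the asset names, scan results and control-validation results are constructed sample data.

```python
from collections import deque

# Constructed sample environment: (source, destination, domain a scanner needs to see it).
# Identity edges model things like an overprivileged service account and an
# AD-to-cloud sync account; cloud edges model role assumption and bucket access.
EDGES = [
    ("internet", "web-dmz", "network"),
    ("internet", "cloud-public-app", "cloud"),
    ("web-dmz", "svc-account", "identity"),        # credential recoverable on the web host
    ("svc-account", "ad-dc", "identity"),          # delegation / overprivileged account
    ("ad-dc", "sync-account", "identity"),         # on-prem AD to cloud identity sync
    ("sync-account", "cloud-admin-role", "cloud"),
    ("cloud-admin-role", "crown-jewel-bucket", "cloud"),
]

def find_path(edges, start, target, domains):
    """Breadth-first search over only the edges a scanner with the given domain
    coverage can see. Returns the node list of a path, or None if unreachable."""
    adjacency = {}
    for src, dst, domain in edges:
        if domain in domains:
            adjacency.setdefault(src, []).append(dst)
    previous = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = previous[node]
            return path[::-1]
        for nxt in adjacency.get(node, []):
            if nxt not in previous:
                previous[nxt] = node
                queue.append(nxt)
    return None

# Constructed results: vulnerability-scan findings and BAS control validation
# (True means the control detected and alerted on simulated attack activity).
VULNERABLE = {"web-dmz", "ad-dc", "cloud-public-app"}
CONTROL_DETECTS = {"web-dmz": True, "ad-dc": False, "cloud-public-app": True}

def prioritize(path, vulnerable=VULNERABLE, control_detects=CONTROL_DETECTS):
    """Nodes on a validated attack path that are vulnerable and undefended."""
    if path is None:
        return []
    return [n for n in path if n in vulnerable and not control_detects.get(n, False)]
```

A cloud-only scan sees no route to the bucket, while the unified view finds the full on-premises-to-cloud path and singles out the domain controller as the remediation priority.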
The rise in the need for a proactive defense based on these capabilities has not gone unnoticed by key voices in the industry. According to a recent Gartner report, threat exposure management and cybersecurity validation are among the top cybersecurity trends of 2023. The report predicts that by 2026, organizations prioritizing their security investments based on a continuous threat exposure management (CTEM) program will suffer two-thirds fewer breaches. Gartner also notes that cybersecurity validation will enable regular benchmarking of attack techniques, security controls, and processes, predicting that through 2026, more than 40% of organizations (including two out of three SMBs) will rely on consolidated platforms to run cybersecurity validation assessments. These predictions highlight the growing importance of not only testing and benchmarking security solutions and practices but doing so continuously. Together, these capabilities can grant organizations improved visibility into the threats and vulnerabilities they face—and help them better understand how to remediate them.
Aligning Modern Security Solutions with Today’s Top Trends
Today’s cyber threats evolve quickly, which means it is essential for organizations to be able to observe their entire attack surface on an ongoing basis. And as leading industry voices now acknowledge, security solutions are trending toward continuous threat exposure management and cybersecurity validation. Organizations increasingly want and need greater visibility into the threats they face, as well as the means to validate that their solutions are working in measurable, quantifiable ways. Fortunately, modern ASM tools are evolving to meet those needs, incorporating the ability to monitor not just threats, but vulnerabilities and misconfigurations from Active Directory to the cloud.