Challenges Abound in Securing Complex Networks

Securing your Internet attack surface today is more complex and challenging than ever. Machine-speed attacks mean that bad actors can find compromised assets in minutes. Security teams often find themselves responsible for securing assets that are ultimately managed by other departments. Ensuring protection without having control over the Internet-connected assets and services that need that protection can be a challenge.

Adding to these escalating risks is the frequency with which the extended enterprise is targeted by malicious actors. Subsidiaries, companies that have been acquired, vendors, and partners can all be targets and add to your risk. Securing your organization isn’t about putting endpoint security tools on every company-owned device and setting up a firewall anymore; it’s about having complete visibility into and control over your global Internet attack surface, including relevant third parties.

Recent research has only confirmed this need. A new paper studying data breaches included in the Privacy Rights Clearinghouse database found that, out of a sample of 307 cyberattacks against 224 unique firms, 144 of the attacks impacted previous acquisitions and subsidiaries rather than the parent entity. [1] That means that 47% of the attacks hit subsidiaries or companies that had been acquired.

In our work with Fortune 500 companies, Expanse has found that most organizations rarely have a good handle on their attack surface or inventory of Internet-connected assets and services. We conduct regular IP list indexes and routinely find 10% more assets than organizations were previously tracking. In some cases, we’ve found up to 70% more assets.

To give you a sense of how this problem manifests, check out what three leading companies had on their Internet attack surface versus what they believed they had:

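[Figure: what three leading companies had on their Internet attack surface versus what they believed they had. Image credit: Expanse]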

Startups and smaller organizations (those that are more likely to be acquired) have an even higher rate of unknowns and exposures. Startups rarely keep accurate inventories of Internet-connected assets and services, and their pre-acquisition audit often boils down to a single security person sending over the list of IPs that they scan with vulnerability management software. Following this process, things can easily get missed. Also, security is often deprioritized over the growth of the business, leading to messy IT decisions that can take years to clean up.

In the case of mergers and acquisitions (M&A), cybersecurity is all too frequently treated as an afterthought. The IT organization at the parent company is rarely brought into the M&A process early. They’re usually brought in at the last minute and have to rely on error-prone surveys and questionnaires. Getting accurate information through self-attestation can be challenging, especially if the company being acquired has gone through a name change or has acquired other companies in the past. Expanse once found nested subsidiaries five layers deep. Abandoned assets are typically found at the lowest layer.

When working with third-party vendors and partners, organizations again end up relying on self-attestation, or they may turn to security scores, which are not actionable for driving the necessary changes in a third-party organization’s security posture. With all of the competing priorities of a security team and the time pressure to execute, audits are often left unfinished. And then the Internet-connected assets that an organization doesn’t know about do not get secured appropriately.

When you work with a third-party vendor or partner or acquire or merge with another company, you are also taking on the risks associated with that company’s network. Be sure to get a global, independent view of all of the organization’s Internet-connected assets and services so you can identify and remediate issues quickly. 

[1] Kamiya, Shinichi, et al. "What is the impact of successful cyberattacks on target firms?" No. w24409. National Bureau of Economic Research, 2018.



Copyright © 2019 IDG Communications, Inc.