Understanding the attack surface to better allocate funds

In the last few years, the attack surface has changed from defending the perimeter to protecting applications in the cloud, leaving CISOs wondering how they can best allocate funds to stay ahead of attacks.

Misha Govshteyn, co-founder and CISO at Alert Logic, said, “For a long time, when people thought about defensive strategies it was about their enterprise or their perimeters, where the infrastructure ends and the outside world begins.”

According to Earl Perkins, research vice president, digital security, the IoT group at Gartner, “We now embrace multiple forms of wireless networks as an enterprise. We distribute smaller, fit-for-purpose devices that have some processor and memory function, but aren’t general-purpose platforms in the sense of traditional IT. All of these are now ingress points and vulnerable assets if they are inadequately protected.”

Keeping up with these changes can be a challenge which is why understanding the attack surface has gained importance for startups and larger enterprises alike, especially in the cloud, Govshteyn said.

“For a company that started five years ago, they literally were in the start of building their infrastructure. A lot of their software is in the cloud, and not just one cloud but a couple of cloud like environments,” Govshteyn said.

Where so many organizations can now go and buy SaaS applications, the need for firewalls is lower and lower, said Govshteyn. “They are no longer a traditional data center behind the firewall. Their attack surface is very fragmented. For some the attack surface is users and people in the office behind desktops and laptops. They have applications they buy from SaaS environments.” 

Still other organizations have custom applications, and their security infrastructure is built around cloud environments. “That’s very different,” said Govshteyn. “They may have few controls or have to share control with their cloud provider. They have no laptops, no end users. It doesn’t make sense that they would use the same protection strategy across those environments.” 

Looking at their IT environment, the end points they are protecting, and inside the cloud will reveal very different kinds of technology. “Protecting endpoint devices, client applications, web browsers, the kind of technology they need for that looks radically different from what they would put in their cloud environment,” Govshteyn said.

One interesting trend is the notion that the marketing department might have a larger budget than IT, but Govshteyn said, “I do see early signs of IT eclipsing other departments.” 

Some of those signs are in the shift toward delegating authority to line of business owners. “They decide whether an application will be hosted in a cloud or with a cloud server, then ‘how do I secure the information?’ is the second question,” Govshteyn said.  

Key to determining where to allocate funds, particularly with limited resources, is having a clear understanding of the attack surface. Perkins said, “Ruthless prioritization of risk remains the more effective means of determining where money is to be spent in cybersecurity.”

“A complete understanding of core business risks in the enterprise, mapping the technology mesh over the enterprise organization to understand how technology impacts those risks, assessing the current cybersecurity readiness of that mesh, then prioritizing according to the most critical business assets and their dependency on that technology,” is how the CISO can best determine where funds should be allocated, Perkins said.

Certainly, there is a more detailed process, but Perkins said, “That allows a baseline of budget funding to be established. Managing risk involves reassessing frequently how and whether business risks have evolved, reprioritized or changed and ensuring that technology changes have not jeopardized the ability of those risks to be addressed.”

J.J. Thompson, founder and CEO of Rook Security, said it’s all about tying the assets and the attacks together.

“They are really struggling because the technologies used throughout threat detection don’t really tie the attack to the assets effectively. How can they prioritize? Being able to prioritize depends on what the criminals are attacking,” Thompson said.

Many CISOs instead are trying to fend off attacks, dealing with categorizing and prioritizing the attacks without looking at the assets that are being attacked.

“Maybe I don’t care about any of the assets flagged as having a critical attack on them, but because they are using their detection to prioritize based on CVE or CVSS scores, the attacks don’t align with the assets,” Thompson said.

By way of example, Thompson explained that if a missile were detected over the US, the response would be incredibly different if that missile were landing in Fargo or in Boston.

“When attacks work, the response is markedly different depending on what’s being attacked,” Thompson said, “so they can’t look at an attack in a vacuum without pairing it up with an asset.”

There are certainly many tool sets for detecting threats that are currently working, but Thompson said, “They are not doing a good job of coupling and providing context. What they need is a coupling of the threat and the context so that analysts can adapt.”

Scott Chasin, ProtectWise CEO and co-founder, said that the biggest challenge any CISO has is in defining exactly what that attack surface is. “In traditional enterprise networks or perimeters, they might have invested in a SIEM or they have an army of point products deployed that output log files,” Chasin said.

The challenge then becomes one of visibility. Chasin said, “Their enterprise visibility coverage is generally myopic.”

The problem with understanding the attack surface comes down to visibility and the fidelity of the resolution. “Most companies have anywhere from 50 to 100 point products to deploy and glue together, and they provide varying degrees of visibility,” Chasin said.

Moving beyond traditional enterprise coverage, they come to the cloud, where Chasin said there is barely any visibility. “In IoT, industrial control, and critical infrastructure, there is even less visibility. They are operating with the lights off. They simply don’t have a clear picture or understand of their computing service or the attacks on top of that.”

Operating in the dark, said Chasin, leaves CISOs questioning how they get pervasive visibility with the legacy burden of very expensive solutions that provide myopic visibility.

The network doesn’t lie, Chasin said, “So if they can record the network, every asset they have has to communicate. Being able to record the conversations provides the visibility and asset awareness to create their baseline of what is normal and not normal.”

While some warn of data hoarding, Chasin argues that most organizations aren’t collecting enough. “They should be leveraging the cloud to store as much data as they want and have nothing on the edges. The cloud provides a very long retention window, and it’s not just visibility as a real time component, but visibility that has a memory to it.”

Visibility is key to decision making as it provides the deep understanding CISOs need to best allocate funds. “A security and risk leader must have unprecedented visibility into the technology mesh they are responsible for, monitoring, detecting and responding to changes,” Perkins said.

Deposit your comments over on Facebook.