Reduce Your Attack Surface? Yeah, Right!
Hey, your attack surface is showing! It’s okay – everyone has one.
There’s a lot of talk these days about “reducing” your attack surface. We’re guilty of saying it ourselves at Censys. But the truth is, when it comes to attack surfaces, the goal is not actually to reduce the attack surface. Your goal should be something else entirely.
What is the “attack surface?”
Let’s start at the beginning. What is an attack surface? NIST, the National Institute of Standards and Technology, defines it as such:
“[t]he set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment” – NIST SP 800-172 from GAO-19-128
To define it another way, your attack surface is, essentially, all the ways the attackers can get into your organization. Most Attack Surface Management (ASM) solutions focus on reducing the attack surface because the smaller the attack surface, the easier it is to protect, right? While that may be true in theory, in practice – is that what’s best for your business?
Now, let’s take a step back to explore why attack surfaces are continuously expanding and explore the benefits to your business that have come with that before we jump to assuming we need to reduce it.
Why does your organization’s attack surface keep getting bigger?
The attack surface is showing you all of the external components that empower your business to accomplish its mission. It’s the website where you offer your marketing materials; the software-as-a-service that you sell; the external file sharing you enable to work with a third party in a secure fashion. It’s not only a path for attackers, but more often an environment for your customers and business partners. And there have been some big changes for organizations in how they accomplish their mission in recent years.
First began our migration to the cloud. The cloud lets businesses easily launch highly scalable applications globally to create new revenue streams on demand with lower upfront costs. It enables innovation by introducing new types of compute, like serverless or containers, and it gives us the unprecedented ability to process and store data, machine learning, artificial intelligence and a number of other managed services that offer the ability to transform our businesses.
Next came a global pandemic that shifted the paradigm of work entirely. The pandemic forced organizations to respond to a rapid shift to a remote workforce to enable the business while protecting employees’ health. Especially those that had to suddenly transition from a traditionally in-office workforce to those who work from home. This introduced new network complexity overnight. Now, more external connections and new configurations were necessary to keep workers empowered to complete their missions. As swift as the transition to remote work was, it left some companies open to new risk types they do not have mitigating controls for.
And lastly, Shadow IT will always be with us. As much as security professionals may try, there is no way to completely control what employees do with technology. With the introduction of cloud computing, organizations have reached an all-time high in terms of level of complexity in what they have to defend.
The inherent risks of letting an attack surface grow and grow
Complex architectures and innovative technology has left blinds spots for adversaries to exploit. Risk Based Security’s 2020 Year-End Data Breach Report reported a 48% decline in reported breaches, but a 141% increase in the number of confirmed records compromised. This points to an increase in the effectiveness of attacks. It’s plainly evident in the latest T-Mobile breach, which exposed the personal information of 40 million users. A 21-year old American has taken credit for the attack, according to the Wall Street Journal. While reported breaches may be declining, attacks are increasing:
“Global cyber attacks increased by 29%, as hackers continue to exploit the COVID-19 pandemic and shift to remote work. Ransomware attacks surged 93% in the last 6 months, fueled by innovation in an attack technique called Triple Extortion.” – 2021 Cyber Attack Trends
The rise in quantity and quality of attacks has eliminated the ability to be confident in security. The old adage goes that security experts have to plug every hole and the attackers only have to find the one you missed.
Forget “reducing,” focus on “continuously managing” your attack surface
And we’re back to that tricky word, “reducing.” For the reasons listed above and more, your attack surface is not likely to be able to be reduced anytime soon. But there is a very good method for addressing these issues – by continuously managing your attack surface.
The first step is using an Attack Surface Management solution, like Censys’. Censys ASM gives security teams an opportunity to solve issues before they have a chance to take place by allowing organizations to know all of the doors into their perimeter that an attacker can find. Further, it enables security teams to rise above the noise and focus on only the most risks attackers are most likely to exploit.
In addition to getting started managing attack surfaces with a great solution, organizational leaders need to also dispel the misconception that security is a blocker. Security executives are struggling as they migrate to the cloud and deal with the rapid adoption of innovation, which is hard to secure. This leads to tough conversations with business partners, often where security is seen as the difficult group.
Focusing on reducing your attack surface leads to an amplification of this problem. It creates situations where security controls stifle innovation in an organization. Steve Zalewski, Levi Strauss’s Deputy Chief Information Security Officer, expressed the shift he’s committing to in their cloud migration journey to empower the business to move quickly but securely:
“Part of the negotiation from Day One was getting both sides to understand that the new relationship had to be forged from a cybersecurity perspective and that if we couldn’t, it was putting me in a position where I couldn’t accomplish my primary goal, which is to protect the company.”
For organizations who are on this digital transformation journey whether they like it or not, it’s important to build a partnership with your security team. By presenting security as partners we reduce risk, improve visibility and gain allies. The struggle is real, because if you unintentionally encourage end users like developers or operations to take short cuts, they’ll end up accidentally evading security controls, because it’s too hard.
Take an outside-in approach to channel efforts in managing your attack surface instead of reducing it. Empower your organization to shift from reducing your attack surface to continually managing it with confidence.
Want to try an Attack Surface Management tool that works? Demo Censys ASM today.