Security is Dead. Long Live Attack Surface Management


Written by: Dan Schoenbaum, President and COO at RiskIQ

For businesses with an online presence, it’s not a question of if threat actors are targeting you, it’s a question of when, how, and how often. In 2018, there were 53,308 reported security incidents and 2,216 data breaches across 65 countries. Ironically, many of the victims thought they were doing everything necessary to protect their customers and business.

Among the victims of these incidents were high-profile companies like Equifax, Marriott, and British Airways. Each of them maintains sensitive consumer data, so it’s a reasonable assumption that their cybersecurity practices were sophisticated and their attack surfaces impenetrable. So no matter how often data breaches come to light, it’s still shocking when these mega-breaches hit the front page. After all, how can an organization we trust with our most sensitive personal data be compromised, and in the case of Equifax, for so long and so damn easily?

The unfortunate answer lies in the way most organizations approach security. It too often involves a checklist only of simple, traditional measures focusing on maintaining a perimeter and hiding behind it. They monitor internal networks while ignoring a crucial portion of their attack surface: everything that lives outside the firewall, a varied collection of client-facing assets that hackers can and will discover as they research their next threat campaigns.

Until recently, this was deemed enough. Not anymore.

Due to cloud server migration, hosting and other digital media initiatives, millions of assets—websites, servers, the third-party components running on them, mobile apps, certificates, social media profiles, and more—appear on the internet every day, and they’re entirely outside the scope of firewalls and endpoint protection. These items proved to be the cause of many of the year’s most massive breaches: an expired certificate in the case of Equifax and compromised JavaScript in the case of British Airways. These organizations may be investing in their security, but they’re failing miserably at managing their overall attack surface.

Investing in security inside the firewall while ignoring anything client-facing is like purchasing a bike helmet and expecting it to protect your entire body. Today, a business’s attack surface extends from the internal network all the way to the farthest reaches of the internet. Traditional security approaches have little or no visibility and attackers have plenty. Security teams are now responsible for defending this enormous swath of digital real estate with the same scrutiny as their internal networks. Nevertheless, many do not.

Adding to the disbelief of CISOs, consumers, and the press, organizations validate their outdated approach when these breaches happen by pointing to a satisfactory security score or risk report from vendors. These scores use narrow criteria and only attempt to predict the likelihood of a breach based on a point-in-time reference, often doing more to mask severe flaws and shortcomings than to actually prevent them.

But an organization’s attack surface and the threat landscape that targets it are changing all the time: certificates expire, frameworks need patching, shadow IT is stood up, and attackers’ tactics evolve. Recent RiskIQ data shows millions of websites are still running versions of PHP that will reach end of life this month, making them vulnerable to yet another wave of breaches. Because of these constant changes, a static scorecard is useful, but it’s hardly the authority on assessing a security posture. If anything, it may actually lull you into a false sense of security.
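To make the point about drift concrete, here is a small added example (not RiskIQ code, and not part of the original article) that re-evaluates the same external asset inventory on different dates. The inventory, the hostnames and the end-of-life table are all constructed for illustration; a real check would pull certificate and version data from observation, and the EOL dates should be taken from the vendor's published support schedule.

```python
"""Re-assess an outside-in asset inventory as of a given date.

Flags the kinds of drift the article lists: expired or soon-to-expire
certificates, runtimes past end of life, and hosts with no recorded owner
(a common shadow-IT signal). Running the same inventory at two dates shows
why a point-in-time score goes stale.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory: hypothetical hosts under a reserved test domain.
INVENTORY = [
    {"host": "www.example.test", "cert_not_after": "2019-06-30",
     "runtime": "php/7.2", "owner": "web-team"},
    {"host": "legacy.example.test", "cert_not_after": "2018-11-15",
     "runtime": "php/5.6", "owner": "web-team"},
    {"host": "promo-2017.example.test", "cert_not_after": "2019-01-10",
     "runtime": "php/7.0", "owner": None},
]

# Illustrative end-of-life table (assumed values for this example; verify
# against the vendor's support schedule before using in practice).
RUNTIME_EOL = {
    "php/5.6": date(2018, 12, 31),
    "php/7.0": date(2018, 12, 31),
    "php/7.1": date(2019, 12, 1),
    "php/7.2": date(2020, 11, 30),
}


@dataclass
class Finding:
    host: str
    kind: str    # cert_expired | cert_expiring | runtime_eol | unowned
    detail: str


def assess(inventory, as_of, warn_days=30, eol_table=RUNTIME_EOL):
    """Return the findings that apply to `inventory` on the date `as_of`."""
    findings = []
    for asset in inventory:
        host = asset["host"]

        # Certificate lifetime: expired, or expiring inside the warning window.
        not_after = date.fromisoformat(asset["cert_not_after"])
        if not_after < as_of:
            findings.append(Finding(host, "cert_expired",
                                    f"certificate expired {not_after}"))
        elif not_after - as_of <= timedelta(days=warn_days):
            findings.append(Finding(host, "cert_expiring",
                                    f"certificate expires {not_after}"))

        # Runtime support status against the EOL table.
        eol = eol_table.get(asset["runtime"])
        if eol is not None and eol <= as_of:
            findings.append(Finding(host, "runtime_eol",
                                    f"{asset['runtime']} unsupported since {eol}"))

        # Ownership gap: nobody is accountable for patching this host.
        if asset.get("owner") is None:
            findings.append(Finding(host, "unowned",
                                    "no recorded owner (possible shadow IT)"))
    return findings


def assess_on(iso_day, inventory=INVENTORY):
    """Convenience wrapper taking an ISO date string."""
    return assess(inventory, date.fromisoformat(iso_day))


def summarize(findings):
    """Count findings per kind, e.g. {'cert_expired': 2, 'unowned': 1}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    # Same inventory, six weeks apart: the picture changes without anyone
    # touching the hosts.
    for when in ("2018-12-01", "2019-01-15"):
        results = assess_on(when)
        print(when, summarize(results))
        for f in results:
            print(f"  {f.host}: {f.kind} ({f.detail})")
```

On the first date the constructed inventory yields one expired certificate and one unowned host; six weeks later two certificates have lapsed and two runtimes have crossed their EOL date. Nothing in the environment was changed in between, which is exactly why a scorecard computed once cannot stand in for continuous monitoring.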

When organizations manage their entire attack surface, they understand what they look like from the outside in. This means they can develop a strategy that lets them discover everything associated with their organization on the internet, both legitimate and malicious, and shrink their attack surface down to size. However, bringing the massive scope of an organization’s attack surface into focus is no easy task. Ask any corporate security leader how many of their company’s digital assets exist outside their firewall. Their approximation is likely just a fraction of the real number.

A recent rash of supply chain attacks has been capitalizing on this lack of visibility into corporate attack surfaces. These attacks breach vulnerable third-party components to gain access to thousands of sites at once, and they are a central narrative to some of the year’s most high-profile security events. Just consider the rise of Magecart, the threat group responsible for intercepting millions of consumer credit card records.

Discovering these vulnerable assets takes considerable resources. Organizations finding success in today’s threat landscape are those spending on surveillance and reconnaissance tools that show them what they look like from the outside in. The tools providing insight and visibility into these assets leverage internet data to discover everything associated with an organization on the web, monitoring those assets for compromise and bringing the massive scope of an attack surface into focus. With this view, organizations can defend themselves proactively, and even get ahead of future attacks online rather than reacting to them.

It won’t be long until high-profile breaches are no longer tolerated. Consumers and regulatory bodies will punish businesses that put their data at risk. Those who fall short in managing their entire attack surface (not just internal networks) will suffer crushing material loss. Today we’re in a new age of security—the age of Attack Surface Management. Taking a proactive approach by venturing beyond the corporate perimeter to identify forgotten, mismanaged or vulnerable assets is now the only way to protect your business, your customers, and your employees.

About Dan Schoenbaum, RiskIQ COO and President

Dan Schoenbaum has 23 years of leadership with high-growth software companies. As the President and COO, Dan leads Sales, Marketing and Customer Success functions for RiskIQ. Formerly, he was the CEO of Cooladata, a leader in cloud data warehousing and machine learning. Dan was also the CEO of Redbooth, where he grew the company from startup to Gartner “cool vendor” with over a million paying users worldwide. Redbooth was acquired by AeroFS. Dan was the COO and Chief Business Development Officer for Tripwire, a leader in datacenter security, where he helped triple revenues, file an S-1 on the NASDAQ and sell the company. Dan was also the Chairman of Mergers & Acquisitions and Strategy at Compuware, a billion-dollar enterprise software company, and is credited with the creation of an $800M line of products at Mercury Interactive (acquired by HP for $4.6B). Dan was also a First Sergeant and a sniper in the paratroopers.