Cloud services, remote and work-from-home systems, and Internet-connected devices all expand the enterprise attack surface. With surveys predicting that it will keep growing, the most reliable way to reduce the number of exploitable weaknesses is to establish a proper enterprise attack surface management program.
Many IT assets that access corporate network services lack basic security controls, according to a report by Sevco that analyzed data aggregated from visibility into more than 500,000 IT assets. The report found that 11% of all IT assets lacked endpoint protection, 15% were not covered by enterprise patch management solutions, and 31% were not covered by enterprise vulnerability management systems. The picture is worse for small and medium-sized businesses (SMBs) that secure their attack surface on their own: among SMBs that do not use a managed security service provider, 21% of IT assets lack endpoint protection.
Proper management of the attack surface requires analysis of operations to discover potential vulnerabilities and understand the landscape. That information should help develop a plan, but success depends on executing that plan across the organization’s network, systems, channels and touchpoints.
Consider these best practices when building an enterprise attack surface management program:
1. Map the attack surface
To set up a proper defense, you need to know which digital assets are exposed, where attackers are most likely to target the network, and what protections are needed. The Sevco data above (11% of assets with no endpoint protection) shows how often assets fall outside the controls that are supposed to cover them, so the first job is to increase visibility of the attack surface and build an accurate inventory of exposed assets and their weaknesses. Look in particular for older and less secure computers and servers, unpatched systems, outdated applications, exposed IoT devices, and assets that appear in one console but not in another.
Predictive modeling can help create a realistic depiction of possible events and their risks, further strengthening defenses and proactive measures. Once you understand the risks, you can model what will happen before, during and after an event or breach. What kind of financial loss can you expect? What will be the reputational damage from the event? Will you lose business intelligence, trade secrets or more?
“The successful [attack surface mapping] strategies are quite simple: Know what you are protecting (accurate asset inventory); monitor for vulnerabilities in those assets; and use threat intelligence to know how attackers are getting behind those assets with those vulnerabilities,” said John Pescatore, SANS director of emerging security trends. “…each of those three phases requires skilled personnel with security technology to keep up with the pace of change in all three areas.”
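An accurate asset inventory, the first of Pescatore's three phases, usually has to be reconciled from several consoles that each see a different subset of the estate. The following is an added example, not code from the article or from Sevco: it takes constructed inventories from a CMDB, an EDR console, a patch-management system and a vulnerability scanner (hostnames and control names are assumptions), treats the attack surface as the union of everything any source sees, and reports the assets each control misses, the assets no source of record knows about, and the ones missing every control.

```python
"""Reconcile asset inventories to find where security controls do not reach.

Added example with constructed inventories; it is not Sevco's data or
tooling. Each source is the set of hostnames it knows about. The attack
surface is the union of everything any source sees, and an asset is a
coverage gap for a control when it is missing from that control's console.
"""
from dataclasses import dataclass, field

# Constructed inventories (hostnames as exported from each console).
CMDB = {"web-01", "web-02", "db-01", "jump-01", "cam-lobby", "laptop-42"}
EDR = {"web-01", "WEB-02", "db-01", "laptop-42", "dev-box-7"}  # dev-box-7 never reached the CMDB
PATCH_MGMT = {"web-01", "db-01", "laptop-42", "jump-01"}
VULN_SCAN = {"web-01", "web-02", "laptop-42"}
CRITICAL = {"db-01", "jump-01"}  # assumed list of crown-jewel systems


def normalise(hosts):
    """Consoles disagree on case and whitespace; compare on a canonical form."""
    return {h.strip().lower() for h in hosts}


@dataclass
class CoverageReport:
    total: int
    gaps: dict = field(default_factory=dict)     # control -> hosts it does not cover
    unknown: set = field(default_factory=set)    # seen by a control, absent from the CMDB

    def gap_pct(self, control):
        return round(100 * len(self.gaps[control]) / self.total, 1)


def coverage(cmdb, controls):
    """controls maps a control name to the hosts that control covers."""
    cmdb = normalise(cmdb)
    controls = {name: normalise(hosts) for name, hosts in controls.items()}
    all_assets = set(cmdb).union(*controls.values())
    report = CoverageReport(total=len(all_assets))
    report.unknown = all_assets - cmdb
    for name, covered in controls.items():
        report.gaps[name] = all_assets - covered
    return report


def prioritise(report, critical):
    """Hosts missing every control, critical systems first."""
    missing_all = set.intersection(*report.gaps.values()) if report.gaps else set()
    return sorted(missing_all, key=lambda h: (h not in normalise(critical), h))


def example_report():
    report = coverage(CMDB, {"endpoint": EDR, "patch": PATCH_MGMT, "vuln": VULN_SCAN})
    return report, prioritise(report, CRITICAL)


if __name__ == "__main__":
    report, worst = example_report()
    for control in report.gaps:
        print(f"{control}: {report.gap_pct(control)}% uncovered -> {sorted(report.gaps[control])}")
    print("not in CMDB:", sorted(report.unknown))
    print("missing every control:", worst)
```

Two details matter in practice: the denominator is the union of all sources, not the CMDB alone, because an asset only the EDR console knows about (dev-box-7 here) is still part of the attack surface; and hostnames must be normalised before comparison, or a differently cased entry is counted as a gap that does not exist.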
2. Minimize vulnerabilities
Once organizations have mapped their attack surface, they can then take steps to reduce the risk posed by the most important vulnerabilities and potential attack vectors before moving on to lower-priority tasks. Bringing assets offline where possible and strengthening internal and outward-facing networks are two key areas to focus on.
Most platform vendors now offer tools to reduce the attack surface. Microsoft's Attack Surface Reduction (ASR) rules, for example, block behaviours that malware commonly relies on, such as Office applications spawning child processes or executable content launched from email clients; each rule is identified by a GUID and can be deployed in audit mode first through Intune, Group Policy or the Set-MpPreference cmdlet before it is switched to block. Dedicated attack surface discovery and management tools go further, quantifying, minimizing, and hardening the attack surface across the estate.
A large share of breaches involve human error, so building awareness and training employees is another critical part of reducing vulnerabilities. What policies do you have to help them stay on top of personal and workplace security? Do they understand what is required of them? Which security practices should they be using, and how would a failure affect them and the business?
Not all vulnerabilities can be fixed, and some will persist regardless. A sound cyber security strategy therefore ranks them by how likely they are to be exploited, weighting internet-facing exposure, known exploitation in the wild and the value of the asset. Those are the vulnerabilities that need to be mitigated and monitored first.
Most businesses grant employees and contractors more access than they need. Tightly scoped permissions limit the damage a compromised account can do, so that a single stolen credential does not become an outage or a major breach. Start the review of access rights with critical systems, then limit each person's and device's access to only the assets they absolutely need.
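One practical way to run that review is to compare what each principal was granted with what it actually used over a review window, starting with the critical systems. The block below is an added example, not code from the article: the grants, the critical-system list and the access log lines are constructed, and the log format (timestamp, principal, system, permission) is an assumption standing in for whatever an IAM export and access logs provide.

```python
"""Find over-scoped access by comparing granted permissions with used ones.

Added example with constructed data; it is not a product's API. Grants come
from an IAM export, usage from access logs covering the review window.
Anything granted but never exercised is a candidate for removal, and
critical systems are reviewed first.
"""
from collections import defaultdict

# Constructed grants: principal -> {(system, permission)}
GRANTS = {
    "alice": {("payroll-db", "read"), ("payroll-db", "write"), ("wiki", "read")},
    "bob": {("payroll-db", "read"), ("build-server", "admin"), ("wiki", "read")},
    "svc-backup": {("payroll-db", "read"), ("payroll-db", "write"), ("file-share", "write")},
}
CRITICAL_SYSTEMS = {"payroll-db", "build-server"}  # assumed

# Constructed access log: "<timestamp> <principal> <system> <permission>"
ACCESS_LOG = """\
2024-03-01T08:01:11Z alice payroll-db read
2024-03-01T09:15:42Z alice wiki read
2024-03-02T10:02:05Z bob wiki read
2024-03-02T10:05:19Z svc-backup payroll-db read
2024-03-03T01:00:00Z svc-backup file-share write
malformed entry that must not abort the review
"""


def parse_usage(log_text):
    """Return principal -> {(system, permission)} actually exercised."""
    used = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the review
        _ts, principal, system, perm = parts
        used[principal].add((system, perm))
    return used


def unused_grants(grants, used):
    """Granted in the window but never used: candidates for removal."""
    return {p: grants[p] - used.get(p, set()) for p in grants}


def review_order(unused, critical):
    """Rows of (principal, unused critical grants, unused other grants),
    principals with the most unused critical access first."""
    rows = []
    for principal, perms in unused.items():
        crit = {g for g in perms if g[0] in critical}
        rows.append((principal, sorted(crit), sorted(perms - crit)))
    rows.sort(key=lambda r: (-len(r[1]), -len(r[2]), r[0]))
    return rows


if __name__ == "__main__":
    unused = unused_grants(GRANTS, parse_usage(ACCESS_LOG))
    for principal, crit, other in review_order(unused, CRITICAL_SYSTEMS):
        print(f"{principal}: remove critical {crit}, other {other}")
```

The window length is a judgement call: too short and quarterly tasks look unused; too long and stale grants survive. Service accounts deserve the same scrutiny as people, which is why svc-backup's unused write on the payroll database surfaces alongside bob's unused admin on the build server.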
3. Establish strong security practices and policies
Following tried and true security practices will go a long way in reducing your attack surface. This includes implementing intrusion detection solutions, conducting regular risk assessments and establishing clear and effective policies. Here are some practices to consider:
4. Establish security monitoring and testing protocols
A strong cybersecurity program requires constant adaptation as IT infrastructure changes and threat actors evolve. This requires continuous monitoring and regular testing, the latter often through third-party penetration testing services.
Monitoring is typically done through an automated system such as security information and event management (SIEM) software. It collects log data from host systems and applications as well as from network and security devices such as firewalls and antivirus filters, then correlates the events into incidents and ranks them for analysis.
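What "correlates the events" means in practice is a rule run over a stream of parsed log lines. The block below is an added example, not code from the article or any SIEM product: it implements one classic correlation rule, a burst of failed logins from one source followed by a successful login from the same source, over constructed authentication log lines in an assumed format, and shows the parser surviving a line it cannot read.

```python
"""Correlate authentication events the way a simple SIEM rule would.

Added example; the log lines are constructed and the rule is illustrative,
not a vendor's rule syntax. Rule: at least `threshold` failures from one
source within `window`, followed by a success from that source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<timestamp> auth <OK|FAIL> user=<name> src=<ip>"
LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth FAIL user=admin src=203.0.113.7
2024-03-01T10:00:03Z auth FAIL user=root src=203.0.113.7
2024-03-01T10:00:04Z auth FAIL user=backup src=203.0.113.7
2024-03-01T10:00:06Z auth FAIL user=jsmith src=203.0.113.7
2024-03-01T10:00:08Z auth FAIL user=jsmith src=203.0.113.7
2024-03-01T10:00:09Z auth OK user=jsmith src=203.0.113.7
2024-03-01T10:30:00Z auth FAIL user=alice src=198.51.100.4
2024-03-01T10:30:30Z auth OK user=alice src=198.51.100.4
garbage line that a parser must survive
"""


def parse(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_spray_then_success(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert when a success follows >= threshold failures from one source
    inside the sliding window. Returns a list of alert dicts."""
    fails = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # unparseable lines are skipped, not fatal
        recent = fails[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # age out failures outside the window
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": len(recent), "at": ev["ts"].isoformat()})
            recent.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_spray_then_success(SAMPLE_LOG):
        print(alert)
```

A single failed login followed by a success (alice from 198.51.100.4) is a typo, not an attack, so it stays below the threshold; the five failures across four accounts from 203.0.113.7 followed by a success for jsmith is the pattern worth an analyst's time. In a real deployment the threshold and window are tuned per source type, and the alert would carry the account that finally succeeded so that it can be disabled.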
Penetration testing provides unbiased third-party feedback to help you better understand vulnerabilities. Pen testers perform simulated attacks designed to reveal critical vulnerabilities. Testing should touch core elements of the enterprise network and BYOD and third-party devices used by vendors. Mobile devices account for approximately 60% of interactions with corporate data.
5. Harden your email system
Phishing is a common way attackers can compromise your network. Yet some organizations have not fully deployed email protocols designed to limit the number of malicious emails employees receive. The protocols are:
Sender Policy Framework (SPF) lets a domain publish which mail servers may send on its behalf; receivers check the envelope sender (the return-path address) against that list. DomainKeys Identified Mail (DKIM) adds a cryptographic signature over selected headers and the body, so the receiver can verify that the message was signed by the signing domain and was not altered in transit. Neither protocol on its own protects the "From" address the recipient sees when previewing or opening a message. Domain-based Message Authentication, Reporting and Conformance (DMARC) closes that gap: it requires the visible From domain to align with the domain authenticated by SPF or DKIM, tells receivers what to do with mail that fails (none, quarantine or reject), and provides reports on who is sending mail as your domain.
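Publishing the records is only half the job; the settings in them decide whether spoofed mail is actually rejected. The block below is an added example, not code from the article: it evaluates constructed SPF and DMARC TXT records (a common weak posture beside the corrected one) for the settings that let spoofed mail through. No DNS lookups are made; a live check would first fetch the TXT records for the domain and for its _dmarc subdomain. DKIM is verified per message using the selector named in the signature header, so it is not assessed here.

```python
"""Check SPF and DMARC TXT records for the settings that let spoofed mail
through. Added example: the records are constructed and nothing is looked
up in DNS. The SPF rules follow RFC 7208 (all mechanism, 10-lookup limit)
and the DMARC rules RFC 7489 (p, sp defaults to p, pct, rua).
"""
import re

# Constructed records: a common weak posture beside the corrected one.
WEAK = {
    "spf": "v=spf1 include:_spf.example-mailer.net ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
STRONG = {
    "spf": "v=spf1 include:_spf.example-mailer.net -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.com",
}

LOOKUP_MECHANISMS = {"a", "mx", "include", "redirect", "exists", "ptr"}


def parse_dmarc(record):
    """DMARC is tag=value pairs separated by semicolons."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(spf):
    if not spf or not spf.startswith("v=spf1"):
        return ["no SPF record: any host may use the domain as envelope sender"]
    terms = spf.split()[1:]
    findings = []
    if "+all" in terms or "all" in terms:
        findings.append("+all: SPF authorises every sender")
    elif "~all" in terms:
        findings.append("~all soft-fail: spoofed mail is tagged, not rejected, unless DMARC enforces")
    elif "-all" not in terms:
        findings.append("no all mechanism: unlisted senders get a neutral result")
    # Strip qualifier and argument to get the bare mechanism name.
    lookups = sum(1 for t in terms if re.sub(r"[:=/].*", "", t).lstrip("+-~?") in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms: over the limit of 10, receivers return permerror")
    return findings


def dmarc_findings(record):
    if not record:
        return ["no DMARC record: the visible From header is never checked for alignment"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["malformed DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed From addresses are still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append(f"missing or unknown policy p={policy!r}")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of the failing mail")
    if tags.get("sp", policy) != "reject":  # sp defaults to p
        findings.append("subdomain policy (sp) is not reject: attackers can send as a subdomain")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports on who is sending as the domain")
    return findings


def assess(records):
    return {"spf": spf_findings(records.get("spf")), "dmarc": dmarc_findings(records.get("dmarc"))}


if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("strong", STRONG)):
        print(name, assess(recs))
```

The usual path from the weak posture to the strong one is p=none with reporting enabled until the aggregate reports show every legitimate sender is authenticated, then p=quarantine with a rising pct, then p=reject with sp=reject; moving straight to reject on a domain whose marketing platform is not yet in the SPF include list is how legitimate campaigns get dropped.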
Pescatore recalls working with Jim Routh when he was CISO at Aetna. “He was able to get the organization to move towards secure software development and to implement strong email authentication by ensuring that the business benefit would exceed the security costs if management supported him in making the necessary changes.”
Not all initiatives land, but Routh delivered. His changes resulted in fewer software vulnerabilities and shortened time to market. “Moving to DMARC and strong email authentication increased email marketing campaign click-through rates and essentially more than paid for itself.”
6. Understand compliance
All organizations should have policies and procedures in place to research, identify and understand both internal and government standards. The goal is to ensure that all security policies are consistent and that there is a proper response plan for the various types of attacks and breaches.
This requires a task force and a strategy for reviewing new policies and regulations as they arise. As important as compliance is to a modern cybersecurity strategy, that does not mean it should come first. “Too often compliance comes first, but nearly 100% of companies that had breaches where credit card information was exposed were PCI compliant. However, they were not safe,” Pescatore said. He believes cyber security strategies must first assess risk and deploy processes or controls to protect the company and its customers. “Then, [enterprises should] provide the documentation required by various compliance systems (such as HIPAA or PCI) showing how your strategy is compliant.”
7. Hire auditors
Even the best security teams sometimes need fresh eyes when evaluating the enterprise attack surface. Hiring security auditors and analysts can help you discover attack vectors and vulnerabilities that might otherwise go unnoticed. They can also assist in creating incident management plans for dealing with potential breaches and attacks. Too many organizations are unprepared for attacks because they lack the checks and balances needed to measure whether their policies are actually followed.
“When trying to objectively assess security risk, an external, unbiased perspective can be extremely beneficial,” said Jason Mitchell, CTO at Smart Billions. “Use an independent monitoring process to help recognize risk behaviors and threats before they become a problem on your endpoints, especially new digital assets, new onboarding providers and remote employees.”
UnCirculars – Cutting through the noise, delivering unbiased crypto news