John Bruggeman, CISSP, is a consulting chief information security officer (CISO) for CBTS, an MSP and MSSP.
In my previous article, I wrote about how CEOs and CIOs need to have people on their teams who think like a criminal or an attacker to protect their digital assets. I introduced the attack surface management (ASM) technique to help control the risk that your external assets pose to your organization and described five broad areas of focus to reduce the risk of a cyberattack against your environment.
In this article, I will discuss four categories of tools you should use to help your attack surface management team. These are:
• Information system asset inventory.
• Vulnerability scanning.
• Risk management system.
• Workflow integration.
You might be thinking, “Why do I need to worry about my attack surface? I know what my external assets are; I have a spreadsheet right here.”
That’s a good start, and if your business is static and doesn’t expand or grow, then you can track your asset inventory on a spreadsheet. Just remember to make sure you have a handle on shadow IT.
Keep in mind how easy it is to spin up cloud and SaaS applications in which your data is deployed by your organization and by trusted third parties. Also, remember to talk with the CFO to confirm that the company from the recent merger has its own spreadsheet of assets. You’ll need to merge those two inventory lists once the deal is complete.
Four Tools To Help Your ASM Team
Information System Asset Inventory
According to a May 2023 SANS survey on attack surface and visibility, of the 450 defenders and attackers who responded, 94% use cloud services at least some of the time, and almost 90% report using third-party services and affiliates. Make sure you have a current list of your cloud assets and your trusted third-party systems as well. Your ASM tool should maintain a current inventory of your assets and should update it daily.
Vulnerability Scanning
Once you have your inventory, what vulnerabilities do those assets have? Some questions your board might ask are:
• Do you have a vulnerability and patching program in place?
• Are your externally exposed assets scanned for vulnerabilities once a week, once a month, every quarter, twice a year or once a year?
• Do you scan them after you patch them to make sure the patch was applied successfully?
For companies looking to ensure their team focuses on threat hunting and other high-value tasks, vulnerability scanning is a task that can be easily outsourced. When taking this route, it is important to get a service level agreement (SLA) from the vendor partner for your vulnerability management program. The SLA should state how quickly a scan will detect a newly disclosed vulnerability (within 10 or 14 days, for example).
The SLA will also state how quickly patches are applied and, most importantly, that the right vulnerabilities are patched first. You could have a vendor scan for vulnerabilities on a weekly basis and throw the resulting report over the wall to the ops team, but that doesn’t bring value. You want a partner that can scan vulnerabilities, identify the ones that are the riskiest for your environment and patch them.
However, you can also run this in-house. Some companies I work with have an internal vulnerability management program. One team scans the network environment, and another team patches the test and development (Dev) environments first, then patches production (Prod) after figuring out what the patches break. Remember, patching typically breaks things, so make sure you patch your test and Dev environments first, figure out what broke, get that fix applied and then you can safely patch Prod.
Finally, regularly scan your assets for vulnerabilities, whether this be weekly or monthly. Feed that information into a risk management system to prioritize the patching process.
Risk Management System
It is important to be able to assign values to your assets so that you know what to focus on first in terms of patching. You likely have a customer service portal with important data on it, but it’s not as critical to your daily or weekly revenue as the web portal that takes orders and processes payments. The risk and impact on your business are going to be different if the customer service portal goes down compared to the sales portal.
Your ASM tool should be an integral part of your risk-based decision process. The risks to your business from cloud misconfigurations, shadow IT, SaaS and supply chain vendors need to be integrated and centralized with your ASM tool so that your security team can prioritize remediation efforts.
Workflow Integration
The last type of tool that you want to include as part of your ASM program is a workflow integration tool. You don’t want to use a manual process to kick off a service ticket for patching an asset that has a vulnerability. Look for an ASM tool that can integrate with your existing ticketing system so that the workflow is automated as much as possible. As we all know by now, automating mundane workflow tasks is a great way to increase efficiency and ensure effectiveness each time those tasks are completed.
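The risk management and workflow integration sections above describe a pipeline: join the asset inventory with scan findings, rank findings by business impact and severity, flag anything the scanner caught later than the SLA allows, and hand the result to the ticketing system rather than filing tickets by hand. The following is an added example of that pipeline, not the author's code and not any vendor's ASM product. The inventory, findings, hostnames, vulnerability IDs, dates and ticket fields are all constructed sample data; the 14-day detection SLA and the daily inventory refresh are the figures the article gives.

```python
"""Risk-ranked remediation queue for an ASM program.

Added example, not the author's or any vendor's code. It joins a constructed
asset inventory with constructed vulnerability scan findings, scores each
finding by asset criticality x severity, flags findings the scanner detected
later than the SLA allows, reports inventory gaps, and turns the ranked items
into payloads for a hypothetical ticketing system. All hostnames,
vulnerability IDs and dates are made up; the 14-day SLA and daily inventory
refresh come from the article.
"""
from datetime import date

# Constructed inventory: criticality is the business-impact value (1-5) the
# article says you must assign; the revenue-bearing sales portal ranks highest.
INVENTORY = {
    "sales-portal.example.com": {"criticality": 5, "owner": "ecommerce",        "last_seen": date(2024, 6, 2)},
    "support.example.com":      {"criticality": 3, "owner": "customer-service", "last_seen": date(2024, 6, 2)},
    "legacy-ftp.example.com":   {"criticality": 2, "owner": "unknown",          "last_seen": date(2024, 5, 20)},
}

# Constructed scan findings: 'published' is the public disclosure date,
# 'detected' is when a scan first reported it. Vulnerability IDs are placeholders.
FINDINGS = [
    {"asset": "support.example.com",      "vuln_id": "VULN-PLACEHOLDER-1", "severity": 9.8,
     "published": date(2024, 5, 1),  "detected": date(2024, 5, 6)},
    {"asset": "sales-portal.example.com", "vuln_id": "VULN-PLACEHOLDER-2", "severity": 7.5,
     "published": date(2024, 5, 10), "detected": date(2024, 5, 30)},
    {"asset": "legacy-ftp.example.com",   "vuln_id": "VULN-PLACEHOLDER-3", "severity": 5.3,
     "published": date(2024, 4, 1),  "detected": date(2024, 4, 5)},
    # Scanned host that is missing from the inventory: a shadow-IT / inventory gap.
    {"asset": "unknown-host.example.com", "vuln_id": "VULN-PLACEHOLDER-4", "severity": 6.1,
     "published": date(2024, 5, 15), "detected": date(2024, 5, 20)},
]

SLA_DETECTION_DAYS = 14      # "within 10 or 14 days", per the article
INVENTORY_MAX_AGE_DAYS = 1   # the inventory should be refreshed daily
TODAY = date(2024, 6, 3)     # constructed as-of date so the example is deterministic


def risk_score(criticality, severity):
    """Business impact x technical severity; the ordering key for patching."""
    return criticality * severity


def stale_assets(inventory, today=TODAY):
    """Assets the inventory has not confirmed within the refresh window."""
    return sorted(name for name, a in inventory.items()
                  if (today - a["last_seen"]).days > INVENTORY_MAX_AGE_DAYS)


def prioritize(findings, inventory, sla_days=SLA_DETECTION_DAYS):
    """Return (ranked findings, assets seen by the scanner but absent from inventory)."""
    ranked, unknown = [], set()
    for f in findings:
        asset = inventory.get(f["asset"])
        if asset is None:
            unknown.add(f["asset"])
            continue
        lag = (f["detected"] - f["published"]).days
        ranked.append({
            "asset": f["asset"],
            "vuln_id": f["vuln_id"],
            "owner": asset["owner"],
            "risk": risk_score(asset["criticality"], f["severity"]),
            "detection_lag_days": lag,
            "sla_breached": lag > sla_days,
        })
    # Highest risk first; among equal risk, the finding that sat undetected longest.
    ranked.sort(key=lambda r: (-r["risk"], -r["detection_lag_days"]))
    return ranked, sorted(unknown)


def ticket_payload(item):
    """Map a ranked finding onto a hypothetical ticketing-system payload."""
    priority = "P1" if item["risk"] >= 30 else "P2" if item["risk"] >= 15 else "P3"
    title = f"Patch {item['vuln_id']} on {item['asset']}"
    if item["sla_breached"]:
        title = "[SLA breach] " + title
    return {"title": title, "priority": priority, "assignee_group": item["owner"],
            "risk_score": item["risk"]}


if __name__ == "__main__":
    ranked, unknown = prioritize(FINDINGS, INVENTORY)
    for item in ranked:
        print(ticket_payload(item))
    print("not in inventory:", unknown)
    print("stale inventory entries:", stale_assets(INVENTORY))
```

Run as-is, the sales portal's medium-severity finding outranks the support portal's critical one because business impact is part of the score, the sales-portal finding is also marked as an SLA breach (20 days from disclosure to detection), the host the scanner saw but the inventory does not know about is reported separately, and the FTP server that has not been confirmed in two weeks shows up as a stale inventory entry. The priority thresholds and ticket fields are assumptions to be replaced with whatever your ticketing system expects.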
In Conclusion
This might feel like a daunting task, but the risk to your business is higher if you do not know what assets you have, where they reside and what vulnerabilities they have. You need to quantify the risk so you and the board can make an informed decision. With the right ASM tools, you can find, evaluate and assess the risk to your organization and mitigate that risk in an automated and orchestrated fashion.