According to recently published ESG research, just over half of all organizations (52%) say security operations are more difficult today than they were two years ago. When asked why, 41% indicated an evolving and dangerous threat landscape, 38% identified a growing and changing attack surface, 37% said the volume and complexity of alerts were the source of this change, and 34% blamed the growing use of public cloud services.
Today, most of these challenges are déjà vu all over again, impacting security teams year after year. There is one exception, however: the growing attack surface. Granted, the attack surface has grown steadily since we all started using Mosaic browsers, but things have really taken off in the last few years. Blame Amazon, COVID or digital transformation, but organizations are connecting IT systems to third parties, supporting remote workers, developing cloud-native apps and using SaaS services in record numbers. When you take all of these factors into consideration, enterprise organizations typically use tens of thousands of internet-accessible assets.
Addressing Attack Surface Challenges
Yes, a growing attack surface is about to upset the old apple cart of security operations, but what effect is that really having? ESG asked 376 security professionals this question. Respondents cited five challenges presented by the growing attack surface.
- Requires a deeper relationship with developers. This response reflects a gap between software development and security as organizations develop more cloud-native applications and continually push new features to production applications. Are they using serverless functions? Connecting to insecure APIs? Leaving sensitive data in open S3 buckets? In many cases, security teams don’t know the answers to these questions. Cloud Security Posture Management (CSPM) can help, but these tools aren’t ubiquitous and can be hoarded by cloud development groups. Closing the gap between security and developers should be a priority for all CISOs.
- Leads to a reassessment of current tools and processes. This is another common bugaboo that continues to plague security ops teams. To discover and manage the attack surface, organizations tend to start with existing tools – asset management systems, vulnerability scanners, log management, CSPM, etc. They quickly realize that gathering data from disparate systems can take forever – 43% of organizations claim it takes more than 80 hours to complete a full attack surface inventory. Since the data comes from multiple systems, someone has to verify the results, which leads to overhead and human error. The result? Sixty-nine percent of organizations say they experienced a cyber incident due to an unknown, unmanaged, or mismanaged attack surface asset.
- Increases the volume of vulnerabilities and associated patch cycles. It’s a simple calculation. More assets = more vulnerabilities = more patch cycles. Some organizations have the processes and resources to keep up; many do not.
- Slows down security investigations and response actions. In this case, security analysts may not have access to all the data they need and end up hunting for it across different data sources. This contributes to the frequency of security incidents described above, since dwell time is extended while analysts try to figure things out. It’s also likely that incident response actions are incomplete, as security and IT teams patch some systems but miss the full scope of an attack on their amorphous attack surface.
- Causes visibility gaps. The growing attack surface creates visibility blind spots, a nightmare for security analysts. As the tired but accurate security truism puts it, “You can’t manage what you can’t measure.”
These and other issues have drawn attention to enterprise attack surface management as CISOs realize that these challenges can lead to damaging cyberattacks. The industry has responded in kind with a dizzying pace of M&A activity: Darktrace picked up Cybersprint, IBM picked up Randori, Mandiant acquired Intrigue, Microsoft picked up RiskIQ, Palo Alto Networks bought Expanse Networks and Tenable bought Bit Discovery. VC-backed startups like CyCognito, Cyberpion, and UpGuard, as well as third-party risk management vendors like BitSight and SecurityScorecard, are also playing in this space.
Five years ago, few companies talked about attack surface management, but times have changed and it is now an enterprise security requirement. Ignore attack surface management at your peril.
Copyright © 2022 IDG Communications, Inc.