CISO’s Guide to Attack Surface Management (ASM)

CISOs have a vast array of responsibilities, including identifying and protecting against current threats as well as being prepared for the threats of the future. From a perimeter security perspective, knowing what is visible to an external attacker is one of the primary challenges. 

In one of our previous blog ‘Redefining Assets – A Modern Perspective’, we discussed how the definition of assets have evolved over time and now consists of many tangible as well as intangible resources, such as IPs, Subdomains, Social Media, Code Repositories, etc. Any public entity which holds the data of the organisation (or it’s clients) is part of the asset list and hence adds up to the potential attack surface. Dynamic DevOps environments and Cloud-based resources add to the already challenging problem of continuously identifying and securing the perimeter.

One can only protect what is known and that’s why Asset Management is an important aspect of Information Security.

Based on the discovered assets, the security team can classify them based on business criticality and plan to implement appropriate detective & preventive controls.

– Amol Naik (CISO, Unacademy)

Having a continuous Attack Surface Management (ASM) program is a must to keep a track of the ever-changing threat landscape and be able to efficiently reduce the risk. Ultimately, you can only protect what you see, and continuous discovery and monitoring provide you that visibility.

Types of Asset:

As discussed earlier, the definition of an asset is now broader than a decade ago. Anything that is helping the business currently to generate revenue or to perform its operational activities can be considered an asset to the company. New categories have been added and must be considered under the asset management program as a potential attack surface. Some of the primary asset categories to be considered are:

• Hardware: Routers, Switches, Workstations, etc.
• Virtual Resources: IP addresses, Subdomains, etc.
• Public Presence: Social Media Accounts, Public Code Repositories, etc.
• Cloud Resources: Storage Buckets, Serverless Functions, etc. 

Use case of an Attack Surface Management Program

Continuously discovering assets, monitoring their security posture and data leakage should be an important part of CISOs’ security roadmap. Without having a list of assets there will be no clear visibility to manage perimeter security. Primary reasons to have an attack surface management program are:

• Visibility: You can only manage what you see. Having a clear picture of your assets will help you organize and prioritize your actions.  
• Security and Compliance: Having a list of assets (including the ones you never knew existed) would help in managing their security and maintaining compliance requirements.
• License/Update Management: Managing expired licenses, outdated software version, and end of life support would also become easy once you know what is where and map them with your software inventory.
• Identify Process Level Gaps: A historic comparison around the number of assets can help a CISO understand the major shifts in the perimeter of the organization. For example, a substantial rise or descend of the attack surface could signify a new acquisition, a newly introduced process, or maybe a new security group is introduced.

How to discover assets?

Before we discuss how to discover assets, let’s note down some of the primary sources of assets:

• Distributed Development Teams: Development environments are becoming more and more dynamic with a lot of assets including IPs, Subdomains, Servers, Code-Repos, being deployed by the distributed teams to run and test the code.
• Infrastructure and Operation Teams: Infrastructure and Operation teams deploy multiple assets to support the tasks of other teams.
• Automatic DevOps Deployment: With rapid DevOps cycles and Cloud cloud-based deployments, multiple resources such as cloud servers, storage, IPs, domains/subdomains are rapidly deployed, mostly automatically.
• Sales and Marketing: Multiple assets such as company domain, website server, social media accounts, demo servers, promotional websites, etc. are frequently used by sales and marketing teams.

Internal teams can directly ask other teams to provide the list of assets they create(d). However, quite often, due to the dynamic nature of asset creation, it is advised to have an asset discovery and management process in place. In this program, known assets can be managed and new assets can be continuously discovered to maintain a comprehensive list.

Twitter Poll: How to set up an Attack Surface Management Program

As seen from our twitter poll, most of the organization still rely on Open Source Tools for Asset Discovery. Here is a list of pros and cons of implementing different kind of Attack Surface Management programs:

Pros and Cons of a Different Kind of Attack Surface Management Programs

CISOs ultimately need better visibility and actionable data to make informed decisions. Also, some solutions focus too much on technology, instead of considering the business problem they are trying to solve. While implementing/choosing an Attack Surface Management program the following factors must be considered, so that a holistic solution can be put in place, instead of just another dashboard:

• Discovery Comprehensiveness: What all does the program consider as an asset (only web or other protocols), how detailed is the discovery process, does it include resources such as social presence, associated assets, acquisitions/mergers, cloud infrastructure, legacy systems, code repositories, leaks, etc. as an asset or asset source.
• Less Noise: Nothing is more frustrating than going through tonnes of information and filtering out the useful items. An Attack Surface Management program should give you accurate information and least noise (ideally ZERO) so that you spend your time on prioritizing/tracking assets rather than removing the un-related entries.
• Actionable Insights: Does the program simply provide data or provides actionable information.
• Interaction, Usage, and Communication: What options are available for interacting with the program, how much effort does it require for a new user to get familiar and start producing results using the program.
• Cloud Asset Extraction: Is the program able to extract assets from different cloud platforms.
• Asset Ownership: How the program helps in defining and managing asset ownership.
• Asset Tagging: Does the program allow for tagging assets for easy searching and categorization.
• Custom Additions and Management: Is there a provision to manually add/remove assets and label them as well as how easy it is to manage/review asset lists and take actions. 
• Team Collaboration: Is there a provision for security and other teams to collaborate,
• Integration Options: Is it possible to integrate the program or its results with the available portals, issue tracking/communication platforms, DevOps toolchain such as Jira, Slack, HipChat, Jenkins, etc.
• Scalability: Will the program be able to scale as per the current/future size of the perimeter. 
• Continuous: Can the program run periodically with zero to low user interaction and effectively communicate the outcomes.

Conclusion:

There is no doubt that an Attack Surface Management program can deliver the visibility required by a CISO for perimeter security. Choosing such a program can be a tedious task and comes with its own challenges but considering the above-mentioned points will help CISOs to make an informed decision. CISOs need to consider the dynamic and evolving nature of the perimeter and be proactive to choose a framework that integrates well with the organization’s existing security suite and sits well with the business strategy.