Attack Surface Management for Overworked Security Teams

Using Automation to Manage Your Attack Surface

Security teams in all organizations struggle to stay ahead of cybercriminals and their daily assaults on company infrastructures. Even so, small to mid-market organizations have it particularly tough.

To begin with, they lack the resources of their enterprise-sized counterparts. Budgets are much tighter, and not expected to increase anytime soon. At the same time, smaller organizations are large enough to present a sufficient set of entry points for cybercriminals to infiltrate and do serious damage.

According to research by Accenture, 40 percent of security breaches originate from indirect attacks against weak links in the supply chain. What’s more, software supply chain attacks increased 650 percent from 2020 to 2021, totaling 12,000, according to a report entitled “2021 State of the Software Supply Chain” by security provider Sonatype. By comparison, only 216 software supply chain attacks were recorded between February 2015 and June 2019, according to that report. And the cost of such attacks is significant, totaling on average $4.46 million, according to the “Cost of a Data Breach Report 2022” from IBM Security.

As a small to midsize organization, you may not be the attackers’ ultimate objective, but that doesn’t mean you aren’t actively targeted. Chronically understaffed, the security teams at nearly every SMB would love to hire another staff member or two to help them carry the burden. But even if they were to attract a candidate, they likely can’t match the higher salaries that an enterprise firm can pay.

Sound familiar?

If you’re in charge of cybersecurity for a company of mid-market size or smaller, we understand what you face: the same problems faced by tens of thousands of your peers.

We have some good news. Team Cymru has developed a tool that can dramatically lessen the strain your team faces and help you significantly improve your cybersecurity readiness without busting your budget. We’ll describe how it works later, but let’s start with examining the everyday strain that nearly all organizations of your size labor to address.

Fingers in the Vulnerability Dike

The old parable about a Dutch boy sticking his finger in a dike to keep the village from flooding is charming enough. But when you’re trying to plug up vulnerabilities in your infrastructure dam to keep out malware, it’s another story. New leaks seem imminent as you learn about one vulnerability after another. You only have so many fingers, and you can’t tell which cracks pose greater hazards than others. All you know is that new common vulnerabilities and exposures are listed daily and you’re expected to stop all of them somehow. It’s a daily scramble to act, but you don’t really have a good idea about whether your actions are needed to begin with, or whether something else should get your attention. You can’t avoid acting, but you also can’t help but feel that at least some of what you’re doing is futile. Worse, you sense that there’s no end in sight.

Not Knowing What You Are Defending

If you’re like most resource-strained security departments, you likely have a dated and probably incomplete understanding of your organization’s assets. A majority of organizations — from my experience, close to 70 percent — took an inventory of their assets with a spreadsheet at some point and updated it from time to time. Perhaps every month or two. Possibly every quarter. Or maybe just once a year. The spreadsheet method is not only a time-consuming exercise, it fails to give you a realistic understanding of what is now referred to as the “attack surface” — the multiplicity of entry points for cybercriminals created by all the assets linked to your organization.

Take shadow IT. Chances are, somewhere in your organization, an individual or a team has set up an application or is using a device that is not listed on your spreadsheet. Nonetheless, it is connected to your infrastructure and, if penetrated, could eventually allow threat actors to reach sensitive data or bring your operations to a halt. But it’s not just shadow IT. A department may have added new endpoints without telling you. Or a remote employee is logging in from an unsecured device that you’re unaware of. These are not just possibilities, they’re probabilities.

Without an automated method of detecting assets, it’s all but impossible for any organization larger than a few people to get an accurate, up-to-date inventory of its assets. We have found that companies switching from spreadsheets to our platform had undercounted their assets by at least 30 percent and as much as 500 percent. Others who use a specific Attack Surface Management tool to understand their external digital landscape have found they had undercounted total assets by an average of 50 percent.

Empty Seats Where Security Experts Should Sit

For years, the industry has bemoaned the lack of trained cybersecurity professionals available to fill job vacancies. The latest estimate is that worldwide, there are 3.5 million fewer security experts than the market requires and about 700,000 fewer than needed in the United States. Hardly a company exists whose leaders think they have an adequately staffed security team.

But the gaps are particularly significant in smaller companies. At an enterprise level, companies have roughly half the number of people they think they need for their cybersecurity needs. At smaller companies, that ratio slips down to 20 percent. So your group might think it needs five people to fully defend itself, but four of the seats where the experts should sit are vacant.

This is not a problem that is going to end anytime soon. As you well know, cybersecurity is not a field that someone can master quickly. It takes years of study and on-the-job training. Even if you are able to land a qualified security expert, that expert is probably not going to stay long. Turnover is high as companies compete for top talent.

Most discouragingly, estimates are that by 2025, the world will still need 3.5 million more security experts than are available.

This is one of the reasons why automation is so critical. Cybercriminals have the advantage of never being short of willing cohorts; theirs is a well-organized and efficient ecosystem with a cast of hundreds versus you, your team, and your defenses. The potential for criminals is a cash windfall far more lucrative than any salary a legitimate organization can match. Only with the assistance that sophisticated platforms can provide will organizations ward off cyberattacks and get a leg up on the threat actors.

And let’s be honest. Even if you had all five seats filled, you wouldn’t be secure by continuing to rely on manual processes. Cybersecurity threats come too fast and too stealthily for human detection and response. Only with the ever-vigilant, never-fatigued assistance of an automated platform can you hope to catch and shut down malware before it starts doing damage.

The Too Many Tools Dilemma

Perhaps your security team has been able to acquire tools to assist your efforts, but you’re finding they’re not helping as much as you expected. One tool doesn’t interface with another, leaving you to manually port the information — an inefficient task that is prone to inaccuracies and gaps. Or you are getting different alerts without an understanding of which to respond to, because you have no context for the warning: Is this a critical function at risk or a trivial one?

The too many tools dilemma is not unique to smaller organizations. Enterprises, too, find themselves struggling to coordinate the multiple applications and platforms they have acquired over the years. With multiple tools, multiple people or departments become assigned to each, causing more data silos and making it tough to monitor and respond as a unified force.

In fact, when Team Cymru surveyed 440 security practitioners in the U.S. and Europe about their current security tools, almost half of them had decided to stop working with the vendor supplying their tools. Because the tools were not integrated with the rest of their infrastructure, were difficult to use, and were weak on automation, they felt the tools were both too costly and ineffective.

Of course, going back to spreadsheets is not the answer. Sure, they may be less expensive, but they still are inadequate for addressing today’s cybersecurity threats. What is needed is a true solution to tool sprawl and clunky tools — an integrated, all-in-one platform to allow security teams to stay on top of their vulnerabilities and manage them accordingly. Think of it as “advanced vulnerability management.”

In fact, this is where the cybersecurity automation industry is headed. We’ll spare you the history of the various methods that vendors have created in an attempt to equip companies with proper defenses. Suffice to say that some vendors now realize that what is needed is a comprehensive program to eliminate the silos, gather all the information in one location, provide context for the attacks, and help security teams prioritize their responses. In a new article, Gartner calls this class of programs “continuous threat exposure management” (CTEM). Here’s how Gartner summarizes the need for this new approach:

“Enterprises fail at reducing their exposure to threats to self-assessment of risks because of unrealistic, siloed and tool-centric approaches. Security and risk management leaders must initiate and mature a continuous threat exposure management program to stay ahead of threats.”

Exactly how does this new kind of platform do so? Let’s look at an example of one: Team Cymru’s Orbit solution.

Comprehensive Vulnerability Data

Team Cymru is unique among cybersecurity companies because of its comprehensive data-gathering methods for assessing vulnerability information on a global scale. We provide threat intelligence to some of the world’s largest organizations by pulling information from sources across the world, always with filtering mechanisms that separate the wheat from the chaff, as it were. In other words, we don’t pass along irrelevant threats or alerts about vulnerabilities. These are vulnerabilities that are based on confirmed malicious activity — there are no false positives.

Vulnerabilities are identified every day, and new information is constantly flowing in regarding existing vulns. Orbit is the automated way for your team to learn about those vulnerabilities in a coherent fashion, rather than the often-haphazard approach many security teams find themselves taking.

Determining What Is Relevant to Your Organization

As we mentioned earlier, today’s cybersecurity experts like to talk about an “attack surface” that each organization presents to cybercriminals. Your external attack surface is composed of all your organization’s assets (and potentially, assets of your business partners, but that’s for another discussion). Your external digital assets are constantly changing in number, and you need an automated system to identify all of them.

Just as importantly, you need to understand the status of each of those assets. Do they have the latest software updates to be less vulnerable against newly identified CVEs? What other parts of your infrastructure are they connected to? Who is using them and are they authorized to do so? Have they exhibited any communications behavior out of the ordinary?

Chances are good that your organization is not aware of all its assets, let alone these important elements of their security status. Orbit uses a proprietary process to discover these assets and then update their status in detail with regularity — typically every two or three days — and shows when each asset was discovered and last scanned. Additionally, you can see other details about its connectivity, vulnerability status, and the like.

Creating Meaningful, Actionable Information

Now we have two key pieces of information: the vulnerabilities that are important to be aware of and the assets you have that may be affected by them. These are combined on a centralized dashboard in detail, with each combination of risk/vulnerability and asset calculated as part of a “total asset risk score.”

The last part of the equation that determines that score is something that you as a member of the corporation must add, which is a customized “business impact” factor. An asset that contains highly valuable proprietary corporate information or private customer data clearly should get the highest rating for the business impact factor. A honeypot that your company has set up to draw away cybercriminals is not of any business impact. Therefore, the total asset risk score is high for the proprietary information asset and low for the honeypot asset. The platform allows you to drill down into the asset and see which environment it is in, among other things, so you can determine on the fly whether you need to take action or not, even if you haven’t had time to determine its business impact factor.
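A toy model of the scoring described above, added here as an illustration and not Orbit’s code (the post does not disclose its formula): confirmed vulnerabilities are joined to discovered assets and weighted by the organization-supplied business impact factor, so the honeypot drops to zero while the proprietary-data asset rises to the top of the queue. The field names, the 0 to 5 impact scale, and the vulnerability identifiers are constructed assumptions.

```python
"""Hypothetical 'total asset risk score' model: confirmed vulnerability
findings joined to an asset inventory and weighted by business impact.
Constructed for illustration; not Orbit's algorithm."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    environment: str       # e.g. "production", "staging", "honeypot"
    business_impact: int   # 0 (none) .. 5 (crown jewels); set by the organization


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str               # constructed identifiers, not real CVE numbers
    severity: float            # 0.0 .. 10.0, CVSS-like scale
    confirmed_malicious: bool  # only findings tied to observed activity count


def asset_risk_score(asset: Asset, vulns: list[Vulnerability]) -> float:
    """Sum of confirmed severities, scaled by business impact (0..5 -> 0..1).
    An impact of 0 (a decoy) zeroes the score no matter how severe the finding."""
    exposure = sum(v.severity for v in vulns if v.confirmed_malicious)
    return round(exposure * asset.business_impact / 5, 2)


def prioritize(assets: list[Asset], findings: dict[str, list[Vulnerability]]):
    """Return (hostname, score, environment) rows, highest risk first."""
    rows = [(a.hostname, asset_risk_score(a, findings.get(a.hostname, [])), a.environment)
            for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory and findings (same finding on the DB and the decoy).
ASSETS = [
    Asset("crm-db-01", "production", 5),
    Asset("build-runner-03", "staging", 2),
    Asset("decoy-ftp-01", "honeypot", 0),
]
FINDINGS = {
    "crm-db-01": [Vulnerability("VULN-1", 9.8, True)],
    "build-runner-03": [Vulnerability("VULN-2", 7.5, True),
                        Vulnerability("VULN-3", 5.0, False)],  # unconfirmed: ignored
    "decoy-ftp-01": [Vulnerability("VULN-1", 9.8, True)],
}

if __name__ == "__main__":
    for host, score, env in prioritize(ASSETS, FINDINGS):
        print(f"{host:16} {env:11} {score:5.2f}")
```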

Because all the information is centralized for everyone to see and share, you can efficiently assign actions to the individuals or groups responsible for a given task.

Keeping Your Executive Team Informed

We mentioned earlier that you likely have a tight budget for cybersecurity, so you’ll want to be able to demonstrate to top executives and your board that any new tool or platform you have purchased is worthwhile. Team Cymru certainly gives you the performance that you’ll need, heading off breaches before they happen and allowing you to work far more efficiently than you could with another person on your team (and likely costing less than that person’s annual salary). But these benefits only go so far in terms of demonstrating the investment value to your C-suite or board of directors.

Orbit also gives you the ability to quickly inform the higher-ups about the status of your company’s security. So now if you get a text message from board members or key executives who are wondering whether a widely reported vulnerability has affected your systems, you can give them a quick answer about where it might have shown up and what actions you took to prevent it from doing damage. Beyond that, Orbit allows you to demonstrate to others in an objective fashion how your cybersecurity posture is improving — how you are more aware of potential risks, better integrating processes, and getting teams to talk to one another thanks to the ready sharing of actionable information.

Team Cymru - visibility into global cyber threats

Team Cymru delivers comprehensive visibility into global cyber threat activity and is a key source of intelligence for many cybersecurity and threat intelligence vendors.