What is attack surface management and why is it important?

Strengthening security

Attack surface management is a core component of any cybersecurity strategy. By proactively identifying and mitigating vulnerabilities, organizations can dramatically reduce the risk that an adversary will be able to access their critical digital assets.

However, it is vital to understand that attack surface management is not a one-time event. IT environments are highly dynamic, with old hardware, systems and applications being replaced by different ones, and entirely new software and services being deployed. Meanwhile, threat actors are constantly developing new tools and techniques, and the workforce is adopting new technologies and methodologies. Accordingly, to truly strengthen security, ASM needs to be a continuous process.

Ensuring compliance

Organizations today have to comply with a wide variety of strict industry regulations and national and local mandates, including modern data protection and data privacy laws. These security standards obviously vary in their focus and specific requirements, such as which sectors they cover and what types of information they are focused on securing.

Nevertheless, all of them share some core principles. One of the most fundamental is that organizations have a responsibility to implement appropriate controls to reduce risk to critical systems and regulated information.

An effective attack surface management will help organizations understand their vulnerabilities and implement effective controls to mitigate them — controls they can demonstrate during security audits. Moreover, it helps organizations prevent breaches of the personal health information (PHI), financial transactions, personally identifiable information (PII) or other regulated data they store and process, which in turn enables them to avoid steep fines and increased oversight from regulators.

Qualifying for cyber insurance

Not long ago, cyber risk insurance was readily available to any organization that wanted it. But the growing number of costly cyberattacks, especially ransomware, meant that insurance companies ended up having to pay out on huge claims.

As a result, insurers now often require organizations to have specific types of security controls in place in order to qualify for a cyber risk insurance policy. And the controls that organizations implement as part of their ASM strategy will often tick a lot of those boxes.

What’s more, while certain basic controls may be required to qualify for any policy at all, taking attack surface management seriously can enable you to exceed those minimums and demonstrate a more mature security posture. As a result, you might be able to reduce your premiums and qualify for better policies that provide more coverage.

Reducing IT workload and costs

Organizations have been dealing with a global shortage of IT professionals for some time. In recent years, that problem is being compounded by the retirement of large numbers of skilled security pros, especially in critical areas like Active Directory management.

Attack surface management can help. Reducing and managing your attack surface means fewer alerts for your security operations center to prioritize and investigate. Stable, reliable ASM processes, especially with proper automation, further reduce the burden on your limited IT resources. Moreover, IT professionals relish getting out of fire-fighting mode and will be more interested in joining and staying with your organization when proper security controls are in place to make their lives easier.

Attack surface management has long been vital for security, cyber resilience and compliance. It is also important for qualifying for cyber insurance and reducing the burden on your hard-to-find IT professionals.

But comprehensive ASM is more necessary than ever, for two key reasons.

First, the attack surface you need to manage is expanding. Key factors behind this expansion include digital transformation, migration to cloud technologies, and the explosion of remote and hybrid work. Organizations today simply have a much larger physical and digital footprint than ever before. In fact, even small organizations can have a large attack surface. 

Second, your attack surface is rapidly changing. Modern IT ecosystems are highly distributed and highly dynamic; new technologies are constantly being introduced and new assets are connecting to the network every day. It is amazingly easy for IT teams and business users alike to deploy new SaaS platforms or even spin up new cloud instances.

It’s no wonder that Gartner names attack surface expansion as the #1 cybersecurity trend for 2022, and the closely related trend “threat exposure management” tops its list of top trends in cybersecurity for 2023.

The core five functions in attack surface management are:

• Asset discovery — The foundation of attack surface management is gaining a comprehensive understanding of the attack surface. Indeed, inventory and control of enterprise assets tops the list of CIS Critical Controls. This function includes identifying all hardware, software and services and mapping their interdependencies. It is important to document all applicable details, such as the asset’s purpose, owner, current users, connections to other assets, IP address, vendor, version, compliance requirements and value to the organization.
• Vulnerability assessment — A second core function is to regularly identify vulnerabilities, evaluate their potential impact on the organization's security posture and assess the likelihood of their exploitation by adversaries.
• Risk prioritization — It’s almost always impossible to mitigate all identified vulnerabilities, but the truth is, not all components of the attack surface are equally important. Risk prioritization is the process of determining where to focus your limited budget and effort to defend against cyberattacks most effectively.
• Mitigation or remediation — This function involves taking steps to reduce and manage your attack surface, based on your risk prioritization. Some initial actions are simple, such as closing a vulnerable port. But true mitigation involves implementing controls and solutions that address vulnerabilities in a systematic, ongoing way. For example, you don’t merely install this month’s Patch Tuesday fixes; you establish a reliable process for timely patch management into the future.
• Monitoring — It’s also critical to monitor the attack surface for changes that could increase risk. This includes the deployment of new hardware, software and services. It also includes regular scanning of devices for outdated or unpatched software.

An enterprise-quality Active Directory security tool can help you implement all five of these core functions effectively and efficiently.

A great way to approach attack surface management — like virtually any area of cybersecurity — is to leverage a cyber resilience framework like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

For years, organizations around the world have structured their cybersecurity strategies around the five functions (pillars) of the NIST CSF: Identify, Protect, Detect, Respond and Recover. NIST CSF 2.0  adds a sixth pillar, Govern, which is foundational function that informs and supports all the other five pillars.

These six functions provide an excellent framework for building a robust attack surface management strategy:

Identify and Protect

The foundation of attack surface management is attack surface analysis and attack surface reduction. These strategies map closely to the Identify and Protect functions of the NIST CSF.

The goal here is to thoroughly understand your attack surface and implement controls to minimize it. In other words, you want to block attackers from breaching your network in the first place, as well as prevent malicious insiders or other adversaries inside your network from accessing sensitive data and systems.

Achieving these goals requires a defense-in-depth approach. Key best practices to implement include the following:

• Regularly inventory your IT estate, including hardware, software and user accounts, analyze the results, and remove any devices, accounts, applications and other assets that you don’t need.
• Perform regular vulnerability assessments and penetration testing. Ethical hacking professionals can discover important weaknesses that internal security experts might miss. Analyze and mitigate discovered issues promptly.
• Strictly enforce the principle of least privilege for all accounts. Key best practices include using role-based access control (RBAC) to make permission provisioning easier and more accurate, as well as requiring regular access review and attestation by asset owners.
• Mandate that administrative accounts can be used only on hardened privileged access workstations (PAWs). This security policy prevents powerful credentials from ever being left in memory on less-secure endpoint devices for adversaries to harvest and abuse.
• Ensure that applications, devices and systems are securely configured, are supported by their vendors and kept up to date on patches.
• Use strong passwords for all accounts and regularly check for use of leaked passwords. When appropriate, require multifactor authentication (MFA). To protect service accounts, use sMSAs or gMSAs.
• Encrypt data both at rest and in motion, so that even if unauthorized individuals manage to access it, they cannot read it.
• Block traffic from IP addresses that are known to be malicious, and potentially even from IP addresses in regions where you do not conduct business.
• Pay particular attention to internet-facing assets and implement controls such as web application firewalls. In addition, use network segmentation to prevent hackers who breach one zone from moving laterally into other areas.
• Proactively identify attack paths that can enable an adversary to gain control of your environment in just a handful of steps, and then pinpoint and mitigate their choke points.
• Provide comprehensive security awareness training to employees on a regular basis. Be sure to cover social-engineering methods and other common attack techniques, as well as explain how to both identify and report suspicious activity. Ideally, complement this security training with testing, such as sending test phishing emails and seeing who reports them and who falls for them.

Detect, Respond and Recover

A comprehensive attack surface management solution must also continuously monitor the attack surface for changes that could increase risk or introduce new risks. Organizations also need to be prepared for the likelihood that some attacks will get through by building robust response and recovery strategies.

Important best practices in this area include the following:

• Constantly monitor for vulnerabilities. Core controls include regularly scanning devices for outdated or unpatched software and checking systems for drift away from their baseline secure configurations.
• Leverage open-source and commercial threat intelligence feeds to stay abreast of current and emerging attack techniques, indicators of compromise (IoCs), threat actors and other factors that could impact your security posture.
• Audit Active Directory and other key systems. In particular, closely monitor any attack paths that you have not yet mitigated, since they provide attackers with a quick route to full control of your domain.
• Watch for suspicious activity using intrusion detection, change management and insider threat detection solutions. Pair these controls with a detailed incident response plan that you test regularly.
• Create redundant backups and store them on a hardened, isolated server to protect the backups from ransomware and other threats. Use a dedicated Active Directory backup solution that provides multiple backup options, including backups that minimize the risk of re-infection during recovery from ransomware.
• Establish a comprehensive disaster recovery strategy so you can get your business back up and running as quickly as possible in a worst-case scenario.

Govern

NIST 2.0 highlights the need for strong governance. This foundational function helps organization establish and monitor their security risk management strategy, expectations and policies. It is also a core element of a modern Zero Trust security model.

Governance informs and supports the other five pillars of the NIST CSF. Key areas to focus on include the following:

• Cyber resilience
• Identity governance and administration (IGA)
• Privileged access governance
• Identity and access attestation
• Data governance
• Data backup and recovery
• Endpoint security
• Active Directory management
  

The key to improving attack surface management is to approach it as part of a comprehensive cybersecurity risk management strategy that covers all the pillars of the NIST CSF.

Indeed, many organizations today are choosing to work with a select set of vendors to establish a cybersecurity mesh architecture  (CSMA) — an ecosystem of integrated tools and controls that enables a strong and consistent security posture across their complex, distributed IT environments. For Microsoft-based environments, a CSMA must include a robust Active Directory security tool in its identity fabric.

Quest offers a broad, integrated Active Directory security portfolio that empowers organizations to build a comprehensive defense-in-depth strategy while reducing complexity and simplifying operations. For learning more, please visit our cybersecurity risk management solutions.