In the natural world, if an animal isn’t able to outrun, fight, or hide from hungry predators, then it needs a creative defense mechanism or risk extinction. Take the pangolin, for instance. It’s a curious animal that protects itself by rolling up into a nearly impenetrable, scaly ball when it senses danger. Not bad!
In today’s information security world, the vast majority of corporate security teams are woefully outmatched by attackers. Attackers are hungry for the financial information, intellectual property, and customer data that can be monetized easily. There’s an inexhaustible supply of new exploitable vulnerabilities an attacker can target and new malware kits that are easy to obtain. In contrast, the security team is bogged down big time by slow, bloated processes for firewall management, vulnerability management, change management, threat management. The processes themselves could be useful in preventing attacks or limiting the damage. If they could keep up. But they don’t.
As networks and threats have become more advanced, these security processes have become mostly ineffective fin controlling the risk of attack. Firewall changes take place without proper risk assessment, because bloated rule sets are too unwieldy to analyze. Vulnerability scans are done once a month or less(!), leaving exploitable vulnerabilities open far too long. Identifying a relevant threat and responding can take days. Meanwhile an attacker is in, out, and selling your precious data in hours. In this mismatched battle, attackers win.
Rather than give up, security managers can take a cue from the pangolin and find ways to minimize attack vectors available to potential attackers. That is, reduce the attack surface. The attack surface grows as more access points, vulnerabilities, and exploits are available to be used in an attack. The attack surface shrinks when you segment network zones for minimum access, block high risk vulnerabilities, and make sure security controls and policies are constantly effective. Practically speaking, in order to shrink the attack surface, you have to first understand it. Attackers gather information and deduce the best methods of attack against your organization. Do you?
At Skybox, we believe that it takes a combination of network visibility and endpoint visibility to get an accurate picture of the attack surface. Network visibility is gained through information about network topology, segmentation, and connectivity paths, giving you great visibility of all point-to-point access paths. Endpoint visibility comes from detailed information about the configurations and vulnerabilities of all servers, desktops, and mobile devices.
Combining the two gives the much-needed context for security decision-making that security analysts recommend. Add simulation of possible attacks, and integration and automation with operational processes, and you can automatically identify potential attack vectors very quickly.
Those security processes mentioned above – firewall and vulnerability management and more – all benefit when an accurate picture of the attack surface is available and integrated with the data analysis, risk based prioritization, and remediation planning. False positives go down, and priority is given to the right risks. What’s more, reaction time improves by an order of magnitude or more through automated resolution of challenging security questions such as:
Q: Should we allow this firewall rule change?
A: It adds a new high risk attack vector, so block the change.
Q: Should we patch this newly announced vulnerability?
A: There are no attack vectors that could make use of it, so no need to patch until the regularly scheduled update cycle.
Using the knowledge of an organization’s attack surface makes existing security management processes more effective, and leads to faster and more targeted response to security issues. Fast remediation of the right risks, in turn, reduces the attack surface and keeps it in control.