ASM: The Best Defense is a Good Offense

About 10 years ago, security was relatively simple because everything occurred on premises. Change releases were tightly controlled by a change ticket and review process. In contrast, current networks consist of auto-scaling containers that run in Kubernetes clusters and even serverless clusters like AWS Lambda. We have transitioned from constrained environments that humans closely scrutinized to dynamic environments wherein we simply must trust the build process. Now, as security executives, we often feel two steps behind, constantly waiting for something horrible to occur despite our best defenses.

Praetorian’s mission is to make a dent in this security problem and give defenders a fighting chance, and the trick is this: organizations must shift to play offense as well as defense. That is where Attack Surface Management (ASM) comes into play. Through a continuous process of discovering, analyzing, remediating, and monitoring cybersecurity vulnerabilities and potential attack vectors, organizations can present the smallest attack surface possible.

Three Problems, One Solution

We currently see three overarching problems as the migration to cloud-based networks introduces new types of risk. First, diffuse responsibility for controlling security groups and IP addresses increases the ease with which an inexperienced programmer can misconfigure something and expose a service to the internet and AWS. Additionally, developers now write more code and build more services, which increases the likelihood of code deployment before security is aware of its existence. Finally, the lack of centralization and rate of change combine to make ownership murky, thereby significantly complicating any attempt to respond to a security incident.

While security teams grapple with the added complexity of this dynamic environment, attackers are taking advantage by automating their offensive cyber attacks faster than we have seen before. Whereas before an attacker’s “way in” to an organization was via the human element, the widespread adoption of multi-factor authentication (MFA) has complicated that approach. Now, they have shifted to attacking internet-exposed systems to gain a foothold for lateral movement within an organization’s other systems. The best response to this change in tactics is to go on the offensive: we need to adopt continuous ASM so we can find and patch our vulnerabilities faster than malicious actors can exploit them automatically.

The Holy Grail: When Business and Security Priorities Align

Security leaders who want to be successful need to think of their role in terms of enabling the business by allowing it to operate in a secure manner. This is an important concept, particularly for those of us who enjoy technology, because our role is not to find the latest whiz-bang solution or a magic bullet for security. It is to honestly assess where our organization is on a security maturity scale and, if mature, whether we can actually act to mitigate a security vulnerability. It is to understand where our security programs can gain the most value for the least amount of money. This is considering security through a business lens, and it is likely to gain us support with our Boards of Directors.

From a business perspective, an actionable approach like continuous ASM is incredibly appealing. Incorporated successfully, it can help our organizations find and mitigate vulnerabilities before malicious actors do. It also has a better ROI than the financial (and human resources) cost of spot checks that only provide a snapshot of an organization’s security posture. Fortunately, ASM also is a solid, actionable solution from a security perspective. When we can enumerate exposures, catch vulnerabilities, and see when an attacker has attempted to establish a foothold, we are no longer just on the defensive. We’re playing offense.

Getting Started with ASM

The world of ASM really is a continuum, with solutions falling between full automation (SaaS-based) and integrated managed services (human partners at the ASM provider). Keeping in mind that we should not let perfect be the enemy of better, this is where that business lens comes in handy. Where along the continuum will your organization derive the most added value?

Perhaps the best answer for your current program maturity is to plug your domain into a fully automated ASM solution, integrate your cloud, and let that system enumerate all your exposed assets. Then you would take that list and go fix your vulnerabilities. Would there be gaps? Probably. But would this materially lower your risk? Almost certainly, and far more than it would be lowered without any ASM whatsoever.

Alternatively, perhaps your organization is on the mature side and the added value that you need at this juncture is a team of trusted partners from your ASM provider to help with both finding and fixing vulnerabilities. This is a more robust solution, if your security program is at the right maturity level. Regardless, though, the measurement of efficacy should be vulnerabilities fixed, not just vulnerabilities found.

ASM Is a Commitment

Measuring success in terms of vulnerabilities-fixed shifts ASM from a “plug and play” solution and instead emphasizes the fact that it is a program. It is a commitment not just to spend money for a report or a tool, but to act on what it tells us. The return on investment for ASM is in what happens after it discovers a vulnerability. That is the start of the process, because the only time an organization derives value from knowing about a vulnerability before exploitation is when that vulnerability disappears before an attacker finds it. That is what makes ASM an actionable, offensive solution to the dynamic security environment that is unfolding.

An organization that wants to commit to ASM as an offensive programmatic solution must have buy-in from its business leaders and security leaders. They all need to agree that this approach will have the greatest potential return on investment. Successful implementation will depend on what the organization chooses to measure, so KPIs should be well-designed. “I will fix all vulnerabilities I find within X hours of knowing about them,” and “I will reduce X to X/2 over the course of three quarters” both are specific, measurable KPIs that focus the organization on fixing vulnerabilities rather than just finding them.
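To make those two KPIs concrete, here is an added example (not Praetorian's code or tooling) that scores a constructed list of ASM findings against an assumed 72-hour fix SLA and a "halve the open exposures" target between two dates; the finding data, the SLA value and the function names are all assumptions for illustration:

```python
from datetime import datetime

# Constructed sample findings; not data from the article. "found" is when the
# ASM process discovered the exposure, "fixed" is when it was remediated
# (None means still open). Timestamps are ISO 8601, UTC assumed.
FINDINGS = [
    {"id": "f1", "found": "2023-01-02T09:00", "fixed": "2023-01-03T10:00"},
    {"id": "f2", "found": "2023-01-05T12:00", "fixed": "2023-02-14T12:00"},
    {"id": "f3", "found": "2023-01-08T08:00", "fixed": "2023-01-09T08:00"},
    {"id": "f4", "found": "2023-01-10T00:00", "fixed": "2023-03-28T00:00"},
    {"id": "f5", "found": "2023-01-12T00:00", "fixed": None},
    {"id": "f6", "found": "2023-01-14T00:00", "fixed": "2023-03-30T00:00"},
    {"id": "f7", "found": "2023-03-31T08:00", "fixed": None},
]

def _ts(value):
    return datetime.fromisoformat(value) if value else None

def hours_to_fix(finding):
    """Hours from discovery to remediation, or None while still open."""
    if finding["fixed"] is None:
        return None
    return (_ts(finding["fixed"]) - _ts(finding["found"])).total_seconds() / 3600

def sla_hit_rate(findings, sla_hours, now):
    """KPI 1: share of due findings fixed within sla_hours of discovery. An open
    finding older than the SLA is a miss; one still inside its window is not yet
    due and is left out of the denominator."""
    now = _ts(now)
    hits = due = 0
    for f in findings:
        h = hours_to_fix(f)
        age = (now - _ts(f["found"])).total_seconds() / 3600
        if h is None and age <= sla_hours:
            continue  # open, but not yet due
        due += 1
        hits += h is not None and h <= sla_hours
    return hits / due if due else 1.0

def open_count_at(findings, when):
    """Number of findings already discovered and still unfixed at `when`."""
    when = _ts(when)
    return sum(
        1 for f in findings
        if _ts(f["found"]) <= when and (_ts(f["fixed"]) is None or _ts(f["fixed"]) > when)
    )

def halving_target_met(findings, start, end):
    """KPI 2: open exposures at `end` are at most half of those at `start`."""
    return open_count_at(findings, end) <= open_count_at(findings, start) / 2
```

Both KPIs are computed from the same finding records, so the "found" count never improves the score on its own; only closing findings moves either number.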

Ultimately, ASM will give you a preemptive response plan so that when a global vulnerability like Log4J occurs you already understand your vulnerabilities and have an established process for fixing them. In particular, an ASM provider on the managed service end of the continuum can be a partner that rallies around your organization so you can respond intentionally according to your particular business priorities and risk tolerance. After all, the human element can make all the difference when you’re playing offense.

This article captures key thoughts the author expressed during his guest appearance on the CISOTradecraft podcast on January 17, 2023. For more of that discussion, be sure to check out the recording here.


About the Authors

Richard Ford

Dr. Richard Ford is the Chief Technology Officer of Praetorian. He has over 25 years of experience in computer security, working with both offensive and defensive technology solutions.
