Can Exposure Management Secure the Growing Attack Surface?
As companies accelerate their digital transformation, the infrastructure needed to support it has changed dramatically and grown.
The convergence of IT, cloud, operational technology (OT), and increasingly AI has unlocked unprecedented levels of efficiency and innovation for organisations.
Yet, for all the good it brings in terms of data management, collection, and processing, this added infrastructure has also created additional security risks.
Convergence has expanded the attack surface that security teams must defend, making organisations increasingly vulnerable targets for cyber threats.
But to not press on with such efforts would prove risky too, as such digital transformation is continuously cited across sectors as key to growth.
Organisations may therefore find themselves caught between a rock and a hard place when balancing security with growth: grow, but create gaps in your cybersecurity, or stay small and safe(r) but miss out on the benefits that incorporating these new technologies brings.
“Protecting everything is soul destroying given it's practically an impossible task,” Bernard Montel, EMEA Technical Director and Security Strategist at Tenable, sums up.
Examining the expanded surface
As mentioned, the integration of all these new systems has significantly expanded the attack surface of organisations.
“This growth is due to the utilisation of cloud infrastructure and SaaS applications as well as the growing need for multi-device connectivity to business services,” explains Pete Shoard, VP Analyst and part of the Security Operations team at Gartner. “The growth of the attack surface means a larger number of more complex, and sometimes invisible attack vectors for security operations teams to defend as well as create better monitoring visibility for.”
The introduction of numerous new entry points, the creation of complex environments, and the centralising of data in vulnerable architectures all contribute to the multifaceted nature of the issue.
Legacy OT systems often lack robust security features, making them vulnerable targets. Additionally, the convergence of IT and OT creates highly complex environments with numerous interconnected components, increasing the likelihood of security gaps and misconfigurations.
Many OT architectures also rely on centralised data repositories or control systems, which can become attractive targets for widespread attacks if compromised.
The same is true of the cloud. The adoption of cloud services introduces additional risks, as cloud-connected devices can be exploited to launch attacks on critical infrastructure.
A 2023 State of Cyber Assets Report by cybersecurity company Jupiter revealed nearly 600% annual growth in vulnerable cloud attack surfaces.
This surface has grown exponentially with the rise of remote and hybrid working, where users log in to the company cloud from a work device at home, on their own network, with all the uncontrolled security environments that entails.
The extensive connectivity and data storage capabilities of the cloud make it an appealing target for cybercriminals.
“Identities in particular are a key threat in cloud environments given they are the keys to accessing these resources,” elaborates Bernard. “If compromised, they enable attackers to gain access to everything, particularly sensitive data and systems.”
And it is not just a matter of worrying about your own organisation's attack surface. Many companies work with third parties to help integrate and manage these systems in their infrastructure, which introduces yet another attack surface.
A 2024 study by software company BlackBerry showed that 74% of software supply chains were also exposed to cyberattacks in the last twelve months.
This growing attack surface has unfortunately left security teams spending their time reactively mitigating cyberattacks, rather than preventing them in the first instance. In fact, in a 2023 Tenable study, 58% of respondents said their cybersecurity team was too busy fighting critical incidents to take a preventive approach to reducing their organisation’s exposure to attacks.
Defending the surface
Despite the scope of the task ahead, tactics, procedures and technology are on hand to help develop a strategy that makes organisations more secure.
“When it comes to proactive cyber practices, the basics still trip up security teams,” Bernard remarked. “Security teams need to be able to map every cloud asset, identity, and risk to identify toxic combinations and attack paths that pose the greatest threat to the business.”
What this means in practice is having a plan for exposure management. Built on the foundations of risk-based vulnerability management, exposure management takes a broader view across the modern attack surface.
Mitigation involves continuously identifying, assessing, and fixing vulnerabilities and risks across an organisation's digital infrastructure. It entails systematically discovering all digital assets, including IT systems, cloud resources, web applications, and IoT devices, and mapping the entire attack surface to understand potential entry points for threats.
Yet this work takes a lot of hours. With the cybersecurity sector facing a perennial staffing shortage, problems arise.
“This creates a budget and resourcing problem, but this also manifests itself as a prioritisation issue,” explains Pete. “It's hard for security teams to align to the business objectives and protect/monitor the organisation against the entirety of the potential for security issues.”
This strategy, however, can be augmented by AI, helping build a better observer of the surface. AI can monitor endpoints, and when an external device connecting in changes its behaviour, departing from either its own or designated normal activity, its access can be automatically revoked.
“With generative AI — such as Google Vertex AI, OpenAI GPT-4, LangChain and many others — it is possible to search for patterns, to return new intelligent information in minutes in simple language even non-technical people can understand, that helps decide what actions to take to reduce cyber risk,” explains Bernard.
Addressing the expanding surface
As organisations' infrastructure continues to expand, the attack surface will only grow larger, leaving them increasingly open to cyber threats. With more work also being done in the cloud, the haul from a single successful attack can be vast.
But as Bernard explains, the point isn’t to try to secure every surface now exposed. “By focusing resources on what poses the greatest risk, and understanding how attackers chain multiple flaws together, security teams can design more complete strategies that expose where they’re most at risk and close the priority gaps to protect against attacks,” Bernard concludes.
By gaining an overview of what is exposed, who has access, what that access consists of, and how it is configured, organisations can prioritise remediation efforts based on actual risk rather than spending what limited resources they have trying to secure everything in a batten-down-the-hatches approach.
Cyber Magazine is a BizClik brand