Cyber exposures are proliferating at an exponential rate that often outpaces the bandwidth of cybersecurity teams. In order to get ahead, it’s crucial to be aware of what’s out in the open and where cyber attackers are likely to target. The migration to cloud has remarkably expanded the internal and external targets, making the process of threat prioritization and managing your cyber exposure from a hacker’s standpoint more vital than ever. Here’s a dive into why it’s expanding and how to effectively supervise and control it using tools like Intruder.
Understanding your Cyber Exposure

To begin with, it’s imperative to realize that your cyber exposure is the sum of all your digital assets that are ‘exposed’ – whether those assets are secure or vulnerable, recognized or unknown, in active use or not. This cyber exposure changes constantly over time and includes digital assets that are on-site, in the cloud, within subsidiary networks, and in third-party environments. Simply put, it comprises everything that a hacker can target.
What is Cyber Exposure Management?

Cyber exposure management is the process of discovering these assets and services and then curtailing or minimizing their exposure so that hackers cannot exploit them. Exposure can mean two things: present vulnerabilities, such as missing patches or misconfigurations, that weaken the security of the services or assets; but it can also refer to exposure to future vulnerabilities.
For instance, take an admin interface like cPanel or a firewall administration page – these may be secure against all known current attacks today, but a vulnerability could be uncovered in the software tomorrow – when it instantly becomes a substantial risk. An asset doesn’t need to be vulnerable today to be vulnerable tomorrow. If you reduce your cyber exposure, regardless of vulnerabilities, you become tougher to attack tomorrow.
So, a significant chunk of cyber exposure management is minimizing exposure to potential future vulnerabilities by removing unnecessary services and assets from the internet. This is what led to the Deloitte breach, and it is what sets cyber exposure management apart from traditional vulnerability management. But to achieve this, you first need to know what’s there.
Asset Management vs Vulnerability Management

Typically considered the poor cousin of vulnerability management, asset management has traditionally been a labor-intensive, time-consuming task for IT teams. Even when they had control of the hardware assets within their organization and network perimeter, it was still fraught with problems. If just one asset was overlooked in the asset inventory, it could slip past the entire vulnerability management process and, depending on the sensitivity of the asset, could have far-reaching implications for the business.
Now, it’s a lot more intricate. Businesses are migrating to SaaS and shifting their systems and services to the cloud, internal teams are downloading their own workflow, project management and collaboration tools, and individual users expect to personalize their environments. When companies grow through mergers and acquisitions too, they often inherit systems they’re not even aware of – a classic example is when telecom company TalkTalk was breached in 2015, and up to 4 million unencrypted records were stolen from a system they weren’t even aware existed.
Transitioning Security from IT to DevOps

Today’s cloud platforms enable development teams to scale and move quickly as needed. But this transfers a lot of the security responsibility into the hands of the development teams – a departure from traditional, centralized IT teams with robust, trusted change control processes.
This means cybersecurity teams struggle to understand what’s happening or to discover where their assets are. Similarly, it’s increasingly challenging for large enterprises or businesses with dispersed teams – often situated around the globe – to keep track of where all their systems are.
As a consequence, organizations are increasingly recognizing that their vulnerability management processes should be integrated into a more comprehensive ‘cyber exposure management’ process because you must first be aware of what you have exposed to the internet before you contemplate what vulnerabilities you have, and what fixes to prioritize.
Essential Features of Cyber Exposure Management Tools

There are various tools in the market useful for asset discovery, identifying new domains which resemble yours, and detecting websites with similar content to your own. Your team can then ascertain whether this is a company asset or not, decide whether it’s included in your vulnerability management processes, and how it is secured. But this requires an internal resource because the tool can’t do this for you.
Similarly, some tools focus exclusively on external cyber exposure. But since a common attack vector is through employee workstations, cyber exposure management should incorporate internal systems too. Here are three essential features that every cyber exposure monitoring tool should provide:
1. Asset Discovery

You can’t manage an asset if you’re unaware of its existence. As we’ve seen, most organizations have a variety of “unknown unknowns,” such as assets located on partner or third-party sites, workloads running in public cloud environments, IoT devices, abandoned IP addresses and credentials, and more. Intruder’s CloudBot runs hourly checks for new IP addresses or hostnames in connected AWS, Google Cloud, or Azure accounts.
Intruder’s CloudBot automatically adds any new external IP addresses or hostnames in cloud accounts as targets for monitoring and vulnerability scanning.

2. Business Context

Not all attack vectors are created equal, and the ‘context’ – what’s exposed to the internet – is a vital part of cyber exposure management. Legacy tools don’t provide this context; they treat all cyber exposures (external, internal office, internal data centre) the same, making it hard to prioritize vulnerabilities. Cyber exposure management tools identify the gaps in your internal and external security controls to reveal the weaknesses in your security that need to be addressed and remediated first.
Intruder goes a step further and provides insight into any given asset, and the business unit the application belongs to. For instance, understanding whether a compromised workload is part of a critical application managing bank-to-bank SWIFT transactions will aid in formulating your remediation plan.
3. Proactive and Reactive Scans

You can’t just examine your cyber exposure once. Each day it continues to grow as you add new devices, workloads, and services. As it grows, the security risk grows too: not just the risk of new vulnerabilities, but also misconfigurations, data exposures or other security gaps. It’s crucial to test for all potential attack vectors, and it’s necessary to do it continuously to prevent your understanding from becoming outdated.
What’s even better than continuous scanning is a platform that can scan proactively or reactively depending on the circumstances. For instance, reacting to a new cloud service being brought online by launching a scan, or proactively scanning all assets as soon as new vulnerability checks become available.
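As an added illustration (not Intruder’s code, nor any tool’s real API), here is a small Python sketch of the three features above working together: diffing two constructed hourly cloud asset snapshots to find newly exposed hosts, scoring them by network context and business unit, and choosing reactive scans for new assets plus a proactive rescan of everything when new checks arrive. The hosts, ports, weights and business units are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str           # IP address or hostname seen in a cloud account
    context: str        # "external", "datacentre" or "office"
    business_unit: str  # which part of the business owns it


# Assumed weights: internet-facing assets count most, as the article argues.
CONTEXT_WEIGHT = {"external": 3, "datacentre": 2, "office": 1}
CRITICAL_UNITS = {"payments"}  # constructed: units whose assets double in priority

# Constructed snapshots of an hourly asset check (no real accounts or addresses).
PREVIOUS = [Asset("203.0.113.10", "external", "marketing"),
            Asset("10.20.0.5", "office", "hr")]
CURRENT = PREVIOUS + [Asset("203.0.113.44", "external", "payments"),
                      Asset("10.30.1.9", "datacentre", "payments")]
OPEN_PORTS = {"203.0.113.10": [443], "10.20.0.5": [445, 3389],
              "203.0.113.44": [22, 443, 2083], "10.30.1.9": [5432]}


def discover_new(previous, current):
    """Assets in the current snapshot that were absent last hour: the unknown unknowns."""
    return sorted(set(current) - set(previous), key=lambda a: a.host)


def exposure_score(asset, open_ports):
    """Context weight times reachable services, doubled for critical business units."""
    score = CONTEXT_WEIGHT.get(asset.context, 1) * len(open_ports)
    return score * 2 if asset.business_unit in CRITICAL_UNITS else score


def prioritize(assets, port_map):
    """Highest exposure first, so the team fixes what attackers can reach."""
    return sorted(assets, key=lambda a: exposure_score(a, port_map.get(a.host, [])), reverse=True)


def plan_scans(previous, current, new_checks_available):
    """Reactive: scan each newly discovered asset now.
    Proactive: rescan every asset when new vulnerability checks are released."""
    jobs = [("reactive", a.host) for a in discover_new(previous, current)]
    if new_checks_available:
        jobs += [("proactive", a.host) for a in sorted(current, key=lambda a: a.host)]
    return jobs


if __name__ == "__main__":
    for asset in prioritize(CURRENT, OPEN_PORTS):
        print(exposure_score(asset, OPEN_PORTS[asset.host]), asset.host, asset.context, asset.business_unit)
    print(plan_scans(PREVIOUS, CURRENT, new_checks_available=True))
```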
Minimizing Your Cyber Exposure with Intruder

Cyber exposure monitoring tools like Intruder do all this and more. Intruder helps you confirm that everything you have facing the internet is supposed to be there, by making it easily searchable and explorable. Its Network View feature shows exactly what ports and services are available, including screenshots of those that have websites or apps running on them.
Most automated tools are great at spitting out data for analysts to examine, but not at reducing the ‘noise’. Intruder prioritizes issues and vulnerabilities based on context, or whether they should be on the internet at all. Combined with Intruder’s continuous monitoring and emerging threat scans, this makes it significantly easier and quicker to locate and rectify new vulnerabilities before they can be exploited.