Executive Roundtable: Attack Surface Management Opens New Opportunities to Proactively and Cost-Effectively Assess Threats and Address Vulnerabilities
Lane F. Cooper , Editorial Director, BizTechReports and Contributing Editor, CIO.com and CSO online
As organizations assess their 2023 strategies for enhancing the protection of their most important assets while rationalizing investment in security tools and technologies, risk management leaders will be well advised to integrate a proactive “outside-in” approach to threat assessment into their “Zero-Trust” initiatives. It is in this context that concepts like attack surface management (ASM) are receiving increasing attention in efforts to dynamically allocate the right resources to protect the most critical elements of their enterprises.
These were among the conclusions of a virtual executive roundtable held by CSO online and co-hosted by Alex Reid and John Velisaris from IBM. The event featured over 20 executives representing large enterprises from a wide array of industry sectors. The group generally agreed that tightening budgets and rising threats are putting more pressure on security professionals to do more with less – even as the threat landscape becomes more perilous.
Every single executive reported a commitment to embracing zero trust architectures (ZTA) – as outlined and defined by the National Institutes of Standards (NIST). NIST’s SP 800-207 document calls for organizations to engage in continuous and persistent access verification to minimize the impact of breach attempts by automating incident response and the collection of security-related data.
While adhering to the principle of “knowing thyself and those who seek to interact with thee” (an inside-out assessment), it will be essential for organizations to develop an ongoing understanding of how targets of opportunity are presented to bad actors.
This is where outside-in principles embraced by ASM strategies come in. Attack surface management, according to IBM, is the continuous discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization’s attack surface. Unlike other cybersecurity disciplines, ASM is conducted entirely from a hacker’s perspective, rather than the perspective of the defender. It identifies targets and assesses risks based on the opportunities they present to a malicious attacker.
“The key to success, however, is not to view ASM, or any security measure, in a vacuum. It should be seen as one piece of the risk management puzzle,” said IBM’s Velisaris. “True value – in this case reducing risk and cost – can only be achieved by integrating insights about what malicious players can observe about organizations with a full understanding of the entire security stack in as seamless a manner as possible.”
The opportunity to rationalize risk investments (and therefore reduce security costs) can be realized when technologies like ASM – which automate the process of persistently evaluating the exposure of organizations through automated scans and intelligent real-time analysis – are compared and contrasted with the enterprise resources that must be protected at all costs.
“ASM should be part of an overarching strategic approach to exposure management," explained IBM’s Reid. "This will not only provide dynamic situational awareness but also inform how attack simulations should be implemented to prepare organizations for breach attempts.”
It offers a way for technology and security leaders to bridge the gap between what the ‘internet’ sees and the current state of vulnerabilities.
"In so doing, a solid foundation is established for assessing the likelihood of what attack paths might look like, enabling organizations to play sophisticated ‘what if’ games based on external and internal insights,” he added.
While no one argued with the logic of this integrated approach, most executives in the roundtable session admitted that their organizations are still in the early stages of ASM consideration and adoption. It is a situation, however, that is also true for zero trust. Despite the headlines and buzz that surrounds ZTA, a recent Gartner report suggests that only 10% of large enterprises will have mature and measurable zero-trust programs in place by 2026, up from less than 1% today.
“The industry needs to do better. Proactive adoption and integration of technologies like ASM can make a real difference in reducing the number – and impact – of attacks. A recent IBM assessment revealed that 50% of cloud breaches, across all of the incidents we worked last year, occurred in assets that were either unknown or unmanaged. It is important to establish a collective global view and apply technologies that translate vast volumes of data generated by systems to enable the IT and security community to have the protection and resilience needed to operate in today’s environment,” concludes Velisaris.
###
To learn more about IBM’s take on the constantly evolving threat landscape, visit