The rapid expansion of the digital landscape adds increasing complexity to cybersecurity, especially for enterprises that could have up to 100,000 vendors in their supply chain.
Addressing these challenges requires implementing an Attack Surface Management (ASM) strategy tailored to enterprise businesses' unique risk profiles. This post outlines the importance of ASM for enterprises and offers a strategy for ensuring its effective implementation.
Understanding the enterprise attack surface
The enterprise attack surface is a collection of all the digital assets associated with an organization that are accessible internally or externally. Security professionals commonly refer to this network as an “attack surface” because each device potentially opens a pathway into an organization’s sensitive data if exploited by cybercriminals.
To better understand the scope and significance of the enterprise attack surface, it's essential to differentiate between external and internal attack surfaces:
- External Attack Surface: Includes all assets exposed to the internet, such as web applications, cloud services, APIs, web servers, and all external services in your vendor network
- Internal Attack Surface: Assets only accessible within the organization’s network, such as internal servers, databases, and user endpoints
Because enterprises typically have a large number of assets making up their digital footprint, they have more potential entry points for cybercriminals than smaller organizations, making them inherently more susceptible to cyber attack attempts and, as a result, data breaches. The vastness of the enterprise's digital footprint produces attack surface regions that are difficult to identify and manage with conventional cybersecurity strategies, especially across the vendor supply chain.
UpGuard found that the use of technology increases by an average of 311% when a company grows from 500-1000 employees to an enterprise size of 1000-5000 employees.
With such a large pool of technology devices to manage, enterprises face the greatest challenges in keeping track of their expanding attack surface and ensuring its size remains manageable.
The unique cyber risks faced by enterprises
Enterprises have a unique cyber risk profile due to the extensive digital network required to support their operations. Some of the most pressing risks associated with enterprises include:
- Third-Party and Fourth-Party Risks: Vendor security postures directly impact an organization’s level of cyber risks. With enterprise scaling models prioritizing vendor services for their cost-saving benefits, a bloated external attack surface is now a characteristic cybersecurity issue for enterprises. This category of cyber risks extends beyond the third-party vendor ecosystem. Fourth-party security risks also directly influence enterprise security posture, as demonstrated by the CrowdStrike incident.
- Shadow IT: Because enterprises usually lack a security policy for continuous monitoring at a micro level, they are at the highest risk of Shadow IT practices—the unapproved use of software, SaaS apps, or devices in an organization. This category of cyber risk is critical since any unauthorized tools and services could include exploitable vulnerabilities that security teams are unaware of.
- Cloud misconfigurations: As digital transformation pushes more of an organization’s network to the cloud, the risks of potential attack vectors arising from poor security configurations increase. Improper cloud environment settings could result in sensitive data exposures (data leaks) or unauthorized access to internet-facing assets, similar to the security incident Optus suffered. The potential impact surges when these misconfigurations involve cloud service security tools.
- Legacy systems: Many enterprises are unaware that their internet-facing assets are operated by legacy systems and that web application services are not protected by the latest security patches. IoT devices and IT assets impacted by legacy software are prime targets for threat actors performing reconnaissance in preparation for a cyber attack.
The Crowdstrike incident demonstrated that even fourth-party vendors are potential attack vectors in an organization’s attack surface.
Watch this video to learn how UpGuard helped its users identify third and fourth-party vendors impacted by the Crowdstrike incident.
Characteristics of an effective enterprise ASM strategy
An effective enterprise Attack Surface Management strategy addresses the key cybersecurity challenges unique to large businesses. Collectively, the components of this strategy support 360-degree enterprise cyber threat visibility and provide a workflow for managing the complete lifecycle of detected cyber risks.
1. Asset discovery
Comprehensive internet-facing asset discovery is the foundation of an effective ASM strategy. This process involves identifying all IT assets comprising an enterprise’s digital footprint. With an attack surface management solution, you can automate this process by specifying an IP address range for your asset inventory. All newly connected assets in this range are then automatically enrolled into any implemented real-time security risk monitoring processes.
Shadow IT detection is an integral component of the asset discovery processes and should also be supported by an ASM solution.
Watch this video to learn how UpGuard ensures both common cloud services and obscure technologies, such as network devices, javascript plugins, and hosting providers, are acknowledged within a risk management program.
2. Vulnerability management
After mapping out your digital footprint, all assets should be enrolled into a continuous scanning process to identify criitical exposures facilitating data breaches. Internal and external attack surfaces require specific management tools and security operations, given the unique cyber threats in each region. External Attack Surface Management -- the most critical component of ASM for enterprises, should be supported by a Vendor Risk Management program capable of threat detection across even the most nuanced vendor-related risk origins, such as dark web forums and ransomware blogs.
With an ASM tool like UpGuard, you can detect and remediate vulnerabilities and attack vectors hackers commonly exploit in ransomware attacks, such as leaked credentials and remote access services, and extend this protection across your entire vendor network.
UpGuard can also detect potentially dangerous IT asset vulnerabilities, such as servers running end-of-life web server software, which place enterprises at the greatest risk of suffering data breaches.
Watch this video for an overview of UpGuard’s approach to Attack Surface Management.
3. Continuous monitoring
The external attack surface is highly volatile. An effective ASM strategy should have a means of keeping track of the state of the external attack surface by addressing critical vendor threat intelligence metrics such as:
- Phishing attack susceptibility: the leading attack vectors facilitating data breaches.
- Website security: To discover vulnerabilities facilitating common attacks on domain cyber assets, such as cross-site scripting.
- Attack surface size: To evaluate attack surface reduction efforts and the efficacy of implemented security controls to assist this effort.
Security ratings are one of the most effective continuous monitoring methods for attack surface management. They provide objective quantification of internal and external security postures. UpGuard’s security ratings tool considers multiple critical attack vector categories in its rating calculations, with most categories aligning with the primary metric requirements conducive to an effective ASM program.
Learn how UpGuard calculates its security ratings >
3. Integrated risk treatment workflows
To support the ultimate objective of enterprise attack surface management, which is to keep the attack surface as small as possible, an ASM solution should include integrated workflows addressing the entire risk management lifecycle. Since enterprises have characteristically large vendor networks, an ideal ASM tool should consist of Vendor Risk Management working addressing the following VRM processes:
- Third-party risk detection: To discover vendor-related security risks that could facilitate third-party breaches.
- Fourth-party vendor detection: For visibility into the expansion of a vendor’s vendors
- Vendor risk assessments: For comprehensive vendor security posture evaluations and establishing third-party vendor risk treatment plans.
Watch this video to learn how UpGuard streamlines vendor risk assessment workflows.
- Risk remediation: Seamlessly progressing detected risk to the mitigation phase to minimize exposure windows.
For support with implementing such a third-party risk management component, refer to this post outlining a 6-stage Vendor Risk Management workflow.
An ASM platform with Vendor Risk Management workflows supports a minimal attack surface by consolidating internal and external attack surface management processes into a single solution.
4. Risk prioritization
A characteristic of a larger digital footprint is that automated risk detection processes are likely to discover many potential cyber risks. A common mistake enterprises make when establishing an ASM strategy is obsessing over every detected risk on their attack surface. An efficient ASM program isn’t one that eventually reaches a point of no longer detecting new cyber risks but rather one that can identify which risks should be prioritized and which are safe to disregard.
Security rating technology could be leveraged to achieve this by projecting the impact of selected remediation tasks on a vendor’s security posture.
Best practices: enterprise attack surface management
The following best practices will elevate your ASM strategy to exemplary levels:
- Understand you can’t completely prevent access to your network edge: A level of risk acceptance is required for network boundaries as broad as those of enterprises. Firewalls and remote endpoints must remain connected to the Internet to support critical business operations. Aim to catalog all edge network devices that cybercriminals could potentially target so that security teams can monitor their level of cyber resilience.
- Follow a tiering strategy: To ensure sensitive resources in your attack surface are readily identified and prioritized in risk remediation efforts, a tiering strategy should be implemented, where critical assets are grouped in a separate category with an inventory category. This strategy should extend to the external attack surface with a vendor tiering strategy.
- Use a centralized ASM platform: A centralized platform for addressing the entire enterprise attack surface will prevent the need for separate solutions for internal and external attack surfaces, keeping the enterprise attack surface minimal and thereby supporting the ultimate objective of ASM.
- Train your employees: Without proper training, your employees will likely disrupt your attack surface reduction efforts with Shadow IT practices and fall victim to social engineering attacks. An enterprise ASM strategy must include an employee awareness training component outlining how to respond to common cyber threats and how these responses align with the company’s attack surface management objectives. Simulated phishing attacks are an effective tool for tracking the organization’s level of human risk - a critical risk category that must also be addressed in a risk management strategy.
Watch this video to learn how UpGuard accounts for human risk in its attack surface management processes: