A CISO’s Guide to Attack Surface Expansion in 2022

Last Updated on 15 August 2022 by Alastair Digby

Gartner’s annual list of top security and risk management trends is a useful resource for CISOs adapting their cybersecurity strategies to relevant and emerging threats. In the 2022 report, attack surface expansion took the number one slot. This article is a guide for CISOs on attack surface expansion: why attack surfaces keep growing at a rapid pace, and the essential technology components for handling that growth.

Why Are Attack Surfaces Expanding?

Growing complexity and interconnectedness underpin this trend: every new system, integration and device adds possible entry points for unauthorized access into systems and environments. It’s worth looking at the concrete business changes that drive attack surface expansion through complexity and interconnectedness.

Multi-cloud strategies

Most businesses use at least one cloud service provider, and many adopt multi-cloud strategies that combine several providers, since cloud use cases differ widely and some vendors suit specific needs better than others.

Multi-cloud strategies increase the attack surface by creating more entry points into your environment, each provider bringing its own identity model, configuration surface and logging. User accounts for SaaS applications can be compromised, resulting in access to sensitive data or malware uploads. Misconfigurations in cloud platforms and infrastructure can leave cloud databases or storage buckets unprotected or allow outsiders into development environments. All of these cloud assets sit outside the traditional network perimeter, often on Internet-facing public cloud systems.

Beyond the obvious complexity at play, interconnectedness comes in the form of APIs that let apps and services communicate across this multi-cloud ecosystem. APIs further increase the attack surface because they not only link everything together but are reachable by threat actors, who can probe them for weaknesses such as missing authentication or authorization checks and excessive data exposure.

Remote work support

At the height of the pandemic, 85 percent of CISOs admitted sacrificing cybersecurity to support remote workers quickly. The new normal for most businesses is a hybrid workforce in which employees combine office days with working from home. While most CISOs have since improved the security of remote work infrastructure, there is no getting around the attack surface expansion involved.

Most pertinently, there are potentially thousands of additional devices to account for, each a possible entry point for attackers. Businesses also depend on employees closely following remote work security policies; any deviation, such as connecting to corporate systems over unsecured Wi-Fi, can be taken advantage of.

Poor visibility and incomplete asset inventories hinder the ability to manage the attack surface growth introduced by hybrid workforces. You can’t protect what you can’t see.

Modern software development practices

Modern development practices emphasize producing high-quality code quickly. CI/CD pipelines deliver a constant flow of updates through a streamlined, automated SDLC. These cultural changes expand the attack surface in several ways.

Most notably, developers favor third-party libraries and frameworks in the web apps they then deploy on cloud infrastructure. Speed drives decision-making here: it rarely makes sense to write something from scratch when the functionality is freely available from a third-party source.

Much of this third-party code is open source, and any component can carry vulnerabilities, whether in its own code or in its transitive dependencies. Attackers constantly scan the Internet for apps running vulnerable open source components, which can provide an entry point into the app and your wider environment. With proprietary codebases often containing hundreds of open source components, this software supply chain expands the attack surface, particularly when it goes unchecked: without an inventory of components and their versions, you cannot tell which published vulnerabilities apply to you.
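As an added illustration of the unchecked supply chain described above (example code, not part of the original article), the script below does what a software composition analysis tool, or an attacker fingerprinting your application, does at its simplest: it parses a pinned dependency list and matches each component against known-vulnerable version ranges. The lockfile, the advisory identifiers and the version ranges are all constructed for this example, not real CVEs; in practice advisories would come from a feed such as OSV or the GitHub Advisory Database and the dependencies from your real lockfile or SBOM.

```python
"""Added example (not from the original article): a minimal software-composition
check that matches a project's pinned dependencies against known-vulnerable
version ranges. The lockfile and advisories below are constructed for this
example; the identifiers are hypothetical, NOT real CVEs."""

import re

# Constructed sample: a requirements.txt-style lockfile with pinned versions.
LOCKFILE = """\
# web app dependencies (constructed sample)
flask==2.0.1
requests==2.25.1
pyyaml==5.3
cryptography==39.0.2
"""

# Constructed sample advisories, each an OSV-style half-open range [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "package": "pyyaml", "introduced": "0", "fixed": "5.4"},
    {"id": "EXAMPLE-2021-0002", "package": "requests", "introduced": "2.3.0", "fixed": "2.26.0"},
    {"id": "EXAMPLE-2022-0003", "package": "flask", "introduced": "2.1.0", "fixed": "2.2.5"},
]

REQUIREMENT_RE = re.compile(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)")


def parse_version(text):
    """Turn '2.25.1' into (2, 25, 1). Only plain numeric dotted versions are
    handled; pre-release suffixes would need a full PEP 440 parser."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_lockfile(text):
    """Return {package_name: version_tuple} from 'name==version' lines.
    Comments and blank lines are ignored; anything else is rejected rather than
    silently skipped, so an unparsed pin cannot hide a vulnerable component."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = REQUIREMENT_RE.fullmatch(line)
        if not match:
            raise ValueError(f"unsupported requirement line: {line!r}")
        deps[match.group(1).lower()] = parse_version(match.group(2))
    return deps


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (the fixed version itself is safe)."""
    return parse_version(introduced) <= version < parse_version(fixed)


def find_vulnerable(deps, advisories):
    """Return sorted (package, version, advisory_id) tuples for every pinned
    dependency that falls inside an advisory's vulnerable range."""
    hits = []
    for adv in advisories:
        version = deps.get(adv["package"].lower())
        if version is not None and is_affected(version, adv["introduced"], adv["fixed"]):
            hits.append((adv["package"], ".".join(map(str, version)), adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for package, version, advisory in find_vulnerable(parse_lockfile(LOCKFILE), ADVISORIES):
        print(f"{package}=={version} is affected by {advisory}")
```

Run against the constructed lockfile, the check flags pyyaml and requests but not flask, whose pinned 2.0.1 sits below the advisory's introduced version; that boundary handling is exactly what a hand-maintained spreadsheet of "known bad libraries" tends to get wrong.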

3 Important Solutions for Handling Attack Surface Expansion

The Gartner press release announcing its 2022 security and risk management trends pointed to three technologies that will, “support CISOs in visualizing internal and external business systems, automating the discovery of security coverage gaps”. Cutting through the acronym overload that muddies understanding of cybersecurity solutions, let’s look at these technologies and how they actually help your business handle attack surface expansion.

Digital Risk Protection Services (DRPS)

Digital risk protection services are a type of managed security solution that detects external threats to an organization’s digital assets and brand before they reach internal resources. The typical DRPS offering combines machine learning, automation, and human expertise to augment existing threat intelligence solutions and workflows.

A key element of DRPS is the breadth of attack surface threats it covers: fraud campaigns, brand compromise, account impersonation, and threats on social media channels. The managed element also includes analysts monitoring the deep and dark web for leaked data and other Internet-based threats to the business.

To monitor for exposure and reduce your attack surface, a DRPS solution needs to map a footprint of all assets in the environment, including shadow IT. This capability can come from a dedicated EASM solution, or the DRPS platform may use its own attack surface monitoring engine to watch key assets for changes and misconfigurations.

External Attack Surface Management (EASM)

External attack surface management solutions provide full-suite capabilities for managing the external-facing attack surface that poses the most risk to business networks, apps, and data today: attack surface discovery, asset inventory, classification, prioritization, and continuous monitoring.

A crucial appeal of EASM platforms is getting an attacker’s view of your external attack surface. By discovering all Internet-facing assets, including those nobody registered in an internal inventory, and viewing them the way an attacker would, you can prioritize fixing the weaknesses and vulnerabilities that outsiders are most likely to exploit or that would do the most damage.

Cyber Asset Attack Surface Management (CAASM)

There are now dedicated cyber asset attack surface management (CAASM) platforms, a term that on the face of it sounds suspiciously similar to EASM. However, the two differ, and one is not a replacement for the other.

Think of CAASM as consolidating your view of the assets across your infrastructure. Typically the aggregated asset data comes from API integrations with the tools and platforms already in your technology stack: cloud service providers, SaaS applications, code repositories, and identity providers, as you’d expect, but usually also EASM, SIEM, and other security solutions.

You can then query the consolidated data to understand the more complex relationships between digital assets that result from increased interconnectivity. While CAASM is an emerging tool that can be very useful for managing your digital attack surface, its output is only as good as the data it receives. Without feeding in data from an EASM solution, your consolidated asset view is likely to have gaps, because internal sources only know about the assets someone registered, not everything actually reachable from the Internet.
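To make the CAASM consolidation and the EASM-gap point concrete, here is an added example (not from the original article, and not any vendor’s product) that merges two constructed asset feeds, an internal cloud inventory and an external scan, into one view keyed by normalized hostname, then runs the queries a CISO would actually ask of the combined data: which Internet-facing hosts nobody internal knows about (shadow IT), which have no owner, and which non-production systems are exposed. Every hostname, IP address, owner and field name is invented for the example.

```python
"""Added example (not from the original article or any vendor's product): a toy
CAASM-style consolidation of two constructed feeds, an internal cloud inventory
and an external attack surface (EASM) scan. All data below is invented."""

from ipaddress import ip_address

# Constructed sample: records as a cloud provider's inventory API might return them.
CLOUD_INVENTORY = [
    {"hostname": "app.example.com", "ip": "203.0.113.10", "owner": "payments-team", "environment": "prod"},
    {"hostname": "staging-app.example.com", "ip": "203.0.113.11", "owner": "", "environment": "dev"},
    {"hostname": "db-internal.example.com", "ip": "10.0.4.21", "owner": "platform-team", "environment": "prod"},
]

# Constructed sample: what an external scan sees. Note the trailing dot, the
# mixed case, and a host that no internal source knows about.
EASM_FINDINGS = [
    {"hostname": "app.example.com.", "ip": "203.0.113.10", "ports": [443]},
    {"hostname": "STAGING-APP.example.com", "ip": "203.0.113.11", "ports": [22, 8080]},
    {"hostname": "old-wiki.example.com", "ip": "198.51.100.7", "ports": [80]},
]

EXTERNAL_SOURCE = "easm"  # name of the feed that represents the attacker's view


def normalize_host(name):
    """Lower-case and strip the trailing dot so that different feeds agree on the key."""
    return name.strip().lower().rstrip(".")


def new_asset(hostname):
    return {"hostname": hostname, "ips": set(), "ports": set(),
            "owner": "", "environment": "", "sources": set()}


def consolidate(feeds):
    """feeds: {source_name: [records]}. Returns {hostname: merged asset}.
    Set-valued fields (ips, ports, sources) are unioned; owner and environment
    keep the first non-empty value, so an internal feed is never overwritten
    by a scan that carries no ownership data."""
    assets = {}
    for source, records in feeds.items():
        for rec in records:
            key = normalize_host(rec["hostname"])
            asset = assets.setdefault(key, new_asset(key))
            asset["sources"].add(source)
            if rec.get("ip"):
                asset["ips"].add(str(ip_address(rec["ip"])))  # raises on a malformed address
            asset["ports"].update(rec.get("ports", []))
            for field in ("owner", "environment"):
                if rec.get(field) and not asset[field]:
                    asset[field] = rec[field]
    return assets


def shadow_it(assets, external=EXTERNAL_SOURCE):
    """Internet-facing hosts that only the external scan knows about."""
    return sorted(h for h, a in assets.items() if a["sources"] == {external})


def unowned_internet_facing(assets, external=EXTERNAL_SOURCE):
    """Internet-facing hosts with nobody recorded as owner."""
    return sorted(h for h, a in assets.items() if external in a["sources"] and not a["owner"])


def internet_facing_non_prod(assets, external=EXTERNAL_SOURCE):
    """Internet-facing hosts whose internal record says they are not production."""
    return sorted(
        h for h, a in assets.items()
        if external in a["sources"] and a["environment"] and a["environment"] != "prod"
    )


if __name__ == "__main__":
    merged = consolidate({"cloud": CLOUD_INVENTORY, EXTERNAL_SOURCE: EASM_FINDINGS})
    print("shadow IT:", shadow_it(merged))
    print("unowned and exposed:", unowned_internet_facing(merged))
    print("non-prod exposed:", internet_facing_non_prod(merged))
    print("shadow IT without the EASM feed:", shadow_it(consolidate({"cloud": CLOUD_INVENTORY})))
```

The last line of the demo is the point of the passage above: with only the internal cloud feed, the shadow IT query returns nothing, not because there is no shadow IT but because no source in the consolidated view can see it. Note also that the normalization step matters; without it, “app.example.com.” and “STAGING-APP.example.com” would appear as separate assets from the ones the cloud inventory knows, and both would be misreported as shadow IT.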

What solutions should CISOs choose to manage attack surface expansion?

If there’s one takeaway from the methods Gartner proposes for dealing with attack surface expansion, it’s that standalone solutions won’t suffice. While some capabilities of DRPS, EASM, and CAASM clearly overlap, it makes more sense to view their combined implementation as a roadmap for addressing arguably today’s most pressing cybersecurity concern: attack surface expansion.

Informer’s approach to attack surface management concentrates on helping you discover your external attack surface in minutes so you can start reducing your cyber risk as quickly as possible. Automated discovery and continuous monitoring help to keep pace with dynamic and ever-expanding attack surfaces.