7 best practices for enterprise attack surface management

More cloud computing solutions, remote and work-from-home systems and internet-connected devices increase risk from an expanded attack surface. As surveys predict the enterprise attack surface will continue to increase, the best way to reduce the number of vulnerabilities is to establish a proper enterprise attack surface management program.

Several IT assets accessing corporate networks services are missing critical safeguards, according to a report by Sevco that analyzed data aggregated from visibility into more than 500,000 IT assets. The report found 11% of all IT assets were missing endpoint protection, 15% of IT assets weren’t covered by enterprise patch management solutions while 31% of IT assets were not covered by enterprise vulnerability management systems. It gets worse when the report looks at small- to medium-sized businesses (SMBs) that work on their own to secure their attack surface. The report found 21% of IT assets were missing endpoint protection for SMBs that do not use a managed security services provider.

Proper attack surface management requires analyzing operations to discover potential vulnerabilities and understand the landscape. That information should help to develop a plan, but success depends on executing that plan across the organization’s network, systems, channels, and touchpoints.

Consider these best practices when building an enterprise attack surface management program:

1. Map out the attack surface

To mount a proper defense, you must understand what digital assets are exposed, where attackers will most likely target a network, and what protections are required. According to Sevco, data aggregated from visibility into nearly half a million IT assets shows that 11% of all IT assets are missing endpoint protection. So, increasing attack surface visibility and building a strong representation of attack vulnerabilities is critical. The types of vulnerabilities to look for include older and less secure computers or servers, unpatched systems, outdated applications, and exposed IoT devices.

Predictive modeling can help create a realistic depiction of possible events and their risks, further strengthening defense and proactive measures. Once you understand the risks, you can model what will happen before, during and after an event or breach. What kind of financial loss can you expect? What will be the reputational damage of the event? Will you lose business intelligence, trade secrets or more?

“The successful [attack surface mapping] strategies are pretty straightforward: Know what you are protecting (accurate asset inventory); monitor for vulnerabilities in those assets; and use threat intelligence to know how attackers are going after those assets with those vulnerabilities,” says John Pescatore, SANS director of emerging security trends. “…each of those three phases requires skilled staff with security technology to keep up with the rate of change in all three areas.”

2. Minimize vulnerabilities

Once organizations have mapped their attack surface, they can then take action to mitigate the risk posed by the most significant vulnerabilities and potential attack vectors before moving on to lower priority tasks. Bringing assets offline where possible and strengthening internal and outward-facing networks are two key areas to focus on.

Most network platform vendors now offer tools to help minimize the attack surface. For example, Microsoft’s Attack Surface Reduction (ASR) rules allow you to block processes and executables that attackers commonly use. There are other attack surface discovery and management tools that are designed to quantify the attack surface, minimize and harden it.

Most breaches are caused by human error. So, building awareness and training employees is another critical aspect of minimizing vulnerabilities. What policies do you have to help them stay on top of personal and at-work security? Do they understand what’s required? What are the security practices they should be using, and how could a failure affect them and the business at large?

Not all vulnerabilities need to be addressed and some will persist regardless. A reliable cybersecurity strategy includes methods to identify the most pertinent sources, picking out which are more likely to be exploited. Those are the vulnerabilities that should be mitigated and monitored.

Most businesses allow more access than is needed for employees and contractors. Adequately scoped permissions can ensure there are no disruptions or major damage even when an account is compromised. Start your analysis of access rights with critical systems and then limit each person’s and device’s access to only those assets they absolutely need.

3. Establish strong security practices and policies

Following tried and true security best practices will go a long way toward minimizing your attack surface. This includes implementing intrusion detection solutions, conducting regular risk assessments, and putting clear and effective policies in place. Here are some practices to consider:

• Conduct healthy account management with strong authentication protocols and access controls.
• Establish consistent patching and update policies.
• Maintain and test backups of critical data.
• Segment your network to minimize damage should a breach occur.
• Monitor and retire old equipment, devices, and services.
• Use encryption wherever practical.
• Establish or limit your BYOD policies and programs.
  
  

4. Establish security monitoring and testing protocols

A strong cybersecurity program requires constant adjustment as IT infrastructures change and threat actors evolve. That requires continuous monitoring and regular testing, the latter often through third-party penetration testing services.

Monitoring is typically done through an automated system like security information and event management software (SIEM). It collects log data generated from host systems and applications to network and security devices such as firewalls and antivirus filters. The SIEM software then identifies, categorizes, and analyzes incidents and events.

Penetration testing provides unbiased third-party feedback to help you better understand vulnerabilities. Pen-testers conduct simulated attacks designed to reveal critical vulnerabilities. Testing should touch on core elements of the enterprise network and BYOD and third-party devices vendors are using. Mobile devices account for about 60% of interactions with corporate data.

5. Harden your email system

Phishing is a common way for attackers to compromise your network. Yet some organizations have not fully deployed email protocols designed to limit the number of malicious emails that employees receive. The protocols are:

• Sender Policy Framework (SPF) prevents spoofing legitimate email return addresses.
• Domain Keys Identified Mail (DKIM) prevents spoofing of the “display from” email address, which is what the recipient sees when they preview or open a message.
• Domain-Based Message Authentication, Reporting and Conformance (DMARC) allows you to set rules about how to treat failed or spoofed emails identified by SPF or DKIM.

Pescatore recalls working with Jim Routh when he was CISO at Aetna. “He was able to get the organization to move to secure software development and to implement strong email authentication by guaranteeing the business benefit would exceed the security cost if management back him in making the needed changes happen.”

Not all initiatives land, but Routh delivered. His changes led to fewer software vulnerabilities and shortened time to market. “Moving to DMARC and strong email authentication increased email marketing campaign click-through rates and essentially more than paid for itself.”

6. Understand compliance

All organizations should have policies and procedures in place to research, identify and understand both internal and government standards. The goal is to ensure all security policies are in compliance and that there’s a proper response plan to the various attack and breach types.

It requires establishing a task force and strategy for reviewing new policies and regulations when they come into play. As critical as compliance is to modern cybersecurity strategies, it doesn’t necessarily mean it should be the priority. “Too often compliance comes first, but almost 100% of companies that had breaches where credit card info was exposed were PCI-compliant. They weren’t secure, however,” said Pescatore. He believes cybersecurity strategies should first assess risk and deploy processes or controls to protect the company and its customers. “Then, [enterprises should] produce the documentation required by various compliance regimes (such as HIPAA or PCI) showing how your strategy is compliant.”

7. Hire auditors

Even the best security teams sometimes need fresh eyes when evaluating the enterprise attack surface. Hiring security auditors and analysts can help you discover attack vectors and vulnerabilities that might have otherwise gone unnoticed. They can also assist in creating event management plans, for dealing with potential breaches and attacks. Too many organizations are unprepared for cybersecurity attacks because they didn’t have checks and balances to measure their policies.

“When attempting to objectively determine the security risk, having an outside, impartial perspective can be extremely beneficial,” says Jason Mitchell, CTO at Smart Billions. “Use an independent monitoring process to help recognize risk behavior and threats before they become a problem on your endpoints, particularly new digital assets, newly onboarded vendors, and remote employees.”