ARN

7 best practices for enterprise attack surface management

Follow this advice to minimise vulnerabilities and give threat actors fewer opportunities to compromise an organisation's network and devices.

More cloud computing solutions, remote and work-from-home systems and internet-connected devices increase risk from an expanded attack surface. The best way to reduce the number of vulnerabilities is to establish a proper enterprise attack surface management program.

Proper attack surface management requires analysing operations to discover potential vulnerabilities and understand the landscape. That information should help to develop a plan, but success depends on executing that plan across the organisation’s network, systems, channels and touchpoints.

Here are some best practices to consider when building an enterprise attack surface management program:

1. Map out the attack surface

To mount a proper defence, you must understand what digital assets are exposed, where attackers will most likely target a network, and what protections are required.

So, increasing attack surface visibility and building a strong representation of attack vulnerabilities is critical. The types of vulnerabilities to look for include older and less secure computers or servers, unpatched systems, outdated applications, and exposed IoT devices.

Predictive modelling can help create a realistic depiction of possible events and their risks, further strengthening defence and proactive measures. Once you understand the risks, you can model what will happen before, during and after an event or breach. What kind of financial loss can you expect? What will be the reputational damage of the event? Will you lose business intelligence, trade secrets or more?

“The successful [attack surface mapping] strategies are pretty straightforward: Know what you are protecting (accurate asset inventory); monitor for vulnerabilities in those assets; and use threat intelligence to know how attackers are going after those assets with those vulnerabilities,” says John Pescatore, SANS director of emerging security trends. “…each of those three phases requires skilled staff with security technology to keep up with the rate of change in all three areas.”

2. Minimise vulnerabilities

Once organisations have mapped their attack surface, they can then take action to mitigate the risk posed by the most significant vulnerabilities and potential attack vectors before moving on to lower priority tasks. Bringing assets offline where possible and strengthening internal and outward-facing networks are two key areas to focus on.

Most network platform vendors now offer tools to help minimise the attack surface. For example, Microsoft’s Attack Surface Reduction (ASR) rules allow you to block processes and executables that attackers commonly use.

Most breaches are caused by human error. So, building awareness and training employees is another critical aspect of minimising vulnerabilities. What policies do you have to help them stay on top of personal and at-work security? Do they understand what’s required? What are the security practices they should be using, and how could a failure affect them and the business at large?

Not all vulnerabilities need to be addressed and some will persist regardless. A reliable cyber security strategy includes methods to identify the most pertinent sources, picking out which are more likely to be exploited. Those are the vulnerabilities that should be mitigated and monitored.

Most businesses allow more access than is needed for employees and contractors. Adequately scoped permissions can ensure there are no disruptions or major damage even when an account is compromised. Start your analysis of access rights with critical systems and then limit each person’s and device’s access to only those assets they absolutely need.

3. Establish strong security practices and policies

Following tried and true security best practices will go a long way toward minimising your attack surface. This includes implementing intrusion detection solutions, conducting regular risk assessments, and putting clear and effective policies in place.

Here are some practices to consider:

  • Conduct healthy account management with strong authentication protocols and access controls.
  • Establish consistent patching and update policies.
  • Maintain and test back-ups of critical data.
  • Segment the network to minimise damage should a breach occur.
  • Monitor and retire old equipment, devices and services.
  • Use encryption wherever practical.
  • Establish or limit your BYOD policies and programs.

4. Establish security monitoring and testing protocols

A strong cyber security program requires constant adjustment as IT infrastructures change and threat actors evolve. That requires continuous monitoring and regular testing, the latter often through third-party penetration testing services.

Monitoring is typically done through an automated system such as security information and event management (SIEM) software. It collects log data from host systems and applications as well as from network and security devices such as firewalls and antivirus filters, then identifies, categorises and analyses the resulting incidents and events.

Penetration testing provides unbiased third-party feedback to help you better understand vulnerabilities. Pen-testers conduct simulated attacks designed to reveal critical vulnerabilities. Testing should cover the core elements of the enterprise network as well as BYOD devices and the third-party devices that vendors use. Mobile devices account for about 60 per cent of interactions with corporate data.

5. Harden email systems

Phishing is a common way for attackers to compromise your network. Yet some organisations have not fully deployed email protocols designed to limit the number of malicious emails that employees receive. The protocols are:

  • Sender Policy Framework (SPF) prevents spoofing of legitimate email return addresses.
  • DomainKeys Identified Mail (DKIM) prevents spoofing of the “display from” email address, which is what the recipient sees when they preview or open a message.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) allows you to set rules about how to treat failed or spoofed emails identified by SPF or DKIM.
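The three protocols above, as an added example that is not code from the article: a simplified Python evaluator showing how a receiving server combines the SPF result and DKIM result with the DMARC alignment and policy tags, so that a spoofed message with a valid SPF record on the attacker's own domain is still rejected. The domains and DNS TXT records (example.com, mail.example.com, attacker.example, monitor.example) are constructed; SPF handling covers only ip4 mechanisms and the final all, DKIM signature verification is taken as an input, and the organisational domain is approximated by the last two labels rather than the Public Suffix List.

```python
import ipaddress

# Constructed DNS TXT records for hypothetical domains (not real zones).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "mail.example.com": "v=spf1 ip4:198.51.100.10 -all",
    "attacker.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, sender_ip, dns=DNS_TXT):
    """Minimal SPF: evaluates ip4 mechanisms and the final 'all' (no include/mx/a)."""
    rec = dns.get(domain, "")
    if not rec.startswith("v=spf1"):
        return "none"                      # domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for mech in rec.split()[1:]:
        qual = "+"
        if mech[0] in QUAL:
            qual, mech = mech[0], mech[1:]
        if mech == "all" or (mech.startswith("ip4:")
                             and ip in ipaddress.ip_network(mech[4:], strict=False)):
            return QUAL[qual]
    return "neutral"

def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict, filling RFC defaults for p/adkim/aspf."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return {"p": "none", "adkim": "r", "aspf": "r", **tags}

def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organisational domain (last two labels)."""
    if mode == "s":
        return auth_domain == from_domain
    return auth_domain.split(".")[-2:] == from_domain.split(".")[-2:]

def dmarc_disposition(from_domain, mail_from_domain, sender_ip,
                      dkim_domain=None, dkim_pass=False, dns=DNS_TXT):
    """'pass' if an aligned SPF or DKIM check passes; otherwise the published policy."""
    rec = dns.get(f"_dmarc.{from_domain}")
    if rec is None:
        return "no-policy"                 # nothing published, so the receiver cannot enforce
    pol = parse_dmarc(rec)
    spf_ok = (spf_check(mail_from_domain, sender_ip, dns) == "pass"
              and aligned(mail_from_domain, from_domain, pol["aspf"]))
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(dkim_domain, from_domain, pol["adkim"])
    return "pass" if spf_ok or dkim_ok else pol["p"]
```

The monitor.example record shows the usual rollout path: publish p=none first to collect aggregate reports, then move to quarantine or reject once legitimate senders are aligned.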

Pescatore recalls working with Jim Routh when Routh was CISO at Aetna. “He was able to get the organisation to move to secure software development and to implement strong email authentication by guaranteeing the business benefit would exceed the security cost if management backed him in making the needed changes happen.”

Not all initiatives land, but Routh delivered. His changes led to fewer software vulnerabilities and shortened time to market. “Moving to DMARC and strong email authentication increased email marketing campaign click-through rates and essentially more than paid for itself.”

6. Understand compliance

All organisations should have policies and procedures in place to research, identify and understand both internal and government standards. The goal is to ensure all security policies are in compliance and that there’s a proper response plan to the various attack and breach types.

This requires establishing a task force and strategy for reviewing new policies and regulations as they come into force. As critical as compliance is to modern cyber security strategies, it doesn’t necessarily mean it should be the priority. According to Pescatore, “Too often compliance comes first, but almost 100 per cent of companies that had breaches where credit card info was exposed were PCI-compliant. They weren’t secure, however.”

He believes cyber security strategies should first assess risk and deploy processes or controls to protect the company and its customers. “Then, [enterprises should] produce the documentation required by various compliance regimes (such as HIPAA or PCI) showing how your strategy is compliant.”

7. Hire auditors

Even the best security teams sometimes need fresh eyes when evaluating the enterprise attack surface. Hiring security auditors and analysts can help you discover attack vectors and vulnerabilities that might have otherwise gone unnoticed.

They can also assist in creating event management plans for dealing with potential breaches and attacks. Too many organisations are unprepared for cyber security attacks because they lack the checks and balances needed to measure their policies.

“When attempting to objectively determine the security risk, having an outside, impartial perspective can be extremely beneficial,” says Jason Mitchell, CTO at Smart Billions. “Use an independent monitoring process to help recognise risk behaviour and threats before they become a problem on your endpoints, particularly new digital assets, newly onboarded vendors, and remote employees.”