Last Updated on June 3, 2022
With the rise of cloud services and remote working, many businesses are still playing catch-up on securing a larger attack surface. Vendors have begun to address this need with a growing number of entrants in the emerging attack surface management space.
To define attack surface management, explain how it works and clarify its unique value proposition, Michelangelo Sidagni, CTO at NopSec, joined a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.
Covering the continuum
In Michelangelo’s view, attack surface management encompasses all aspects of traditional vulnerability management, including asset inventory management, vulnerability assessment, vulnerability prioritization, and vulnerability remediation. It also includes associated security testing, whether automated and/or manual.
“I come from a world where the vulnerabilities are into the hundreds of thousands,” says Michelangelo. “So, it’s not enough to find all the vulnerabilities. We have to find those that matter the most to my network. The domain controllers are more important than a workstation, for example. A prioritized vulnerability is key.”
Defining attack surface management
According to Michelangelo, attack surface management integrates traditional disciplines related to vulnerabilities, yielding a whole greater than the sum of the former parts:
“Attack surface management basically wants to unify them all in a holistic approach—meaning finding the asset, finding the vulnerabilities, and most importantly for blocking an attacker, ‘connecting the dots,’” Michelangelo shares. “It’s not enough to have a vulnerability instance that could be exploitable or could even be under direct attack. But is it exploitable in my environment?”
Say you’ve got a vulnerability that an attacker tries to exploit. Can the malware connect back to its attacker machine so it can control the host and start moving laterally? If your environment prevents that, even a major vulnerability might not be a big deal. But if the hacker’s attack path is clear, you could be facing a data breach.
“It’s very important to understand [whether a critical vulnerability is exploitable in your specific environment], because not all vulnerabilities are created equal,” advises Michelangelo. “Some are exploitable, but some can create a real problem for the defender.”
What about threat and exposure management?
Another emerging security sector is cyber threat and exposure management. How does this area relate to attack surface management?
Within Michelangelo’s NopSec solution, the latter subsumes the former.
“Cyber threat and exposure management basically focuses on the threat,” describes Michelangelo. “A vulnerability is a state. It can stay there, idle or quiescent for years. You have to have an exploit. Then, you have to have a threat actor taking that exploit a step further.”
“Threat and exposure management focuses on threat modeling and management. Attack surface management is about taking this threat management, connecting it to the asset and the mediating controls, and proving through threat modeling or attack simulation that [the vulnerability] is indeed something that an attacker could exploit,” adds Michelangelo.
To enjoy the full episode with attack surface management thought leader Michelangelo Sidagni, click here.
Want a different take on attack surface management? Here’s a related podcast: EP#69 – Steve Ginty – Can You Benefit From Attack Surface Management?