Not all attack surface management (ASM) tools are created equal, especially when it comes to identifying all the assets that make up your attack surface, a great many of which may lie outside your known digital footprint.
What are some of the asset discovery innovations that can help security leaders find the blind spots in their ASM view?
To talk about the realities of ASM and business risk for a modern organization, David Monnier, Chief Evangelist and Fellow at Team Cymru, joined a recent episode of The Virtual CISO Podcast. Hosting the show as always is John Verry, Pivot Point Security CISO and Managing Partner.
Bringing new intelligence to digital asset inventories
From the standpoint of assets you can interact with electronically, the foundation of ASM is some kind of digital asset inventory. How many devices do we know of in the infrastructure? How recently have we scanned them for vulnerabilities? How often do we patch them? How often do we update the inventory? What are all the touch points for security and logistical controls? And the list goes on…
“You start to see [asset management] as just an endless supply of tasks,” notes David. “First you have to identify it, then you track it, then you scan it, then you do something, then you do something else, and so on.”
Having a repeatable asset management process is great. But what if an asset is already compromised? What if you need to tear it down and rebuild it, not just patch it?
“So we looked at how can we get intelligence into the ASM space?” David relates. “We identified that there weren’t really any products that were designed to take into account threat intelligence, even in the sense of what we think of as more like reputational data.”
Say Team Cymru helps you discover 3,000 assets on your network, only half of which you knew about previously. Of those, 10 are already compromised. Instead of just supporting security/vulnerability scanning, Team Cymru’s toolset adds two intelligence layers: one that provides threat intelligence, and one that looks at the relative business criticality of assets to prioritize risk and remediation.
Knowing more is knowing more
Team Cymru’s solutions evaluate the digital data coming to and from an org’s assets according to threat/reputational intelligence, business intelligence and vulnerability/security intelligence to help security leaders contextualize whether the data indicates “business as usual” or something that may require action.
For example, Team Cymru tracks internet namespaces using passive DNS and other passive collection methods.
“What if, for example, a certificate with your organization’s domain appeared in AWS space somewhere?” David hypothesizes. “It’s outside of your address space altogether. You may have a /24 network that you know is yours, and you watch that diligently. But what if your DevOps team has spun up instances outside of your infrastructure that you have no idea of, but they have exported SSL certificates or TLS certificates that are pinned to those services? Wouldn’t you want to know about that?”
“Maybe it’s legitimate, maybe it’s not—but it’s massively important for the CISO to know that,” summarizes David.
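As an added illustration of the check David describes (example code, not Team Cymru’s tooling), here is a minimal Python version: given passively observed hostname/IP/certificate records and the address space the organization knows it owns, it flags hosts that carry the organization’s domain on a name or certificate yet resolve outside that known space. The domain, network, and observations are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Address space the organization knows it owns (constructed example values).
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
ORG_DOMAIN = "example.com"  # constructed organization domain


@dataclass
class Observation:
    """One passively observed hostname -> IP mapping and the TLS certificate seen there."""
    hostname: str
    ip: str
    cert_sans: tuple  # subject alternative names on the presented certificate
    source: str       # constructed label for the collection method


# Constructed observations standing in for a passive DNS / certificate feed.
OBSERVATIONS = [
    Observation("www.example.com", "198.51.100.10", ("www.example.com",), "pdns"),
    Observation("ci-runner.example.com", "203.0.113.57", ("*.example.com",), "pdns"),
    Observation("cdn-prod.example.net", "203.0.113.58",
                ("api.example.com", "cdn-prod.example.net"), "cert-scan"),
    Observation("partner.example.org", "192.0.2.9", ("partner.example.org",), "pdns"),
]


def belongs_to_org(name: str, domain: str = ORG_DOMAIN) -> bool:
    """True if a hostname or SAN (wildcards included) falls under the org's domain."""
    name = name.lower().lstrip("*.")  # "*.example.com" -> "example.com"
    return name == domain or name.endswith("." + domain)


def in_known_space(ip: str) -> bool:
    """True if the address sits inside a network the organization already tracks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def find_shadow_assets(observations) -> list:
    """Return observations where the org's domain appears on a host outside known space."""
    findings = []
    for obs in observations:
        names = (obs.hostname, *obs.cert_sans)
        if any(belongs_to_org(n) for n in names) and not in_known_space(obs.ip):
            findings.append(obs)
    return findings


if __name__ == "__main__":
    for f in find_shadow_assets(OBSERVATIONS):
        print(f"REVIEW: {f.hostname} at {f.ip} ({f.source}) carries {ORG_DOMAIN} outside known space")
```

Each flagged record is a question for the asset owner, not a verdict: a DevOps instance can be perfectly legitimate, but it should be in the inventory before it is assumed to be.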
To hear this podcast episode with David Monnier all the way through, click here.
How does attack surface management connect with patch management? This blog post covers the topic: How Does Attack Surface Management Connect with Patch Management?