Team Cymru is a leader in cyber threat intelligence, and its data feeds are available through a range of third-party tools and services from firewalls to cloud-based SOCs. Team Cymru’s threat intelligence is accessible through the Microsoft Azure Security Center, for example.
But what about Team Cymru’s own threat intelligence offerings? How do these add value beyond just making their feeds available for you to ingest?
To share a vision for more effective attack surface management (ASM), David Monnier, Chief Evangelist and Fellow at Team Cymru, joined a recent episode of The Virtual CISO Podcast features. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
The future of attack surface management
To deliver the most value from its threat data, Team Cymru recently created what it calls “the world’s most comprehensive digital risk management platform”: Pure Signal Orbit. Combining threat intelligence with attack surface management and vulnerability management features, Pure Signal Orbit offers dashboard-driven visibility into external assets and risks plus AI-based automation to help prioritize threats.
“We would describe it as a hybrid approach to traditional ASM, which we refer to as ASM 2.0,” says David. “We think if you’re ASM tool is only informed by what you’ve told it, that’s the hallmark of the old way to do attack surface management. If you’re tool isn’t showing you things you had no idea of, it’s probably a good indicator that you’re doing it the old way.”
Pure Signal Orbit will tell you things you didn’t know about. Like the CISO for a large US state, a Pure Signal Orbit pilot customer, who found out their attack surface was 380% bigger than they knew.
“They were surprised, to say the least,” relates David. “But it’s good that they know. Their previous ASM tool didn’t show them any of that. It showed them only what they knew to tell it, which was the networks they knew of.”
Discovering your true attack surface
How could a CISO not know about 75% of his org’ attack surface? And how does Pure Signal Orbit discover the rest?
David explains: “Think of [a US state] as a massively decentralized brick and mortar business. What ends up happening is one regional office is doing business one way, another office is doing business another way. And most of their interactions are determined by previously agreed upon specifications in the form of government forms. As long as the form is filled out in a certain way after that, typically the execution phase of the state’s business is determined by the local office. This state didn’t keep up with their device tracking.”
Team Cymru’s technology discovers previously unknown assets with a combination of humans and automation.
“We have threat intelligence analysts who typically have had experience either in law enforcement or the military,” David notes. “These folks are good at discovering assets—it’s what they do. Just as the bad guys can determine who owns what devices on the internet, good guys can use very similar methodologies and get very similar outcomes.”
When they onboard a new Pure Signal Orbit customer, Team Cymru starts with everything they know about their networks, domains, etc. Discovery starts from there, with a human being curating the search results.
What’s the bad news?
How much of a typical org’s attack surface remains undiscovered? Enough to raise eyebrows, if not send a shock wave.
According to David, “We’ve just been getting started, so we’re still discovering these stories. But so far that 380% has been the big one.”
To hear the entire episode with David Monnier from Team Cymru, click here.
Do you need an attack surface management solution? This blog post describes the core use cases: Top Scenarios for Implementing Attack Surface Management