Last Updated on December 17, 2022
Most attack surface management solutions can only operate within the space of assets you already know you have. But what about all that “shadow IT” you don’t know you need to protect?
To talk about “digital business risk management” as the next level beyond traditional attack surface management, the latest episode of The Virtual CISO Podcast features David Monnier, Chief Evangelist and Fellow at Team Cymru.
What is Digital Business Risk Management?
The volume of data pertaining to the attack surface you already know about and all the risks associated with that can be overwhelming. So, how do you discover and deal with the potentially vast and vulnerable attack surface you haven’t yet discovered?
To give orgs a wider view of risks beyond what traditional attack surface management provides, Team Cymru developed the concept of digital business risk management. By integrating vulnerability management and threat insights with asset discovery capabilities, organizations can map their own digital assets, those of their partners and vendors, and beyond—giving you unrivaled context for your external digital assets.
“The things that show me something I didn’t know to know are truly the most valuable.”—David Monnier
When is a data breach not a data breach?
David points out that many companies (and CISOs) that have supposedly suffered a data breach technically have not. Instead, someone in the organization has typically stepped outside of policy and left vulnerable data assets “lying around” out in cyberspace with no controls on them, where they are discovered and exploited by cybercriminals.
In David’s view, this scenario doesn’t constitute a data breach because the company’s networks or controls weren’t actually breached. Now was the data exfiltrated. It was simply picked up from where it was unwisely deposited. An example would be a developer who exports a live database of customer data to an AWS S3 bucket that’s been given public access.
“I know some very bright folks who have gone through the wringer as if they were responsible for a breach that, I would argue, technically they were not.”—David Monnier
Ingesting cyber threat intelligence
Team Cymru is widely known for its cyber threat intelligence feeds, which are the foundation of many of its products and services. Many orgs consume this data as part of a service they purchase from a third party, such as a firewall vendor or SOC service provider.
For example, Team Cymru’s threat intelligence figures prominently in Microsoft’s Protection Center.
“If you’re in Azure, our intelligence is available; you can just click on it and add it to your capabilities,” says David.
Access to Team Cymru’s cutting-edge reputational intelligence and business intelligence data comes with their Pure Signal Orbit product, described as the world’s most comprehensive digital risk management platform. Combining attack surface management with vulnerability management and threat intelligence, Pure Signal Orbit offers deep visibility into external assets and risks along with AI-driven automation to help orgs prioritize the highest level threats against the most business-critical assets.
“If you’re in Azure, our intelligence is available; you can just click on it and add it to your capabilities.” —David Monnier
A new view of third-party risk
Supply chain risk management is increasingly important for US government agencies and their suppliers, as well as many other organizations. Team Cymru’s technology uniquely enables businesses to probe their vendor risk in real-time, whether as part of a continuous monitoring program or on an ad hoc basis. (Companies like big-box retailers with hundreds of thousands of suppliers may not want the burden of continuously monitoring all of them!)
This is a significantly different approach from traditional attack surface management tools that only look at what is directly accessible given basic data like domain names and IP address blocks.
Team Cymru, in contrast, can combine a range of automated discovery mechanisms with human analytical expertise to draw the boundaries of a client’s attack surface. Optionally including, for example, their critical vendors.
“A lot of people just get handed the keys and are told, ‘Type in your information and go.’ You could have done that with just Nessus.”—David Monnier
Turning malware detonations into network policy
David explains at a high level how Team Cymru’s unique threat intelligence tools work:
“We detonate 500,000 to 700,000 pieces of malware every day,” shares David. “At the time of detonation, we identify their signaling behaviors, both lookups as well as reach-outs. We monitor all that and then, once we find them in the world, we endeavor to participate.”
One way to “participate” is to make a bot client and see what it’s being told to do, such as exfiltrate data or join a DDoS attack. The next step is to convert that threat insight into applicable network policy for owners and operators worldwide so that they can filter more unwanted traffic.
Team Cymru is famous for freely sharing its threat data. After all, their founder, Rabbi Thomas, started the business to make the world a better place.
“If you can get all the bots off your network, that’s a big win.”—David Monnier
Ready to hear this podcast show with David Monnier? Click here.