Last Updated on June 6, 2022
How do organizations manage today’s expanded attack surface? What assets should you monitor and what data should you gather? And which vulnerabilities out of potentially thousands are critical to remediate based on real-world conditions?
The concept of attack surface management has given rise to multiple SaaS tools, but each embodies a different view of now to identify and address vulnerabilities.
To explain his company’s comprehensive vision for how to implement attack surface management, a recent episode of The Virtual CISO Podcast features Michelangelo Sidagni, CTO at NopSec. Hosting the show is Pivot Point Security CISO and Managing Partner, John Verry.
Data collection and analysis
NopSec calls itself the leader in risk-based vulnerability management. The focus of its solution is on identifying the exposures that create the most actual risk. Its five core functions are IT asset discovery, vulnerability prioritization, automated remediation, kill chain simulation and progress measurement.
Rather than replace tools that are currently performing some or all of those functions in your environment, NopSec ingests their data.
Michelangelo explains: “Basically, we have a machine learning algorithm that takes all these pieces together, with the help of more than 30 threat intelligence feeds, to calculate the probability that a certain vulnerability will be exploited in a direct attack or through malware—even though it is not used in malware or in target attacks today. This is one piece.”
“The other piece that completes the attack surface management is we take what are basically environmental factors, such as network segmentation, as well as other compensating controls; the user, for example, or the EDR or antivirus. We join them with vulnerabilities and misconfigurations to calculate allowed attack paths,” adds Michelangelo. “It’s an algorithm that takes the risk of the vulnerability being exploited, as well as all the environmental factors, and calculates the theoretical attack path that an attacker can take to actually exploit successfully the vulnerabilities in the path. And we prioritize those vulnerabilities, for obvious reasons.”
An intelligence engine
As John observes, NopSec is an intelligence engine that sits on top of other data sources, analogous to a SIEM consuming log data but on a broader scale. NopSec also enriches this data through additional threat information, along with consolidating and normalizing it—and ultimately making it actionable.
Rather than running multiple tools and trying to manually consolidate their output to draw conclusions from it, NopSec automates the process through integrations, AI and ML.
Eliminating manual effort
Even large enterprises with sophisticated security programs face an uphill battle to identify the most critical vulnerabilities to remediate, let alone accomplish the fixes and benchmark their risk reduction impact.
Michelangelo depicts: “Today, basically their manual process, it looks like this: They take the vulnerability data from Qualys, from the hundreds of thousands of great vulnerabilities found by this great tool, or Tenable, or Rapid7. Then they download it into a spreadsheet. Then, basically, they associate it with the value of the asset—which is all manual—which is gathered through some other source. Then they try, through their various sources of threat intelligence, to prioritize which ones should be fixed first, as opposed to fixing them 100%.”
Why not use the Common Vulnerability Scoring System (CVSS) scoring to measure what’s actually exploitable?
“Of all the CVEs published, only about 0.7% or 0.8% are actively exploited at any given time in the world,” notes Michelangelo. “So, even if the CVSS score is a 10, only 0.8% of those [are being exploited].
Conversely, a medium rated vulnerability that might never be considered for patching could be a favorite for hackers and ripe for exploitation.
This illustrates why teams need help prioritizing what vulnerabilities to focus on.
When teams have hundreds of vulnerabilities reported, they tend to focus on the critical or high rated CVEs and accept the rest. But depending on how robust their security controls are, they could be missing major issues while investing significant effort fixing vulns no attacker could ever exploit in their environment.
“What’s the point to try to fix everything?” asks Michelangelo. “For organizations, even the large ones, it’s an operational strain. It’s unattainable. And it’s also a whack-a-mole.”
To hear this cutting-edge show with Michelangelo Sidagni in its entirety, click here.
What’s the relationship between attack surface management and supply chain risk? This blog post covers the topic: How Attack Surface Management Can Help Reduce Supply Chain Security Risks