
CISOs strategies to address a growing attack surface

CISOs strategies to address a growing attack surface

In this Help Net Security interview, Rickard Carlsson, CEO of Detectify, discusses the evolution of attack surface management in the context of remote work and digital transformation.

Carlsson highlights the challenges facing CISOs today, including maintaining visibility and managing compliance in a growing attack surface, all while managing limited resources and increasing business demands.

With the shift to remote work and digital transformation, how has the traditional concept of attack surface management evolved? What are the biggest challenges for CISOs today compared to a few years ago?

Companies should start forgetting the old perimeter-based approach to security. There is virtually no difference between office work and remote work. There is no inside and outside, just outside. What needs to be secured now is a growing, dynamic and sprawling mess of endpoints, cloud services and third-party applications that create an external attack surface.

It’s no wonder that CISOs today face many challenges related to expanding the attack surface. They constantly struggle to maintain transparency, keep up with modern (and rapidly evolving) technical changes and new attack vectors, and stay on top of a growing wave of compliance and regulation (like NIS2, DORA or the Cyber Resilience Act in Europe). Additionally, they must manage everything with limited resources and increasing pressure to deliver business value.

Traditional attack surface management often requires help with incomplete and outdated inventories. What strategies and tools should companies use to ensure comprehensive and up-to-date asset inventories?

There is a growing trend for companies to use multiple cloud providers, expanding and decentralizing their attack surface. Assets that are not continuously mapped and evaluated make it much easier for digital compromises and domain-related vulnerabilities (such as subdomain takeovers or server misconfigurations) in unknown assets to go unnoticed. Manual inventories are typically either outdated or incomplete and rarely reflect the current state of the attack surface.

Attackers are aware that there is always a weak link. Therefore, the best strategy is to immediately detect and closely monitor changes to all internet-connected assets. Automatic and continuous scanning helps your team see what has changed on the attack surface beyond vulnerabilities and issues and whether that change poses a risk, even if it’s just an IP, port or cloud provider. The best tools also empower security teams by allowing them to set their own policies to define what changes should be considered a risk.
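As an added illustration of the change-detection-plus-policy approach described above (example code written for this page, not Detectify's or the interviewee's), the script below diffs two constructed snapshots of an external asset inventory and lets a team-defined policy decide which changes count as risk. All hostnames, IPs, providers and the dangling-CNAME entry are constructed sample data.

```python
# Constructed snapshots of an external asset inventory (hypothetical hosts);
# each entry records resolved IP, open ports, hosting provider and any CNAME.
PREVIOUS = {
    "www.example.test":  {"ip": "203.0.113.10", "ports": {443}, "cloud": "aws", "cname": None},
    "shop.example.test": {"ip": "203.0.113.11", "ports": {443}, "cloud": "aws", "cname": None},
}
CURRENT = {
    "www.example.test":  {"ip": "203.0.113.10", "ports": {443, 8080}, "cloud": "aws", "cname": None},
    "shop.example.test": {"ip": "203.0.113.11", "ports": {443}, "cloud": "gcp", "cname": None},
    # CNAME whose target no longer resolves: the dangling-record case behind subdomain takeover
    "old.example.test":  {"ip": None, "ports": set(), "cloud": None, "cname": "retired.hosting.test"},
}

def diff_inventory(prev, cur):
    """Return every change as an (asset, kind, detail) tuple, regardless of risk."""
    events = []
    for asset in sorted(cur.keys() - prev.keys()):
        events.append((asset, "new_asset", cur[asset]))
    for asset in sorted(prev.keys() - cur.keys()):
        events.append((asset, "removed_asset", prev[asset]))
    for asset in sorted(prev.keys() & cur.keys()):
        p, c = prev[asset], cur[asset]
        events += [(asset, "port_opened", port) for port in sorted(c["ports"] - p["ports"])]
        events += [(asset, "port_closed", port) for port in sorted(p["ports"] - c["ports"])]
        for field in ("ip", "cloud", "cname"):
            if p[field] != c[field]:
                events.append((asset, field + "_changed", (p[field], c[field])))
    return events

def default_policy(asset, kind, detail):
    """Team-defined rules: map a change to a severity, or None when it is not a risk."""
    if kind == "port_opened" and detail not in (80, 443):
        return "high"                      # unexpected service exposed to the internet
    if kind == "new_asset" and detail["cname"] and detail["ip"] is None:
        return "high"                      # dangling CNAME: follow up before someone claims the target
    if kind in ("new_asset", "cloud_changed", "ip_changed"):
        return "medium"                    # unknown asset or provider/IP drift: needs review
    return None                            # port closed, asset removed, etc.: not a risk

def assess(prev, cur, policy=default_policy):
    """Run the diff and keep only the changes the policy rates as a risk."""
    flagged = []
    for asset, kind, detail in diff_inventory(prev, cur):
        severity = policy(asset, kind, detail)
        if severity:
            flagged.append({"asset": asset, "change": kind, "detail": detail, "severity": severity})
    return flagged

if __name__ == "__main__":
    for finding in assess(PREVIOUS, CURRENT):
        print(finding)
```

Swapping in a different `policy` callable is how a team expresses its own view of which changes matter, which is the point the answer makes about configurable risk definitions.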

How important are real-time monitoring and automation? How can CISOs use these tools to reduce manual effort and improve security outcomes?

I would recommend CISOs to look for tools that can actually help their team do their job in the most impactful way, ranging from streamlining attack surface detection (with real-time continuous asset mapping) to achieving the most accurate and efficient rigorous assessments (this cannot be emphasized enough) and finally, the seamless integration of the results into existing workflows for quick remediation and reduced manual effort. When teams can’t trust their results and have to look for false positives, incredibly valuable time that could be spent addressing real risks or generating business value is wasted.

What metrics should CISOs focus on to measure the effectiveness of their attack surface management strategies?

Effectiveness is not measured by the total number of vulnerabilities fixed. It’s unrealistic and inefficient to pretend that security teams have to fix every vulnerability that comes their way, especially considering that many CVEs in many organizations’ systems have no associated attack path.

CISOs should define their risk based on their individual business context and focus on addressing the incidents and breaches that actually matter to their organization. It can also be useful and insightful to look at the detection and resolution time of these relevant issues. Assessing whether efforts are keeping pace with compliance requirements, along with audit results, is also a good indicator of the effectiveness of an attack surface management strategy and tools.

With many organizations relying on third-party providers and cloud service providers, the question becomes: How can CISOs manage and mitigate the risks associated with third-party partnerships and the increased attack surface that comes with them?

CISOs are painfully aware that digitalization efforts and modern tech stacks mean hybrid cloud and heavy reliance on third-party providers, making the task of creating a complete picture of the attack surface very daunting. To mitigate these risks, they should look for tools that provide automated and real-time visibility as well as the ability to manage issues across assets hosted on multiple cloud providers. Some level of exposure is always guaranteed, but it is up to the CISO to determine which risk is too high a risk. The acceptable risk always varies depending on the industry and digital maturity level.