Why external vulnerability scanning is no longer sufficient on its own

As security practitioners, we have access to more tools to detect vulnerabilities and threats than ever before. Yet security incidents continue to occur at an alarming rate. So what are we doing wrong?

Security teams primarily have to focus on two types of vulnerabilities on their internet-facing assets:

  • Software with known vulnerabilities (which usually need to be patched)
  • Application-level vulnerabilities (which usually require better input sanitization or business-logic corrections)

Once upon a time, vulnerability scanning was a sufficient solution for managing network issues. But that was the network of yesterday.

Today, our environments look a lot different than they once did. Because of the way business and technology have evolved, there are many more threats to consider that go way beyond missing patches. To us, that means it’s time to make a major shift in the way we think about vulnerabilities and how we approach them.

In this piece, we’ll reflect on the changes that have led us to this point, and explore why today’s security teams need to think beyond vulnerability scanning.

Let’s start at the beginning.

The average network 20 years ago was primitive by today’s standards.

Travel back in time with us to about 20 years ago when vulnerability scanners were first introduced. Public access to the internet had just become commonplace, though it was still rudimentary by today’s standards, and more and more businesses were beginning to capitalize on that.

The network environment was brand new to everyone, and it was all made in-house. Many organizations hired developers to build their websites from the ground up. That process looked much different than it does today. Development was slow. There was no agile development or DevOps team yet. Email was the main form of communication with customers, and IT teams managed their own email servers.

The few components of the network sat on-premise, so you knew exactly what you had and everything was 100% under your control. This meant that you could have an effective security program by plugging a range of IP addresses into a vulnerability scanner and taking the data back to system admins to fix the issues.

So what happened over the years?

Over the years, security technology evolved to keep up with increased demands.

As technology advanced through the years, the environment became more complex. With each new evolution of the network, security teams had to keep up with increased demands. We bolted on shiny new scanners and other assessment tools to gain visibility into the environment. We adopted more efficient cloud-based scanners (of which Halo Security had one of the first). Things like Web Application Firewalls (WAFs) came about which enabled the development of mission-critical applications, in addition to Log Monitoring which allowed the consolidation of security information and events into a single pane of glass.

As we tacked on all of these new tools, we started feeling some growing pains. The big problem was that all the tools in our toolbox rarely communicated with one another, causing security teams to rely on a patchwork of data stitched together from multiple, single-purpose security tools. This made it extremely difficult, if not impossible, to determine what is happening across the entire attack surface.

Where are we today?

With the explosion in online growth, external networks have totally transformed and the attack surface has greatly expanded.

Today, we’re in a whole new ball game. Customers have extremely high expectations and businesses must meet them if they hope to stay competitive. This has led many mature organizations to undergo a complete digital transformation and virtually every business has moved its infrastructure into the cloud.

With this explosion in online growth, external networks have totally transformed and the attack surface has greatly expanded. Networks and applications now use so many assets and resources that it’s extremely difficult for organizations to keep track of them.

Along with the changes in what our infrastructure now consists of and where it exists, we’ve seen a complete shift in the way technology is delivered and deployed. The agile development process allows businesses to see value as quickly as possible. Ideas that used to take weeks or months to become a finished product can now be created in a matter of minutes or hours.

But even with these advances, there is such a vast number of tools that are essential to business that it’s no longer cost-efficient or feasible to develop them all in-house. Instead, most businesses now outsource things like their blog platform, help desk, live chat, CRM, email services, and even the website platform.

And because many of these tools have been designed to be used by anyone, you now have different business units involved in deploying new technologies. For example, the marketing team may add JavaScript to the website that helps measure the success of their campaigns without needing to go through the IT team.

Why is this a problem?

Networks and applications now use so many assets and resources that it’s extremely difficult for organizations to keep track of risks.

While there are many benefits to the advanced technologies we have access to today, they don’t come without their drawbacks. To put it simply, having more assets means you also have more attack paths that can attract adversaries.

And without a solution to keep a close watch on these assets across the organization, over the years many teams have seen new services get layered on while legacy solutions were forgotten about and abandoned. And therein lies the problem. Today’s security teams have inherited this accumulated security debt without even knowing about it. Meanwhile, today’s attackers are utilizing sophisticated automated reconnaissance tools to find and compromise the forgotten assets that have the weakest defenses.

These attackers don’t care how or where they get in. They care about finding the path of least resistance, and they’re constantly on the lookout for it. Take last year's T-Mobile attack, for example. The attacker compromised the sensitive data of over 50 million T-Mobile customers by gaining access to an insecure router and then using brute force attacks to make his way into other IT servers.

And that’s just the tip of the iceberg when it comes to the new ways attackers can compromise your business, or your users and their data. Today, there are many new levels of attack and different threat vectors that go beyond CVEs in the national vulnerability database including:

  • Subdomain takeover
  • Session hijacking
  • Script weaponization
  • Zero-day vulnerabilities
  • Group misconfigurations
  • Role misconfigurations

What needs to be done?

With the emergence of these new threats, it’s clear that vulnerability scanning alone is not enough to keep organizations safe. Granted, it’s still an important part of every security program because you do need to be aware of CVEs, but vulnerability scanning is only useful for the assets you know about. So what can you do about the risks that you don’t know about?

Attack surface management is an emerging methodology that can help you get full visibility into your entire internet-facing environment and identify the assets that are most at risk, enabling security teams to remediate the issues before an attacker can exploit them.

This methodology is designed to mimic an attacker’s outside-in approach and begins with attack surface discovery – because you can’t protect what you don’t know about. After your assets have been brought into view, you need to get a complete understanding of their attributes and settings to identify any weak points that would be attractive to an attacker.

Once the risks have been remediated, the next step is to ensure that every asset has the appropriate security and monitoring tools installed, so that you can be aware when new issues arise. Vulnerability scanning is one of the pieces of that puzzle, but there are other important pieces as well like application scanning, compliance scanning, and penetration testing. To maintain good security hygiene, this entire process must be continuous and recursive.

How Halo Security can help

At Halo Security, we’ve made it our mission to help organizations take control of their attack surface by enabling them to see what an attacker sees. Our attack surface management platform provides a clear, comprehensive view of web security risks across all external-facing assets. Halo Security also prioritizes risk by the severity of the threat and ease of fix, allowing security teams to quickly remediate the most dangerous issues. And since we monitor your attack surface on a continuous basis, you can be confident that when issues arise, you’ll get alerted instantly.

Wrapping up

As the old saying goes, your chain is only as strong as its weakest link. With the way business and technology has evolved over the past 20 years, organizations now have hundreds of “links” in their chain. If even one of them doesn’t have strong security, an adversary has a potential opportunity to break into the network. Knowing this, it’s time to expand our external security beyond vulnerability scanning, and adopt solutions that allow us to continuously discover and monitor security blindspots.

If you'd like to see how Halo Security can help you expand your security program beyond vulnerability scanning, request a free trial of our attack surface management solution.