The business world at present looks dramatically different than it did 20 years ago. It’s even much different than it was 5-10 years ago. With the explosion in online growth and dependence on cloud assets, combined with a growing distributed workforce, businesses have vastly increased their attack surface.
To threat actors, a larger attack surface means more possible entryways to restricted data. This is why it has become so important for security teams to have a well-rounded attack surface management (ASM) program in place.
The concept of ASM as a security practice is still relatively new and often means different things to different organizations. There’s debate about what assets should be considered part of the attack surface, what assets warrant monitoring, and what assets are acceptable risks.
At Halo Security, it’s our belief that your attack surface management program can only be successful if you’re monitoring every website, hostname, and IP address that belongs to your company and is accessible from the internet. In this post, we’ll delve into the reasons why we think that, and share our recommendations for how to solve some of the common challenges organizations face with ASM.
Why your entire attack surface needs continuous monitoring
Without proper security monitoring, every internet-facing asset associated with your organization has the potential to become a gateway leading threat actors to your sensitive data. When assets aren’t monitored, they may undergo changes that make them susceptible to attack. Software versions may go out of date and not receive critical patches that fix vulnerabilities. Third-party resources may be decommissioned, leaving your sites vulnerable to subdomain takeover.
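The subdomain-takeover case above has a concrete, checkable precondition: a CNAME record whose target name no longer resolves because the third-party resource behind it was decommissioned. The following is an added example (not Halo Security's code) showing how a defender can sweep an exported DNS inventory for such dangling CNAMEs; the record text and the `fake_resolver` stand-in for DNS are constructed so it runs offline, and the hostnames are placeholders.

```python
import socket

# Constructed sample of exported DNS records (host, type, value); placeholder names, not real infrastructure.
SAMPLE_RECORDS = """\
www.example.com        A      203.0.113.10
promo2019.example.com  CNAME  retired-campaign.azurewebsites.net
shop.example.com       CNAME  shop-prod.example-cdn.net
blog.example.com       CNAME  pages.example-hosting.net
"""

# Constructed stand-in for DNS: names that still resolve. Anything else is treated as NXDOMAIN.
KNOWN_LIVE = {"shop-prod.example-cdn.net", "pages.example-hosting.net"}


def fake_resolver(name):
    """Assumed substitute for socket.gethostbyname so the example runs offline."""
    if name in KNOWN_LIVE:
        return "198.51.100.1"
    raise socket.gaierror(f"NXDOMAIN: {name}")


def parse_records(text):
    """Parse whitespace-separated 'host type value' lines; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0], parts[1].upper(), parts[2]))
    return records


def target_resolves(name, resolver):
    try:
        resolver(name)
        return True
    except (socket.gaierror, OSError):
        return False


def find_dangling_cnames(records, resolver=socket.gethostbyname):
    """Return (host, target) pairs whose CNAME target no longer resolves.
    A dangling CNAME is the precondition for subdomain takeover: if the target
    name is unclaimed at the provider, someone else may register it and serve
    content under your hostname. Only CNAME records are examined here."""
    return [(host, value) for host, rtype, value in records
            if rtype == "CNAME" and not target_resolves(value, resolver)]


if __name__ == "__main__":
    for host, target in find_dangling_cnames(parse_records(SAMPLE_RECORDS), fake_resolver):
        print(f"DANGLING: {host} -> {target}")
```

Run against a real zone export with the default resolver; any hit is a record to delete or re-point, not just to note. A target that still resolves can also be unclaimed at the provider, so this check is a first filter rather than proof of safety.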
On top of these unintentional events, you also now have many different stakeholders making changes to the attack surface in order to meet their business objectives. For example, marketing teams commonly create new websites for marketing campaigns and add new scripts to gain additional functionality. If these changes aren’t reported back to the security team and monitoring tools aren’t in place, they may not get the proper security defenses needed to deter a threat actor.
Threat actors know forgotten assets get left behind, and now have access to powerful tools that can help to quickly find them. These tools help attackers identify what we refer to as the path of least resistance, or the asset that’s easiest to compromise, because time is money, and they don’t want to do more work than necessary to breach your organization.
We hear of this happening to prominent organizations time and time again. In 2019, Starbucks was found vulnerable to cross-site scripting and session hijacking because of a forgotten subdomain that pointed to a non-existent Azure cloud resource. Just last year an attacker gained access to 50 million T-Mobile customer records via an insecure router. CVS also made headlines after a misconfigured cloud database left over 1 billion records exposed.
In the wake of these attacks, organizations suffer serious reputational damage, even when the fault lies with an outside entity. With the CVS data leak mentioned above, a third party was responsible for the misconfiguration, yet CVS was the company whose name made news headlines. And because of that, the public views CVS as the party responsible for the breach.
At the end of the day, your attack surface is only as strong as its weakest links. The best way to prevent threat actors from breaching your organization is to have a clear understanding of what those weak links are. And because the attack surface is forever evolving, continuous monitoring is essential to do that.
Common challenges with monitoring the entire attack surface (and Halo Security’s recommended solutions)
With all that said, we know implementing continuous monitoring of your attack surface can come with its fair share of challenges. Let’s explore some of the ways we’ve addressed those issues at Halo Security.
Too much data, not enough resources
Security teams are often under-resourced, so one common concern is that attack surface monitoring will just add to the security team’s long to-do list. While it’s true that you may find more issues that need to be addressed, Halo Security’s approach to attack surface management is designed to help organizations efficiently tackle risk reduction in a logical and straightforward manner. Our risk scoring system further highlights problems that actually matter so you spend fewer resources on weaknesses or vulnerabilities that don’t create as much risk.
Halo Security’s tagging system can also help you combat this challenge by organizing your attack surface data in a way that’s easier to digest. Tagging allows you to create custom groups of targets and get a risk score for each of those groups. This can help you see which areas of your organization need your attention most urgently.
Another thing to keep in mind when you’re managing a long list of action items is that the Halo Security team is always here to be an extension of your own. So whether you need help validating a vulnerability or just want a second set of eyes to look over your attack surface, don’t hesitate to reach out to us via your dashboard.
Alert fatigue is a very common challenge, especially when your team is managing multiple security tools. The good news about Halo Security is that we make it easy to customize the alerts you want to receive so your inbox won’t be flooded with emails. You can set alerts for specific tags, hosts, domains, and more. You can also refer to the Events section of the dashboard to see a comprehensive history of changes we’ve detected. Alternatively, you can use our Zapier integration to send alerts directly to your existing workflow management systems.
Third-party resources can’t be modified
We commonly see organizations making news headlines and suffering reputation damage when they experience a breach caused by a third-party resource, as in the case of the recent CVS data leak mentioned earlier.
If you discover a vulnerability in a third-party resource on your site, it could be time to rethink your relationship with that vendor. It doesn’t hurt to start by bringing the issue to their attention. If they don’t fix the issue, consider terminating their services and seeking a new vendor.
We know it can be difficult to expand your security resources when working with a limited budget. One potential way to save on costs associated with continuous monitoring (while simultaneously reducing your organization's risks) is by removing assets you don't need. So many organizations have forgotten legacy assets that are never taken offline. Removing these can save you headaches and money. If you are interested in Halo Security’s attack surface monitoring services, we’re happy to work with you to ensure that all your assets are monitored with a plan that fits your budget.
Don’t risk being caught off guard by leaving blind spots in your attack surface. Ensure you have a complete, up-to-date map of your entire attack surface by using continuous monitoring services. If you’d like to see how Halo Security can help you get the attacker’s perspective of your organization, schedule a demo with our team.
Editor's note (August 2022): This article was originally posted on the TrustedSite blog in June 2022. It has been updated for the Halo Security blog.