
Managing Exposure and Understanding Your Vulnerabilities

Read the full article for key points from a recent talk on exposure management by Andy Hornegold, Intruder’s VP of Product. If you’d like to hear Andy’s insights first-hand, watch Intruder’s on-demand webinar. To learn more about reducing your attack surface, reach out to their team today.

Attack surface management vs exposure management

Attack surface management (ASM) is the ongoing process of discovering and identifying assets that can be seen by an attacker on the internet, showing where security gaps exist, where they can be used to perform an attack, and where defenses are strong enough to repel an attack. If there’s something on the internet that can be exploited by an attacker, it typically falls under the realm of attack surface management.

Exposure management takes this a step further to include data assets, user identities, and cloud account configuration. It can be summarized as the set of processes that allow organizations to continually and consistently evaluate the visibility, accessibility, and vulnerability of their digital assets.

The continuous journey of managing threats

Continuous management is key for a number of reasons. Your business, your attack surface and the threat landscape are not static; they are constantly changing and evolving. New vulnerabilities are disclosed hourly, new exploits for old vulnerabilities are publicly released, and threat actors are updating their techniques continuously. Additionally, new systems and services are often exposed to the internet, and if you are running CI/CD processes, your applications are frequently updated, which could create exploitable security gaps.

Moving beyond CVEs

More and more, vulnerability management is being seen through a narrow lens of vulnerabilities that have CVEs. Intruder’s team disagrees with this approach, and believes that if there is a weakness in your attack surface, it is a vulnerability regardless of whether it has a CVE associated or not.

So, unlike the narrow approach to vulnerability management, exposure management takes in the entire vista – including misconfigurations and potential weaknesses that don’t have an associated CVE. Take SQL injection, for example. It doesn’t have a CVE but it’s still a vulnerability in your application that could lead to serious consequences if exploited. Additionally, having Windows Remote Desktop exposed to the internet doesn’t have an associated CVE, but it introduces risk that an attacker can attempt to exploit. Ultimately, exposure management provides a common name for how we perceive and manage these threats.

Prioritizing vulnerabilities: the need for context

Currently, most vulnerability scanners provide a list of vulnerabilities, each as a standalone data point. For example, they might report: ‘System X has vulnerability Y; you should go fix it.’ However, when dealing with large numbers of vulnerabilities, this information alone isn’t enough.

Effective prioritization requires more context to ensure that your team’s limited resources are focused on issues that will truly make a difference. For instance, it’s crucial to understand which assets support your critical business functions, which vulnerabilities can be chained together to impact critical business functions, and where an attacker could potentially enter your network if these assets were exploited.

This approach transforms the management of vulnerabilities from siloed and isolated tasks into a cohesive strategy, providing the context needed to determine not only if a vulnerability should be fixed, but also when.

Much like meditation helps filter out the daily bombardment of thoughts and distractions, Intruder’s approach to exposure management aims to sift through the noise to focus on the issues that matter most.
