Some people start with the sports section. My morning routine starts with security news. I scan my alerts and various feeds to see if anything catches my attention. A recent article in CSO online is one of those—not because our co-founder and CISO, Misha Govshteyn, is quoted in it—but because the headline had the words “attack surface” and “allocate funds,” not something you see in security headlines often. After reading it, I wrote down the questions organizations should start asking.
- Do you know the business value of your applications?
- Do you know how your applications are used and accessed?
- Do you know what is in place to protect your applications?
- Who is the ultimate business owner of each of these applications?
Traditional attack surface analysis starts with the examination of network interactions at the physical, software, and network layers and often tails off from there. A different approach starts with identifying critical assets (typically an application or data store) and mapping how they can be accessed (points of entry) and used (by applications and by authenticated and unauthenticated users). This is a good time to categorize the data as confidential, sensitive, or regulated, which also matters for compliance needs. This categorization helps ensure that the level of protection and access control you apply is proportionate to the sensitivity of the application or data you want to protect.
The mixed use of cloud services (SaaS and IaaS) makes attack surface analysis harder. We can no longer draw a circle around ‘our stuff’ as a strategy for building a defense. A better approach is to identify your high-value applications, map their accessibility, and overlay your existing security and monitoring measures to determine where you have gaps or weaknesses. For example, you might have a public-facing application server that IoT devices connect to. That server is configured with endpoint protection and IDS, but nothing inspects the Layer-7 traffic between the server and the devices. As a result, you have a gap in your visibility into application-level attacks.
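To make the asset-first approach concrete, here is a small Python model of that inventory and gap check, added as an illustration rather than taken from the article or any vendor tool. The asset names, owners, control names and the baseline rules in `required_controls` are constructed assumptions; the only inherited detail is the public-facing IoT server with endpoint protection and IDS but no Layer-7 inspection.

```python
from dataclasses import dataclass, field

# Constructed model: each critical asset has an owner, a data class and entry points.
@dataclass
class EntryPoint:
    name: str
    exposure: str          # "public" or "internal"
    authenticated: bool    # does the path require authentication?
    controls: set = field(default_factory=set)   # controls actually deployed

@dataclass
class Asset:
    name: str
    owner: str             # the ultimate business owner
    business_value: str    # "high", "medium" or "low"
    data_class: str        # "public", "sensitive", "confidential", "regulated"
    entry_points: list = field(default_factory=list)

def required_controls(asset: Asset, ep: EntryPoint) -> set:
    """Baseline proportionate to exposure, auth and data class (illustrative)."""
    req = {"endpoint_protection", "logging"}
    if ep.exposure == "public":
        req |= {"ids", "layer7_inspection"}   # inspect the application traffic
        if not ep.authenticated:
            req.add("rate_limiting")
    if asset.data_class in ("confidential", "regulated"):
        req |= {"encryption_in_transit", "access_control"}
    if asset.data_class == "regulated":
        req.add("audit_logging")
    return req

def find_gaps(assets: list) -> list:
    rank = {"high": 0, "medium": 1, "low": 2}   # high-value assets surface first
    gaps = []
    for a in assets:
        for ep in a.entry_points:
            missing = sorted(required_controls(a, ep) - ep.controls)
            if missing:
                gaps.append((rank[a.business_value], a.name, ep.name, missing))
    return [g[1:] for g in sorted(gaps)]   # (asset, entry point, missing controls)

# Constructed sample: the article's public-facing IoT server (endpoint protection
# and IDS, no Layer-7 inspection) beside a fully covered internal path.
INVENTORY = [
    Asset("IoT telemetry service", "VP Operations", "high", "sensitive", [
        EntryPoint("device ingest API", "public", True, {"endpoint_protection", "ids", "logging"})]),
    Asset("Customer records DB", "Head of Billing", "high", "regulated", [
        EntryPoint("internal reporting app", "internal", True, {"endpoint_protection", "logging",
                   "encryption_in_transit", "access_control", "audit_logging"})]),
]
```

Running `find_gaps(INVENTORY)` reports only the IoT ingest path, missing `layer7_inspection`; the regulated database path passes because its deployed controls already match the stricter baseline.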
Identifying specific examples like this is valuable when it comes time to produce a business case for CISOs responsible for acquiring and allocating funds. If you are responsible for security planning within your organization, or are struggling to find funds for current plans, I think you might find the article interesting.