Increasing Your IQ Around Attack Surface Reduction

Your Attack Surface Problem Is Really an Asset Management Problem

Greg Toto

By Greg Toto, VP, Product 04.22.2019

LINKEDIN

The foundation of effective security is knowing what you need to protect. Without a full inventory of your Internet-connected assets, you don’t have a clear picture of your attack surface. And that means you can’t identify and remediate exposures. While many organizations today may think they understand their attack surface, the truth is that they don’t because of a fundamental breakdown in asset management and governance.

Asset management is a well-understood and mature practice among IT and security teams. In the past, you could periodically review internal hardware and software assets to understand what belonged to your company and the attack surface you needed to protect. But digital transformation and the increased velocity and consequence of Internet-originated attacks requires that organizations rethink asset management processes.

Challenges with the current approach include:

  1. It doesn’t include digital artifacts such as certificates, IP addresses, domains, etc. These assets do not fit the classic description of a “technology asset” and exist outside of traditional asset governance processes. But they are nonetheless business-critical and have a lifecycle just like hardware and software assets do.
  2. It doesn’t account for the speed at which an asset can be found and exploited. In the past, a periodic inventory of your assets may have been enough to know what you needed to protect. But now, machine-speed attacks can exploit exposures in minutes rather than days or weeks.
  3. It doesn’t recognize the vast explosion of publicly exposed assets that are reachable by potentially malicious actors. If you don’t have a current and accurate view of all of your assets, you can’t identify and remediate exposures before an attacker gets to them. Leaving unsecured assets exposed to the public Internet is like leaving your open backpack on the sidewalk.  
  4. It can’t adapt to the speed at which your network and Internet-facing attack surface can change. There is simply no way to manually track your Internet-facing assets given how frequently assets change across your attack surface.

The rise of cloud and the democratization of IT are two key trends that have complicated these challenges. To reduce costs and boost agility, line-of-business and end users have embraced cloud solutions. Organizations are responsible for a range of digital assets beyond hardware and software. And as IT has become less centralized, it’s become more challenging for IT and security teams to inventory assets. In our work with Fortune 500 companies, we’ve seen a range of ways unknown assets can come onto your network or be publicly exposed, including:

  • Weak governance around cloud and IoT
  • Mergers, acquisitions, and divestitures
  • Failures in manual processes
  • Subsidiaries and franchises
  • Supply chain organizations

How to Solve Your Asset Inventory Problem

A root cause of successful perimeter breaches and ransomware attacks is the lack of a comprehensive, current inventory of assets that make up an organization’s attack surface. A decentralized model by which assets can come on the network requires an automated, continuous process to discover, assess, and manage those assets. To protect your organization, you need to:

  1. Develop a complete, continuously updated inventory of all the Internet-facing assets that belong to your organization. This includes all of your on-prem, Internet-connected assets as well as infrastructure and assets across cloud providers.
  2. Continuously discover unknown assets and bring them under management.
  3. Develop processes and SLAs to drive the deviation between what is known and unknown to zero, and to ensure all assets are well-configured.
  4. Continuously monitor assets for indicators of compromise and unusual behavior to prioritize high-risk and high-impact problems (this helps to deliver the highest business value even with scarce resources).

Only by doing this can you know what you need to secure, and then secure it.


At Expanse, we collect petabytes of active and passive information about every device and service on the public Internet to help organizations protect their assets in a way no other security service can match. Our products Expander and Behavior can help you tackle all four of the steps we’ve outlined above to protect your organization and reduce your network’s attack surface. You can click here to receive a free sample report and see what we can find on your network today.