8.2.18 – Security – Tim Woods
In the simplest terms, the “attack surface” is the sum total of resources exposed to exploit within your enterprise. Defending the attack surface was a lot less complicated when a defined corporate “perimeter” existed, neatly separating a company’s assets from the outside world.
But next-gen technologies (e.g., cloud computing and software-defined networking) have dissolved the perimeter, causing the attack surface to grow exponentially. The Internet of Things (IoT) is a good example of how the window of opportunity for cybercriminals has been blown wide open. Any device connected to the internet can now be the target of a cyberattack.
In this era of complex infrastructures and sophisticated malware, we must stay laser-focused on reducing the attack surface to limit the opportunities available to cybercriminals. Here are five ways to do so.
1. Eliminate Complexity
One of the most impactful ways to reduce the attack surface is by eliminating unnecessary complexity, which can creep into the best of networks over time. Complexity is often the result of poor policy management or incomplete information during rule creation, which can lead to:
- Technical policy mistakes (e.g., duplicate or redundant rules)
- Unused rules that have become stagnant and no longer serve a valid purpose
- Overly permissive rule definitions that allow access well beyond what is necessary to meet business needs
Unnecessary complexity elevates the possibility of human error and risk, underscoring the importance of simplicity in security infrastructures and policy management.
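To make the three symptoms above concrete, here is an added example (not code from the original article or from FireMon's product) that audits a constructed rule base for redundant, shadowed, unused and overly permissive rules. It assumes first-match semantics and a per-rule hit counter taken from the firewall's logs; every rule name, address and hit count is made up.

```python
"""Firewall policy hygiene checks for the three complexity symptoms:
redundant/shadowed rules, unused rules, and overly permissive rules.

Added example over a constructed rule base; not FireMon's product logic.
Assumes first-match semantics (the first rule that matches a packet wins).
"""
from dataclasses import dataclass
import ipaddress

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str          # "tcp", "udp" or "any"
    ports: tuple        # inclusive (low, high) destination port range
    action: str         # "allow" or "deny"
    hits_last_90d: int  # match counter from the firewall's logs (constructed)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return src_ok and dst_ok and proto_ok and ports_ok


def wildcard_count(rule: Rule) -> int:
    """Number of match fields left wide open (source, destination, protocol, ports)."""
    return sum([
        ipaddress.ip_network(rule.src).prefixlen == 0,
        ipaddress.ip_network(rule.dst).prefixlen == 0,
        rule.proto == "any",
        rule.ports == ANY_PORTS,
    ])


def audit(rules, permissive_threshold=2):
    """Return findings keyed by symptom.

    redundant:  a later rule fully covered by an earlier rule with the same action
    shadowed:   a later rule fully covered by an earlier rule with the opposite
                action (it can never fire, which usually means a mistake)
    unused:     zero hits in the review window and not already explained above
    overly_permissive: an allow rule with too many wildcarded fields
    """
    findings = {"redundant": [], "shadowed": [], "unused": [], "overly_permissive": []}
    explained = set()
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings[kind].append((rule.name, earlier.name))
                explained.add(rule.name)
                break
        if rule.action == "allow" and wildcard_count(rule) >= permissive_threshold:
            findings["overly_permissive"].append(rule.name)
    for rule in rules:
        if rule.hits_last_90d == 0 and rule.name not in explained:
            findings["unused"].append(rule.name)
    return findings


# Constructed sample policy (names, addresses and hit counts are made up).
SAMPLE_POLICY = [
    Rule("web-in", "0.0.0.0/0", "10.0.1.0/24", "tcp", (443, 443), "allow", 120000),
    Rule("db-from-web", "10.0.1.0/24", "10.0.2.0/24", "tcp", (3306, 3306), "allow", 5000),
    Rule("legacy-ftp", "10.0.0.0/8", "10.0.3.5/32", "tcp", (21, 21), "allow", 0),
    Rule("temp-any", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORTS, "allow", 300),
    Rule("block-db-from-guest", "10.0.9.0/24", "10.0.2.0/24", "tcp", (3306, 3306), "deny", 0),
    Rule("web-in-dup", "198.51.100.0/24", "10.0.1.10/32", "tcp", (443, 443), "allow", 0),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORTS, "deny", 0),
]

if __name__ == "__main__":
    for symptom, items in audit(SAMPLE_POLICY).items():
        print(f"{symptom}: {items}")
```

Shadowed rules are the finding to triage first: a deny that can never fire, like `block-db-from-guest` above, means the restriction the policy owner intended is not actually in force. Zero-hit rules that are already explained by a shadow or a duplicate are not repeated under `unused`, so each defect is reported once.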
2. Visualize Your Vulnerabilities
Vulnerability scanners give a severity score to a specific asset, application or host, but the score is incomplete without showing how an attacker could reach the weak spots. Visualizing vulnerabilities by creating a real-time model of what could happen in the context of network movement can provide this missing context. There are three methods that can greatly assist with this:
- Attack surface modeling – Creates a real-world model of the attack surface using: 1) network assets (the prime targets for cybercriminals); 2) network topologies, which show the potential paths to a vulnerable asset; and 3) policies, which dictate what access is permitted.
- Attack simulation – Reveals the ways attackers could traverse the network and exploit vulnerabilities.
- Patch simulation – Pairs with network policy to identify which patches could have the greatest impact on security (i.e., helps focus efforts on reducing the greatest amount of risk in the most efficient way possible).
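As an added illustration of the three methods (not code from the article or from FireMon), the following script builds a small attack-surface model from constructed assets, a zone topology and an allow-list policy, runs an attack simulation from an internet foothold, and ranks candidate patches by how much exposed asset value each one removes. Hosts, zones, values, policy lines and the `VULN-*` identifiers are all constructed placeholders. The same model also shows what removing one broad rule does to reachability, which is the segmentation point the article makes in step 4.

```python
"""Attack-surface model with attack simulation and patch simulation.

Added example over a constructed five-host network; it is not FireMon's
product logic. Asset names, zones, values, policy lines and the vulnerability
ids ("VULN-*") are all constructed placeholders.
"""
from collections import deque

# Assets: each host sits in a zone, has a business value, and exposes services.
# A service maps a port to a constructed vulnerability id, or None when no
# known exploitable weakness is present on that service.
ASSETS = {
    "web1": {"zone": "dmz",  "value": 3,  "services": {443: "VULN-WEB"}},
    "web2": {"zone": "dmz",  "value": 3,  "services": {443: None}},
    "app1": {"zone": "app",  "value": 5,  "services": {8080: "VULN-APP"}},
    "db1":  {"zone": "data", "value": 10, "services": {3306: "VULN-DB"}},
    "jump": {"zone": "mgmt", "value": 4,  "services": {22: "VULN-SSH"}},
}

# Policy: (source zone, destination zone, destination port) tuples that are allowed.
POLICY = {
    ("internet", "dmz", 443),
    ("dmz", "app", 8080),
    ("app", "data", 3306),
    ("dmz", "data", 3306),   # overly broad: web tier may talk straight to the database
    ("corp", "mgmt", 22),    # jump host reachable only from the corporate zone
}


def simulate_attack(assets, policy, patched=frozenset(), start_zone="internet"):
    """Attack simulation: breadth-first search over zones.

    The attacker starts with a foothold in `start_zone`. Any asset with an
    unpatched vulnerable service that policy allows from a controlled zone is
    compromised, and its zone becomes a new source for lateral movement.
    Returns {asset: (from_zone, port, vuln)} describing the path used.
    """
    compromised = {}
    controlled = {start_zone}
    queue = deque([start_zone])
    while queue:
        zone = queue.popleft()
        for name, asset in assets.items():
            if name in compromised:
                continue
            for port, vuln in asset["services"].items():
                if vuln is None or vuln in patched:
                    continue
                if (zone, asset["zone"], port) in policy:
                    compromised[name] = (zone, port, vuln)
                    if asset["zone"] not in controlled:
                        controlled.add(asset["zone"])
                        queue.append(asset["zone"])
                    break
    return compromised


def exposed_value(assets, compromised):
    """Sum of the business value of compromised assets."""
    return sum(assets[name]["value"] for name in compromised)


def rank_patches(assets, policy):
    """Patch simulation: re-run the attack with each vulnerability patched and
    rank by how much exposed value the patch removes (highest first)."""
    baseline = exposed_value(assets, simulate_attack(assets, policy))
    vulns = {v for a in assets.values() for v in a["services"].values() if v}
    ranked = []
    for vuln in sorted(vulns):
        after = exposed_value(assets, simulate_attack(assets, policy, patched={vuln}))
        ranked.append((vuln, baseline - after))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for name, (zone, port, vuln) in simulate_attack(ASSETS, POLICY).items():
        print(f"{name} compromised from {zone} via port {port} ({vuln})")
    for vuln, reduction in rank_patches(ASSETS, POLICY):
        print(f"patch {vuln}: removes {reduction} units of exposed value")
```

Patch simulation ranks `VULN-SSH` last even though the jump host might carry a high scanner score, because no policy lets a compromised zone reach port 22 on it; reachability in the context of policy, not severity alone, decides priority. Dropping the broad `dmz -> data` rule and patching `VULN-APP` leaves the database unreachable from the internet, which is the kind of result the model is meant to surface.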
3. Control Your Endpoints
The first step to reducing the impact of endpoints on the attack surface is gaining visibility into what’s happening on them. Independent process monitors keep all endpoints under constant surveillance and provide alerts when endpoint behaviors deviate from the norm. Monitoring network connections (to see how endpoints are relating to the network at large) as well as user behavior (to quickly identify modified behavior on the endpoint) is also critical for timely threat detection and response.
The second step is being able to control what the endpoints can actually do, and network policy is the most effective way to accomplish this. Policies draw a virtual perimeter around each endpoint to ensure that communication with the rest of the network conforms to security intent. When security drifts or when there’s abnormal endpoint behavior, adaptive policy kicks in to protect the network from any destructive spread.
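The two steps above, visibility then control, can be shown together in one small script. It is an added example, not the article's or FireMon's code: it learns a per-endpoint baseline of process lineage, users and remote ports from a window of constructed telemetry, then raises an alert for any later event that deviates from that baseline or that an (also constructed) per-endpoint outbound-port policy does not permit. Hostnames, process names and ports are all made up.

```python
"""Endpoint baselining, deviation alerts, and per-endpoint policy checks.

Added example over constructed telemetry; not a FireMon feature. Every
hostname, process name, user and port below is made up.
Event tuple: (host, process, parent_process, user, remote_port_or_None)
"""
from collections import defaultdict

# Constructed learning window: activity observed during a known-good period.
BASELINE_WINDOW = [
    ("ws-101", "outlook.exe", "explorer.exe", "alice", 443),
    ("ws-101", "chrome.exe", "explorer.exe", "alice", 443),
    ("ws-101", "teams.exe", "explorer.exe", "alice", 443),
    ("srv-db1", "mysqld", "systemd", "mysql", None),
    ("srv-db1", "sshd", "systemd", "root", None),
]

# Constructed per-endpoint policy: which outbound ports each endpoint may use.
ENDPOINT_POLICY = {
    "ws-101": {443},
    "srv-db1": set(),   # the database server should initiate no outbound connections
}

# Constructed events from a later observation window.
NEW_EVENTS = [
    ("ws-101", "chrome.exe", "explorer.exe", "alice", 443),       # normal
    ("ws-101", "powershell.exe", "winword.exe", "alice", 8443),   # new lineage, new port
    ("srv-db1", "mysqld", "systemd", "mysql", None),              # normal
    ("srv-db1", "curl", "mysqld", "mysql", 80),                   # db process spawning a client
    ("ws-101", "outlook.exe", "explorer.exe", "bob", 443),        # new user on this endpoint
]


def build_baseline(events):
    """Visibility: per-host sets of (process, parent) pairs, users and remote ports."""
    baseline = defaultdict(lambda: {"procs": set(), "users": set(), "ports": set()})
    for host, proc, parent, user, port in events:
        entry = baseline[host]
        entry["procs"].add((proc, parent))
        entry["users"].add(user)
        if port is not None:
            entry["ports"].add(port)
    return baseline


def detect(baseline, policy, events):
    """Return (host, process, [reasons]) for each event that deviates from the
    baseline or violates the endpoint's outbound-port policy."""
    alerts = []
    for host, proc, parent, user, port in events:
        reasons = []
        entry = baseline.get(host)
        if entry is None:
            reasons.append("unknown endpoint")
        else:
            if (proc, parent) not in entry["procs"]:
                reasons.append(f"new process lineage {parent} -> {proc}")
            if user not in entry["users"]:
                reasons.append(f"new user {user}")
            if port is not None and port not in entry["ports"]:
                reasons.append(f"new remote port {port}")
        # Control: the policy check fires regardless of what the baseline learned.
        if port is not None and port not in policy.get(host, set()):
            reasons.append(f"port {port} not permitted by endpoint policy")
        if reasons:
            alerts.append((host, proc, reasons))
    return alerts


if __name__ == "__main__":
    for host, proc, reasons in detect(build_baseline(BASELINE_WINDOW), ENDPOINT_POLICY, NEW_EVENTS):
        print(f"{host}: {proc}: {'; '.join(reasons)}")
```

The policy check is deliberately separate from the baseline check: a baseline is only as good as its learning window, and activity present on an endpoint when the baseline was taken becomes "normal". Building baselines from a known-good period and refreshing them deliberately, rather than letting them drift, keeps the visibility step honest, while the policy line is what actually constrains the endpoint.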
4. Segment Your Network
You may already have perimeters around your network to protect the whole system, but segmenting your networks still makes a whole lot of sense, as it helps to reduce the attack surface by increasing the number of barriers an attacker encounters when attempting to travel through the network.
In a microsegmented world, we are able to drive security controls down to a single machine, partition, workload or application. Network segmentation not only helps to reduce the sum total of exploitable assets, but it also helps minimize dwell time (the time cybercriminals spend undetected on networks) by effectively putting “quicksand” in attackers’ paths to stop them in their tracks.
5. Prioritize Analytics
The final measure to reduce the attack surface is analysis. Security configuration assessments, traffic flow analysis and quantitative risk scores are three common methods of analysis that can be extremely effective in reducing the attack surface – and they’re methods you’re likely already using within your organization.
Building New “Perimeters”
While we cannot change the incentives and resources that give rise to cyberattacks, we can limit the opportunities available to cybercriminals. Following the five steps outlined above can help you create new network “perimeters” for today’s next-gen architectures designed to keep the bad guys on the outside looking in.
Tim Woods brings more than 20 years of leadership experience to his role as VP of Technology Alliances at FireMon, where he has global responsibility for the sales engineering organization. Tim’s “lead, follow or get out of the way” philosophy helped him grow his career from a systems engineer to leading a team of 20 engineers. As a leader, his passion is educating his engineers and clients on new and emerging technologies.