
Hiding in Plain Sight:
Why You Need External Attack Surface Management in Your Vulnerability Management Strategy

Scanning is no longer enough.

07 November 2024

By Amber Mitchell

 

In the ever-evolving world of cyber security, one thing is certain: your security posture is never static. 

New vulnerabilities, exploits, and attack surfaces emerge daily, keeping security experts on their toes. While most organizations are vigilant about protecting obvious assets like servers, databases, applications, and user accounts, they often overlook their external attack surface — the blind spot that attackers love to exploit. 

Imagine shuttering all your windows but leaving your front door wide open; that's what it's like when external-facing vulnerabilities are ignored. Real-time defense against vulnerability creep is essential to stay ahead of the game.

You need to secure your external-facing assets

Despite the best change management policies and protocols, vulnerability creep is a huge problem. As teams build out services and test environments, they spin up shadow IT, and then forget about these assets once the project is complete. The result is a shocking number of web apps, live IP addresses, domains, certs, and APIs blatantly exposed across every organization. Because of this constant evolution, the size of the average attack surface fluctuates by over 10% a month.

Take web apps as just one example. CyCognito research has found that 70% of vulnerable web applications had severe security gaps, such as lacking WAF protection or encrypted connections (HTTPS in particular), while 25% lacked both. To put this in context, the typical enterprise has over 12,000 web apps, and at least 30% – over 3,000 assets – have at least one exploitable or high-risk vulnerability. 

As these external-facing assets age, they’re often forgotten and neglected, lacking updates and regular patching. This creates a convenient treasure trove of vulnerabilities just waiting for exploitation. But that’s not all. While forgetfulness and human error happen, the majority of perimeter-exposed products aren’t “secure by design,” according to the National Cyber Security Centre. 

Considering this wide-open landscape, it’s no surprise that Verizon's 2022 DBIR report mentioned that roughly 80% of cyber attacks have targeted external assets. Given the pace and volume of this threat surface creep, traditional vulnerability management falls short because it depends on being able to define the scope of your assets and identify what is exposed.

However, that’s exactly the problem: so many organizations are completely unaware of their risk because they lack an accurate inventory. Beyond the split between known and unknown assets, the same CyCognito report found that over half of the critical- and high-vulnerability assets are owned or managed outside of central IT: by subsidiaries, in remote branch offices, in separate business units, or as the result of mergers or acquisitions.

What is external attack surface management?

This is where external attack surface management (EASM) comes in. EASM is a cyber security practice that continually scans for and maps unknown internet-facing assets, identifies critical points of exposure, and offers prioritized steps towards risk mitigation. By autonomously scanning your entire external surface, this service identifies even those hidden assets you forgot about—the random open port, live IP address, or domain you were sure you’d closed down—and checks for vulnerabilities. 

With a clear and accurate inventory of assets, companies like NCC Group then work with your organization to assess the risks those vulnerabilities present, including the business context. A trusted security partner can help you prioritize those posing the greatest threat and build a remediation plan to address what matters most. 

 

You can’t protect what you can’t identify.

One customer with a ‘traditional’ Managed Vulnerability Scanning service in place that required them to define the scope had us scanning 70 external facing assets—the entire scope of external assets they had identified.

Our EASM managed service discovered nearly 5,000 assets, 500 of which were active IPs and web apps with active risks and vulnerabilities present and previously unidentified. Even more unsettling, the top three critical assets identified weren’t part of the 70 in the scope for the existing service—which means their actual external attack surface was over 70x larger than they thought, and they were completely overlooking the biggest risks.

 

Go beyond the Common Vulnerability Scoring System to prioritize and optimize response.

You might be wondering, “What about CVSS scoring? Doesn’t that identify my risks?” 

Unfortunately, the traditional CVSS doesn’t go nearly far enough. While it might identify potential risks, it doesn’t tell you what hackers are actively exploiting. For example, perhaps only 50% of your “critical” issues are actually exploitable by attackers, but this vital information is not captured in the CVSS score. That leaves your security teams chasing after potentially hundreds of issues that appear more urgent than they are. 

In other words, even though your back door may be unlocked, if thieves are more interested in the side window, spending lots of time and money double-bolting the back door may be a waste of resources.
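The two arguments above, that a declared scan scope misses discovered assets and that raw CVSS does not reflect what is actually being exploited, can be made concrete with a small ranking model. This is an added illustration, not NCC Group's or CyCognito's code; the hostnames, finding identifiers and weights are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    ident: str        # constructed placeholder identifier, not a real CVE
    cvss: float       # CVSS base score as a vulnerability scanner would report it
    exploited: bool   # True if an exploit-intelligence feed reports active exploitation

@dataclass
class Asset:
    host: str
    https: bool       # serves an encrypted connection
    waf: bool         # sits behind a web application firewall
    findings: list = field(default_factory=list)

def unknown_assets(declared_scope, discovered):
    """Hosts that discovery found but the declared scan scope never listed."""
    return sorted(a.host for a in discovered if a.host not in declared_scope)

def priority(asset, finding, declared_scope):
    """Score a finding beyond raw CVSS: weight in-the-wild exploitation,
    missing perimeter controls and inventory blind spots. Weights are
    illustrative assumptions, not a published scheme."""
    score, reasons = finding.cvss, []
    if finding.exploited:
        score += 3.0; reasons.append("actively exploited")
    if not asset.https:
        score += 1.0; reasons.append("no HTTPS")
    if not asset.waf:
        score += 1.0; reasons.append("no WAF")
    if asset.host not in declared_scope:
        score += 2.0; reasons.append("not in declared scope")
    return round(score, 1), reasons

def prioritized_findings(declared_scope, discovered):
    """All findings ordered by adjusted priority: (score, reasons, host, ident)."""
    rows = [(*priority(a, f, declared_scope), a.host, f.ident)
            for a in discovered for f in a.findings]
    return sorted(rows, key=lambda r: r[0], reverse=True)

# Constructed sample: the scope the customer declared vs. what discovery returned.
SCOPE = {"www.example.com", "vpn.example.com"}
DISCOVERED = [
    Asset("www.example.com", True, True, [Finding("FINDING-A", 9.8, False)]),
    Asset("vpn.example.com", True, True, [Finding("FINDING-B", 7.5, True)]),
    Asset("old-test.example.com", False, False, [Finding("FINDING-C", 7.2, True)]),
    Asset("api-dev.example.com", True, False, []),
]
```

Run on the sample, the "critical" 9.8 on an in-scope, protected host ranks last, while the 7.2 on a forgotten test host that is actively exploited and lacks HTTPS and a WAF ranks first.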

 


 

Amber Mitchell

Attack Surface Management (ASM) Senior Portfolio Manager, NCC Group

Amber holds a key role in helping customers navigate risk and vulnerability management challenges, offering a wide range of services to reduce their appetite for risk. With a strong background in IT and cyber security, she leverages her expertise to bridge the gap between technical capabilities, market requirements, and strategic opportunities to strengthen clients’ cyber security posture.

Identify, assess, prioritize, and remediate with NCC Group

External Attack Surface Management not only maps your external attack surface and potential points of entry but also identifies those assets with the highest appetite for risk. Global threat knowledge and cross-sector expertise help NCC Group to also track what is actively being exploited by hackers and therefore is the most important right now.

That means you can focus your remediation efforts on the highest priorities based on data-driven insights instead of hunches and speculation. This saves organizations tremendous amounts of time and money and helps them dedicate resources on mitigation activities that are a priority and have the greatest impact when reducing your appetite for risk.

 

Real-time protection posture visibility in a single dashboard

NCC Group’s new EASM solution, powered by CyCognito, provides the comprehensive discovery, consultant-led risk assessment, prioritization, and remediation planning you need to identify and mitigate risks across your external attack surface, even on the assets you don’t know about. We take the pain away from managing the service, allowing you to spend your valuable resources on mitigation activities as opposed to analysis and trudging through endless results.

Additionally, you’ll gain access to NCC Group’s integrated, unified cyber portal to provide an overview of your entire security posture. This enables a single pane of glass view of all results from all your NCC services. This rich data set gives our analysts a complete picture of your environment that, combined with their unmatched technical expertise and exploit intelligence, enables ongoing optimization based on how various vulnerabilities may affect your organization.

The result is valuable, real-time insight that you can turn into efficient, effective action to protect your external surface.

People-powered, tech-enabled EASM for all.

Contact us today to uncover the threats in your organization that may be hidden in plain sight.