"For anyone focused on identifying and reducing attack surface quickly, Randori should be on your shortlist."

4 Takeaways from the SANS Attack Surface Management Conference

Keegan Henckel-Miller

Yesterday, Randori and SANS came together to host the first Attack Surface Management Virtual Conference. Over 1,000 people joined some of the industry’s foremost experts for a discussion of the biggest topics in security today, from cyberwar to zero-days. But the theme of the day was undoubtedly resilience.

This was the first conference specifically dedicated to defending modern attack surfaces, and it promised a frank and open discussion of “the things that actually work in cyber.” It did not disappoint. The sessions gave a rich overview of this emerging space and the problems teams can solve with proper attack surface management, and offered a solid mix of thought leadership and actionable advice for anyone looking to purchase or integrate an ASM platform into their security program.

Here are my four major takeaways from yesterday’s event.

1. We Need to Defend Forward

The event opened with a keynote by Former NSA/CSS Deputy Chief, Rear Admiral (Retired) Dan MacDonnell, and Randori Co-Founder & CTO David Wolpoff entitled Defending Forward in Today’s Exposed World. The talk focused on what the private sector can learn from the military’s “Defend Forward” approach, and, coming 24 hours after the FBI announced a major proactive operation to disrupt activity related to the Microsoft Exchange breach, the topic could not have been more timely.

Right out of the gate, Rear Admiral (Retired) MacDonnell hit home that cyberspace is only going to become more chaotic: the number of connected devices and the economic incentives for bad actors are simply too strong. His message was that teams need to step outside the firewall and take a more proactive role in testing their defenses. We have to defend forward.

Cyberspace continues to become more chaotic. It’s accelerating at a crazy pace. I would say it’s hot and getting hotter, and that’s because the bad guys are now operating continuously in cyberspace. They’re increasing in numbers because, frankly, the costs to do so are so low. It’s easy to get into cyberspace and there is a huge potential reward with relatively low risk.

The idea of being able to secure everything is no longer viable. Sharing examples from both of their careers, the duo stressed that new approaches, such as attack surface management, are needed if organizations are to take more deliberate steps to reduce their real-world risk.

We need to focus on what’s important. Being proactive to me means that we’re not just sitting looking from the inside out and saying, “Oh, we have everything covered.” It’s about making a shift from being reactionary to aggressively acting to identify risks and gaps and issues before they occur. It’s about improving the odds that we’re taking care of the right stuff in the right order; it’s about shifting our focus from security to resiliency. That’s Defending Forward.

Quoting General Eisenhower, “plans are worthless, but planning is everything,” Rear Admiral (Retired) MacDonnell stressed the importance of war gaming and of authentically understanding your adversary.

A defend forward strategy is about stepping outside of your networks so that you can understand how the bad guys operate when they’re engaging with your network. And I think part of this is making sure you’re putting yourself in their shoes, doing it from their perspective, their culture, through their lens.

Wolpoff, known as “Moose,” shared his perspective as an attacker and touched on where he sees organizations falling short and how attack surface management can help teams adopt a defend forward approach.

I have always thought about defenders as building castles. And I like stonework. I like a good, beautiful cathedral. A great castle is an awesome thing to look at on a wall, but it’s really hard once you’re in that castle to get outside of the castle and to think about how you look from the outside. How differently an attacker might see you and use that to come at you in ways that you didn’t anticipate when building the castle. And having that perspective, which is what attack surface management solutions like Randori bring, is a critical thing. Particularly as we stop trying to defend every asset and instead try to collaborate and coordinate across an organization – not just inside security but all the way to the executive – to identify the defensive structures that you need to keep the business running.  – David Wolpoff, Co-Founder & CTO, Randori

2. It’s All About Attackability

“What I really want to talk about today is how attackers see the world differently,” said Randori Principal Research Scientist Aaron Portnoy in one of the day’s most fascinating sessions. 

“Attackers see things a lot differently than defenders, and differently than vulnerability scanners see things. Attackers have a unique mental skill: gaining a rapid understanding of an unknown system… Defenders too often come to the table with a limited view or preconceived notions about a given target or system.”

I think Aaron summed it up best when he said that vulnerability scanners ask “what’s vulnerable?” while attackers ask “what’s possible?”

“Attackers are thinking about the known unknowns. The preconceived notions that the defenders are bringing cloud their ability to calculate the known unknowns… So we’re going to go through in this talk and demonstrate the different ways in which attackers are going to see your systems and your networks differently, and how you can use that to improve your defenses.”

This hits a key theme of the conference: attack surface management helps security teams understand not just what’s vulnerable but “what’s possible” by exposing the attacker’s perspective. Unlike asset management or vulnerability management tools, that perspective lets ASM provide a better measure of an organization’s real-world risk.

As a specific example, Aaron walked attendees through the contextual information he considers, as an attacker, when sizing up a target: information that traditional vulnerability management programs miss or never consider at all.

Bringing it home, he broke down how we provide this perspective at Randori by assessing the attackability of a target rather than only its vulnerabilities. Attackability, a measure of how likely a target is to be successfully attacked, goes beyond detecting vulnerabilities and weighs a broader set of factors, such as post-exploit potential and applicability to other systems, that enter an attacker’s calculus of which assets to go after first. In the Randori platform we call this Target Temptation. Backed by a world-class team of researchers, we believe this approach more accurately reflects the relative risk a specific asset on your perimeter poses than traditional risk-based vulnerability management assessments, which lack this context.

3. Operationalization Is The Key 

Later in the day, Air Canada’s Kyle Howson and SANS’s Pierre Lidome grounded the conversation, sharing examples and recommendations on how their organizations use ASM and the capabilities they believe will make or break a deployment. A key theme in both sessions was operationalization and automation.

Everyone in the security world is burnt out right now, in part because the number of assets they are responsible for protecting and the volume of threats they face are both exploding. ASM helps by giving organizations a better way to prioritize the issues on their attack surface.

“I need to be able to quantify my exposure and know which of my systems are affected,” said Pierre Lidome, author of the SANS Guide to Evaluating Attack Surface Management. “ASM allows me to very quickly get an inventory of my exposed systems and narrow down to those which an attacker will find tempting.”

Both speakers stressed that attack surface management can help teams combat alert fatigue and focus on the issues that matter most, but they were emphatic that, to be effective, an ASM solution has to be integrated into a process the team can run every day in a sustainable and repeatable way.

“We can’t monitor everything all the time. This is where operationalization comes in. When it comes to our attack surface at Air Canada, we believe we can’t protect what we don’t know about,” said Air Canada’s Kyle Howson. “This includes shadow IT, process failures, and patching failures. For example, since we’re all working at home during COVID, processes may have changed. Things are now working differently than we thought they were. If I don’t know what’s there, I don’t get the logs; I don’t have my EDR on it. We needed to move from a threat-based model to a model that uses the attacker’s perspective and allows us to say, ‘Okay, this asset is low risk and may not necessarily need to be patched, but this one is highly tempting and we need to move and see quick changes.’”

For example, Kyle walked through how Air Canada combines Randori, Anomali and its LogicHub SOAR platform to prioritize work on external assets that are tempting to the external threat actors Air Canada is tracking.

Offering guidance to those who may just be beginning their ASM journey, Lidome outlined the key requirements of ASM and the capabilities he recommends organizations look for when evaluating ASM solutions.

Key Requirements of Attack Surface Management

  • Automated Discovery: An advanced algorithm capable of building a map of assets with minimal input and limited false positives.
  • Risk-Based Management: Create and maintain a risk score for each asset that combines the ASM provider’s external threat assessment with user-provided information on relative business value, impact and remediation status. 
  • Continuous Monitoring: The ability to detect change by frequently scanning the attack surface. When an asset is removed, the ASM solution should maintain the information in the database for historical purposes.

Key Capabilities of Attack Surface Management Solutions:

  • Alerting: Ability to monitor and alert on changes via email or an API.
  • Enterprise Management: ASM solutions should include basic enterprise management capabilities that enable large teams and organizations to operationalize the solution.
  • Interoperability & Integrations: Supports third-party integrations and custom development using a provided bi-directional API.
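To make the requirements above concrete, here is a small Python model of what an ASM inventory has to do, written as an added illustration for this summary; it is not Randori’s, SANS’s or Air Canada’s code. It diffs two scans and alerts on new, changed and removed assets (continuous monitoring and alerting), keeps retired assets in the inventory for history, scores each live asset by combining external attacker-side signals of the kind discussed under Target Temptation (exposure, post-exploit potential, applicability) with user-supplied business value and remediation status, and ranks assets that match a tracked actor’s targeting first, the way a SOAR playbook fed by threat intel might. Every host name, score weight and intel entry is constructed for the example.

```python
"""
Toy attack-surface inventory (added illustration, not Randori's code):
diff two scans, keep retired assets for history, score live assets by
external attacker-side signals combined with the user's business context,
emit change alerts, and rank tracked-actor matches first.
All hosts, weights and intel entries below are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Asset:
    host: str
    service: str                 # e.g. "vpn", "web", "rdp"
    version: str
    exposure: float              # 0..1: how reachable and weak it looks from outside
    post_exploit: float          # 0..1: what an attacker gains after compromising it
    applicability: float         # 0..1: is the same tech used elsewhere in the org?
    business_value: float = 0.5  # user-supplied; unknown assets start at 0.5
    remediated: bool = False     # user-supplied remediation status
    first_seen: str = ""
    last_seen: str = ""
    retired_on: Optional[str] = None  # set when a scan no longer sees the asset


def temptation(a: Asset) -> float:
    """External assessment only. The weights are assumptions for illustration."""
    return round(0.4 * a.exposure + 0.35 * a.post_exploit + 0.25 * a.applicability, 3)


def risk_score(a: Asset) -> float:
    """Combine the external assessment with the user-provided context."""
    if a.remediated:
        return 0.0
    return round(temptation(a) * (0.5 + a.business_value), 3)


def reconcile(inventory: Dict[str, Asset], scan: List[Asset], scan_id: str) -> List[Tuple[str, str]]:
    """Apply one scan to the inventory and return (event, asset_key) alerts.
    New assets are added, changed ones updated, vanished ones marked retired
    but kept for history. User-supplied fields on known assets are preserved."""
    alerts: List[Tuple[str, str]] = []
    seen: Set[str] = set()
    for obs in scan:
        key = f"{obs.host}:{obs.service}"
        seen.add(key)
        cur = inventory.get(key)
        if cur is None:
            inventory[key] = replace(obs, first_seen=scan_id, last_seen=scan_id)
            alerts.append(("new", key))
            continue
        if cur.retired_on is not None:
            cur.retired_on = None
            alerts.append(("reappeared", key))
        if cur.version != obs.version:
            alerts.append(("changed", key))
        # Refresh the external signals; keep business_value/remediated as the user set them.
        cur.version, cur.exposure = obs.version, obs.exposure
        cur.post_exploit, cur.applicability = obs.post_exploit, obs.applicability
        cur.last_seen = scan_id
    for key, a in inventory.items():
        if key not in seen and a.retired_on is None:
            a.retired_on = scan_id
            alerts.append(("removed", key))
    return alerts


def prioritize(inventory: Dict[str, Asset], intel_targets: Set[str]) -> List[Tuple[str, str, float, bool]]:
    """Rank live assets: services matching the tracked actor's targeting first,
    then by risk score. This is the kind of rule a SOAR playbook would apply."""
    live = [a for a in inventory.values() if a.retired_on is None]
    rows = [(a.host, a.service, risk_score(a), a.service in intel_targets) for a in live]
    return sorted(rows, key=lambda r: (r[3], r[2]), reverse=True)


# Constructed sample data: two consecutive scans of a fictional perimeter.
PREVIOUS_SCAN = [
    Asset("vpn.example.com", "vpn", "9.1", 0.8, 0.9, 0.3, business_value=0.9),
    Asset("www.example.com", "web", "2.4", 0.5, 0.4, 0.6, business_value=0.6),
    Asset("dev-old.example.com", "rdp", "10.0", 0.9, 0.5, 0.7, business_value=0.2),
]
CURRENT_SCAN = [
    Asset("vpn.example.com", "vpn", "9.2", 0.8, 0.9, 0.3),      # version changed
    Asset("www.example.com", "web", "2.4", 0.5, 0.4, 0.6),      # unchanged
    Asset("staging.example.com", "web", "2.2", 0.7, 0.6, 0.6),  # newly exposed
]  # dev-old.example.com no longer answers
TRACKED_ACTOR_TARGETS = {"vpn"}  # constructed intel: the tracked actor goes after VPN edges


def run_demo():
    inventory: Dict[str, Asset] = {}
    reconcile(inventory, PREVIOUS_SCAN, "scan-1")
    alerts = reconcile(inventory, CURRENT_SCAN, "scan-2")
    return alerts, prioritize(inventory, TRACKED_ACTOR_TARGETS), inventory


if __name__ == "__main__":
    alerts, ranking, inv = run_demo()
    for event, key in alerts:
        print("ALERT", event, key)
    for host, svc, score, hot in ranking:
        print(f"{score:5.3f} {'*' if hot else ' '} {host} ({svc})")
    print("retired:", [k for k, a in inv.items() if a.retired_on])
```

Two details matter in practice: the inventory, not the scan, is the system of record, so business value and remediation status set by the user survive every rescan, and a retired asset is never deleted, only dated, so that a host that comes back (“reappeared”) can be told apart from one never seen before.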

4. Attack Surface Management Is Only The Beginning 

While the talks focused on the benefits and value of attack surface management, the theme of the day was undoubtedly resilience. That starts with a proactive, external view of your attack surface, but it was clear from the sessions that gaining external visibility, while essential, is only the beginning.

“Security is like fitness: it needs to be constantly maintained to work,” said Wolpoff. “If you’re looking for a silver bullet quick fix, it doesn’t exist. The only way to win this game is to get the blocking and tackling right.”

Compromises will happen. This point was stressed repeatedly by SAP CISO Richard Puckett, former Square CSO Window Snyder and Randori Co-Founder David “moose” Wolpoff during the Exchanging Zero Days panel moderated by Reuters’ Joseph Menn. All three agreed that a firm understanding of what’s exposed, good communication with the business, and testing your program’s ability to detect, respond and recover under real-world conditions are the foundations of a resilient security program.

“You probably can’t defend your network against a determined attacker on an infinite timeline because they can wait to be opportunistic,” admitted Window Snyder, former CSO of Square. “They can wait for one of those technologies that you depend on to have an identified vulnerability. They don’t even have to do the work. They can just wait, and eventually, you will be exposed. So the real question is now: how do you respond to that?”

SAP CISO Richard Puckett reiterated this point when stressing the importance of prioritization and a risk-based approach to investment:

“Know what’s most important because you can’t defend everything. At least not reasonably, so if you try you’ll end up defending nothing. If you can first come to the conclusion about what are the most crucial things, that’s where you ensure you have greater observability, greater service management and the right kind of bubble to make sure it’s safer, while perhaps the rest of the environment is maybe not as well protected.”

Offering the attacker’s perspective, moose stressed that building a resilient security program is ultimately not a question of technology alone, but of combining technology with the people and process that together can prevent, detect and respond in sane and effective ways.

“The things that have really been effective in stopping me as an adversary over the course of my career haven’t been some sort of cool new technology. In fact, I don’t think I’ve ever recommended a customer, and I don’t think Randori has ever recommended a customer, purchase some sort of new cool tech. The things that really make my life as an adversary, or kind of the Randori world, more difficult if you’re trying to break in are really blocking and tackling activities like strong visibility and logging, default-deny firewalls, network segmentation: things that we’ve talked about doing for a long time but never prioritized or had a good way to test.”

Stepping back, it’s clear from yesterday’s discussion that security is shifting to put greater focus on resiliency, and that attack surface management will be an essential component of that transition, but only the first of many steps we as an industry will need to take. Following yesterday’s event, I’m excited to watch as more organizations adopt defend forward approaches and begin to share their stories of how they are working towards a more secure, resilient future.

If you’d like to learn more about Attack Surface Management or how we can provide an attacker’s perspective of your business – sign up for a demo of Randori Recon today.