Randori named leader in Attack Surface Management in GigaOm ASM Radar Report

June 15, 2022

Bridging the Gap: Expectations vs. Reality on Your Attack Surface

By: Keegan Henckel-Miller

Share on facebook
Share on twitter
Share on linkedin

Enterprise organizations are expanding their IT environments at an extraordinary rate. This growth however, comes with a heavy price to security leaders now tasked with an ever growing external attack surface.  Almost every firm today is likely to host a growing visibility gap. The internet-facing IT assets individuals and teams within firms generate, and the amount defenders know about, tend to be two different numbers. With the volume of unknown assets soaring, this gap is a major security issue. 

Every internet-connected asset your organization owns or relies upon could be compromised by threat actors. As a simple rule, if an IT asset used by your business talks to the internet, it’s part of your external attack surface. This includes everything from SaaS surfaces and cloud instances to software applications and on-premise hardware appliances. 

To see where external attack surfaces begin and end, security leaders need to turn the floodlights back on. At a time when, according to a 2021 survey by Forrester, 92% of organizations experienced a cyber attack in the last 12 months, and 7 out of 10 organizations have been compromised as a result of an unknown asset, there isn’t any other choice. 

Unfortunately, a large part of the typical external attack surface is very well hidden. Working with hundreds of companies over the past 18 months, an average of 30% of the assets we discovered were unknown to the security teams tasked with securing them. For a typical organization, at least 1 in 3 internet-facing assets don’t officially exist. This is a huge problem. 

You Can’t Protect What You Don’t Know About

From new threats to buzzy solutions, it can be challenging to keep up with the cybersecurity landscape. But ever since cyber attacks became a thing around 30 years ago, one truth has remained: you can’t defend assets you don’t know about. A recent Palo Alto Networks study found that almost 75% of internet-connected devices in healthcare contain at least one exploitable vulnerability.

Attack surface visibility isn’t just a problem for the assets you can’t see. When 30% or more of your attack surface is outside your field of vision, securing the remaining two-thirds is harder. This is because hosting unknown and unmanaged assets means your security program is likely built on false assumptions. With a sizable chunk of your IT suite essentially invisible, the attack vectors you think you need to worry about might not be the ones you really need to focus on most. In this kind of situation, the information you get from pen tests and security audits will also be inaccurate. Ultimately, an obscure external attack surface will waste security investment and diminish security ROI. 

Meanwhile, your visibility problem gives threat actors a massive advantage. You might not be able to see all of your internet-connected network assets, but as they conduct reconnaissance on your organization, cybercriminals certainly will. Thanks to developments in modern malware, even minor breaches of unimportant endpoints can become major attacks. 

The iterative evolution of evasive techniques has turned malware like remote access trojans (RATs) into almost undetectable criminal tools. Meanwhile, privilege escalation remains an important focus point. In April this year, we saw a new privilege escalation tool, KrbRelayUp, revealed on Github. With these developments making lateral movement easier, the things you don’t know about are only getting more dangerous.

The Two Trends Making Visibility Worse

The fog surrounding external attack surfaces is getting murkier, but to find out what’s really making things worse, Randori surveyed over 400 IT decision-makers. Two key trends stand out.

The first is the decentralization of IT. Once upon a time, pretty much every IT application an organization used went through a centralized deployment process. Today, the polar opposite is true. From marketing teams to developers, almost anyone inside an organization can create IT assets autonomously. 

The other trend-making visibility worse is that security teams are out of the loop. The way IT professionals work inside an organization is changing fast, but security teams are still relying on traditional IT services as a source of truth. In a world where in a single day, an HR team can create a new domain with a third-party provider and an engineering team can misconfigure a Kubernetes deployment, this status quo leaves defenders two steps behind. 

What Organizations Are Doing to Bridge the Visibility Gap

In response to the growing visibility gap plaguing security leaders, organizations are taking a three-pronged approach to revitalizing their security strategy.  

First, to stop the bleeding, security teams are investing in solutions that give them a second point of view on their external attack surfaces. Attack surface management solutions like Randori are now the number one security hygiene investment for 2022 among enterprise security decision-makers. 

The concept of attack surface and asset inventory management is changing too. We are seeing more organizations re-orientate their technological solutions and their security teams towards continuous monitoring. Instead of a quarterly or annual activity, figuring out what’s putting corporate networks at risk is becoming a constant process. 

Finally, and perhaps most importantly, security is coming into the picture earlier. Rather than a bolt-on extra to initiatives started across other parts of the business, more firms are taking steps to involve security teams at the beginning of new initiatives and projects.

Click here to get started with a free attack surface assessment 

Gain an Attacker's Perspective

Uncover your true attack surface with the only ASM platform built by attackers. Stay one step ahead of cyber-criminals, hacktivists and nation-state attackers, by seeing your perimeter as they see it.