Beyond vulnerability scanning: Enhancing attack surface management for more proactive security

December 21, 2022

Why Your SOC Needs Attack Surface Management 

By: Randori Blog


Keeping track of network-connected assets in fast-moving IT environments is a significant challenge for every security operation center (SOC). 

SOCs are the air traffic control towers of corporate IT. They turn chaotic and inherently insecure IT environments into safer places and prevent minor incidents from turning into total disasters.

Just like in the aviation world, a SOC’s ability to reduce risk depends on it being able to see what’s going on within its area of responsibility. If a SOC cannot spot malicious activity or investigate threats, the organization’s ability to stop threats and maintain operations will fail. 

This kind of high-stakes environment would be familiar to anyone working in a control tower at a major airport. However, the level of visibility that SOCs accept would shock them. 

If an airport’s air traffic controller room could not see 20% of its local airspace, it would close runways immediately. If a SOC is aware of 80% of the assets connected to the organization’s network, it is doing comparatively well.

Only 30% of IT decision-makers are confident they can see more than 85% of their endpoints.

Unknown assets pack an outsized punch when it comes to breach risk. Last year, almost three-quarters of cyberattack victims were compromised due to a vulnerability in an endpoint or other asset they did not know about. 

This lack of visibility would be unacceptable in any other critically important operation. It should not be accepted by SOCs either.  

Cloud Migrations Have Pushed Asset Management to the Brink

The rise of infrastructure as a service (IaaS) has sped up asset deployment and made it difficult for SOCs to keep track of what’s really connected to their networks.

For as long as IT has been at the heart of business operations, asset management has been challenging. Factors like personnel and organizational changes have always meant that some assets never turn up on registers.

Asset management has always been challenging, but what has changed in the last few years is that IT has become decentralized.

91% of organizations have moved some or all of what they do into public and hybrid cloud environments. 

IaaS has upended the traditional model of asset deployment, and development cycles are now a fraction of what they used to be. This is great for business flexibility but creates significant security issues. Asset deployment often happens outside the scope of what SOCs and security teams know about.

According to a Gitlab survey from 2021:

  • 20% of developers say they are releasing code 10 times faster than before.
  • Almost half (42%) of developers agree that security testing now happens later in the development process than needed.

Digital transformation trends like moving to the cloud and remote and hybrid working have also empowered DevOps teams to deploy new technologies such as artificial intelligence and machine learning. 

Unfortunately, in these kinds of environments, security often lapses. In Red Hat's 2022 State of Kubernetes Security report, 93% of respondents reported they had recently experienced a security incident in their Kubernetes environments.

The advent of DevSecOps shows promise. But security is still a secondary concern to speed in most cloud-forward organizations. 

The reality is that for most organizations, moving to the cloud has happened too fast. As a result, security teams are playing catch-up when it comes to keeping an accurate inventory of their assets. 

Traditional Asset Management Strategies No Longer Work

Asset management challenges make it harder for SOCs to do their jobs.

However an organization defines or operates its SOC, its effectiveness depends on how much visibility it has into its attack surface.

For example, a core SOC capability is being able to tie malicious activity back to specific user IDs and IP addresses. If an in-house or managed SOC cannot confidently do this, the organization won’t be able to reliably investigate security incidents or validate the effectiveness of its security controls. 

Even mature SOCs with established configuration management databases (CMDBs) still struggle to determine what endpoints they actually have. Due to factors like shadow IT, even an up-to-date CMDB is likely to miss around 20% of endpoints.

Security teams often try to use the telemetry from their security tool stacks to spot these gaps. This method creates its own blind spot: endpoint tools only report on assets that already have an agent installed, so they can only confirm what is already managed. The unknown, unmanaged assets that carry the most risk generate no telemetry at all and never show up. 

Meanwhile, threat actors are actively looking for internet-facing assets with vulnerabilities that SOCs don’t know about.

The best way to stop attackers is to get to unknown and vulnerable assets before they do and go on the offensive. 

ASM Is Now an Essential Tool for Asset Management

Attack Surface Management (ASM) helps SOCs find and secure vulnerable known and unknown assets.

When they practice ASM, security teams go on the offensive. Instead of waiting for an unknown asset to be compromised, ASM uses the same techniques that hackers do to let security professionals strike first. 

Attack surface management means finding and fixing attack vectors before threat actors exploit them. Teams conduct ASM with various tools and processes, such as Continuous Automated Red Teaming. Their goal is to discover, test, and remediate network-connected assets.

ASM tools like Randori Recon allow organizations to discover and prioritize the large number of unknown, internet-facing assets that belong to them but are missing from their inventories. This process is especially valuable for organizations that use cloud-hosted assets and have dynamic IT processes.
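The reconciliation step behind the two points above (that endpoint telemetry can only confirm managed assets, and that external discovery finds the unmanaged ones) can be shown in a few lines. The following is an added example, not Randori's code or any product's algorithm: it compares three constructed views of a hypothetical estate (a CMDB, a day of endpoint telemetry, and attacker-style external discovery results) and reports the gaps between them. The hostnames, IPs and services are constructed sample data, and the service risk weights are an illustrative heuristic, not a published scoring scheme.

```python
"""Reconcile three views of an estate: CMDB, endpoint telemetry, external discovery.

Added example (not Randori's code). All hostnames, IPs, owners and services are
constructed sample data; SERVICE_RISK is an illustrative heuristic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One internet-facing service observed by external discovery."""
    host: str
    ip: str
    port: int
    service: str


# View 1: the CMDB, what the organization believes it owns (hostname -> owner).
CMDB = {
    "www.example.com": "web-team",
    "vpn.example.com": "netops",
    "mail.example.com": "it-ops",
    "hr-portal.example.com": "hr-apps",
    "build.example.com": "platform",
}

# View 2: hosts that sent endpoint (EDR) telemetry in the last 24h. Only hosts
# that already have an agent appear here, so this view can never reveal an
# unmanaged asset; it only confirms what is already managed.
EDR_TELEMETRY = {
    "www.example.com",
    "vpn.example.com",
    "mail.example.com",
    "build.example.com",
    "build-agent-03.example.com",  # agented, but nobody registered it
}

# View 3: what an attacker-style scan of the organization's ranges and domains
# sees (constructed results).
DISCOVERED = [
    Exposure("www.example.com", "203.0.113.10", 443, "https"),
    Exposure("vpn.example.com", "203.0.113.11", 443, "https"),
    Exposure("mail.example.com", "203.0.113.12", 25, "smtp"),
    Exposure("hr-portal.example.com", "203.0.113.13", 443, "https"),
    Exposure("dev-k8s-api.example.com", "203.0.113.40", 6443, "kubernetes-api"),
    Exposure("staging-old.example.com", "203.0.113.41", 3389, "rdp"),
    Exposure("staging-old.example.com", "203.0.113.41", 22, "ssh"),
    Exposure("marketing-wp.example.com", "198.51.100.7", 80, "http"),
]

# Illustrative heuristic: remote-admin and control-plane services exposed to
# the internet get looked at before plain web or mail.
SERVICE_RISK = {
    "rdp": 10, "kubernetes-api": 9, "smb": 9, "telnet": 9,
    "ssh": 6, "http": 4, "smtp": 3, "https": 2,
}


def reconcile(cmdb, edr, discovered):
    """Compare the three views and return the gaps between them."""
    known = set(cmdb)
    seen_externally = {e.host for e in discovered}
    everything = known | edr | seen_externally
    return {
        # Internet-facing and absent from the CMDB: the unknown assets.
        "unknown_external": sorted(seen_externally - known),
        # In the CMDB but sending no telemetry: the SOC cannot investigate these.
        "known_unmonitored": sorted(known - edr),
        # Reporting telemetry but missing from the CMDB: the inventory is stale.
        "monitored_unregistered": sorted(edr - known),
        # Share of every observed asset that the CMDB actually knows about.
        "cmdb_coverage": round(len(known) / len(everything), 3),
    }


def prioritize(discovered, unknown_hosts):
    """Rank unknown hosts by the riskiest service each exposes, highest first."""
    scores = {}
    for e in discovered:
        if e.host in unknown_hosts:
            scores[e.host] = max(scores.get(e.host, 0), SERVICE_RISK.get(e.service, 5))
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    gaps = reconcile(CMDB, EDR_TELEMETRY, DISCOVERED)
    for name, hosts in gaps.items():
        print(f"{name}: {hosts}")
    print("fix first:", prioritize(DISCOVERED, set(gaps["unknown_external"])))
```

On this sample the CMDB covers only 5 of the 9 assets actually observed, the telemetry view misses the HR portal entirely, and the three hosts nobody registered are exactly the ones exposing RDP, a Kubernetes API and an unmanaged web server. Swapping the constructed lists for real exports (CMDB dump, EDR device list, external scan or ASM results) turns the same set arithmetic into a recurring coverage check.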

Bringing ASM Benefits to Your SOC

However, finding out what assets exist is only half the battle. With Randori, security teams get more than a list of what is on their network: they also receive prioritized recommendations on which assets to fix first. 

This capability allows security teams to go on the offensive and give their SOCs a deep understanding of their attack surface.

Get a demo of Randori’s ASM toolkit to see how ASM can help your SOC manage its asset inventories.
