Top 5 attack surface challenges related to security operations

According to newly published ESG research, just over half of all organizations (52%) say that security operations are more difficult today than they were two years ago. When asked why, 41% pointed to an evolving and dangerous threat landscape, 38% identified a growing and changing attack surface, 37% said that alert volume and complexity are driving this change, and 34% blamed growing use of public cloud computing services.

Now most of these challenges are déjà vu all over again, impacting security teams year after year. There is one exception, however: The growing attack surface. Certainly, the attack surface has been growing steadily since we all started using Mosaic browsers, but things really took off over the past few years. Blame Amazon, COVID, or digital transformation, but organizations are connecting IT systems to third parties, supporting remote workers, developing cloud-native applications, and using SaaS services in record numbers. When you take all these factors into consideration, enterprise organizations typically use tens of thousands of internet-facing assets.

Meeting the attack surface challenges

Yup, a growing attack surface is poised to upend the old security operations apple cart, but what affect is it really having? ESG asked 376 security professionals this very question. Survey respondents cited five challenges the growing attack surface presents.

• Requires deeper relationship with developers. This response reflects a gap between software development and security as organizations develop more cloud-native applications and push new features to production apps on a continuous basis. Are they using serverless functions? Connecting to insecure APIs? Leaving sensitive data on open S3 buckets? In many cases, security teams don’t know the answers to these questions. Cloud security posture management (CSPM) can help, but these tools aren’t ubiquitous and may be hoarded by cloud development groups. Bridging the security/developer gap should be a high priority for all CISOs.
• Leads to a re-evaluation of current tools and processes. This is another common bugaboo that continues to plague security operations teams. To discover and manage the attack surface, organizations tend to start with existing tools – asset management systems, vulnerability scanners, log management, CSPM, etc. They soon realize that gathering data from disparate systems can take an eternity – 43% of organizations claim it takes more than 80 hours to do a full attack surface management inventory. Since data comes from multiple systems, someone has to sanity check the results, leading to overhead and human error. The result? Sixty-nine percent of organizations claim that they’ve suffered a cyber-incident due to an unknown, unmanaged, or mismanaged attack surface asset.
• Increases the volume of vulnerabilities and related patching cycles. This is simple math. More assets = more vulnerabilities = more patching cycles. Some organizations have the processes and resources to keep up; many don’t.
• Slows security investigations and response actions. In this case, security analysts may not have access to all the data they need and end up chasing it down across different data sources. This contributes to the frequency of security incidents described above due to extended dwell times as analysts try and figure things out. It’s also likely that incident response actions are incomplete as security and IT teams remediate some systems but miss the full scope of an attack across their amorphous attack surface.
• Results in visibility gaps. The growing attack surface leads to visibility blind spots – a security analysts’ nightmare. As the tired but accurate security yarn states, “You can’t manage what you can’t measure.”

These and other issues have increased attention on attack surface management at enterprise organizations as CISOs realize that these challenges can lead to damaging cyberattacks. The industry has responded in kind with a dizzying pace of M&A activity: DarkTrace grabbed Cybersprint, IBM snapped up Randori, Mandiant acquired Intrigue, Microsoft scooped up RiskIQ, Palo Alto Networks bought Expanse Networks, and Tenable purchased BitDiscovery. VC-backed startups like CyCognito, Cyberpion, and Upguard, as well as third-party risk management vendors like BitSight and Security Scorecard also play in this space.

Five years ago, few companies talked about attack surface management, but times have changed, and it is now an enterprise security requirement. Ignore attack surface management at your own peril.