Michiel de Lepper
In this article:

In today’s cyber security world, the rise of ransomware and other threats means that security needs to be at the forefront of every organization. How does your organization stack up against threats trying to disrupt your business? How do you manage risk and prioritise issues in your environment? 

Given today’s threat landscape, reducing your attack surface is as critical as having the right tools and processes in place to defend yourself against malicious actors. The larger your organization’s attack surface is, the higher your risk is of a breach. After all, prevention is always better than remediation.

Let’s start with the basics; What is the Attack Surface? 

Your attack surface is a collection of points within your environments which malicious actors can leverage to infiltrate your IT infrastructure. A lot of times when people talk about the attack surface, it is always all the external points of your environment (ie: the gaps in your walls through which someone can enter unseen), however in my opinion there is an internal attack surface as well. This is what I would call the secondary attack surface. So lets define both of these:

Primary attack surface: 

All the external points of your environment which malicious actors can leverage to infiltrate your IT infrastructure. 

Secondary attack surface:

All the internal points of your environment which malicious actors can leverage to further the attack, things like moving laterally, deploying payloads like ransomware or exfiltrating data. 

Both are equally as important to remedy, but human nature often only focuses on the primary attack surface. Let’s build the biggest wall we can, so the bad guys can't come in. 

The reality of today’s IT Security landscape however is that no single environment is 100% secure. As we have learned over the years, it's no longer a matter of if you get breached, it’s a matter of when you get breached and how you minimise the impact of that breach. 

This is of course nothing new, and we can look back in history to see many examples of this.
One prime example of this is Beaumaris Castle in Wales, UK, where we see multiple walls within the castle in case the main outer wall was breached. In medieval times this was called a concentric castle, in our current day within the IT Security Space, we call it Defense in Depth.

 [Source: https://en.wikipedia.org/wiki/Beaumaris_Castle ]

The Challenges of Attack Surface Reduction

The principle of attack surface reduction seems fairly straightforward and easy to implement, but over time the sprawl of software and applications alone has grown exponentially within any given organization. This makes it extremely challenging to gain visibility of where your vulnerabilities are located, and the disjointed nature of current environments makes this even harder, resulting in a lot of manual work and correlation to even begin to get an understanding of your entire attack surface. 

Add to this the global shortage of skilled staff, lack of automation, contextual information and the lack of effective communications between SecOps and IT Ops and you’re left with a near impossible task to even gain visibility, let alone attempt to remediate any gaps in your environment. 

Let’s drill down a bit deeper into this and walk through some of the challenges.

Lack of visibility:

As mentioned above, the sheer number of applications in your environments can be a challenge alone, but this is compounded by the fact that every application will release information about vulnerabilities, best practices and security hardening in numerous different ways like KB articles, Best Practice documents, social media and forums to name a few. This requires you to keep on top of those sources, somehow know whenever they release new information and then actually read it. 

Lack of Context:

Once you have the information, you somehow need to translate this to relevant information for your specific environments. Ie; does this actually apply to me and do I need to take action? 

This is however not the only context you will need. Since you have limited resources, how do you decide which issues to fix first? So you will need to know criticality and relevance in order to start prioritizing things. How do you get this? You guessed it… more manual work! 

Lack of Automation:

Without proper automation it is humanly impossible to both remediate your initial issues, and stay on top of any issues that spring up within the normal operation of your environments. The sprawl in your environment is simply too large to effectively manage this manually. 

In summary, without the right combination of automation, context, prioritization and monitoring, any attempt to gain a firm grip on these issues is virtually impossible to achieve, or at a cost that is unsustainable for most, if not all, organizations. 

Yet the need is very much apparent for organizations to have the attack surface reduced and minimise risk… So how can you? 

Leveraging Runecast to effectively minimize your Attack Surface. 

With Runecast, you gain a single source of truth which can be leveraged by IT Ops, SecOps and DevOps to gain insights into misconfigurations, vulnerabilities and both Regulatory and Security compliance, all with criticality and known exploited contextual information. Allowing you to effectively gain visibility, prioritization and remediation, across all your workflows and across all your relevant operational stakeholders.   

Would you like to delve deeper?

Listen to my talk on Attack Surface Reduction during SecOps360 Day.

The video length is 32 minutes.

Meet other Runecasters here:

Run Secure and Compliant Workloads Anywhere

Let Runecast detect and assess risks, so you can be fully compliant in minutes.

Get Free Trial