If you are still running conventional perimeter-based security, you are living dangerously. Threat actors could breach your network easily from anywhere and destroy your business.
The conventional “castle-and-moat” perimeter-based security approach worked well when the attack surface was small and limited. The attack surface is all potential entry points that attackers can use to compromise systems. It includes physical endpoints, code vulnerabilities, and more.
Today’s cloud-dominated networks have a vast attack surface that extends outside the enterprise perimeter. As businesses innovate and diversify, they add entry points and vectors that threat actors exploit.
Reducing the attack surface becomes critical to keep the network safe.
Here are the ways to do it.
Improve Visibility and Control over the Attack Surface
As the attack surface spreads out, blind spots emerge. These days, enterprise IT teams rarely have full visibility over their network.
And threat actors exploit such a situation to the hilt. Half of all enterprises experience a cyber attack on an unknown or unmanaged asset.
The reasons for the growth in blind spots are many.
Most enterprises grow organically. Over time, they end up with complex and unwieldy networks full of dependencies. Some enterprises also carry poorly designed networks, which add further complexity to the architecture.
Business exigencies often lead to shadow IT. Users spin up a virtual server or a cloud account without the knowledge or approval of the IT department. This creates silos and also vulnerabilities in the network.
Reducing the attack surface requires improving visibility and gaining control over the network. To remediate a vulnerability, the system admin first has to be aware of the vulnerability-laden asset. Following are the ways to make all connected assets visible.
- Undertake a comprehensive asset inventory to identify all connected devices, applications, and services.
- Scan the network and review logs to identify hidden assets. Dedicated tools automate the task.
- Map each identified asset to individual business units and integrate it into the network.
- Disable unused devices and endpoints.
- Do not retain unneeded endpoints. Today’s networks are scalable, and system admins can add new endpoints when needed.
- Take proactive steps to end shadow IT. This requires a two-pronged approach. First, address the issue at the policy and governance level. Next, take active ground-level steps to enforce governance.
- Standardise the hardware and software. Reducing variety eliminates complexity. It also simplifies support and maintenance.
Most enterprises underestimate the power of simplicity. Simplifying the network improves visibility and allows enterprise IT greater control over the attack surface.
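To make the inventory and hidden-asset steps concrete, here is an added example (not code from the original article or from Cloudflare) that reconciles a constructed asset inventory against constructed scanner output and DHCP log lines. It flags hosts that are on the wire but not in the inventory (shadow IT and unmanaged assets) and inventory entries nobody has observed (candidates to disable).

```python
# Added example: reconcile a CMDB-style inventory against observed hosts.
# All inventory, scan and log data below is constructed sample data.
import re

# Constructed inventory: what the IT team believes is on the network.
INVENTORY = {
    "10.0.1.10": {"owner": "finance", "role": "erp-db"},
    "10.0.1.11": {"owner": "finance", "role": "erp-app"},
    "10.0.2.20": {"owner": "marketing", "role": "web"},
    "10.0.9.99": {"owner": "ops", "role": "old-jumpbox"},
}

# Constructed scanner output: one "ip open_ports" record per line.
SCAN_OUTPUT = """\
10.0.1.10 5432
10.0.1.11 8080,22
10.0.2.20 80,443
10.0.2.21 3389,445
"""

# Constructed DHCP log lines; leases to unknown hosts are a shadow-IT signal.
DHCP_LOG = """\
Jan 10 09:01:12 dhcpd: DHCPACK on 10.0.2.21 to 00:11:22:33:44:55 (build-vm) via eth0
Jan 10 09:03:40 dhcpd: DHCPACK on 10.0.3.7 to 66:77:88:99:aa:bb (raspberrypi) via eth0
Jan 10 09:04:02 dhcpd: DHCPACK on 10.0.1.11 to 00:11:22:33:44:66 (erp-app) via eth0
"""
DHCP_RE = re.compile(r"DHCPACK on (\d+\.\d+\.\d+\.\d+) to \S+ \((\S+)\)")

def parse_scan(text):
    """Map each scanned IP to its list of open ports."""
    hosts = {}
    for line in text.splitlines():
        ip, ports = line.split()
        hosts[ip] = [int(p) for p in ports.split(",")]
    return hosts

def parse_dhcp(text):
    """Map each IP that received a lease to the hostname it announced."""
    return {m.group(1): m.group(2) for m in DHCP_RE.finditer(text)}

def reconcile(inventory, scan, dhcp):
    """Split hosts into unknown (seen, not inventoried) and stale (inventoried, never seen)."""
    seen = set(scan) | set(dhcp)
    unknown = {ip: {"hostname": dhcp.get(ip, "?"), "ports": scan.get(ip, [])}
               for ip in sorted(seen - set(inventory))}
    return {"unknown": unknown, "stale": sorted(set(inventory) - seen)}

if __name__ == "__main__":
    report = reconcile(INVENTORY, parse_scan(SCAN_OUTPUT), parse_dhcp(DHCP_LOG))
    print(report)   # build-vm and raspberrypi are unknown; the old jumpbox is stale
```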
Monitor the Attack Surface
Reducing threats depends on proactive attack surface management that combines monitoring, contextualisation, prioritisation, and remediation.
Active monitoring of the attack surface enables prompt detection of threats or vulnerabilities. Prompt detections enable rapid countermeasures.
Speed is a critical success factor. The faster the IT team can identify vulnerabilities and secure assets, the less time attackers have to exploit them.
Malicious actors deploy sophisticated tools that scan internet-facing assets in minutes. Most attackers begin scanning for vulnerable internet-facing assets within 15 minutes. IT teams, on the other hand, often need 12 hours to discover the same vulnerabilities. And this assumes that the IT team has visibility of the vulnerable asset!
To monitor threats and reduce the attack surface:
- Configure firewalls to flag out-of-ordinary application behaviours. Examples of such behaviours include launching executable files or attempting downloads. But make sure the firewalls can recognise legitimate software that exhibits such behaviours.
- Perform periodic vulnerability assessments and penetration testing alongside regular monitoring. These tests identify vulnerabilities and make system weaknesses explicit. Such insights enable targeted remedial strategies.
- Deploy advanced analytics and automated tools to identify and remediate threats in double quick time.
Contextualise and Prioritise Threats
Contextualising and prioritising threats is an important part of proactive attack surface management. Most enterprises do not have the resources to address all risks. Even if they do, chasing every threat can be wasteful or overkill.
Contextualising means analysing threats and vulnerabilities in the context of specific risk factors. Prioritisation addresses vulnerabilities in order of importance, based on risk magnitude or potential impact. By contextualising and prioritising, enterprises can focus resources on the risks that matter most to them.
For instance, an e-commerce company faces greater risks to its online platforms than a business that operates offline. Likewise, a financial institution faces different risks compared to a healthcare provider.
Platforms such as Cloudflare offer the latest threat intelligence data. Such information enables enterprises to assess risk factors and prioritise better. The protection becomes much more potent and current.
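The following added example (not code from the original article or from Cloudflare) shows how contextualising changes a remediation queue. It ranks constructed findings by severity multiplied by assumed asset criticality and exposure, with a bonus for known exploitation; the weights and asset tiers are assumptions for illustration, not a published standard, and the finding IDs are placeholders.

```python
# Added example: context-adjusted vulnerability prioritisation.
# Weights, tiers and findings below are constructed assumptions.

# Assumed business context: an e-commerce company weights its storefront and
# payment path highest; an offline business would weight them lower.
ASSET_CRITICALITY = {
    "storefront-web": 1.0,
    "payment-api": 1.0,
    "hr-intranet": 0.5,
    "dev-wiki": 0.2,
}

# Assumed exposure multipliers: internet-facing assets get scanned within
# minutes, so their findings weigh more than internal or isolated ones.
EXPOSURE = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}

# Constructed findings with placeholder IDs and CVSS base scores.
FINDINGS = [
    {"asset": "dev-wiki", "id": "vuln-1", "cvss": 9.8, "exposure": "isolated", "exploited": False},
    {"asset": "storefront-web", "id": "vuln-2", "cvss": 7.5, "exposure": "internet", "exploited": True},
    {"asset": "hr-intranet", "id": "vuln-3", "cvss": 8.1, "exposure": "internal", "exploited": False},
    {"asset": "payment-api", "id": "vuln-4", "cvss": 6.5, "exposure": "internet", "exploited": False},
]

def risk_score(finding, criticality=ASSET_CRITICALITY, exposure=EXPOSURE):
    """Severity x asset importance x exposure, times 1.5 if exploited in the wild."""
    base = finding["cvss"] * criticality[finding["asset"]] * exposure[finding["exposure"]]
    return round(base * (1.5 if finding["exploited"] else 1.0), 2)

def prioritise(findings):
    """Return findings sorted highest context-adjusted risk first."""
    scored = [dict(f, score=risk_score(f)) for f in findings]
    return sorted(scored, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    # Pure CVSS order would be vuln-1, vuln-3, vuln-2, vuln-4; context reverses it.
    for rank, f in enumerate(prioritise(FINDINGS), 1):
        print(f"{rank}. {f['score']:5.2f} {f['asset']:15} {f['id']} (CVSS {f['cvss']})")
```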
Remediate Threats
There are several ways to remediate the prioritised threats. The best approach is enterprise and threat-specific. Nevertheless, here are the best practices applicable for all situations.
Update Software Regularly
All digital assets running in the network have software. Up-to-date software keeps the code free from known vulnerabilities and reduces the attack surface.
- Deploy the latest security patches to eliminate vulnerabilities that hackers exploit. Up-to-date security patches keep the operating systems and applications protected from the latest threats.
- Upgrade the software from time to time to ensure clean and secure code. Such updated software remains free from legacy vulnerabilities and drawbacks.
Institute Robust Data Governance
Effective data and access rules reduce the attack surface.
- Define robust password policies that comply with the latest standards released by NIST and other agencies. Access policies that use Single sign-on (SSO) and multi-factor authentication further boost security.
- Apply content filtering to distinguish safe websites from unsafe ones.
- Set data loss prevention policies to regulate file transfers. These policies prevent users from siphoning off sensitive data.
Upgrade and Configure Firewalls
Modern firewalls come with advanced features that reduce the attack surface.
- Intrusion detection capabilities monitor network traffic for suspicious patterns. The IT team can detect and block potential attacks in real time.
- Configuring the firewalls with specific rules limits access to only necessary services and ports. Only approved devices with the necessary security safeguards and controls can access the network.
- Microsegmentation divides the network into smaller units. It limits the scope and impact of any potential attacks that evade the security deployments in place.
Implement Zero Trust
Traditional security models trust devices and users within the network by default. Zero Trust works on the principle of “never trust, always verify.” It does not trust any user, device or service within the network, regardless of the location or reputation.
Zero Trust reduces the attack surface by:
- Adopting the principle of least privilege, which limits access on a need-to-have basis.
- Establishing micro-segmentation.
- Continuously verifying the identity and trustworthiness of users, devices, and applications.
Zero Trust consolidates all these security measures to reduce the attack surface.
Cloudflare’s Zero Trust platform offers an integrated, everywhere security approach. It consolidates secure web gateways, cloud access security broker, and DNS filtering.
Disparate, complex security systems no longer work for modern and distributed enterprises. Effective protection requires state-of-the-art tools such as Cloudflare’s Everywhere Security. The platform unifies protection across employees, applications, APIs, and networks. It offers robust identity verification and context-based, least-privilege access per resource.