Ivanti Originals

Attack Surface Management

Ivanti

As attack surfaces expand rapidly, so does cybersecurity risk from undetected and unmanaged assets and devices.  

Ivanti surveyed 7,300 IT and security professionals to understand the scale of the problem and provide strategies for comprehensive attack surface management. 

Ivanti's latest research report demonstrates how effective attack surface management (ASM) combines people, processes and technologies that empower teams to continuously discover and manage their internal and external assets.   

Get more resources 

To read the report and access additional media, including presentation-ready slides and downloadable charts and graphs, visit ivanti.com/asm-report  

For more Ivanti research on IT, security and the future of work, visit ivanti.com/research. 

About Ivanti 

Ivanti elevates and secures Everywhere Work so that people and organizations can thrive. We make technology work for people, not the other way around. Today’s employees use a wide range of corporate and personal devices to access IT applications and data over multiple networks to stay productive wherever and however they work. Ivanti is one of the only technology companies that finds, manages and protects each IT asset and endpoint in an organization. Over 40,000 customers, including 88 of the Fortune 100, have chosen Ivanti to help them deliver an excellent digital employee experience and improve IT and security team productivity and efficiency. At Ivanti, we strive to create an environment where all perspectives are heard, respected and valued, and we are committed to a more sustainable future for our customers, partners, employees and the planet. For more information, visit ivanti.com and follow @GoIvanti. 

Organizations’ attack surfaces are expanding quickly. Research from Ivanti examines the scale of the problem and strategies for comprehensive attack surface management. 

 You’re listening to the audio version of Ivanti’s Attack Surface Management Report, part of Ivanti’s state of cybersecurity research series. To see more Ivanti research and to access additional media, including presentation-ready slides and downloadable charts and graphs, visit ivanti, I-V-A-N-T-I.com/research.  

 [Sting] 

 Part one: Attack surface expansion 

 Due to technological advancements and the evolution of Everywhere Work, organizations' attack surfaces are bigger and more complex than ever. 

 [Sting] 

 Problem today 

 Organizations are overseeing a fast-growing ecosystem of devices, tools and assets on their networks — all of which are proliferating rapidly. Yet they have limited visibility into this expanding digital universe.  

 More than half of IT professionals Ivanti surveyed say they are not very confident they can stop a damaging security incident in the next 12 months. And more than 1 in 3 say they are less prepared to detect threats and respond to incidents compared to one year ago. 

 [Sting] 

 Why it matters 

 The problem is not simply a matter of complexity (i.e., the proliferation of devices and assets leading to sprawl and inefficiency). This growing ecosystem is driving an ever-expanding array of vulnerabilities and exposures, which can lead to data breaches, downtime, noncompliance, reputational risk and much more.

 For these reasons and more, attack surface management, or ASM, is now a mission-critical part of cybersecurity defense. (And Ivanti’s research shows increasing investments in ASM.)

 ASM strategy supports continuous discovery and visibility into emerging threats and active exploits, as well as a data-driven method to prioritize and manage vulnerabilities.  

 As attackers grow more sophisticated, organizations must face these threats by planning and strategizing from the perspective of their adversaries: Where would an attack begin? What systems would be breached first? How would the attack unfold? 

 [Sting] 

 Part two: Siloed data 

 With so much structured and unstructured data generated every day across the digital ecosystem, critical signals about enterprise health and security are easy to miss. 

 [Sting] 

 Problem today 

 Large attack surfaces generate massive streams of data, but organizations are often not good custodians of that data — meaning it’s siloed or inaccessible to the people who need it to protect the organization and drive business outcomes. 

 [Sting] 

 Why it matters 

 Cybersecurity professionals report that data silos impact their ability to act quickly and decisively.  

  • 82% say their productivity suffers due to data silos. 
  • 40% say data silos slow incident response times. 
  • 33% say a lack of alignment with other functions within the organization means stakeholders can’t agree on the right/best course of action. 

 In other words, data silos are not only inefficient; they limit insights and drive up exposure. But it doesn’t have to be that way. Cyber asset attack surface management tools can solve organizations’ data problems by integrating external attack surface management and digital risk protection services data, giving organizations unprecedented access to data, intelligence and visibility. 

 [Sting] 

 Part three: Prioritization  

 Organizations struggle to assess risks, prioritize a response and act on threats in a coherent way.

 [Sting] 

 Problem today 

 Organizations struggle fruitlessly to prioritize which vulnerabilities to mitigate due to a variety of confounding factors:  

  • External factors, such as a fast-evolving threat landscape and an unprecedented volume and pace of vulnerabilities and attacks, and
  • Internal factors, such as poor visibility into their attack surface; an inability to assess the severity of existing vulnerabilities; and challenges coordinating and communicating a response.

 Although 64% of organizations say they have a documented methodology for prioritizing security patching, when we look deeper, the findings are troubling.  

 Security professionals rate nearly all types of vulnerabilities (for example, active exploits, patches required for compliance, leadership directives) as at least “moderately urgent” if not “highly urgent.” And when all vulnerabilities are a priority … none are. 

 [Sting] 

 Why it matters 

 Given the persistent shortage of qualified security professionals, teams need to allocate resources effectively to keep their organizations secure — which is why prioritizing the organization’s risk response is so important. 

 How is this done? ASM uses algorithms and methodologies to output risk scores, which prioritize exposures based on factors that include the likelihood of an attack, the severity of the risk, the potential negative impact and more.   

 This type of risk management and optimization is critical, given the amount of internal and external data that security professionals must oversee and analyze. The result? Less downtime, fewer business interruptions and an improved cybersecurity posture overall.

 [Sting] 

 Part four: Supplier Risk  

An organization’s suppliers and vendors are an extension of its attack surface — but many don’t treat them as highly connected entry points for attackers.  

 [Sting] 

 Problem today  

A 2023 study by Capterra found that 61% of companies had been impacted by software supply chain attacks in the preceding 12 months.  

 Even so, Ivanti’s research finds that fewer than half of organizations (46%) have identified the vulnerable third-party systems and components in their software supply chain — though an additional 39% say they plan to do this in the coming year. 

 [Sting] 

 Why it matters 

 Your vendors’ and partners’ attack surfaces are extensions of your organization's attack surface. A single breach in your software supply chain can have damaging impacts — on revenues and reputation, as well as on compliance risk and liability exposure. One example: Target’s massive data breach a decade ago was due to attackers getting ahold of credentials stolen from a third-party vendor … a refrigeration and HVAC systems manufacturer, hardly the entry point most would imagine for a damaging breach. The retailer later revealed it booked $162 million in expenses in 2013 and 2014 related to that event, equivalent to $213 million today.  

 To prevent such attacks, ASM can monitor internet-facing assets to help you better understand your organization's holistic risk profile, including risks introduced by your supply chain. And it can play a vital role in vetting new suppliers, vendors, partners and even acquisition targets.  

 Gartner 2023 research finds that, “despite a dramatic rise in software supply chain attacks, security assessments are not performed as a part of vendor risk management or procurement activities. This leaves organizations vulnerable to attacks.” 

 [Sting] 

 Part five: Action steps 

 Experts weigh in on how organizations can understand the full dimensions of their attack surface vulnerabilities and take steps to manage that risk. 

 [Sting] 

 Set priorities, harmonize data and leverage automation, says Dr. Srinivas Mukkamala, Ivanti’s Chief Product Officer. 

  In today's digital landscape, we're redefining what constitutes an asset. It's no longer just about physical devices. A myriad of asset types are emerging — transforming closed networks into open systems running on IP protocols. This shift has significantly expanded the "blast radius" for organizations of all sizes, exposing them to increased risks due to misconfigurations and internet exposure.  

 I recommend following a principle called DEER: Discover, enumerate exposures, remediate.  

 The real challenge to the DEER principle is the sheer amount of data organizations must harness and leverage. On average, every organization has 60 to 70 different sources of data coming at it. There are five things an organization needs in order to effectively manage all this data: 

  1. The ability to ingest the data.  
  2. The ability to normalize the data.  
  3. The ability to label the data.  
  4. The ability to prioritize the data based on an attacker's intent, and 
  5. An understanding of what the organization’s priorities are.  

 Once you have a clear prioritization, you need to build up a very robust remediation strategy. And each step of this can be done as a shift-left (which is developer-centric) or shift-right (which is security-centric).   

 Next comes automation, where service management can come into play. Develop automated workflows for device management, as well as writing tickets to developers, ops and security teams. Then create automated workflows to ensure that remediation is happening with very little human intervention. 

 [Sting]  

 Identify supply chain vulnerabilities and make them part of the calculus, says Daren Goeson, Ivanti’s Senior Vice President of Product Management.

 Organizations need to pay more attention to supply chain and vendor security. To do it effectively, consider adopting these four directives:  

 

  1. Establish clear vendor security requirements that align with organizational policies and comply with industry regulations such as GDPR and HIPAA. These standards should be clearly communicated to all vendors and suppliers. 
  2. Conduct thorough risk assessments of your vendor ecosystem to understand how well each supplier meets security requirements today. Conduct regular audits and compliance checks to ensure ongoing adherence.  
  3. Make sure vendors are an integrated part of your incident response plan (IRP), especially if they have access to your organization's systems and data. This will ensure there’s a predefined process for managing incidents involving vendors. 
  4. Ensure that security measures are incorporated into contractual agreements with vendors, to hold them accountable and ensure a mutual understanding of each party's role in maintaining security.  

 Above all, your approach with vendors should be collaborative, encouraging regular communication about potential threats and ways to improve security measures together. 

[Sting]  

 Keep in mind: Sophisticated attack surface management is dynamic above all else, says Rex McMillan, Ivanti’s Vice President of Product Management.

 Organizations need to understand emerging external risks — particularly those unique to their specific industries and markets —  and how those risks interact with internal vulnerabilities.  

 You cannot evaluate risk without context. Your security team may find a vulnerability in a supplier’s software that’s a “5” (i.e., medium). Not so bad. But an attacker may discover it and think, “that’s only a 5, but if I pair it with this other vulnerability, I now have RPE capabilities."  

 Attack surface management software and prioritization have to take into account the dynamic nature of each vulnerability and each finding that's out there. As vulnerabilities morph and trend, or if they get tied to ransomware or get exploited, an ASM solution will identify how to drive and change those prioritizations dynamically.  

 The state of our software changes daily, but some of those may not be implemented internally. Somebody else can influence and change our attack surface by exploiting a minor defect — and that suddenly becomes a top priority. So, good attack surface management is highly dynamic, plugged into trends and continuously reevaluating risk based on new data.

[Sting]  

  If you enjoyed listening to this report and want even more Ivanti research, you can subscribe to this podcast to get the latest Ivanti research in your feed as soon as it’s released.  

 You can read the report, download charts and graphs and presentation-ready slides, and see the rest of Ivanti’s research at ivanti, I-V-A-N-T-I.com/research.  

  And if you’d like to hear even more audio content from Ivanti, check out Executive Summary with Jeff Abbott, a podcast exploring the latest research in IT, security, and the future of work, and what they mean for your business strategy. In every episode, Jeff is joined by a new business leader for a free-ranging discussion, unpacking the research findings and connecting them to real-world leadership experience.  

  You can follow Ivanti on social media at Go Ivanti, and you can visit us at ivanti.com to learn more about our products and solutions.  

  Thanks for listening!