Operational resilience | Risk Management & Reporting

September 27, 2022

Sometimes new terms enter the lexicon that represent a genuinely new technique or approach to a problem; other times those similar sounding techniques can turn out to be solving a different problem. This linguistic dance of marketers and analysts ends up simply creating confusion in the mind of the prospective buyer.

This brings us to the topic of the blog, Attack Surface Management. It’s something that we’re all hearing more about and even executives are talking about it; but why is it so important? Basically, it’s about maintaining effective cyber posture in a changing IT risk environment. It’s intended to provide organisations with greater visibility of their IT assets, any emerging points of vulnerability between those assets (attack surface) and a measure of the deployed security controls that protect them.

Posture

Cyber posture is an assessment of the effectiveness of your cyber security controls or your overall security status. It’s always been an important consideration for security teams. It can change over time and so clear visibility of all your IT assets and the ability to identify and re-prioritise any emerging risks is an important and ongoing task, hence the need to actively manage your attack surface.

The transformation of digital architectures and changing threat landscapes has meant organisations are constantly exposed to changing attack surfaces or shifting points of potential unauthorised access. The increasing number and scale of ransomware and other attacks, the devastating stories from victims and the growing demands by insurers for companies to increase the levels of their security controls, has heightened awareness of the importance of cyber posture for both operations and senior executive teams.

The better managed the attack surface, the lower the level of unmanaged risk and so the better its cyber posture. These ongoing shifts in cyber risk have meant that security and risk teams need better information about their attack surface area or vulnerability to attack. Hence a new source of risk information – Attack Surface Management (ASM).

Some helpful Attack Surface Management definitions

There are a number of different ASM technologies emerging (see below), that can provide varying degrees of helpful risk information about changes to your IT asset vulnerabilities. What is so powerful about ASM is that it looks at your enterprise and its posture from the perspective of an attacker – looking for security gaps to exploit. Some of course will come from potential attacks against inadequately protected Internet facing assets. But, your internal IT assets (and attack surfaces) are also at risk. Vulnerabilities to APIs, phishing and malware attacks are just some of the internal attack vectors.

To gain the best information about your particular IT assets, their potential vulnerability and how ASM can help however, it’s important to understand that not all technologies are the same; nor do they provide the same information. It’s easier to consider ASM as a class of technologies comprising 3 different techniques:

  • Cyber Asset Attack Surface Management (CAASM): A technology that provides an accurate view of both internal and external IT assets to accurately measure and manage the effectiveness of security controls and prioritise any risk or vulnerability gaps requiring mitigation across the enterprise.
  • External Attack Surface Management (EASM): Technology and processes that provide an “outside-in” scan of the Internet to identify external internet-facing enterprise assets and systems that might be at risk from emerging Internet threats.
  • Digital Risk Protection Services (DRPS): Technology or services that offer visibility to external threat intelligence from the Internet, social media and even the dark web to contextualise potential threat actors and their tactics, techniques and procedures.

The difference between these techniques is the fidelity and utility of the information they collect.

Depending on the technology chosen, ASM can provide information for organisations to identify rogue or shadow IT assets and improve the management their cyber posture. The type of technology and the source of the information it provides will determine the timeliness and utility of that information.

Visibility and Measurement

The demand for improved visibility of assets and their associated risks – “observability” in some circles – has been driven by the ongoing increase in cyber attacks as discussed, as too has the emergence of cyber security risk as a corporate and regulatory agenda item. The visibility of the ongoing risks impacting your attack surface is of growing importance for all stakeholders.

So too is the need to be able to measure the relative adequacy of your controls, for prioritisation and risk management purposes. If it’s a critical vulnerability or affecting a high priority asset it’s important to be able to identify that fact and get onto it quickly. As you might expect, how the risk is measured is key to identifying its true priority for management. The more accurate the measurement, the more reliable the ASM process and ultimately your security risk decision making.

Gartner estimates that fewer than 10% of organisations have adopted an ASM technology with most still relying on less reliable manual processes. The demand for increasing rigour in risk management activities by regulators and directors will undoubtedly lead to broader adoption in the near future.

ASM is becoming an important element of effective cyber security posture management – better visibility and accurate assessment of your changing security controls are critical to the active management of your cyber posture.

CAASM or Cyber Security Posture

Directors, senior executives, and security and risk teams, each now with a degree of accountability for cyber security management, are seeking better answers to the question: “What is the risk?”. Evidence based ASM information is increasingly required to support the growing needs for risk management and oversight. Cyber insurers, for example, were finding that the use of externally sourced risk information only, did not provide them with an adequate risk picture. As you may be aware, they now demand that if organisations are seeking re-insurance they maintain much higher levels of security control.

Enter CAASM, a ASM technique that identifies and measures cyber security attack surfaces to provide an actionable ASM report. It systematically measures the quality and coverage of the cyber security controls across an organisation. Whether as a service, or increasingly as a stand-alone technology, CAASM solutions are predominantly used for rapid empirical IT risk auditing, accurate security control reporting and the prioritised management of vulnerability gaps. They inform both operations and senior executive teams of the health of the cyber safeguards protecting your data and IT systems.

With its speed, visibility and quantitative measurement, CAASM systems remove the reliance on subjective risk assessments that are sometimes the limitation of other ASM techniques. By replacing that anecdotal information with evidence-based metrics, CAASM systems provide reliable ASM information for both operational and senior executive teams responsible for cyber security risk decision making.

Positive outcomes from ASM

Huntsman Security’s CAASM solutions, use a systematic approach to group the risks associated with each security control and align them with the detection, containment and recovery phases of ransomware or malware attacks (in line with UK, Australian and US guidance) for ease of risk management.

Each solution provides a different level of attack surface intelligence. CAASMs show the state of the organisation’s attack surfaces for compliance monitoring or malware attack readiness reporting and provide a clear view of the overall security control effectiveness. They highlight what assets are protected and which remain exposed and need attention.

The upshot of all of this is that rising cyber threats, shifting vulnerabilities and their greater potential to impact business operations has hastened the need for ASM solutions (like Huntsman Security’s SmartCheck for Ransomware and Essential 8 Auditor) that provide timely, data-driven IT risk information and objective attack surface insights to all the stakeholders responsible for the management of cyber security risk. These newer CAASM technologies enable the more informed management of any changes in the attack surface and inevitably, enhance active posture management.

BLOG POSTS

Related Cybersecurity Content

Joint Advisories keep coming: Heads in the clouds

April 10, 2024

As predicted in early 2024 another joint advisory was recently released from the Five-eyes intelligence and cyber security community. This time the advice relates to governments and corporations moving to cloud infrastructure...

Read more

Operational Resilience – Your obligations and FCA PS21/3

March 18, 2024

Operational resilience requirements are being rolled out across the UK and beyond. UK finance firms are required to improve their operational resilience in accordance with Financial Conduct Authority (FCA) Policy Statement PS21/3 (the Policy).

Read more

Getting value from your cyber investments

February 5, 2024

A recent KPMG Report suggests that protecting against and dealing with cyber risks will be the major challenge for senior executives in 2024. It is clear that despite high levels of security investment, organisations continue to suffer from cyber attacks.

Read more

Agency resilience, compliance & reputation: a cyber governance perspective

January 31, 2024

The Australian Signals Directorate’s (ASD) recent publication of their Cyber Threat Report 2022-2023 unearthed a range of areas for concern for government departments and critical infrastructure entities at local, State and Federal level.

Read more

How to improve access to cyber insurance & re-insurance

October 13, 2023

As cyber risks increase, organisations are encountering the longer life cycle of insurance renewals and the need to demonstrate better management of security controls and their effectiveness.

Read more

A tale of two conferences

October 6, 2023

Highlights and insights from the recent Managed Services Summit in London & the ISACA Central Chapter Conference on Digital Trust, in Birmingham, UK. With two recent conferences in the space of three days, some interesting challenges were very evident in the topics discussed. Being very different events, the challenges were quite different, but interestingly they […]

Read more

2022’s least wanted: Rockstar vulnerabilities that should be has-beens

September 28, 2023

In early August 2023, the latest joint advisory on persistent vulnerabilities was issued by the intelligence and security agencies[1] of the “Five-eyes” community. These joint advisories are becoming more common. Perhaps recognising the growing importance of shared security information and the common nature of many of the threats faced – the weight they carry makes […]

Read more

Active management for operational and cyber resilience

September 27, 2023

The quality of your risk assessment and the security information it provides is important; if you plan to use it to actively manage your operational and cyber resilience activities. Organisations are constantly exposed to a rapidly changing threat environment, so you really need a similarly rapid evidence-based feedback system that informs you of the ongoing […]

Read more

Applying an Australian regulator’s cyber audit findings, in a UK context

September 26, 2023

The UK market has its own regulators, security standards and challenges. And while rulings from SEC in the US or the Australian Prudential Regulation Authority (APRA) in Australia don’t apply to UK companies, for the most part, the observations are undoubtedly relevant and the resulting advice instructive. It would be wrong to think UK financial […]

Read more

Cyber Gap Measurement & Evidence – The New Standard of Quantifiable Internal Assessment

September 18, 2023

<<< Part 2a: Australia’s Essential Eight: Beyond Endpoint Control <<< Part 2b: Activating UK NCSC & US NIST Guidelines: Beyond Endpoint Control Part 4: Systematic Measurement of Cyber Controls >>> As much as we invest into cyber security controls, external threats are inevitable. In a recent Notifiable Data Breaches Report from the Office of the […]

Read more

SIGN UP TO RECEIVE CYBER SECURITY INSIGHTS

Read by directors, executives, and security professionals globally, operating in the most complex of security environments.

Marketing(Required)
Agree(Required)