Attack Surface Lessons with Expanse - Know Your Asset Inventory

Editor's note: Expanse has since been rebranded as Cortex Xpanse.

In the supply chain discipline, inventory management has long been studied and optimized. Countless books, websites, and business school classes have been devoted to the art of inventory management. Yet, in information technology and security, inventory management remains elusive.

Case in point, one Expanse customer, a CISO, explained that having a complete and accurate inventory or “system of record” is the foundation of any security program. We’ve heard this statement repeated by security leaders across organizations of all shapes and sizes. “You can’t protect what you can't see” comes to mind and in 2020, this became a huge problem for technology and security teams. As a result of COVID-19, digital transformation within organizations has moved to light speed. Organizations' assets have rapidly moved externally, become fragmented, and in many cases ephemeral.

A recent Gartner report summarizes the trend:

Most businesses have complex interconnections of servers, cloud instances, desktops, laptops, mobile devices, Internet of Things (IoT) and more. These assets are dynamic, seemingly borderless, and continuously moving and growing. As this footprint increases, so does the organization’s threat exposure. Maintaining asset inventory is fundamental to any robust cybersecurity program and being cognizant of this inventory is fundamental to a vulnerability management program.

(Source: The Essential Elements of Effective Vulnerability Management, October 2020)

Let’s explore the inventory problem in more depth. The enterprise shift from inside to outside has been driven by a set of rapid digital transformations, presenting unique opportunities and challenges:

• Cloud: At first, cloud adoption was driven by cost savings. However, with a pandemic, the cloud now brings accessibility. Whatever the driver, try walking into a physical data center these days.
• Mobility: With remote work, many enterprise assets are not set up for secure remote work, as laptops at home are often connected via insecure home routers potentially exposing corporate communications, data and more.
• Website sprawl: Many organizations have websites deployed across many hosting providers. How do you see and maintain them all? How can you ensure they conform to compliance and security standards?
• Supply chain: With the continued attacks against the supply chain, like the SolarStorm attack, and the onset of CMMC and Section 889, the importance of supply chain security has garnered significant attention this past year. Whether it is jointly owned, managed assets, or infrastructure wholly managed by a third party, many enterprises suddenly have to understand a completely foreign universe.
• Governance: Security teams need to develop governance standards and policies around all assets, even those they can’t see.

There is one more thing to add into the mix. What are malicious actors doing? Take VPN as an example. Threat actors actively scan for issues. In fact, there have been reports coming from the U.S. government highlighting how nation-state threat actors exploit the VPN vector. Even ransomware gangs are exploiting vulnerable VPN infrastructure and RDP exposures to distribute their malware to exposed workstations. Our own research shows that attacks correlate with external exposures as well.

In security terms, this boils down to a CISO’s worst nightmare, an ephemeral attack surface. Worse, the rate of flux for this attack surface is driven by cloud workloads being spun up and down, remote employees traversing networks with variable protection, and shadow IT. Protection remains elusive. As CISOs tell us, the rapid rate of change means that even organizations with mature vulnerability management programs can only identify around 80 percent of their attack surface. This situation leaves security teams struggling to answer “Where are my assets?” never-mind even asking, “How do I secure my assets?” In an increasingly common scenario, CISOs face going before the Board of Directors after a breach occurs and have to say, “I didn’t know about that asset.”

Here are some sample assets we’ve seen:

• An internal development environment that was publicly accessible. It was backed by a self-signed certificate, signed by a remote developer at the company.
• A development database server publicly exposed in cloud IP space, outside of the corporate cloud. This development environment was running multiple services, including critical remote access protocols (RDP).
• Multiple RDP exposures in cloud and consumer dynamic IP space.
• A firm allowed unauthenticated access and control to over hundreds of building subsystems, including security door locks, fire suppression systems, and power to multi-hundred ton physical power and cooling systems.
• The administrative interface for an actively used records management system exposed on the public internet.

So what is the prescription? Today, most major compliance mandates require a basic step one: asset inventory. In today’s fast moving environment, this starts with the recognition that you have to look for externally facing assets and that you can see, at best, 80% of what you actually have. This requires first understanding what you have exposed externally by building a complete external asset inventory including:

• Devices including IoT and new remote work from home assets which often lack sufficient network security protection;
• Cloud infrastructure that is being spun up and down at a rapid rate;
• Third party and supply chain risk; and
• Certificates, IP addresses, risky services, and risky communications.

Inventory management has been a deeply studied area in supply chain management which teaches some valuable lessons for cybersecurity. As one noted supply chain expert put it, “‘You can’t improve what you can’t measure’ exemplifies the backbone of a sound inventory management system.” Only with cybersecurity, the equivalent is: you can’t secure what you can’t see.

You can learn more through our white paper here about how to defend your attack surface by continuously discovering, tracking, and managing assets.