External attack surface monitoring is critically important to GDIT customers. But what is it?
Simply put, your external attack surface is what attackers see when they look at your organization. It includes your physical networks, cloud, third-party services and even your supply chain. Protecting this surface is complex because the surface itself is dynamic and changing all the time. Add to that, the tools and methods at a cybercriminal’s disposal are also complex and changing all the time. The attack surface for agencies is also rapidly expanding, driven by more remote devices, apps, and the move to the cloud. This is why a holistic approach to monitoring your external attack surface is so important. And there are five practical, actionable things decision makers can do to shore up their defenses.
1. Understand What You’re Monitoring Presently
Teams should start by understanding and, if necessary, evolving their current monitoring approach. We call this defining the potential attack surface. Are you monitoring everything? Do you have the full picture of where your risk is? Are you satisfied with what you’re doing? Are your vulnerability tests as comprehensive as they could be? It’s important to understand what networked assets you have and assess the overall health of your environment.
2. Take an Outside-in Look
What does a cybercriminal see when they look at your organization? Where would they see an opportunity to attack? Taking this view of your entire attack surface gives you a new lens on where there is room – and critical need – for improvement. A key component of zero trust architecture is micro-segmentation, which divides workloads into logical segments that are easier to secure and monitor. Attackers who do penetrate one segment also have a harder time moving laterally to the others.
3. Identify Assets in Need of Modernization
Once you’ve taken a hard look at your organization, identify where a new monitoring approach is needed. For example, the tools used to monitor workloads in the cloud can differ from those used to monitor physical systems. What is the need, how great is it, and how quickly could you make changes? It’s important for agencies to develop and effectively implement strategies, and to align investments, that deliver security and enable their missions.
4. Prioritize Actions
You can’t do everything at once. As agencies build and adopt zero trust strategies, we recommend they start with the areas that need the most attention and make incremental improvements over time, then decide what to turn to next, and so on. For many agencies, starting with a pilot and moving legacy systems into the new environment one at a time may make the process more manageable. This gives you a plan and, if necessary, a case for requesting the resources you’ll need to continue executing it.
5. Operationalize
Apply any updated external attack surface monitoring tools and develop a process for ongoing maintenance. Endpoint detection and response (EDR) capabilities let IT teams see, at a granular level, how endpoints are accessing your network and data. Establish an incident response strategy and inform all necessary stakeholders. Examine whether policy changes are needed and implement them as soon as possible. With the new data from EDR, artificial intelligence can continuously look for irregular activity and automatically enforce policies when a threat is detected.
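As an added illustration of the inventory gap that steps 1 and 5 describe (example code written for this page, not GDIT's or the article's own tooling), the script below diffs two constructed outside-in scan snapshots against a constructed register of approved exposures; every hostname, port and service name is an assumed sample value.

```python
"""Attack-surface snapshot diff (illustrative example, not GDIT code).

Two constructed snapshots stand in for consecutive external scans of an
organization's internet-facing assets; APPROVED stands in for the asset
register a team keeps of what it intends to expose. All values are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    host: str      # externally visible hostname (constructed sample)
    port: int
    service: str   # banner-derived service name


# Constructed register of what the organization intends to expose.
APPROVED = {
    Exposure("www.example.gov", 443, "https"),
    Exposure("mail.example.gov", 25, "smtp"),
    Exposure("vpn.example.gov", 443, "https"),
}

# Constructed results of two consecutive outside-in scans.
PREVIOUS = APPROVED | {Exposure("legacy.example.gov", 22, "ssh")}
LATEST = PREVIOUS | {Exposure("dev-api.example.gov", 8080, "http")}


def diff_exposure(previous, current, approved):
    """Compare two scan snapshots against the approved register.

    Returns three sorted lists:
      new        - exposures seen now but absent from the previous scan
      removed    - exposures that disappeared; treat as either a retired
                   asset or a scan coverage gap until confirmed
      unapproved - anything currently exposed that is not in the register,
                   whether new or long-standing (the step 1 'are you
                   monitoring everything' question, answered per asset)
    """
    key = lambda e: (e.host, e.port)
    return {
        "new": sorted(current - previous, key=key),
        "removed": sorted(previous - current, key=key),
        "unapproved": sorted(current - approved, key=key),
    }


if __name__ == "__main__":
    for category, items in diff_exposure(PREVIOUS, LATEST, APPROVED).items():
        for e in items:
            print(f"{category:10} {e.host}:{e.port} ({e.service})")
```

Running it against the sample data flags the new dev-api host and also the long-standing legacy SSH exposure, which a diff-only approach would never surface.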
These are real-world, repeatable steps that every organization can take to improve the security of its external attack surface. Recently observed intrusions took advantage of zero-day vulnerabilities, software supply chain attacks, ransomware, and exposed operational technology. Attack surface monitoring capabilities are one way to give the security operations team comprehensive visibility into possible exposures, and the means to mitigate them, before threats targeting similar vulnerabilities reach them.
Every day, GDIT applies our knowledge and experience as part of comprehensive security operations for customers. We help them better understand their environments and risk, evaluate their entire attack surface, and stay abreast of new applications and technologies that can help protect their assets.