Analysing the attack surface

News by Jon Friedman

Enterprises today are under more pressure than ever to minimise their "attack surface." That is, they need to detect Indicators of Exposure (IOEs), identify vulnerabilities, and capture and correct misconfigurations in security and network devices in both physical and virtual environments. This is an extremely challenging assignment. The IT organisation must locate tens of thousands of vulnerabilities and misconfigurations concealed on its network, analyse and prioritise them, and remediate the most critical.

Clearly, automated tools are needed to perform these activities at scale. But what types of tools are needed most? How automated are IT security groups today? How satisfied are they with their capabilities and what are their priorities in terms of improving them?

CyberEdge conducted a survey for Skybox Security that is intended to answer these questions. It includes responses from 275 IT professionals around the world who work at companies with 500 or more employees. The report presents data about topics such as:

  • Current practices: How data on vulnerabilities and misconfigurations is being used today.
  • Collecting and discovering data: What automated tools are used to collect and discover data?
  • Analysing and prioritising data: How satisfied are organisations with their current ability to analyse and prioritise vulnerabilities and misconfigurations?
  • Remediation and provisioning: Which remediation processes are most (and least) automated?
  • Priorities going forward: What areas related to managing vulnerabilities and misconfigurations are the highest priority for automation?

Some of the key findings of the survey include:

  • In general, organisations tend to be most automated in, and most satisfied with, their ability to push patches to servers and to endpoints.
  • The areas where organisations were least automated, and least confident, were related to (a) collecting data about cloud-based systems and applications and (b) analysing and remediating firewall rules that violate policies and regulations, making those the areas with the most room for improvement in the immediate future.
  • Remediation and provisioning processes (with the exception of pushing patches) were significantly less automated than other tasks covered in the survey.
  • Organisations using an attack surface visibility tool were significantly more likely to be satisfied with their capabilities to analyse and prioritise data. Having an attack surface visibility tool had a particularly strong impact on an organisation's satisfaction with its ability to address compliance issues and regulatory requirements.
  • The areas where improving automation is the highest priority in the immediate future are managing the remediation of vulnerabilities, analysing and prioritising vulnerabilities and managing the remediation of misconfigurations and rule violations. 

Enterprises today are still struggling to uncover Indicators of Exposure and to analyse, prioritise and correct vulnerabilities and misconfigurations.

At the same time, the survey results suggest progress. Significantly more respondents said that key tasks have become easier to perform in the last 12 months than said those tasks have become more difficult.

The data also shows a clear correlation between automated processes and satisfaction. Those task areas where the most organisations used automated tools were also the areas where the most organisations were satisfied with their ability to perform the tasks, and the fewest were dissatisfied. 

For example, a near-perfect 92 percent of organisations use an automated tool to detect vulnerabilities on hosts and servers, while only 54 percent use an automated tool to assess security controls on cloud-based systems and apps. This correlates with satisfaction: 81 percent are somewhat or very satisfied with their capabilities in the former area and only 60 percent in the latter. 

The survey took a close look at the value of using an attack surface visibility tool, and found it to be significant. For tasks involving collecting and discovering security data, organisations with an attack surface visibility tool tended to be somewhat or very satisfied 20 percent to 30 percent more often than their peers without such a tool. For tasks related to analysing and prioritising data, organisations with an attack surface visibility tool were satisfied from 13 percent to 33 percent more often.

The data also points to areas that need improvement, particularly for tasks involving remediation and provisioning. Around half of the organisations (between 44 percent and 53 percent) have processes that are primarily or completely manual for activities such as remediating misconfigurations on servers, provisioning firewall rules, remediating systems and data access rules, and remediating firewall rules that violate policies. There were also weak spots in other areas; for tasks involving data collection, respondents were least satisfied with the ability to collect data about security controls on virtual systems and with security controls on cloud-based systems and applications.

Automated tools are needed to improve performance in these areas. This survey provides data on what processes for detecting, prioritising and remediating vulnerabilities and misconfigurations are most and least automated today.

The extent of automation of processes related to vulnerabilities and misconfigurations, and satisfaction with current capabilities, tend to go together. For the most part both are highest for tasks related to collecting and discovering data, a bit lower for tasks related to analysing and prioritising data and lowest for remediation tasks (except for pushing patches, which is highly automated). 

This pattern suggests that many organisations can profit from investing in tools to automate aspects of remediation (and provisioning rules to devices and firewalls), although automation in other areas will also increase satisfaction. 

Organisations emphasising compliance and policy enforcement should be especially alert to opportunities to deploy an attack surface visibility tool. The survey data showed that organisations using an attack surface visibility tool were significantly more likely to be satisfied with their capabilities to analyse and prioritise data.

For full details on this CyberEdge Group report, visit Skybox Security here

Jon Friedman, CyberEdge
