Research reveals enterprise security leaders are suffering from attack surface blindness

News by Davey Winder

'Attack surface blindness' is holding back better enterprise cyber-security posture. 89% of security leaders struggle with visibility and insight into trusted data; the assets with least visibility are IoT devices (20%), applications (18%) and privileges (15.5%).

Newly published research, questioning more than 200 senior security leaders from organisations of all sizes, has revealed that 'attack surface blindness' is holding back better enterprise cyber-security posture.
The Security Leader's Peer Report, commissioned by Panaseer and published today, has concluded that efforts to improve enterprise cyber-security posture are being hamstrung by a lack of visibility into technical assets and security controls. 
The report found that some 89 percent of security leaders at large enterprises struggle with visibility and insight into trusted data, and 31 percent were understandably concerned about how this impacts upon regulatory compliance. 
When asked about the assets into which they had least visibility, perhaps unsurprisingly IoT devices topped the list (20 percent). However, it may come as more of a surprise, and certainly a worry, that applications (18 percent) and privileges (15.5 percent) weren't that far behind. Given that every "senior security leader" will inherently understand, you would hope, the importance of controlling privileged access within any security posture framework, that they appear to have relatively poor visibility into this area is of huge concern. "They may recognise the importance of managing privileged access," Charaka Goonatilake, CTO at Panaseer, told SC Media UK, "but will likely lack the capability to gather privilege data from all the siloed systems and subsequently analyse and make sense of this data."
Indeed, the report also calls out the dangers that complex and fragmented IT environments bring to the security party. The security control areas in which respondents reported least confidence included privileged access management (fourth on the list) and application security (seventh), despite both being in the top three of the 'least visible' list.
SC Media UK asked Goonatilake why there is this apparent disconnect. "I suspect the low confidence controls are due to historical attack trends which have shown the human as the weakest link through which endpoints can be compromised to establish a foothold on a target network," he says.
So why are large enterprise security leaders still, in 2019, struggling to get visibility not only of the technical assets they need to be aware of from that security posture position, but also the security controls that form such a core part of their defences against those who would do them harm? This isn't rocket science, is it? 
"Our research has found the average enterprise has around 16,500 undiscovered certificates in their network," Kevin Bocek, VP of Security Strategy & Threat Intelligence at Venafi told SC Media UK, "the scale of the problem means it’s impossible to handle manually so security teams need access to tools which can automate the discovery and visibility process." Yet the Panaseer research found that 55 percent of organisations have more than 50 security tools and that this 'tool overload' is exacerbating the visibility problem by creating siloed reporting.
"We seem to have gotten ourselves into the thinking that as long as we’re logging ‘something’ we’ll be able to figure out what happened," warns Naaman Hart, cloud services security architect at Digital Guardian, "the missing link here is that if this data were centrally compiled and reviewed proactively then you’d identify gaps in this logging and improve the visibility you have."
Then there is the technical hurdle to visibility that is encrypted traffic. "While encryption ensures the confidentiality of data it inhibits visibility requiring additional layers and resources to decrypt the traffic before inspection," explains Radware’s EMEA security evangelist, Pascal Geenens, who adds, "decrypting and inspecting traffic from employees leads to loss of privacy and will require the consent of each employee." Which goes part of the way to explaining why tackling attack surface blindness is more complex than it at first appears.
"The technology we use is constantly changing and we add more and more to this with new technologies and software," argues Boris Cipot, senior security engineer at Synopsys. The problem of legacy tech within the enterprise that cannot be easily upgraded, courtesy of policy restrictions or even a misplaced 'if it ain't broke' culture, just adds to the attack surface blindness. "Overseeing this *is* becoming rocket science," Cipot concludes.
So what is the answer to gaining appropriate levels of visibility into enterprise technical assets and security controls to maintain a secure posture? Sergio Loureiro, director of cloud solutions at Outpost24, suggests getting the basics right can go a long way. "Enterprises must take a proactive and risk-based approach to security," Loureiro told SC Media UK, "and move beyond component assessment of networks, devices, applications and cloud to understand the full extent of their security exposure and risk levels through continuous testing and adjustment of their security controls."
We will leave the last word with Bob Reny, EMEA CTO and principal engineer at Forescout, who reminds us that this isn't about deploying Security Information and Event Management (SIEM); it is about IT Asset Management (ITAM) with better streamlined visibility and automation. "Otherwise," Reny concludes, "enterprises will be unable to identify and fix those critical blind spots that bad actors are just waiting to exploit..."
