The attack surface has evolved thanks to the advent of cloud/multi-cloud/hybrid cloud operations. And what companies need to do to secure these environments has also evolved. Let’s dive right in.
Understanding attack surface management
Attack surface management tries to identify and manage an organization’s external assets for vulnerabilities and exposures before malicious actors can exploit them. This race is crucial to cybersecurity in an era of cloud, hybrid/remote work, and bring-your-own-device models. Valuable assets include applications, IoT devices, cloud platforms, user accounts, and a whole host of other possibilities. As the attack surface grows with the adoption of new technologies, it becomes even more crucial for security teams to understand what they’re up against.
JupiterOne’s recently released “State of Cyber Assets Report” provides valuable insights into the current state of enterprise cloud assets. The report analyzed more than 291 million assets, findings, and policies, revealing a jaw-dropping 133% year-over-year increase in these assets. To compare, the average number was 165,000 in 2022. In 2023, it was nearly 400,000. The number of security vulnerabilities or unresolved findings also rose by a staggering 589%.
This presents several challenges for cybersecurity teams. The pressure to defend an ever-expanding attack surface has demanded unprecedented levels of visibility, automation, and practice, whether teams are resource-strapped or not. According to JupiterOne’s report, the average asset value in 2023 is over $17,000, a lot of value left vulnerable without a clear plan. It’s not enough to simply react; threats move too fast for that. This calls for a proactive, comprehensive approach to attack surface management.
Why the attack surface changes in the cloud
With a bit of thought, most companies understand that the cloud expands the attack surface. Cloud environments introduce a plethora of new potential entry points for cyber threats. As organizations move their data and applications to the cloud, the traditional perimeter-based security approach becomes obsolete.
Companies also understand that cloud environments are highly dynamic and agile. Changes in evolving cloud assets create new security challenges, and organizations must adopt continuous monitoring and real-time visibility to keep track. But that isn’t all that’s changing the game:
Shared responsibility model: Cloud service providers (CSPs) operate under a shared responsibility model. They’re responsible for the security of the underlying cloud infrastructure, but the company itself is responsible for securing its data, applications, and configurations. This division of responsibilities requires a shift in security strategies and puts organizations in an active position.
Shadow IT and shadow cloud: The cloud’s ease of accessibility can lead to the phenomenon where employees deploy cloud services and applications without the IT department approving or providing oversight. This creates unauthorized—and subsequently unmonitored—cloud assets, expanding the attack surface without the organization’s knowledge. Companies need to identify and secure these shadow assets to create a comprehensive security strategy.
Varying security postures: Companies operating a multi-cloud environment will encounter a variety of security postures, and each organization’s cloud architecture can differ significantly. This disparity can lead to inconsistent security practices and configurations across the cloud environment. Reevaluating the attack surface requires organizations to standardize security policies, configurations, and best practices to ensure a cohesive and robust security approach across all cloud assets.
What companies miss
It’s a familiar story. When thinking about the attack surface, companies often miss the inclusion of shadow IT and unmonitored third-party assets. Shadow IT refers to the use of unauthorized or unapproved applications, services, or devices by employees within an organization. These could be cloud services, mobile apps, or other IT resources that employees use without the knowledge or approval of the IT or security departments.
Similarly, third-party assets are external systems, applications, or services that connect to an organization’s network or interact with its digital assets. These could include vendor platforms, partner APIs, or other external services that the company relies on for various business functions.
The problem with both shadow IT and third-party assets is that they often operate outside the scope of the company’s traditional security measures and visibility. Since they are not officially recognized or monitored, they can introduce unknown vulnerabilities and become weak points that threat actors might exploit to gain unauthorized access to the organization’s systems or data.
Several reasons contribute to this oversight:
- Lack of Visibility: IT and security teams may not have comprehensive visibility into all the assets connected to their network, especially when employees use unapproved tools or when third-party services are integrated without proper oversight.
- Decentralization: In larger organizations or those with distributed operations, different departments or business units may independently adopt various tools or services without a centralized approval process.
- Agility and Convenience: Employees may turn to shadow IT to quickly address their specific needs, believing it enhances their productivity without realizing the potential security risks.
- Third-Party Risk Management: Companies may focus primarily on their internal security posture and overlook the security practices of their third-party vendors and partners.
Addressing the shadow IT and third-party asset blind spots is crucial for a comprehensive attack surface management strategy. To mitigate these risks, companies should:
- Encourage an open and transparent communication culture, allowing employees to report the use of unauthorized tools without fear of repercussions.
- Conduct regular audits to identify and monitor shadow IT applications and services.
- Implement strong third-party risk management practices, including thorough assessments of vendors’ security practices and contractual agreements that enforce security standards.
- Leverage advanced threat intelligence tools that continuously scan and identify potential third-party assets connected to the organization’s network.
- Educate employees about the risks associated with shadow IT and the importance of adhering to the organization’s approved technology stack.
By addressing these overlooked aspects of the attack surface, companies can significantly enhance their security posture and minimize the risk of cyber threats originating from unmonitored or unauthorized assets.
The role of unified cyber insights
Unified cyber insight plays a crucial role in attack surface management in the cloud. It refers to the comprehensive visibility and correlation of security data from various sources across an organization’s entire cloud infrastructure. This unified view allows security teams to gain a holistic understanding of their cloud-based assets, potential vulnerabilities, and overall security posture, which is essential for effectively managing the attack surface and mitigating security risks.
Here are the key features of unified cyber insight in attack surface management in the cloud:
- Centralized visibility: Cloud environments are dynamic and distributed, with assets and data spread across multiple cloud service providers and regions. Companies need a centralized platform to aggregate and consolidate security data from sources such as cloud platforms, network devices, applications, and user activities to enable security teams to keep track of all cloud assets and activities.
- Identifying shadow IT and shadow cloud: Identifying unauthorized or unapproved cloud services and applications used by employees and external cloud services that interact with the organization’s network is critical to managing the modern attack surface. This visibility helps organizations bring shadow assets under the umbrella of formal security measures, reducing potential vulnerabilities.
- Correlation of security events: Unified cyber insight correlates security events from different cloud platforms, network devices, and other sources so that security teams can better detect patterns and trends indicative of malicious activities or security breaches.
- Early threat detection: Security teams can set up proactive alerts and responses to unusual activities, enabling them to address potential threats before they escalate into full-fledged attacks. This proactive monitoring is key to staying ahead of evolving threats.
- Compliance and auditing: Unified cyber insight simplifies compliance monitoring and reporting for cloud environments. It helps organizations track adherence to industry regulations, data protection laws, and internal security policies, facilitating audit trails and ensuring compliance with relevant standards.
- Improved incident response: If a security incident happens, unified insights and visibility accelerate incident response by providing security teams with a complete view of the attack surface and the affected assets. This enhanced visibility enables quick containment and remediation actions to minimize the impact of the breach.
- Data access and collaboration: Collaboration and data sharing between different teams within the organization strengthens the security program. It fosters a culture of transparency, allowing security teams to access data from systems owned or administered by other departments. This collaboration is essential in a multi-cloud environment, where multiple teams are responsible for various cloud assets.
Unified insight is a vital component of effective attack surface management in the cloud because it provides a comprehensive view of cloud assets, activities, and security events. It helps organizations shift from a reactive security posture to a proactive one by delivering centralized visibility and correlation capabilities that minimize potential risks and vulnerabilities in the rapidly evolving cloud environment.
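The centralized visibility, shadow-asset identification and finding correlation described above, as an added example that is not part of the original article: a Python sketch that merges constructed per-provider inventory exports into one view, flags assets missing from an approved-asset register as shadow assets, attaches scanner findings to each asset, and surfaces findings that reference no inventoried asset at all. All asset ids, finding titles and scoring weights are constructed assumptions, not values from the report.

```python
from collections import defaultdict

# Constructed per-provider inventory exports, normalised to one schema;
# a real pipeline would build these from each provider's asset APIs.
CLOUD_ASSETS = [
    {"provider": "aws", "id": "i-0a1b2c3", "name": "web-prod-1", "owner": "platform", "public": True},
    {"provider": "aws", "id": "marketing-dump", "name": "marketing-dump", "owner": None, "public": True},
    {"provider": "azure", "id": "vm-analytics-7", "name": "analytics-7", "owner": "data", "public": False},
    {"provider": "gcp", "id": "gke-sandbox", "name": "sandbox", "owner": None, "public": False},
]
# Constructed approved-asset register (CMDB entries), keyed by (provider, id).
APPROVED = {("aws", "i-0a1b2c3"), ("azure", "vm-analytics-7")}
# Constructed findings from scanners / CSPM tools, each tied to an asset key.
FINDINGS = [
    {"asset": ("aws", "marketing-dump"), "severity": "high", "title": "bucket policy allows public read"},
    {"asset": ("aws", "i-0a1b2c3"), "severity": "medium", "title": "TLS 1.0 still enabled"},
    {"asset": ("gcp", "gke-sandbox"), "severity": "low", "title": "no owner tag"},
    {"asset": ("azure", "vm-old-2"), "severity": "high", "title": "unpatched OS"},  # not in any export
]
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
SHADOW_WEIGHT, PUBLIC_WEIGHT = 2, 2  # assumed extra weight for unmanaged / exposed assets


def unify(assets, approved, findings):
    """Merge inventories and findings into one ranked view: each record carries a
    shadow flag (asset unknown to the register), its findings and a priority score."""
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[f["asset"]].append(f)
    unified = []
    for a in assets:
        key = (a["provider"], a["id"])
        shadow = key not in approved
        fs = by_asset.get(key, [])
        score = sum(SEVERITY_WEIGHT[f["severity"]] for f in fs)
        score += SHADOW_WEIGHT if shadow else 0
        score += PUBLIC_WEIGHT if a["public"] else 0
        unified.append({**a, "shadow": shadow, "findings": fs, "score": score})
    return sorted(unified, key=lambda r: r["score"], reverse=True)


def shadow_assets(unified):
    """Assets present in a cloud account but absent from the approved register."""
    return [r for r in unified if r["shadow"]]


def orphan_findings(assets, findings):
    """Findings that reference no inventoried asset: a visibility gap to close."""
    known = {(a["provider"], a["id"]) for a in assets}
    return [f for f in findings if f["asset"] not in known]
```

Orphan findings are worth tracking separately: they usually mean a scanner sees an asset that the inventory pipeline does not, which is itself a gap in the unified view.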
Managing a distributed modern attack surface
Dealing with the distributed modern attack surface more efficiently requires companies to make a decisive shift from a reactive to a proactive security posture. Here are some best practices that companies can implement to make that shift and manage the distributed attack surface more effectively:
- Continuous Visibility and Monitoring: Implement comprehensive and continuous visibility across all cloud environments, including multi-cloud and hybrid cloud architectures. Leverage cloud security solutions that provide real-time monitoring and centralized dashboards to detect potential threats and vulnerabilities and alert security teams.
- Standardization and Consistent Security Policies: Develop standardized security policies and configurations across all cloud service providers and environments to reduce potential gaps and inconsistencies that threat actors might exploit.
- Identity and Access Management (IAM): Strengthen IAM practices by adopting multi-factor authentication, role-based access controls, and least privilege principles.
- Cloud-Native Security Tools: Utilize cloud-native security tools and technologies provided by cloud service providers. These tools are designed to address specific cloud security challenges, unlike those designed for a traditional attack perimeter.
- Automated Security Measures: Integrate automation and orchestration to enhance security operations and incident response so that security teams can focus on critical issues and speed up response times.
- Threat Intelligence Integration: Integrate threat intelligence feeds to stay informed about the latest cyber threats and attack patterns. Using threat intelligence, organizations can proactively anticipate potential attacks and implement appropriate defenses.
- Regular Security Assessments and Audits: Conduct regular security assessments, penetration testing, and audits of cloud environments. These assessments help identify vulnerabilities and weaknesses in the distributed attack surface, allowing organizations to address them promptly.
- Vendor and Third-Party Risk Management: Establish strong vendor risk management practices, especially when using third-party cloud services or relying on external vendors for critical functions. Assess the security practices of these partners and ensure they adhere to robust security standards.
- Cloud Security Training and Awareness: Remember the human element, and provide comprehensive cloud security training to all employees, including company policy on shadow IT (it doesn’t have to be a total ban). An informed and security-aware workforce is a valuable defense against cloud-related threats.
- Incident Response and Disaster Recovery Plans: Develop and regularly test incident response and disaster recovery plans specific to the organization’s cloud environment. A well-prepared response plan mitigates the impact of security incidents and minimizes downtime in the event of a breach.
- Cloud Security Experts and Managed Services: If companies don’t have the onsite expertise to create a holistic security plan, they should consider leveraging the expertise of cloud security professionals or managed security service providers (MSSPs) who specialize in cloud security. Their knowledge and experience can provide valuable guidance and support in managing the distributed attack surface.
- Stay Informed About Cloud Security Trends: Keep abreast of the latest cloud security trends, best practices, and emerging threats in the cybersecurity landscape. Regularly attend industry conferences and webinars, and participate in cloud security communities to stay informed and learn from others’ experiences.
A proactive and comprehensive approach to cloud security not only protects critical assets but also enables organizations to embrace the full benefits of cloud technologies while mitigating potential risks. The attack surface has changed, but companies have the right resources to adapt and implement an attack surface management plan that works.
Elizabeth Wallace is a Nashville-based freelance writer with a soft spot for data science and AI and a background in linguistics. She spent 13 years teaching language in higher ed and now helps startups and other organizations explain – clearly – what it is they do.