In this episode of The Security Strategist podcast, host Richard Stiennon, industry analyst and author, speaks to Craig Roberts, Principal Software Engineer at Rapid7, about digital exposure and the increasing challenges of Attack Surface Management (ASM).
The conversation peels back the layers of hidden vulnerabilities and misconfigurations that plague today’s digital world. The speakers offer expert advice into how businesses can better understand, prioritise, and manage their expanding attack surfaces.
"It's all about the kind of different steps an attacker takes. The attack surface simply means when an attacker can exploit to get to my goal and align to my mission," says Craig Roberts, Principal Software Engineer at Rapid7.
Attack Surface Goes Beyond External Scans
Also the Co-founder of Noetic (acquired by Rapid7), Roberts traces his journey into attack surface management to a practical observation: many cybersecurity incidents came from overlooked assets, such as unmonitored servers or endpoints with no Endpoint Detection and Response (EDR) coverage.
"We set out to raise that hygiene bar through preventative controls," he explains. The typical view of an attack surface is often limited to external website scans. "That's only a small piece of it these days. It's often where an attacker will start. It’s an initial foothold. Everything past that point is also still an attack surface."
Emphasising the diverse nature of attack vectors, Roberts adds, "We don't have a homogenous way. Attackers both initially gain access and then start moving towards their target." This means that a single misstep or vulnerability across any of these areas can allow an attacker to achieve their objective.
Holistic Exposure Management
Looking ahead, Roberts recommends that CISOs focus on gathering all enterprise data and understanding their environment across every asset class: cloud, users, and traditional infrastructure.
Then, layer on an understanding of "exposures" rather than just Common Vulnerabilities and Exposures (CVEs). This includes cloud misconfigurations, identity-related issues such as MFA misconfigurations, and zero-days.
"Treat those in a similar way because at the end of the day, we need to prioritise those exposures because the attacker isn't going to care about the weapon they use," Roberts concludes. This holistic approach is built on foundational trust in data shared across the various security vendors and tools an organisation uses, and such a strategy is crucial for gaining a central view of risk and efficiently mitigating the diverse threats facing modern enterprises.
A key takeaway from the discussion is the importance of understanding an organisation's assets and how critical each one is. Roberts argues that, while organisations may spend significant effort on re-scoring and building "vulnerability intelligence pipelines," it is often not known which critical assets those vulnerabilities reside on.
"The asset is a really important thing. How important that is to your business, and what data and mitigations it has in it hugely affects the risk of that vulnerability," he stresses.
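To make the argument concrete, here is an added example (not code from the podcast or from Rapid7) of a small prioritisation routine that scores heterogeneous exposures, CVEs, cloud and identity misconfigurations and zero-days alike, by a common severity scale weighted by the asset's business criticality, the data it holds and the mitigations already in place. All assets, exposures, scales and weights are constructed for illustration; the CVE identifier is a placeholder.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    criticality: int            # 1-5: how important the asset is to the business
    data_sensitivity: int       # 1-5: sensitivity of the data it holds
    mitigations: set = field(default_factory=set)   # controls present, e.g. {"edr", "segmented"}

@dataclass
class Exposure:
    kind: str                   # "cve", "cloud-misconfig", "identity-misconfig", "zero-day"
    ident: str
    severity: float             # 0-10, normalised across exposure kinds (assumed scale)
    asset: Asset
    mitigated_by: set = field(default_factory=set)  # controls that would reduce this exposure

def risk_score(e: Exposure) -> float:
    """Severity weighted by asset importance and reduced by applicable mitigations."""
    asset_weight = (e.asset.criticality + e.asset.data_sensitivity) / 10   # 0.2 .. 1.0
    applicable = e.mitigated_by & e.asset.mitigations
    residual = 0.5 ** len(applicable)    # each relevant control present halves residual risk
    return round(e.severity * asset_weight * residual, 2)

def prioritise(exposures):
    """Highest residual risk first, regardless of what kind of exposure it is."""
    return sorted(exposures, key=risk_score, reverse=True)

# Constructed sample inventory: three assets, four exposures of different kinds.
customer_db = Asset("customer-db", 5, 5, {"edr", "segmented"})
lobby_kiosk = Asset("lobby-kiosk", 1, 1)
sso_idp = Asset("sso-idp", 5, 4, {"edr"})

SAMPLE_EXPOSURES = [
    Exposure("cve", "CVE-PLACEHOLDER-A", 9.8, lobby_kiosk, {"edr"}),
    Exposure("cve", "CVE-PLACEHOLDER-A", 9.8, customer_db, {"edr", "segmented"}),
    Exposure("identity-misconfig", "mfa-not-enforced-admins", 7.0, sso_idp, {"mfa"}),
    Exposure("zero-day", "unpatched-0day", 8.0, customer_db, {"segmented"}),
]

if __name__ == "__main__":
    for e in prioritise(SAMPLE_EXPOSURES):
        print(f"{risk_score(e):5.2f}  {e.kind:19s} {e.ident:24s} on {e.asset.name}")
```

Note that the same CVE scores very differently on the two assets, and an MFA misconfiguration on the identity provider outranks a critical-rated CVE that is already segmented and covered by EDR.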
Takeaways
- Understanding the attack surface is crucial for effective cybersecurity.
- Attackers exploit various vulnerabilities to achieve their goals.
- Prioritization of vulnerabilities is essential due to the overwhelming number of CVEs.
- Zero-day vulnerabilities pose significant risks that require immediate attention.
- IoT devices present unique challenges in vulnerability management.
- Effective management of attack surfaces can deter opportunistic attackers.
- Visibility into assets and their configurations is key to risk management.
- Collaboration between security vendors enhances data sharing and threat response.
- Organisations must treat all exposures equally, regardless of their nature.
- A proactive approach to security can reduce the likelihood of successful attacks.
Chapters
00:00 Introduction to Attack Surface Management
03:02 Understanding the Evolving Attack Surface
05:55 Types of Attackers and Their Motivations
08:52 Prioritizing Vulnerabilities and Exposures
12:09 Zero-Day Vulnerabilities and IoT Challenges
15:04 Management Strategies for Attack Surfaces
17:56 The Importance of Asset Visibility
20:57 Key Takeaways for CISOs
About Rapid7
Rapid7, Inc. (NASDAQ: RPD) is on a mission to create a safer digital world by making cybersecurity simpler and more accessible. We empower security professionals to manage a modern attack surface through our best-in-class technology, leading-edge research, and broad, strategic expertise. Rapid7’s comprehensive security solutions help more than 11,000 global customers unite cloud risk management and threat detection to reduce attack surfaces and eliminate threats with speed and precision. For more information, visit our website, check out our blog, or follow us on LinkedIn or X.