How IT audits can reduce your attack surface
For many CIOs and their IT teams, audits are a painful inconvenience. Traditionally, audits have meant building detailed spreadsheets from data collected by hand out of various IT asset management systems. A modern technology management platform can turn this painful, error-prone manual process into a powerful way to reduce an enterprise’s attack surface.
As technology becomes more and more embedded in enterprise processes, attack surfaces are rapidly expanding to now include:
- Laptops and thin clients (Windows, macOS, ChromeOS)
- Smartphones (Android, iOS)
- Tablets (Windows, iOS)
- Installed software
- SaaS
- Cloud infrastructure
- Smart connected peripherals
The average employee today has a laptop and a smartphone accessing corporate networks, and most likely smart peripherals such as monitors with wireless connections. On those devices they use a growing array of SaaS products, each of which is a potential avenue for data compromise. Many will still have traditional software installed, which is likely unpatched.
Their devices are likely running Windows, Android, macOS, or iOS. Add servers, and they are probably also running Linux. Cloud computing, with its ever-growing menu of software and appliance types, expands the potential attack surface further. More recently, with COVID-19 forcing work from home, the attack surface has grown to include VPNs and home Internet routers that were never designed for corporate management.
Each surface carries its own risks. An Android device may be compromised by malware delivered through a rogue app. A SaaS service carries the risk of credential theft, with the stolen credentials then reused against other services, or of direct data exfiltration. The upshot? Today’s IT teams have their hands full covering the waterfront of attack surfaces. In medium and large enterprises the attack surface is now so diverse that it defies traditional manual attempts to map and measure it: it changes too quickly and has too many facets for even the savviest IT teams.
What’s more, it is effectively impossible for security teams to apply every patch in a timely fashion, because more and more vulnerabilities are disclosed in the wild and remain without an approved patch for a month or longer. Researchers at Palo Alto Networks found that four out of five public exploits are published online before their CVEs (Common Vulnerabilities and Exposures entries) are published, with an average interval of 23 days between exploit publication and CVE release. That does not even count CVEs issued without a patch. During that window, finding the exposed device or service and isolating it from the network is the only option, so not having an accurate, easily queried attack surface map directly delays the response to zero-day exploits.
The IT audit surface and the attack surface are largely the same
The reality of IT audits required for compliance with certifications like SOC 2 and ISO/IEC 27001 is that they closely mirror the security team’s effort to identify every possible attack surface. Complete coverage of the attack surface probably exceeds what audits and certifications require, but those processes create a solid baseline that can be augmented over time with more granular attack surface risks.
The key mental shift is this: you already have automated systems that scan your networks for attached IP addresses and devices, or that monitor accessed services. But those systems cannot easily link an IP or an accessed service to an individual, a location, or a time. They tell security teams “there is an unexpected connection” and little more. Modern, agentless technology orchestration platforms attack the problem from the other direction: they tap into the agents and collection systems you already run (employee directory, SSO, etc.) to build a comprehensive database of laptops, smartphones, SaaS subscriptions, and so on.
IT Audits Tip: Start from ownership rather than detection
Rather than starting from an IP address, they build the database around who owns which asset and where that asset is located. Because they are agentless and can be run frequently, IT audit sweeps can run continuously and cover large chunks of the IT ecosystem. As a side effect, each incremental update from an agent or collection point refreshes what is, in effect, an attack surface map.
The main difference is the stakeholder’s point of view. Audit teams are trying to automate the painful manual process of building a point-in-time snapshot. Security teams are trying to maintain a real-time database of asset ownership and location, which is the attack surface, to enable faster incident response and better risk management. The same automation can also validate that security controls are in place: that anti-malware is running, that disks are encrypted, and that every laptop has installed its latest security updates.
The good news? Both your audit team and your security team will thank you for saving them massive amounts of time and eliminating repetitive processes that machines do better than humans.
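To make the ownership-first idea concrete, here is an added illustration (not code from this article or from any vendor’s platform). It joins constructed sample exports from an identity directory, an MDM, an SSO audit log and a network scan into a map keyed by owner, flags the one device the scanner sees but nobody owns, and then reuses the same data for the control checks listed above. The record field names, the MAC address as join key, the “as of” date and the 30-day patch window are all assumptions for the example.

```python
"""Ownership-first asset map: added example, not the article's or any vendor's code.
All records below are constructed sample data; field names (serial, owner, mac,
last_patch, ...) are assumptions about what a directory, an MDM/endpoint agent,
an SSO audit log and a network scanner would export."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed exports from the collection systems the article names.
DIRECTORY = [  # identity directory: who exists and where they sit
    {"user": "alice", "location": "Berlin"},
    {"user": "bob", "location": "Austin"},
]
MDM = [  # endpoint management: device -> owner, plus control state
    {"serial": "C02X1", "owner": "alice", "mac": "AA:BB:CC:00:00:01",
     "os": "macOS", "encrypted": True, "av": True, "last_patch": "2020-09-20"},
    {"serial": "LT-77", "owner": "bob", "mac": "aa:bb:cc:00:00:02",
     "os": "Windows", "encrypted": False, "av": True, "last_patch": "2020-07-01"},
]
SSO_LOGINS = [  # SSO audit log: which SaaS apps each person actually uses
    {"user": "alice", "app": "Salesforce"},
    {"user": "alice", "app": "Slack"},
    {"user": "bob", "app": "Slack"},
]
NETWORK_SCAN = [  # detection view: IP and MAC only, no owner
    {"ip": "10.0.1.20", "mac": "aa:bb:cc:00:00:01"},
    {"ip": "10.0.1.21", "mac": "aa:bb:cc:00:00:02"},
    {"ip": "10.0.1.99", "mac": "de:ad:be:ef:00:01"},  # matches no MDM record
]
AS_OF = date(2020, 10, 1)   # assumed "today" for patch-age checks
PATCH_SLA_DAYS = 30         # assumed internal patch window


@dataclass
class Device:
    serial: str
    mac: str
    os: str
    encrypted: bool
    av: bool
    last_patch: date
    ip: Optional[str] = None   # filled in when the scanner sees this MAC


@dataclass
class Owner:
    user: str
    location: str
    devices: list = field(default_factory=list)
    saas: set = field(default_factory=set)


def build_asset_map(directory, mdm, sso_logins, network_scan):
    """Return ({user: Owner}, [scan rows nobody owns]).

    The join key between what the network sees (IP/MAC) and who owns it
    (MDM serial -> user) is the MAC address; the directory supplies the
    location and the SSO log supplies each person's SaaS surface.
    """
    owners = {r["user"]: Owner(r["user"], r["location"]) for r in directory}
    by_mac = {}
    for r in mdm:
        dev = Device(r["serial"], r["mac"].lower(), r["os"], r["encrypted"],
                     r["av"], date.fromisoformat(r["last_patch"]))
        by_mac[dev.mac] = dev
        owners.setdefault(r["owner"], Owner(r["owner"], "unknown")).devices.append(dev)
    for r in sso_logins:
        owners.setdefault(r["user"], Owner(r["user"], "unknown")).saas.add(r["app"])
    unowned = []
    for r in network_scan:
        dev = by_mac.get(r["mac"].lower())
        if dev is None:
            unowned.append(r)   # the scanner's "unexpected connection", now known to have no owner
        else:
            dev.ip = r["ip"]    # detection result attached to a person and a place
    return owners, unowned


def control_findings(owners, as_of, patch_sla_days=PATCH_SLA_DAYS):
    """Reuse the ownership data to check anti-malware, encryption and patch age."""
    findings = []
    for owner in owners.values():
        for dev in owner.devices:
            if not dev.av:
                findings.append((dev.serial, owner.user, "no anti-malware agent"))
            if not dev.encrypted:
                findings.append((dev.serial, owner.user, "disk not encrypted"))
            if (as_of - dev.last_patch).days > patch_sla_days:
                findings.append((dev.serial, owner.user,
                                 f"patch older than {patch_sla_days} days"))
    return findings


if __name__ == "__main__":
    owners, unowned = build_asset_map(DIRECTORY, MDM, SSO_LOGINS, NETWORK_SCAN)
    for o in owners.values():
        print(o.user, o.location, [(d.serial, d.ip) for d in o.devices], sorted(o.saas))
    print("unowned on network:", [r["ip"] for r in unowned])
    for f in control_findings(owners, AS_OF):
        print("finding:", f)
```

The point of the join is the direction of the question: the scan alone can only say that 10.0.1.99 is an unexpected connection, while the merged view says it belongs to nobody in the directory or MDM, and that bob’s Windows laptop in Austin is both unencrypted and outside the patch window. Both answers come from the same refresh, which is why the audit snapshot and the attack surface map end up being one dataset.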