Attack Surface Management
Ivanti’s State of Cybersecurity Research Report Series
Organizations’ attack surfaces are expanding quickly. Research from Ivanti examines the scale of the problem and strategies for comprehensive attack surface management.
As of April 1, 2024, all Ivanti operations in your region will be assumed by IVM EME. For sales questions please visit https://www.ivmeme.com
01
Due to technological advancements and the evolution of Everywhere Work, organizations' attack surfaces are bigger and more complex than ever.
Organizations are overseeing a fast-growing ecosystem of devices, tools and assets on their networks — all of which are proliferating rapidly. Yet they have limited visibility into this expanding digital universe.
More than half of IT professionals Ivanti surveyed say they are not very confident they can stop a damaging security incident in the next 12 months. And more than 1 in 3 say they are less prepared to detect threats and respond to incidents compared to one year ago.
50% of office workers say they use personal devices at work.
32% of those say their employers don’t know.
The problem is not simply a matter of complexity (i.e., the proliferation of devices and assets leading to sprawl and inefficiency). This growing ecosystem is driving an ever-expanding array of vulnerabilities and exposures, which can lead to data breaches, downtime, noncompliance, reputational risk and much more.
For these reasons and more, attack surface management (ASM) is now a mission-critical part of cybersecurity defense. (And Ivanti’s research shows increasing investments in ASM.)
An ASM strategy supports continuous discovery and visibility into emerging threats and active exploits, as well as a data-driven method to prioritize and manage vulnerabilities.
As attackers grow more sophisticated, organizations must face these threats by planning and strategizing from the perspective of their adversaries: Where would an attack begin? What systems would be breached first? How would the attack unfold?
Why ASM now?
As attack surfaces grow larger and more complex, so too must security strategies evolve and advance.
Traditional asset discovery and risk assessment identifies and takes inventory of hardware and software assets across the organization's network.
This is no longer good enough. ASM takes it a step further; it not only identifies assets, but evaluates the risks associated with both known and unknown assets across a broad digital landscape and recommends actions and sequencing of those actions.
02
With so much structured and unstructured data generated every day across the digital ecosystem, critical signals about enterprise health and security are easy to miss.
Large attack surfaces generate massive streams of data, but organizations are often not good custodians of that data — meaning it’s siloed or inaccessible to the people who need it to protect the organization and drive business outcomes.
How do IT and security professionals say data silos impact them at work?
I often need to access data stored in another system, but to get the information I am only able to speak to someone with access as opposed to getting the access required.
I don’t always have all the data I need to make good decisions and I lose valuable time gaining access to it.
Incomplete information means that I have to guess.
Cybersecurity professionals report that data silos impact their ability to act quickly and decisively.
82% say their productivity suffers due to data silos.
40% say data silos slow incident response times.
33% say a lack of alignment with other functions within the organization means stakeholders can’t agree on the right/best course of action.
In other words, data silos are not only inefficient; they limit insights and drive up exposure. But it doesn’t have to be that way. Cyber asset attack surface management (CAASM) tools can solve organizations’ data problems by integrating external attack surface management (EASM) and digital risk protection services (DRPS) data, giving organizations unprecedented access to data, intelligence and visibility.
ASM tools: a primer
03
Organizations struggle to assess risks, prioritize a response and act on threats in a coherent way.
Organizations struggle fruitlessly to prioritize which vulnerabilities to mitigate due to a variety of confounding factors:
External factors: a fast-evolving threat landscape; an unprecedented volume and pace of vulnerabilities and attacks
Internal factors: poor visibility into their attack surface; an inability to assess the severity of existing vulnerabilities; challenges coordinating and communicating a response
Although 64% of organizations say they have a documented methodology for prioritizing security patching, when we look deeper, the findings are troubling.
Security professionals rate nearly all types of vulnerabilities (e.g., active exploits, patches required for compliance, leadership directives) as at least “moderately urgent” if not “highly urgent.” And when all vulnerabilities are a priority … none are.
Given the persistent shortage of qualified security professionals, teams need to allocate resources effectively to keep their organizations secure — which is why prioritizing the organization’s risk response is so important.
How is this done? ASM uses algorithms and methodologies to output risk scores, which prioritize exposures based on factors that include the likelihood of an attack, the severity of the risk, the potential negative impact and more.
This type of risk management and optimization is critical, given the amount of internal and external data that security professionals must oversee and analyze. The result? Less downtime, fewer business interruptions and an improved cybersecurity posture overall.
04
An organization’s suppliers and vendors are an extension of its attack surface — but many don’t treat them as highly connected entry points for attackers.
A 2023 study by Capterra found that 61% of companies had been impacted by software supply chain attacks in the preceding 12 months.
Even so, Ivanti’s research finds that fewer than half of organizations (46%) have identified the vulnerable third-party systems/components in their software supply chain — though an additional 39% say they plan to do this in the coming year.
Your vendors’ and partners’ attack surfaces are extensions of your organization's attack surface. A single breach in your software supply chain can have damaging impacts — on revenues and reputation, as well as on compliance risk and liability exposure. One example: Target’s massive data breach a decade ago was due to attackers getting ahold of credentials stolen from a third-party vendor … a refrigeration and HVAC systems manufacturer, hardly the entry point most would imagine for a damaging breach. The retailer later revealed it booked $162 million in expenses in 2013 and 2014 related to that event, equivalent to $213 million today.
To prevent such attacks, ASM can monitor internet-facing assets to help you better understand your organization's holistic risk profile, including risks introduced by your supply chain. And it can play a vital role in vetting new suppliers, vendors, partners and even acquisition targets.
Gartner® 2023 research finds that, “despite a dramatic rise in software supply chain attacks, security assessments are not performed as a part of vendor risk management or procurement activities. This leaves organizations vulnerable to attacks.”*
05
Experts weigh in on how organizations can understand the full dimensions of their attack surface vulnerabilities and take steps to manage that risk.
In today's digital landscape, we're redefining what constitutes an asset. It's no longer just about physical devices. A myriad of asset types are emerging — transforming closed networks into open systems running on IP protocols. This shift has significantly expanded the "blast radius" for organizations of all sizes, exposing them to increased risks due to misconfigurations and internet exposure.
I recommend following a principle called DEER: Discover, enumerate exposures, remediate.
The real challenge to the DEER principle is the sheer amount of data organizations must harness and leverage. On average, every organization has 60 to 70 different sources of data coming at it. There are five things an organization needs in order to effectively manage all this data:
Once you have a clear prioritization, you need to build up a very robust remediation strategy. And each step of this can be done as a shift-left (which is developer-centric) or shift-right (which is security-centric).
Next comes automation, where service management can come into play. Develop automated workflows for device management, as well as writing tickets to developers, ops and security teams. Then create automated workflows to ensure that remediation is happening with very little human intervention.
Dr. Srinivas Mukkamala
Chief Product Officer, Ivanti
Organizations need to pay more attention to supply chain and vendor security. To do it effectively, consider adopting these four directives:
Above all, your approach with vendors should be collaborative, encouraging regular communication about potential threats and ways to improve security measures together.
Daren Goeson
Senior Vice President of Product Management, SUEM, Ivanti
Organizations need to understand emerging external risks — particularly those unique to their specific industries and markets — and how those risks interact with internal vulnerabilities.
You cannot evaluate risk without context. Your security team may find a vulnerability in a supplier’s software that’s a “5” (i.e., medium). Not so bad. But an attacker may discover it and think, “that’s only a 5, but if I pair it with this other vulnerability, I now have RPE capabilities."
Attack surface management software and prioritization have to take into account the dynamic nature of each vulnerability and each finding that's out there. As vulnerabilities morph and trend, or if they get tied to ransomware or get exploited, an ASM solution will identify how to drive and change those prioritizations dynamically.
The state of our software changes daily, but some of those may not be implemented internally. Somebody else can influence and change our attack surface by exploiting a minor defect — and that suddenly becomes a top priority. So, good attack surface management is highly dynamic, plugged into trends and continuously reevaluating risk based on new data.
Rex McMillan
Vice President of Product Management, Ivanti
This report is based in part on two surveys conducted by Ivanti in late 2023 and 2024: “2024 Everywhere Work Report: Empowering Flexible Work” and “2024 State of Cybersecurity: Inflection Point”. In total, these two studies surveyed 15,000 executive leaders, IT professionals and office workers. This report also cites research from third-party sources.
*Gartner, Mitigate Enterprise Software Supply Chain Security Risks, By Dale Gardner, 31 October 2023 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.