Note: This is part 5 of a 5-part series in which we examine a smarter approach to attack surface management. Catch up on last week’s post first.
I love the term “attack surface management.” So much so that that’s what we named our solution portfolio. The term isn’t new, but I’m still sometimes asked whether I mean “asset management,” or “attack surface discovery,” — and whether I’m just adding some flair because #MaRKeTiNg. First of all, I’m insulted. Second of all, attack surface management isn’t just about monitoring known asset inventory, nor about finding shadow and legacy IT, though those things are important, and benefit from being well understood by most businesses ~foreshadowing~. Attack surface management covers aspects of both, but most importantly, it’s deployed within the context of real risk.
Define it, prioritize it, and action it… faster than your attackers.
That’s attack surface management.
While most of the security community understands this nuance by now, and needn’t look much further than the… now quite colorful headlines to illustrate its importance, sometimes “why” doesn’t always neatly translate to “how” and “when,” for the Board, your executive team, or your budget.
In this 5th (and final?!) segment of our Attack Surface Series, we’re reviewing how to build the business case for your Bugcrowd Attack Surface Management (ASM) solution. We’ll cover the basics of risk, resource, and reputational savings… as well as a few lesser explored topics. Like why choosing between commercial scanners becomes much easier when ASM recon experts use and/or develop their own for every engagement, and why you won’t go through another M&A without checking ASM Asset Inventory first.
Risk reduction is a complicated topic. There are lots of scenarios I could paint that illustrate why having a dedicated attack surface management solution will help close gaps in current processes, and reduce business risk. But, as per above, I know you’re not here to learn “why” this is important, you’re here because you want to explain to your peers “why now.” Sometimes the easiest way to do that is through dollars and cents.
I would be remiss if I didn’t try to sneak a sure-to-be polarizing conversation about ROI into this blog. Security ROI is one of the more hotly debated phrases in the industry today, but, like sourdough bread experiments during stay-at-home orders, you get out what you put in. Could you simply weigh the average cost of a breach versus the cost of a solution, sure, but that’s highly unlikely to work with your CFO, and doesn’t provide a way to quantitatively compare whether one solution is more or less likely to reduce risk over another. Industry secret- we all say we reduce risk.
To mitigate this, The SANS Institute created a comprehensive equation for assessing security investments that personalizes the math to reflect your unique environment, as well as the average impact of the solution in question. As such, this has become a popular method for demonstrating the risk reduction potential for your target investment.
The Return On Security Investment, or ROSI formula requires a business to estimate their annualized loss expectancy (ALE), or the monetary loss from a single incident, multiplied by the number of times such an incident might occur, multiplied by the mitigation ratio, or the expected impact of risk-reduction activities, minus and then divided by cost of solution. That was a mouthful, and might be easier to conceptualize like this:
ALE x Mitigation Ratio – Cost of Solution
ROSI = ___________________________________
Cost of Solution
Yea that was much easier. Now to apply this to Attack Surface Management. Gartner once estimated that one-third of successful attacks would be against unknown or unprioritized assets. If that has been, or could be true for your organization, then your ALE might be a little higher. It might also be higher if your attack surface has suddenly expanded due to digital transformation, M&A, or a host of other events that often lead to an explosion of unknown, and potentially vulnerable assets.
As for the mitigation ratio, Bugcrowd ASM has uncovered an average of 93% more attack surface over known customer seed data. Because we also risk-rank and prioritize findings, organizations can then quickly decommission, or move priority assets into active testing programs focused on rooting out high-risk vulnerabilities. To better qualify this metric for your particular environment, our expert Security Engineers can provide a simple assessment with preliminary results in as little as 48 hours.
Great news! Attack Surface Management will save you Attack Surface Management headcount. Oh… you don’t have that? Well sit tight for just a moment. It’s true some large organizations have full-time resources dedicated to hunting for unknown attack surface. But skill, bandwidth, team size, availability, scope, and more can limit scale, and quality of results. Additionally, lack of integration, automation, or reporting can slow time to respond. Attack Surface Management – Asset Risk closes this gap by connecting organizations to a global network of reconnaissance experts with the skills and experience best suited to your unique environment, to quickly find, and prioritize assets according to real risk of attack.
If, on the other hand, you’re amongst the organizations that don’t have a dedicated function for reducing unknown attack surface, you may avoid the pitfalls listed, but it’s likely you’ll face your own set of costly challenges when attempting to spread the work across multiple teams.
Asset management alone is often ripe with inefficiencies due to manual processes, and human error. Automating discovery is great, but automating cross-company alerting and management around at-risk assets as they evolve, can save weeks in manual tracking and review for IT teams everywhere. Attack Surface Management – Asset Inventory provides both. With a pre-indexed view of much of the internet, ASM-AI provides rapid inventory population and categorization, and enables organizations to create customized change-management alerts for things like open ports, vulnerable software versions, or soon-to-expire certificates. Open APIs and publicly available services ensure that information can be disseminated to any number of business functions outside security including IT, marketing, sales, finance, and more.
Yes, a breach will likely create some bad press for your organization. But you already know that. And you’ll say, “Right, but that’s a crapshoot and I’m already doing everything I can to avoid one.” Fair! Very fair. So let’s instead talk about the things that you’re probably not looking for.
I glossed over it a bit above, but what happened to this large security and accounting firm is quite serious. And the purpose of linking this article isn’t to shame the organization, as forgotten subdomain takeovers happen frequently, but rather to illustrate the impact in ways that might be more readily digested by any less-technical recipients of your business case.
Subdomain takeover is the process of registering a new domain name to gain control over another domain. The act isn’t technically a “breach,” which is why it’s often missed by scanners, leading to significant reputational damage more often than we’d like to believe. An earlier blog in this series, authored by our own recon-hacker turned sec-ops leader, Michael Skelton, summarized why this is so:
“In my own hunting experience I’ve come over a top-tier, publicly traded company which had a subdomain takeover that had been performed by an attacker and turned into a cannabis company (likely for Blackhat SEO efforts). The site was set up for a team offsite that was then decommissioned, but the DNS record had remained active and then used by the attacker to reclaim that subdomain. Why didn’t scanners pick it up? Ultimately, because once a compromise has already occurred most scanners will no longer view them as a vulnerability. Scanners aren’t built to suss out brand inconsistencies, after all. But the potential public relations fallout could have caused reputational damage equal to any breach.”
ASM – Asset Risk relies on human ingenuity to tackle issues like this — the things that take creativity, ‘thread-pulling’ and years of experience to find. While scanners can identify known business problems, there are currently no automated solutions in market capable of identifying the unique business inconsistencies that result in costly reputational damage like this.
Nothing helps expedite a business case for attack surface management quite like an impending disruption of said attack surface. While business transformation activities are excellent catalysts for upping your game here, the urgency isn’t quite as palpable as say, a sudden and unplanned shift to remote work, or time-sensitive M&A. Both of these events require quick and decisive action, with little room for error.
Mergers & Acquisitions are incredibly complex events, making asset tracking all the more difficult. Finding unknown or unprioritized assets belonging to each organization is one matter, but tracing ownership across several layers of change management, hundreds of manually-populated spreadsheets, and several public and private databases is an entirely different ballgame– one that attackers are playing in parallel.
Once again, no commercially-available tools do a very good job with this particular use case, as you might expect with any activity that’s composed of several hundred intricately connected manual interactions. Fortunately, people are great at people problems. Especially those with years of experience tracking such behavior, and powered by automation and tooling designed to expedite analysis.
More on that tooling in the next section…
Choosing the Right Solution
When building the business case for your Attack Surface Management solution, I’m willing to bet you’ll be asked at least once, “why xyz automated solution can’t do the same?” I love this question. Genuinely. I’ve been waiting all blog to get to it. To answer this question we’ll have to divide it in two:
The first is focused on a comparison of tools capable of automatically discovering and managing connected assets. This is easily addressed by ASM – Asset Inventory, as it is the only software-based solution that leverages a pre-indexation of the internet and several proprietary attribution methods to rapidly assemble entire asset inventories while continuously hunting for more.
The second has to do with discovering and actioning vulnerabilities within those assets, in order to better inform how they are prioritized and actioned. For this, you may be asked to build a business case comparing ASM – Asset Risk to several commercially available vulnerability scanners, the deficiencies of which are enumerated in previous blogs, but we’ll take a summarized look here as well.
Whether driven by pattern-matching (looking for known CVEs) or AI (looking beyond what’s clearly defined), both types of vulnerability scanners face serious limitations without human help. AI-based scanners have trouble making “judgement calls” on attribution and exploitation, while rules-based scanners face data-freshness issues, with the time between CVE posting and active testing often spanning weeks or months.
However, despite their limitations, both types of tools can thrive with a bit of human guidance. Our recon experts are welcome to use, or build their own automated tooling for any ASM – Asset Risk engagement. So when customers ask why Asset Risk is better than the scanner they’re considering, we like to ask, “Which are you considering? Because if you’re having trouble choosing, our recon experts have likely have either helped build them, are using several open-source versions, or have engineered something even better.”
In other words, making the business case for Attack Surface Management isn’t really about “why ASM over any one solution” — it’s “why any one solution when ASM gives you access to so much more.”
Adding it Up
The Bugcrowd Attack Surface Management portfolio combines the scale and persistence of software-based discovery and management solutions, with the creativity and impact of the world’s best recon hackers. Customers have uncovered an average of 93% more unknown attack surface, with clear prioritization and risk-ranking as determined by our ‘always on’ global community of trusted and experienced reconnaissance experts. If you’re interested in learning more about this solution, or need some help building your own business case, contact us today!