Let me tell you a little spooky tale that you may find eerily familiar. A marketing team builds a site for an event, but “forgets” to loop-in the IT team.. After the event, the site is forgotten– for all but curious attackers who find it once it becomes vulnerable.  This old site just might now be the downfall of them all… MUAHAHAHAHA. 

Ok, maybe that’s a little dramatic. But October is Cybersecurity Awareness Month, which is a good reminder to increase awareness on those ghostly forgotten assets or spooky shadow IT. Chances are, you have more assets hidden in the shadows than you think.

Attack Surface Discovery: A Hair-raising Statistic

According to a recently published research report by ESG Attack Surface and Vulnerability Management Assessment, two-thirds of senior security professionals believe it’s harder to defend and monitor attack surface than it was just two years ago. The reason?  Increased attacker sophistication and unwieldy attack surface expansion top the list, which additionally includes:

  • Increased data to collect, process, and analyze (56%)
  • Moving to the cloud (45%)

But there is a silver lining.. This increase has also led to some positive attention towards attack surface discovery and management, especially when it comes to loosening purse strings. Of the surveyed organizations, 70% plan to increase spending on attack surface discovery and monitoring solutions over the next 24 months. 

Attack Surface Discovery Tips That Will Help You Rest in Peace

As ESG divided their analysis into three subsets based on security maturity, it’s easy to extract how more mature organizations are handling these problems today: 

Tip #1 – Leading organizations diversify their methods

Vulnerability scanners,  inventory analysis,  asset reconnaissance programs, and open-scope bug bounty programs top the list of methods these organizations use to reduce risk of unknown or unprioritized assets falling into the wrong hands. 

Tip #2 – Leading organizations build collaborative processes between security and IT teams

Security and IT working hand-in-hand… I don’t even need a Halloween pun to show how scary life can be without it. In the white paper, 49% of organizations surveyed said that attack surface management is a shared responsibility. So, communicate, build processes together, and develop common goals to reduce the chance of things slipping through the cracks.. 

Tip #3 – Leading organizations deploy continuous monitoring

No matter how you slice it, leading organizations #Can’tStop #Won’tStop looking for hidden attack surface. 72% report conducting attack surface discovery on a continual basis, and it’s paid off, resulting in a greater number of vulnerabilities uncovered than their “less mature” counterparts. According to the report, “Leaders find problems because they are better at looking for problems.” 

Leading security organizations also differ in how they plan to invest in future attack surface, and vulnerability management endeavors, including:

  • Provide internal training to the cybersecurity staff (43%)
  • Buy new tools/technologies (40%)
  • Integrate technologies with security operations and/or software development tools for process automation (34%)
  • Hire dedicated personnel (31%)

Implementing similar practices  could mean that when bad actors come trick-or-treating for unprotected attack surface, they’ll be met by locked doors and dark porches. I recommend reading the ESG report for more insight into how leading organizations are building their attack surface and vulnerability management strategies.  I hope it helps as you attempt to shine a light on the hidden attack surface skeletons that may be in your closet.