Attack Surface Management

Listen to learn about the differences between attack surface management, vulnerability management, and endpoint security management.

SecurityMetrics Podcast | 58

Attack Surface Management

David Monnier (Chief Evangelist and Team Cymru Fellow at Team Cymru) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss attack surface management.

Listen to learn:

  • What is an attack surface?
  • The differences between attack surface management, vulnerability management, and endpoint security management
  • How can teams gain contextual awareness of their environments?

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of Attack Surface Management

Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Very excited today to talk to someone about attack surface management.


We've been talking a lot about how to keep the edges of your environment secure and the various ways to do that. We've talked a little bit about zero trust. If you haven't had a chance to yet, make sure you go back and watch that one. We thought that it would be a great time to talk about this topic.


So I have David Monnier here talking to me. He's the Chief Evangelist and Team Cymru Fellow at Team Cymru. David was invited to join Team Cymru in two thousand and seven. Prior to that, he served in the US Marine Corps as a noncommissioned officer, then went to work at Indiana University.


There, he drove innovation in a high performance computing center, helping to build some of the most powerful computational systems of their day. He then transitioned to cybersecurity, serving as lead network security engineer at the university and later helped to launch the Research and Education Networking ISAC. At Team Cymru, he has been a systems engineer, a member of the community services outreach team, and a security analyst. David led efforts to standardize and secure the firm's threat intelligence infrastructure, and he served as team lead of engineering, establishing foundational processes that the firm relies on today.


After building out the firm's client success team, he recently moved back to the outreach team to focus once again on community services such as assisting CSIRT teams around the globe and fostering collaboration and data sharing within the community to make the Internet a safer place. With over twenty years of experience in a wide range of technologies, David brings a wealth of knowledge and understanding to threat analysis, system hardening, network defense, incident response, and policy. He's widely recognized among veteran industry practitioners as a thought leader and resource. As such, David has presented around the globe to trust groups and at events for network operators and security analysts.


David, thank you for joining me.


Thanks, Jen. Thank you for having us.


Did I miss anything key before we launch in? People love to know where people come from and how they got there.


No. Nothing at all. In fact, I may have learned a thing or two myself as you know. Just kidding.


If your bio was anything like mine, you just had a long sit down with somebody from the marketing team who just grilled you until they got all the good parts, and then they wrote it up to make you sound cool.


It's precisely the case.


I actually had written one much longer, and this version that they trimmed down is much nicer.


So I'm grateful for their input, for what you said.


It's always nice to have people on your side. So Absolutely. Let's start at the beginning. So we have a lot of people who listen to this show who are quite technical.


And then we have people who are on the non technical side who are really learning things. A lot of people in the C suite who really wanna understand why they should care about this topic. And so it can be difficult to spread out that knowledge to those different types of people. But if you could keep that in mind and let us know, from the very beginning, what's an attack surface?


Well, an attack surface is kind of a broad term that incorporates a few different components which, typically, you think of as separate pieces, oddly enough. But when you step back and consider them in more of a strategic view, you start to realize that they go together. And those pieces, you could describe them as kind of your systems. So your servers, your workstations, this type of system view, and all of the services that they are offering. So perhaps mail services or web services, things like that.


And those kind of, like, obvious technical components are usually where people tend to kind of stop when they think of what is an attack surface, because when you think of the word surface, I think a lot of people imagine it as something tangible, something that you can reach out and touch. Right.


And in the case of attack surface, when we're talking about cybersecurity, that's not always necessarily the case.


There are other components that make up your attack surface as well. And those include things like accounts, which is not something you can really touch at all, but, you know, account management falls into that vein as well.


And then so, in some cases, can be things like your brand.


You know, that might be part of your attack surface. Like, if someone were to undermine your label, what happens to your business then? You know? And what we approach the notion of attack surface as is a collective term to describe all of the parts of your operation that are exposed to external risk.


And so we take kind of a broader view, and broad enough that we also include things that, in the past, typical attack surface didn't take into consideration.


One of which, of course, is, like I mentioned, the accounts. Right? So some huge percentage of attacks include compromised accounts. So we consider an account to be, you know, part of your attack surface.


But, in addition to those kind of views, I guess, our thought was we should also add intelligence to it. And what we consider intelligence may be a little bit different, typically, than the view. But our background as a company, Team Cymru, we've been largely a threat intelligence supplier into security products since our company was started almost two decades ago. And we have really focused on being an intelligence company up until the last, say, year and a half.


Mhmm.


And what we had hoped to be able to do was take all of the global insight, because we basically, you know, observe miscreants doing miscreant things, and we observe kind of what the state of the Internet looks like, meaning how many devices are infected with things, how many devices are being used to attack other people, you know, these types of concepts. And we marry that with an attack surface management tool, and that's where the management part comes in. Right? So we've defined what is an attack surface, and then now what is the management part?


And the management part to us was, so you have this idea of an attack surface where people can probe you, can try to get access to your infrastructure, can try to do these types of things, you know, bad things to you. But wouldn't it be great to also know, like, who was targeting you? Or if the devices that are under your control, maybe they're already compromised. Maybe they're already known to be participating in some type of botnet or something like that.


And maybe that's been happening since you last patched even. So maybe from your typical, like, vulnerability management perspective, maybe the host looks like it doesn't have a problem, but it's only because you patched it after it had been compromised.


And what you're using to determine does this host have a problem or not is frankly outdated information. Okay.


Because you didn't realize it was doing something. You didn't know to know, you know, that type of model. Right. So what we've done is we've taken this notion of an attack surface and then the notion of management, and we've added intelligence to it in the sense of, you know, what we have potentially seen hosts doing or how they've been behaving in the wild. We've taken that, added that to the attack surface, and then we've added an additional part, which is business intelligence. So when you think of, like, a typical vulnerability management service, let's say Mhmm.


They usually, like, let's say we have two hosts, host A, host B, and they're both Active Directory servers.


They're running Microsoft's full suite on it. And a typical tool would do some type of external scan of that host, and they would see what services were running on that specific host, and they would, you know, tell you, hey. This is an Active Directory server, and it has this problem or that problem, or maybe it has no problems. But it would identify and tell you, hey.


Judging by the services that are running on this host, we think it's an Active Directory server. But now imagine, like I said, we have two hosts. Right? We have host A and host B.


And imagine that host A is your actual AD, and you know that this is the one you're using, but maybe host B is some development instance that you're using. Right?


Right.


We wanted to add a capability to let users apply what they know about their infrastructure to say, oh, wait. This host, host A, is our actual Active Directory server. But host B, though I still want to hear about it in case, you know, it needs patching or, you know, in case there's some problem identified with it, I still want to hear about it, but definitely prioritize host A, any instance related to it, float it to the top. Right? So that's how we, if you will, kind of pivoted on what is a typical notion of attack surface management. And sorry.


That was, I know I kinda went into the next part of, I assume, what you were gonna ask, but the two just kinda go together.


My mind. But, no, what I find interesting is that it seems like what you're saying is that your approach or your concept of attack surface management, it takes vulnerability management, which people are very familiar with, and then contextualizes it. Would that be fair?


Yeah. And in fact, I guess, when you describe it that way, I guess I am leaving out some pieces here because, as a practitioner, I talk about the more exciting parts, at least in my mind.


So I guess I should take a step back from that and actually also highlight that attack surface management, the management component of it, includes asset discovery.


So one of the biggest culprits, outside of stolen accounts, is what people refer to as shadow IT.


Mhmm.


And this is, you know, the devices or the services that were stood up for some temporary purpose, oftentimes some type of development effort or research effort, or in some cases, it's like a QA moment. Like, let's spin up an instance and take a look at it. A lot of times, real data gets put on these instances, you know, because you're trying to make sure it's working.


Right.


But then it gets forgotten, and the development team maybe doesn't take it down, or maybe they didn't talk to the security team before standing it up, and maybe nobody knows it's running except for some developer somewhere. So asset discovery is a big piece of what attack surface management is: you have to know what you have. Right. And oftentimes, and again, this is me, you know, being excited about the differentiators, if you will. But, oftentimes, a typical approach is like to say, okay.


Let's say we have, you know, a block of one thousand twenty four IP addresses that are, you know, free for us to use. And we know the range of those IP addresses, and so you put that into your asset discovery tool, and it goes out and scans all those IP addresses for you. First, it checks to see which hosts are there, then for each host that is there, it maybe, you know, does some enumerative service scan on it.


And then what services are running, then perhaps you do some type of vulnerability assessment, you know, where you scan it to see if any of these services need to be patched or are out of date. That's all fine. But the reality is that in the modern computing world, much of the assets that you're making use of don't live within your prefix that you maybe have been assigned.


That's the issue I see all the time, and I'm glad you're talking about that, because for the people that I work with, this is not like an edge case of, oh, well, what if we can't find some of our things? Most organizations cannot find all of their devices. So I'm sorry. I interrupted you. Please go ahead.


No, no. That's, I wish I could share some of the details. You know, because as we've been working with people over the years, we get to see people's kind of bad days. You know?


Yeah.


And I wish I could give you real numbers, but I think people would be upset.


But a huge percentage of organizations in the world have little handle, if any, on what they're asking.


So Yeah. Yeah. So we saw that as well. And so what we set out to do was take a more dynamic approach to discovery. So, like, for example, if your company is using AWS, and you're spinning up instances and you're working in it. Right? And let's say you're using some existing product, which I won't pick on anybody's products, because I don't mean this as an example of why people's products fail.


So I won't name any particular one. But if you were to take your, you know, your network prefixes, you put them in your scanner, and you go out and scan your assets, you're not gonna be scanning your AWS cloud instances because they're not in your prefixes Right. Typically. I mean, it is possible to map your IPs up to Amazon space.


That's not the way most of it is.


Yeah. Don't do it. They don't typically do it. So now are you gonna go out and, you could go license your security product to cover all of Amazon's address space, which I guess, you know, that has some potential, but, you know, that's also a losing battle. No one's really gonna go do that. So what you really need is someone or something that can help you identify those assets that are in that space that might be yours.


And how we accomplish that is, like I said, we've been in the intelligence business for almost twenty years now. And what we have focused on is understanding what the surface of the Internet looks like at any given time.


And we've been doing that, like I said, for, like, two decades, as an intelligence supplier into everybody else's security products. So we're very, very good at knowing what the surface of the Internet looks like at a given time and how it's behaving. So what we do is we take our analytical capabilities, and we had our intelligence analysts sit down. We sat down and figured out what automated discovery methods we could use based on intelligence that we had access to. So think passive DNS, think certificate crawling, banner crawling, this type of information that you can get by kind of tickling the surface of the Internet, if you will.


Right.


And then when someone goes to make use of our ASM platform, it's still powered by our Pure Signal.


So we have an intelligence platform we call Recon, and then we have this attack surface management platform that we call Orbit. They're both fueled by what we refer to as Pure Signal, and that's our kind of collective data.


Mhmm.


So we take that Pure Signal, and we turn that into an automated asset discovery capability, and we go even one step further, in that we assign an intelligence analyst to work with the partner to help train that modeling, if you will, to say, like, yeah. We do this type of business, but not that type of business. So if you see things that look like this, they're probably ours. But if you see things that look like that, they might not be ours.


You know, that type of determination. So we keep a human involved in that mix as well. So that automated asset discovery, with intelligence applied then as well, kind of helps to inform the vulnerability management step. So now, you know, logistically, right, we're going from asset discovery.


So this is your inventory and your asset management. Then once you've identified it, understanding its vulnerabilities, which then can also tie into understanding what hosts need to be maintained and patched, but then we incorporate that threat intelligence with it as well, so you know which host maybe you just need to rebuild, that there's no point in even patching this one. It was compromised a week ago or, you know, that type of insight. So we do it as a continuous discovery model.


So we don't, like, just look once a week. We don't look, you know, it's continuous. So, basically, each of the assets that are being tracked in our Orbit platform basically has a continuous query, you know, looking for things that might be related to it, in the petabytes of data we collect every day.


This episode is brought to you by SecurityMetrics Shopping Cart Monitor Inspect. It's a revolutionary new product that can help you detect any problems with your shopping cart security, allowing you to effectively improve your ecommerce security. Here's what I know about it. A lot of times people say, well, hey, I am PCI compliant because I passed my SAQ A.


Great. You're missing most of the things that people are actually stealing information from right now. Shopping Cart Monitor was created to actually close those gaps and help you against things like Magecart and other known ecommerce issues. To learn more about Shopping Cart Monitor, head to our website www.securitymetrics.com/shopping-cart-monitor.


You probably wouldn't be surprised to learn that a lot of the organizations that I work with are still doing this very manually. You know? Absolutely. Going around and saying, hey.


What do we have out there? And nobody can find that out just by talking to other people. No. Because people leave the company.


They don't remember.


There are a lot of reasons why it's very difficult to find assets.


Yeah. Very much so.


And that's part of what drove us to make the decision. So, historically, you know, we've been an intelligence company. That's been our focus. And ASM is often seen as a security tool, but we don't see it that way. We actually see it as an intelligence tool.


But when we sat down and tried to look in the marketplace to do our typical model, which was supply intelligence into somebody else's product Right. What we found was, like, most of the products didn't do all of the things that we as intelligence practitioners would consider to be critical pieces of ASM. And on top of it, what we found is that the tools out there that did kind of do some of those things, people weren't adopting. They weren't making use of it because it didn't do the rest of the things.


So you had to build your own.


And I think a lot of that you talk about in your recent report that Team Cymru put out. I did not read the entire report because it's massive. So if people really wanna go deep dive on this topic, they can find this report on your website.


But it starts with this statement. The legacy approach to attack surface management falls short of what modern organizations require: contextual awareness.


Security teams increasingly suffer from threat intelligence sensory overload while still unable to achieve the visibility they need to protect the organization, its infrastructure, and mission critical digital assets. And then later, it asks this question, is ASM already in the trough of disillusionment?


And I thought, oh, that's a dismal view of attack surface management. But can you expand on that for me? Is it really that bad?


Yeah. Well, we were very surprised to learn this. So we are a, I don't know what the right word to describe us would be, I guess, reserved. We're a very reserved business. We're not, I mean, we're risk takers in the sense that, you know, here we are in business. Right? Mhmm.


Which is a risk to everybody to begin with.


But we are not reckless.


We're not like, we see our obligation to stay in business, to be a fruitful and profitable company. We see that as our obligation as a business. Right? And so when we first started to get the feel that there wasn't a good fit for any existing products out there that could make use of our intelligence to take ASM to where we thought it needed to be, we didn't immediately say, see, we're geniuses and everybody else is a fool, and here we go. We didn't do that.


Yeah. The Hebrews will hit you if you do things like that.


That's right. You know what they say about assume. Right? How they spell that. But, anyway, so what we did is we went out to validate what we thought we saw, and we went out and interviewed just a little less than four hundred and fifty practitioners.


Some of these practitioners were strategic as well. So think big shops where you have a split between your executive leadership and your, let's say, middle leadership and then your practitioners, all the way down to the small teams where there's just, like, five people total on the team, and your executive person is an executive practitioner as well. Okay. So they're not only the decision maker, they're the person who's gonna get out and do it. But we came up with this bunch of questions that we wanted to get a feel for, like, is there a market here? Is there an opportunity for us to create something new that's meaningful and beneficial to society, which is our focus as a business. Everything we do, by the way, is steered by this kind of idea.


Our company mission is to save and improve lives, and we take it very seriously.


So we didn't wanna make a product that's, you know, gonna waste anybody's time. We don't wanna make a product because we believe you can get more money, you can get more servers, you can get more everything. You can't get more time. So the number one asset we look to protect of our customers and our partners is their time.


And so we sat down and asked them, you know, where are the issues that you're seeing in this set of tools and what could make them better? And we were very surprised to hear how many people who were making use of ASM, so meaning they recognized a value when they heard about it the first time Mhmm.


Which the first approach, like I said, has largely been the static model where you have to know a bunch of stuff already. Like the person who's going out using it, you have to know this stuff. Well, if all you know is your, you know, IANA assigned IP space and you don't know, you know, how many storage buckets you have in Amazon. You don't know how many Azure instances you have in Microsoft.


You don't know. I mean, if you just don't know those things, if you don't know to know, well, the actual tool is not gonna know either then, because you don't know to inform it. Right?


Right.


So what we found was a lot of, I don't wanna use the word spite, but quite a bit of jade, quite a bit of, you know, a lot of clouds over that horizon. And people were, they were very honest about it. A little bit more than a third of them said they didn't plan to keep ASM around, that they were going back to their previous methods because they didn't see any true return on investment for what they had purchased. Mhmm. And, I mean, that goes without saying. Right? That's a problem.


Yeah.


If you've gone out and invested in some platform Right.


That you then say, well, we didn't get anything out of it. I mean, the last thing you wanna do is be the CISO telling the board how you spent a bunch of money Yeah.


This last quarter and didn't get anything out of it.


And the time, not just the money, but people too, and it can be very demoralizing for groups that are implementing things when they fail to have to regroup and go in a different direction. So it sounds like you had all of this great information that could really help organizations, but the big gap you came across was there wasn't an ASM that could intake that. So you decided to close that gap by creating your own.


That's right. So first what we did is we sat down to look and see, is there something we could do instead of this? Is there, like, a middle ground that wouldn't require us having to start something completely new? Mhmm. And we concluded there wasn't.


So then we thought, okay.


If we're gonna do this, we need to start with some people who know what they're doing. Mhmm. So we made an acquisition of a company in Israel called Amplicy.


Mhmm.


And we've started with their core product as kind of the starting point, and started to add all of the components that I've described, you know, the automated discovery Mhmm. The threat intelligence applied onto it, and then the modification to allow the company to apply their own business intelligence to it, those kind of three main facets, started to build those into it. And we have a product now that we think is, well, the next evolution, if you will, of it. And we've had a lot of folks take a look at it.


Brad LaPorte, who was the Gartner veteran who actually helped coin the term external attack surface management Mhmm.


With his input as well, we felt comfortable enough to call it ASM two point o. Meaning, this is the next evolution of this.


And that if your tool isn't doing anything ASM, but really, it takes a different approach and has a broader and deeper way of looking at things.


Exactly. And not just broader and deeper, but, actually, like, when you think about when you're adding in externally provided intelligence Mhmm. You know, signal applied to it, you're getting an attacker's view also, so you can start to see what bad guys know about you.


And that's not something that your typical in house view is gonna provide to you, because you just, you know, can't typically get that kind of vantage.


So that's what we did. We added all these parts that we felt were special and unique.


And, well, like I said, it's ASM two point o.


Well, thank you. This has been very informative, and I would encourage people to go, again, read that report, learn more about your organization. Is there anything else you wanted to tell us about what's going on with either your company or the ASM two point o before we close?


Well, yeah. Sure.


I will tell folks that, you know, we aren't the first people to see the flaws in the first approach to ASM.


Keep in mind that there's lots of folks out there who already had products in the marketplace, and those are the products that the four hundred and fifty people that we chatted with are saying they're not gonna stay subscribed to.


So I would encourage people, if they're in the market or in the consideration for looking for an attack surface management tool, I would encourage them to look at how modern of a tool it is. Like, meaning is it something that's been around for ten years?


If it has, you might wanna ask yourself, is it doing everything that the new world needs, which is this off prem, cloud, dynamic, stand it up. You know, there are instances out there where people have Kubernetes instances where they have an IP address or service running on it for, like, thirty five seconds. Mhmm. Like, if your ASM tool can't track that type of granularity, if it's only IP based, if it's, you know, this type of stuff, I would encourage you to stop and ask yourself, is this how I'm computing? Is this what our workflow looks like? Is this tool gonna match what we're actually doing?


And I would wager it probably doesn't if the tool isn't, like, you know, pretty much brand new, because I really think, especially within days of work from home Mhmm.


You know that it's really gone around the whole planet.


Yeah.


I really don't think the days of kind of these static assets, I don't think they're coming back.


Yeah.


I think dynamic assets are here to stay.


It's more cost effective.


It's, you know, much more operationally risk friendly. Mhmm. If you think about it, you know, all the reasons why cloud computing was popular to begin with Yeah. Are turning out to be not only true, but important, as we had realized, you know, to begin with.


Yeah. Of course. You know, I like your point about the work from home and the work remote. We don't have people in offices relying on the protected network the way we have in the past, and being in far flung places.


I've always felt that this more remote model was coming on slowly, but people had a hard time knowing how to manage people who were not in the office, so the lazy default answer was, you know, the butts in seats. I'm managing my people because I could see them. But now that we've proven to all of us that there are other ways to manage things, I think you're right. I don't think we're ever going to go back to old ways of doing things.


I don't think we're ever going to go back from using cloud solutions the way we've been using them. And so evolving the attack surface management tools, I agree, is something that's definitely needed throughout the industry.


Excellent.


Well, I'm gonna put you down as the four hundred and fifty-first person to the... Sounds good.


David, thank you again for joining me today. It was really a pleasure talking to you, and I really enjoyed learning more about what you have going on there.


Yeah. Thanks, Jen. If anybody has any questions or wants me to follow up, they can reach us at c-y-m-r-u dot com.


That'll redirect you to our full domain, but that one's easy to read.


That's for sure. Thank you very much. Alright.


Bye bye. Thank you, Jen.


Cheers. Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
