Attack Surface Management with RiskIQ’s PassiveTotal Platform


Reading time: 3 minutes

Last updated on January 13, 2022

Threat investigation

Every organization has an attack surface, made up of all the hardware, software, SaaS resources and cloud-based assets that connect to the Internet. Everything from web servers and web applications to network assets, IoT devices, social media content and shadow IT – even your critical vendor environments – is part of your attack surface.

How do you approach the proactive monitoring and management of something so vast, complex and constantly changing?

To discuss the security value of attack surface management tools and services, a recent episode of The Virtual CISO Podcast features Steve Ginty, Director of Threat Intelligence at RiskIQ. The podcast is hosted by John Verry, Pivot Point Security CISO and Managing Partner.

Managing vulnerabilities and threats through attack surface management

In the RiskIQ model, attack surface management begins with big data analysis. From there, RiskIQ offers various ways to view and process that data in support of security goals such as threat intelligence, incident response or day-to-day security operations, as part of its PassiveTotal investigation platform.

“What PassiveTotal allows organizations to do is come in with a suspicious or malicious IP or domain, and ask us to provide everything we know about this entity from PDNS [protective DNS], malware, WHOIS, our scanning infrastructure, etc. We basically allow organizations to make an assessment of whether something is good or bad, and if it is bad, does it have any other associations? Like, does this IP have other domains that could be malicious? Did the actor use the same WHOIS email address to register multiple domains?”

The main value of this capability is to make threat intelligence available from an aggregate perspective of the Internet, which can help RiskIQ customers evaluate and examine events more quickly.

Bigger data equals sharper insight

Sorting the signal from the noise remains a major ongoing challenge. But there is power in tracking consistent and repeated observations on a huge scale.

“Because we perform this crawling and active scanning on a daily basis, we can flag something as malicious,” Steve says. “It’s more geared towards domains and hosts, but we’ll add things with high fidelity to each of our blocklists. So, if we’ve seen that specific host and URL in a phishing campaign, the URL is bad. If we see the host associated with multiple URLs, once it reaches the threshold …”

Because so much of the Internet runs on shared cloud infrastructure and changes constantly, malicious resources are often recycled at lightning speed. “I was looking at something that was Cobalt Strike two months ago, and today it’s part of Slack’s CDN because it’s an AWS IP address,” says Steve. “It’s something we wrestle with and talk about a lot.”

Again, the benefit of RiskIQ’s visibility and analysis is to reduce noise and shorten time to insight. Applying their blocklists within your own environment is a good example of how attack surface management can yield proactive results in reducing exposure.
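As an added example (not RiskIQ’s code and not PassiveTotal’s actual scoring logic), here is a small Python model of the blocklist promotion described above: a URL seen in a campaign is blocked outright, a host is promoted to the blocklist once enough distinct bad URLs are tied to it, and IP indicators expire after a window so that a reassigned cloud address is not blocked forever. The threshold, the TTL and the sample observations are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample observations (documentation-range IPs, not real indicators):
# (URL seen in a phishing campaign, IP it resolved to, ISO timestamp of the sighting).
OBSERVATIONS = [
    ("http://login-example.test/verify", "203.0.113.10", "2022-01-01T10:00:00"),
    ("http://login-example.test/reset", "203.0.113.10", "2022-01-03T09:30:00"),
    ("http://login-example.test/confirm", "203.0.113.10", "2022-01-05T12:00:00"),
    ("http://cdn-shared.test/kit.zip", "198.51.100.7", "2021-10-20T08:00:00"),
]

HOST_THRESHOLD = 3           # assumed: distinct bad URLs before the whole host is blocked
IP_TTL = timedelta(days=30)  # assumed: IP indicators expire; cloud IPs get reassigned

def build_blocklists(observations, now, host_threshold=HOST_THRESHOLD, ip_ttl=IP_TTL):
    """Return (bad_urls, bad_hosts, bad_ips) derived from raw campaign sightings."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    bad_urls = set()
    urls_per_host = defaultdict(set)
    last_seen_ip = {}
    for url, ip, seen in observations:
        seen_at = datetime.fromisoformat(seen)
        bad_urls.add(url)  # a URL observed in a campaign is bad outright
        host = urlparse(url).hostname
        urls_per_host[host].add(url)
        last_seen_ip[ip] = max(seen_at, last_seen_ip.get(ip, seen_at))
    # Promote a host only once it is tied to enough distinct malicious URLs.
    bad_hosts = {h for h, urls in urls_per_host.items() if len(urls) >= host_threshold}
    # Keep only recently seen IPs: an address that served C2 months ago may now
    # belong to an unrelated tenant of the same cloud provider.
    bad_ips = {ip for ip, ts in last_seen_ip.items() if now - ts <= ip_ttl}
    return bad_urls, bad_hosts, bad_ips

def verdict(url, ip, blocklists):
    """Most specific match wins: exact URL, then host, then IP, else allow."""
    bad_urls, bad_hosts, bad_ips = blocklists
    host = urlparse(url).hostname
    if url in bad_urls:
        return "block:url"
    if host in bad_hosts:
        return "block:host"
    if ip in bad_ips:
        return "block:ip"
    return "allow"
```

A new path on a promoted host is blocked even though that exact URL was never seen, while the stale IP from October falls out of the IP list on its own.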

What next?

To learn more about how attack surface management can help your company, you will find the full episode with Steve Ginty here: EP # 69 – Steve Ginty – Can You Benefit From Attack Surface Management? – Pivot Point Security

Looking for more insights on cloud security management? Take a look at this episode with John Grange, CTO at OpsCompass: https://www.pivotpointsecurity.com/podcasts/ep64-john-grange-head-in-the-clouds-multi-cloud-security-governance/
