What is attack surface management?

Attack surface management (ASM) is the process of maintaining visibility into an ever-changing network environment so that security teams can patch vulnerabilities and defend against emerging threats. So, what is an attack surface? It is your entire network, on-premises and off, together with the potential weak points through which an attacker could get in.

Forrester defines attack surface management as the process of continuously discovering, identifying, inventorying, and assessing the risks of an entity's IT assets. Based on all of the above, we can safely assume this is something security teams regularly struggle to stay on top of and address. Limited visibility into an environment means you don't know about everything that could possibly hurt the organization and the business.

With limited visibility, keep in mind that any kind of process in application development can suffer from a lack of observability into, for example, how code behaves in production. Simply put, limited visibility into the attack surface makes many aspects of business operations and security unreliable.

Security organizations can monitor and manage the attack surface by managing vulnerabilities, regularly testing web applications, automating response, and obtaining up-to-date visibility into indicators of compromise (IOCs). There is no single right way to manage the entire attack surface, especially in large enterprise organizations. But by increasing visibility, security teams can begin to tailor operations and look for solutions specific to their environment.

Why is attack surface management important?

Attack surface management is important because it provides the visibility, context, and prioritization needed to address vulnerabilities before attackers can exploit them; it is critical for teams that want a deeper understanding of their key risk areas. Attack surface management also helps IT, security staff, and leadership understand which areas are susceptible to attack, so the organization can find ways to minimize risk.

Aspects of the process, such as vulnerability assessments and penetration testing, are best practices teams can leverage to gain visibility and context into where breaches might occur along the attack surface. This overall attack surface analysis strategy can increase awareness of both technical and process-related risks.

  • Vulnerability assessment: A vulnerability assessment establishes a baseline of your systems and their vulnerabilities, maintaining continuous visibility of your environment and making stakeholders aware of the potential risks present. The focus is solely on identification, not exploitation.
  • Penetration testing: NIST defines penetration testing as a real attack on real systems and data, using the same tools and techniques as an actual attacker. Penetration testing, or pentesting, has the added benefits of helping an organization stay compliant and producing hard data detailing how attackers might gain entry.

What is external attack surface management (EASM)?

External attack surface management (EASM) is the process of identifying internal business assets that face the public internet and monitoring for vulnerabilities, public cloud misconfigurations, exposed credentials, or other external information and processes that an attacker could exploit. No inventory of these assets will be perfect; the goal is to obtain as close a snapshot as possible to help evaluate cloud security posture.

As mentioned above, misconfigurations can play a major role in your exposure. Properly configuring any cloud environment plays a key role in protecting it from a broad range of threats, whether deliberate attacks or unintentional mistakes.

EASM solutions are increasingly focused on identifying rogue external assets that could be part of an organization's attack surface. They should be able to tap into threat intelligence and enable threat hunting so practitioners can understand what bad actors are doing in the wild and how it could bleed into the internal environment.

They should also be able to leverage external threat intelligence from the post-perimeter attack surface to properly detect and prioritize risks and threats, from the nearest network endpoint out to the surrounding deep and dark web. An added benefit of doing so is less noise and a better overall signal-to-noise ratio.
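The core EASM loop described above, discovering what is actually reachable from the internet and reconciling it against what the organization believes it exposes, can be shown in a few dozen lines. The following is an added example, not code from the original page or from any Rapid7 product; the hostnames, IP addresses, inventory and scan findings are all constructed sample data, and the exposure rules (administrative ports reachable from the internet, expired TLS, publicly listable storage) are illustrative choices rather than a vendor's rule set.

```python
"""Reconcile a constructed external discovery result against a known asset
inventory, flag rogue (unknown) assets, and list the exposures an EASM
review would start from. All data below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ExternalAsset:
    """One internet-facing host as reported by an external discovery scan."""
    hostname: str
    ip: str
    open_ports: list[int] = field(default_factory=list)
    tls_expired: bool = False      # certificate on 443 is past its expiry date
    public_storage: bool = False   # object storage answers unauthenticated listing


# Constructed: what the organization *believes* it exposes.
KNOWN_INVENTORY = {"www.example.test", "api.example.test", "mail.example.test"}

# Constructed: what an external scan actually found.
DISCOVERED = [
    ExternalAsset("www.example.test", "203.0.113.10", [80, 443]),
    ExternalAsset("api.example.test", "203.0.113.11", [443]),
    ExternalAsset("mail.example.test", "203.0.113.12", [25, 443], tls_expired=True),
    ExternalAsset("staging-old.example.test", "203.0.113.50", [22, 8080]),
    ExternalAsset("backup-bucket.example.test", "203.0.113.51", [443], public_storage=True),
]

# Services that should rarely be reachable from the public internet (illustrative list).
ADMIN_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 3389: "rdp", 8080: "http-alt"}


def find_rogue_assets(discovered, known):
    """Return discovered hostnames that are missing from the inventory, sorted."""
    return sorted(a.hostname for a in discovered if a.hostname not in known)


def assess_exposures(asset):
    """List the exposure conditions present on a single asset."""
    findings = []
    for port in asset.open_ports:
        if port in ADMIN_PORTS:
            findings.append(f"{ADMIN_PORTS[port]} ({port}) reachable from the internet")
    if asset.tls_expired:
        findings.append("expired TLS certificate")
    if asset.public_storage:
        findings.append("publicly listable object storage")
    return findings


def easm_report(discovered, known):
    """Build the snapshot an EASM review starts from: the rogue asset list,
    plus every exposure keyed by hostname. Assets with nothing to report
    are left out so the output stays readable."""
    rogue = set(find_rogue_assets(discovered, known))
    report = {"rogue_assets": sorted(rogue), "exposures": {}}
    for asset in discovered:
        findings = assess_exposures(asset)
        if asset.hostname in rogue:
            # Unknown *and* exposed is the worst combination: nobody owns the fix.
            findings = ["not in asset inventory"] + findings
        if findings:
            report["exposures"][asset.hostname] = findings
    return report


if __name__ == "__main__":
    result = easm_report(DISCOVERED, KNOWN_INVENTORY)
    print("rogue assets:", ", ".join(result["rogue_assets"]) or "none")
    for host, items in result["exposures"].items():
        print(host)
        for item in items:
            print("  -", item)
```

Two of the five discovered hosts are not in the inventory, which is exactly the "rogue external asset" case the text describes: in a real program the next step is attributing each one to an owner, because an unowned host with SSH open or a listable bucket never gets fixed by accident.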

What are the challenges around mapping the external attack surface?

There are many challenges around mapping the external attack surface, but that does not mean there is no suitable SOC solution. Whether the team sits in one place or is scattered around the world, a globally distributed workforce must secure its modern attack surface. Let's look at a few of the highlights among these challenges:

Distributed IT ecosystems

The ephemeral nature of maintaining the bulk of operations in the cloud means there is no defined perimeter like in the "old days" of on-prem only. That perimeter is constantly shifting and expanding, so the challenge with distributed IT ecosystems that host and house an organization's clouds is that it can be difficult to monitor and secure a national or global perimeter that lies beyond the firewalls and other controls protecting local networks.

Siloed teams

Collaboration between traditionally siloed teams can be a challenge when attempting to monitor and map your attack surface for budding threats, especially when those teams may be geographically distributed, whether that means a network of remote workers, regional offices, or multinational headquarters. These days there is a greater focus on solutions that can provide the shared view and common language that bring those traditionally siloed teams together to work toward the common goal of threat prevention.

Your external attack surface is constantly changing

With known and unknown assets continually joining the network, your attack surface grows and changes every day. Most of the time this is because the company is growing, which is a good thing. However, any SOC worth its salt wants to make sure the expanding perimeter is as secure as possible. Automating operations can certainly cut down on the time it takes to secure an expanding attack surface, allowing developers and security analysts to collaborate more closely and prioritize vulnerabilities.

What are the core functions of attack surface management?

Discovery

This includes extensive scanning to discover systems and/or assets that may be particularly open to threats. These types of assets can be anything from application builds, to personal devices joining the corporate network, to the hardware and software of supply chain partners. That last point is of particular concern, because most companies in existence use the services of multiple vendors, each of which uses the services of its own multiple vendors, and so on.

This complexity and dependence on a web of many partners highlights the need to go beyond discovery, toward faster scanning and visibility in real time. As threat actors' means of intrusion get faster, security organizations must keep pace with ever-shorter exploit development times.

Testing

Regular testing, of varying types, is a reliable way to ensure applications and systems are properly secured. From there you can decide what action needs to be taken to harden the perimeter.

  • Dynamic application security testing (DAST): A DAST approach involves looking for vulnerabilities in a running web application that an attacker might try to exploit.
  • Static application security testing (SAST): SAST takes an inside-out approach, meaning that, unlike DAST, it looks for vulnerabilities in the web application's source code.
  • Application penetration testing: Application penetration testing involves the human element. A security professional will try to imitate how an attacker might break into a web app, using both their personal security know-how and a variety of penetration testing tools to find exploitable vulnerabilities.

Context

It is very important to understand the context of a potential risk or threat. Data sprawl and complexity can lead to an unwieldy attack surface that poses major challenges to security operations (SecOps) teams looking to fully understand threats and manage vulnerabilities at an ever-increasing pace.

Contextualized threat intelligence can help provide insights into every layer of your tech stack so you can effectively prioritize and respond to risks and threats. This means more than just intelligence feeds; it also means understanding public accessibility, the presence of vulnerabilities, whether an asset is associated with a business-critical application, and more. Vulnerabilities carry a degree of risk, and so does every asset on the network. It is therefore crucial to have strategies in place that prioritize remediation of the most sensitive risks before they become real threats.

Prioritization

The sheer number of security issues that can arise in a security organization, whether in the SOC or elsewhere, is not necessarily an indicator of the team's ability to stop threats and patch vulnerabilities. The modern attack surface spans both on-premises and cloud environments. This sprawl includes scenarios such as identity and access management (IAM) teams handling millions of distinct identities as every resource and service is assigned a role. Each role carries its own exploitable permissions and privileges.

Last year, 88% of organizations reported that they plan to do more, among other things, to improve alert context and prioritization. Automating processes like risk analysis and workflow frameworks can vastly decrease the complexity and enormity of evaluating which incidents are most in need of timely remediation.
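The Context and Prioritization sections above both come down to the same operation: take raw severity, fold in public accessibility, business criticality and the privileges of the attached identity, and rank. The following is an added example, not code from the original page or from any Rapid7 product; the four assets, their CVSS values and the multipliers are constructed for illustration, and the weighting scheme is an assumption chosen to show the idea, not a published scoring standard.

```python
"""Rank assets for remediation using severity plus context. Constructed
sample data; the weights are illustrative, not a standard."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    max_cvss: float            # highest CVSS base score among its open findings
    internet_facing: bool      # reachable from the public internet
    business_critical: bool    # backs a revenue- or safety-critical application
    privileged_role: bool      # attached identity holds admin-level permissions


# Constructed inventory: a high-severity finding on an internal wiki competes with
# a lower-severity finding on an internet-facing, business-critical API.
ASSETS = [
    Asset("intranet-wiki", 9.8, internet_facing=False, business_critical=False, privileged_role=False),
    Asset("payments-api", 7.8, internet_facing=True, business_critical=True, privileged_role=False),
    Asset("ci-runner", 6.5, internet_facing=False, business_critical=False, privileged_role=True),
    Asset("marketing-site", 5.3, internet_facing=True, business_critical=False, privileged_role=False),
]

# Context multipliers (assumed values): each one answers "why does this matter more?"
WEIGHTS = {
    "internet_facing": (1.5, "reachable without an existing foothold"),
    "business_critical": (1.3, "impact lands on a business-critical application"),
    "privileged_role": (1.4, "attached identity widens the blast radius"),
}


def risk_score(asset):
    """Severity scaled to 0..98, then multiplied by each applicable context factor."""
    score = asset.max_cvss * 10
    for attr, (factor, _) in WEIGHTS.items():
        if getattr(asset, attr):
            score *= factor
    return round(score, 1)


def explain(asset):
    """The context an analyst sees next to the score, so the ranking is auditable."""
    reasons = [f"max CVSS {asset.max_cvss}"]
    reasons += [why for attr, (_, why) in WEIGHTS.items() if getattr(asset, attr)]
    return reasons


def prioritize(assets):
    """Return (name, score) pairs, highest risk first."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [(a.name, risk_score(a)) for a in ranked]


if __name__ == "__main__":
    for name, score in prioritize(ASSETS):
        asset = next(a for a in ASSETS if a.name == name)
        print(f"{score:6.1f}  {name:15s}  " + "; ".join(explain(asset)))
```

Severity alone would put the intranet wiki (CVSS 9.8) first; with context the internet-facing, business-critical payments API moves to the top and the wiki drops to second. The `explain` output is the "alert context" the survey respondents above want to improve: a number without reasons is hard to act on or to challenge.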

Establishing and enforcing compliance

It is critical to achieve and continuously enforce internal compliance and, where applicable, regulatory standards that shrink the attack surface as much as possible.

Rigorously adhering to compliance policies can have the benefit of accelerating response time within that smaller attack surface. By automating as much as possible, you can reduce the blast radius when an attack or breach occurs. Shifting security left is an example of how those standards can also create a culture of faster response. This means integrating security earlier into the application development and deployment process, via continuous template scans while builds are taking place, and also post-deployment.
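"Continuous template scans while builds are taking place" means checking infrastructure definitions against the organization's standards before anything is deployed, and failing the build when they are not met. The following is an added example, not code from the original page or from any Rapid7 product: it scans a constructed template in a generic JSON shape (not any specific cloud provider's schema) with a weak version beside a hardened one, and the three rule families (world-open administrative ports, public or unencrypted storage, public or unencrypted databases) are illustrative choices for what such a standard might require.

```python
"""Shift-left template check: scan an infrastructure template for settings
that widen the attack surface, and gate the build on the result.
The template format and rules are illustrative, not a vendor schema."""
import json

# Constructed weak template: three resources, each with a common misconfiguration.
WEAK_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                 {"port": 22,  "cidr": "0.0.0.0/0"}]},
    {"type": "storage_bucket", "name": "logs",
     "public_read": true, "encryption": "none"},
    {"type": "database", "name": "orders-db",
     "publicly_accessible": true, "storage_encrypted": false}
  ]
}
""")

# Constructed hardened template: same resources, corrected settings.
HARDENED_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                 {"port": 22,  "cidr": "10.0.0.0/8"}]},
    {"type": "storage_bucket", "name": "logs",
     "public_read": false, "encryption": "aes256"},
    {"type": "database", "name": "orders-db",
     "publicly_accessible": false, "storage_encrypted": true}
  ]
}
""")

WORLD = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}          # the only ports a public web tier is expected to open


def check_security_group(res):
    for rule in res.get("ingress", []):
        if rule.get("cidr") in WORLD and rule.get("port") not in WEB_PORTS:
            yield ("SG-001", "high", f"port {rule['port']} open to the whole internet")


def check_storage_bucket(res):
    if res.get("public_read"):
        yield ("BKT-001", "high", "bucket allows public read")
    if res.get("encryption", "none") == "none":
        yield ("BKT-002", "medium", "bucket is not encrypted at rest")


def check_database(res):
    if res.get("publicly_accessible"):
        yield ("DB-001", "high", "database reachable from the internet")
    if not res.get("storage_encrypted", False):
        yield ("DB-002", "medium", "database storage is not encrypted")


CHECKS = {
    "security_group": check_security_group,
    "storage_bucket": check_storage_bucket,
    "database": check_database,
}


def scan_template(template):
    """Return one (resource, rule_id, severity, message) tuple per finding."""
    findings = []
    for res in template.get("resources", []):
        check = CHECKS.get(res.get("type"))
        if check is None:
            continue                      # unknown resource types are not judged
        for rule_id, severity, message in check(res):
            findings.append((res["name"], rule_id, severity, message))
    return findings


def build_gate(template):
    """True if the build may proceed: no high-severity findings remain."""
    return not any(f[2] == "high" for f in scan_template(template))


if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(f"{label}: gate {'PASS' if build_gate(tpl) else 'FAIL'}")
        for name, rule_id, severity, message in scan_template(tpl):
            print(f"  {rule_id} [{severity}] {name}: {message}")
```

The same checks can run again after deployment against the live configuration; the point of running them at build time is that the fix is a one-line change to a template rather than an incident.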

Remediation

As the network grows, so does the attack surface. For attackers, that is a lot of room to find a way in and make the most of it. With contextual threat intelligence and prioritization, as discussed above, you can over time think like an attacker, staying one step ahead and fixing issues before they are exploited. Automated remediation plays a critical part in the ability to rapidly address one potential threat after another.

Read more about attack surface security

Attack surface security news: the latest Rapid7 blog posts

Rapid7 blog: Cyber Asset Attack Surface Management 101