Analyzing the attack surface

Enterprises today are under more pressure than ever to minimize their “attack surface.”

That is, they need to detect Indicators of Exposure (IOEs), identify vulnerabilities, and capture and correct misconfigurations in security and network devices in both physical and virtual environments. This is an extremely challenging assignment: the IT organization must locate tens of thousands of vulnerabilities and misconfigurations concealed on its network, analyze and prioritize them, and remediate the most critical.

Clearly, automated tools are needed to perform these activities at scale. But what types of tools are needed most? How automated are IT security groups today? How satisfied are they with their capabilities and what are their priorities in terms of improving them?

CyberEdge conducted a survey for Skybox Security that is intended to answer these questions. It includes responses from 275 IT professionals around the world who work at companies with 500 or more employees. The report presents data about topics such as:

  • Current practices: How data on vulnerabilities and misconfigurations is being used today.
  • Collecting and discovering data: What automated tools are used to collect and discover data?
  • Analyzing and prioritizing data: How satisfied are organizations with their current ability to analyze and prioritize vulnerabilities and misconfigurations?
  • Remediation and provisioning: Which remediation processes are most (and least) automated?
  • Priorities going forward: What areas related to managing vulnerabilities and misconfigurations are the highest priority for automation?

Some of the key findings of the survey include:

  • In general, organizations tend to be most automated in, and most satisfied with, their ability to push patches to servers and to endpoints.
  • The areas where organizations were least automated, and least confident, were related to (a) collecting data about cloud-based systems and applications and (b) analyzing and remediating firewall rules that violate policies and regulations, making those the areas with the most room for improvement in the immediate future.
  • Remediation and provisioning processes (with the exception of pushing patches) were significantly less automated than other tasks covered in the survey.
  • Organizations using an attack surface visibility tool were significantly more likely to be satisfied with their capabilities to analyze and prioritize data. Having an attack surface visibility tool had a particularly strong impact on an organization's satisfaction with its ability to address compliance issues and regulatory requirements.
  • The areas where improving automation is the highest priority in the immediate future are managing the remediation of vulnerabilities, analyzing and prioritizing vulnerabilities, and managing the remediation of misconfigurations and rule violations.

Enterprises today are still struggling to uncover Indicators of Exposure and to analyze, prioritize and correct vulnerabilities and misconfigurations.

At the same time, the survey results suggest progress. Significantly more respondents said that the ability to perform key tasks has become easier in the last 12 months than said the tasks have become more difficult.

The data also shows a clear correlation between automated processes and satisfaction. Those task areas where the most organizations used automated tools were also the areas where the most organizations were satisfied with their ability to perform the tasks, and the fewest were dissatisfied.

For example, a near-perfect 92% of organizations use an automated tool to detect vulnerabilities on hosts and servers, while only 54% use an automated tool to assess security controls on cloud-based systems and apps. This correlates with satisfaction: 81% are somewhat or very satisfied with their capabilities in the former area and only 60% in the latter.

The survey took a close look at the value of using an attack surface visibility tool, and found it to be significant. For tasks involving collecting and discovering security data, organizations with an attack surface visibility tool tended to be somewhat or very satisfied 20%-30% more often than their peers without such a tool. For tasks related to analyzing and prioritizing data, organizations with an attack surface visibility tool were satisfied from 13% to 33% more often.

The data also points to areas that need improvement, particularly for tasks involving remediation and provisioning. Around half of the organizations (between 44% and 53%) have processes that are primarily or completely manual for activities such as remediating misconfigurations on servers, provisioning firewall rules, remediating systems and data access rules, and remediating firewall rules that violate policies. There were also weak spots in other areas; for tasks involving data collection, respondents were least satisfied with the ability to collect data about security controls on virtual systems and with security controls on cloud-based systems and applications.

Automated tools are needed to improve performance in these areas. This survey provides data on what processes for detecting, prioritizing and remediating vulnerabilities and misconfigurations are most and least automated today.

The extent of automation of processes related to vulnerabilities and misconfigurations, and satisfaction with current capabilities, tend to go together. For the most part both are highest for tasks related to collecting and discovering data, somewhat lower for tasks related to analyzing and prioritizing data, and lowest for remediation tasks (except for pushing patches, which is highly automated).

This pattern suggests that many organizations can profit from investing in tools to automate aspects of remediation (and provisioning rules to devices and firewalls), although automation in other areas will also increase satisfaction.

Organizations emphasizing compliance and policy enforcement should be especially alert to opportunities to deploy an attack surface visibility tool. The survey data showed that organizations using an attack surface visibility tool were significantly more likely to be satisfied with their capabilities to analyze and prioritize data.

For full details on this CyberEdge Group report, visit Skybox Security here.

Jon Friedman, CyberEdge