Ask the Expert: What is the difference between vulnerability management and attack surface management?
Kirk Hogan, Chief Innovation Officer at Iceberg Networks, and Allan Liska, CSIRT at Recorded Future, sat down to answer some questions they are hearing about how organizations can prepare for all levels of vulnerability: how to get the best vulnerability prioritization, where to look for vulnerabilities and whether those are in fact the MOST critical ones, and how to bring in management best practices and tools that help organizations elevate their approach. The following is an edited transcript of the conversation.
Kirk Hogan: When we think about a vulnerability, it is a potential exploit on something, and we’re going to stick with cyber. So it’s likely a cyber asset, something that you can reach with an IP address, something that’s got a blinking light, whatever it is, but let’s consider that a piece of surface, right? It literally is a piece of surface. But a vulnerability management program doesn’t really consider it as a piece of surface; it considers it as an asset independently. And we don’t understand how it necessarily interplays with the other parts of your environment — and the environment is people and process and technology at this point. So we don’t understand how it interplays necessarily, but we’ll figure it out when we have to address a vulnerability. And I understand why people get here, and it’s an evolution. So when a vulnerability comes in, they assess to see whether it’s important enough to fix; if it is, they fix it, and then they confirm it’s fixed, and they move on to the next one in the list. That is more proactive than incident management. But it is less proactive than attack surface management. And now, the difference, for me anyway, is that attack surface management is understanding everything that is facing the inside and outside worlds that is of a cyber nature. And that is everything. Because as we expand the surface through IoT and all these BYOD devices, the network barriers have been broken down. So all of this surface is now very expansive. So that’s the difference in concept. And before I go any further, do you, Allan, have any ideas on that as well?
Allan Liska: I think your point about the interconnectedness is really important, because attacks work in stages; you know, I think that’s fairly well accepted now. So understanding how an exposed Citrix server that might be vulnerable connects to the internal network, which connects to the Active Directory domain controller, which will then be exploited by a threat actor, again, whether it’s a nation state or a cyber criminal, and really understanding how one vulnerability here that’s unpatched can lead to the exploitation of your entire network and your data being stolen, and everything else that could possibly go wrong, is, I think, a big part of that attack surface management process.
Kirk Hogan: I mentioned people, process and technology, and I’m not going to go too far down into the future-looking area. But I think you’ll find that in the future people will be considered part of the attack surface as well. And they are now, informally, but when you think about what phishing really is, phishing really is a human attack surface. Because they’re preying on psychological attributes, willingness or the fear of missing out — I need to be able to understand what’s behind that link — and then it works. And that’s not a technology, that’s not a cyber surface, that is a human surface. So attack surface management is really about understanding everything that can penetrate that veil. And when we think about that, now we can start to design what our response is for these different elements within an attack surface, and certainly, we’re more proficient at the technology pieces, and it’s probably the right priority because we’re an avenue into technology. So they really want what the technology will give us. So I think that if we consider that, then we can prioritize, and this is the other premise that I think is important for attack surface management: prioritize what you need to define. So yes, you’ve got thousands or tens of thousands of these IT assets. You don’t have to do it all at once, but start somewhere where you are using gut instinct, or some intelligence, some data: what are your most critical assets, and I’ll call those human, process and technology. Again, if we identify those, and get a model in place that helps us articulate inventory and identify what the interrelationships are within the attack surface, then we can expand that, because once we trust the model, it allows us to identify it and protect it, then we have confidence that it really doesn’t matter how big the attack surface gets — things to get on our surface now have to go through some sort of governance in order to become part of our surface.
Vulnerability management assumes you already have done some sort of a calculation, but as we also described, risk changes. It changes in the context of the outside world and the inside world. So I believe that once we get into attack surface management, it goes beyond the traditional vulnerability management solutions, which are technology based, and where there’s a small business unit responsible for that. When we think about attack surface management, now we’re including a lot of other functions. It can be the IT function, the asset management function, the HR function — a lot of these functions now need to feed into attack surface management. The benefit to the organization if they focus on this is that you will have a better understanding that will support many of the other functions — you will have intelligence around context that will support a strategy. You’ll have contextual information around things like budgetary investment, and these things are not possible if you don’t think about attack surface management.
See all the Ask the Expert videos in this series:
Ask the Expert Part 1: Why CVSS isn’t enough?
Ask the Expert Part 2: How can I make my vulnerability solution more responsive?
Ask the Expert Part 3: How do you level up your vulnerability management?
Ask the Expert Part 4: What is the difference between vulnerability management and attack surface management?