Attack surface management

All possible entry points for unauthorized access and exploitation together make up an attack surface. The goal of attack surface reduction is to keep the total attack surface as small as possible by sealing off entry points that could be exploited. Targets are identified and risks are assessed based on what a bad actor would perceive as an attack opportunity. The most common attack vectors are users, web, network, endpoints, applications, and data. Attack vectors will grow along with the organization, but the attack surface itself can still be reduced.

Why attack surfaces expand

  1. Sophisticated vulnerabilities: As technology advances, new and intricate vulnerabilities regularly emerge from coding errors, design flaws, or unintended interactions between components. Each of these vulnerabilities gives attackers an additional entry point.
  2. Lack of visibility: When adopting new technologies and devices, organizations may lose sight of parts of their infrastructure, leaving blind spots for attackers to exploit.
  3. Complexity of security controls: In large organizations with intricate networks and numerous applications, the more complex the security measures become, the more likely misconfigurations or overlooked vulnerabilities are.
  4. Adoption of cloud computing: Growing cloud adoption has brought numerous benefits, including scalability and cost efficiency. Cloud environments, however, are exposed to supply chain attacks when bad actors infiltrate them through unsecured third parties.

Sealing the surface with Endpoint Central

Endpoints are the main point of entry, hold valuable information, and represent the network to the outside. The more endpoints there are, the larger the attack surface. Effective endpoint security and management is therefore crucial to minimizing the attack surface and strengthening an organization's overall security posture.

1. Detection

By continuously monitoring the network, gain pinpoint transparency into what comes into and what goes out of your network.

i) Visibility:

You can't manage what you can't measure. With real-time data from multiple touchpoints, spot everything at a glance.

  • Asset discovery & tracking
    With live notifications and predefined inventory reports, identify, control, and track all endpoints within your network.
  • Vulnerability assessment
    Scan for vulnerabilities and prioritize those that pose the greatest threat, based on severity, age, and whether exploit code has been disclosed.
  • Data discovery
    Detect and catalogue data as it is newly created or transferred within the network, enabling historical and predictive evaluations on the identified data.
  • Sensitive data classification
    Establish sensitivity classifications for data and implement appropriate controls to prevent unauthorized access.
  • Web activity tracking
    Monitor usage of websites, extensions and web apps to quantify usage of work-related sites and limit access to non-work sites.
  • Device audit
    Check for the presence of antivirus software, port usage, and encryption status on devices to ensure compliance with security policies.
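The vulnerability assessment item above prioritizes findings by severity, age, and exploit code disclosure. The following is an added illustration of that kind of ranking, not Endpoint Central's own scoring: the weights, the sample findings, and the `VULN-000x` identifiers are all constructed for the example.

```python
"""Rank discovered vulnerabilities by severity, age, and exploit-code
disclosure.  Added illustration; the weights below are assumptions, not
Endpoint Central's scoring, and the findings are constructed sample data."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str          # placeholder identifiers, not real CVE numbers
    severity: str         # "critical", "important", "moderate" or "low"
    published: date       # date the vulnerability was disclosed
    exploit_public: bool  # public exploit code is known to exist
    patch_available: bool # vendor patch exists (else a mitigation script is needed)


SEVERITY_WEIGHT = {"critical": 10, "important": 7, "moderate": 4, "low": 1}

# Constructed "today" so the example is deterministic.
TODAY = date(2024, 6, 1)


def risk_score(f: Finding, today: date = TODAY) -> float:
    """Higher score = remediate first.

    Age adds one point per 30 days since disclosure, capped at 5; public
    exploit code doubles the score; a missing vendor patch adds 2 so the
    finding is flagged for a mitigation script rather than left waiting."""
    age_days = (today - f.published).days
    score = SEVERITY_WEIGHT[f.severity] + min(age_days // 30, 5)
    if f.exploit_public:
        score *= 2
    if not f.patch_available:
        score += 2
    return float(score)


def prioritize(findings, today: date = TODAY):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: risk_score(f, today), reverse=True)


def needs_mitigation_script(findings):
    """Findings with no vendor patch: candidates for prebuilt mitigation scripts."""
    return [f.vuln_id for f in findings if not f.patch_available]


# Constructed sample scan results for three hosts.
SAMPLE = [
    Finding("host-a", "VULN-0001", "critical", date(2024, 5, 20), False, True),
    Finding("host-b", "VULN-0002", "important", date(2023, 12, 1), True, True),
    Finding("host-c", "VULN-0003", "moderate", date(2024, 3, 1), False, False),
    Finding("host-a", "VULN-0004", "low", date(2024, 1, 1), True, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.host:8}  {f.vuln_id}  {f.severity}")
    print("no patch, needs mitigation script:", needs_mitigation_script(SAMPLE))
```

Note that an old, low-severity finding with public exploit code outranks a brand-new critical one here; whether that is the right ordering is a policy decision, which is why the weights are kept in one place where they can be tuned.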

ii) Anomaly detection:

Using intelligent detection algorithms, identify patterns and anomalies in network traffic that may indicate unauthorized activities.

  • Behavior monitoring
    Set baseline behavior for each endpoint and user, using machine learning algorithms to identify abnormal patterns to trigger alerts for further investigation.
  • Misconfigurations
    Monitor configuration drifts and correct them immediately.
  • High-risk software
    Flag and eliminate high-risk software such as end-of-life (EOL), peer-to-peer, and remote connection software.
  • File integrity monitoring
    Detect unauthorized changes and tampering by monitoring file handling and generate mirror copies in password-protected shares.
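The misconfiguration and file integrity monitoring items above both rest on the same mechanism: record a baseline, re-observe, and report the difference. The block below is an added illustration of that mechanism, not Endpoint Central's implementation; the files, the desired configuration, and the "observed" values are all constructed inline so it runs offline.

```python
"""Baseline-and-compare checks for file integrity and configuration drift.
Added illustration, not Endpoint Central's implementation; the monitored
files and the expected configuration are constructed sample data."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            result[p.relative_to(root).as_posix()] = digest
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or whose content hash changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed desired state for a host; key names are illustrative only.
EXPECTED_CONFIG = {
    "firewall.enabled": "true",
    "rdp.enabled": "false",
    "disk.encryption": "on",
    "screen.lock_minutes": "10",
}


def config_drift(expected: dict, actual: dict) -> dict:
    """Keys whose observed value differs from the desired state.
    A key missing from the observed state counts as drift (reported as None)."""
    return {k: (v, actual.get(k)) for k, v in expected.items()
            if actual.get(k) != v}


def demo() -> dict:
    """Build a baseline, simulate changes, and return what the checks report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("port=443\n")
        (root / "bin_tool").write_bytes(b"\x7fELF stub")
        baseline = snapshot(root)
        # Constructed changes: one file edited, one removed, one new file.
        (root / "etc" / "app.conf").write_text("port=8443\n")
        (root / "bin_tool").unlink()
        (root / "etc" / "unexpected.conf").write_text("debug=1\n")
        file_changes = diff_snapshots(baseline, snapshot(root))
    # Constructed observed configuration: rdp flipped on, lock timeout missing.
    observed = {"firewall.enabled": "true", "rdp.enabled": "true",
                "disk.encryption": "on"}
    return {"files": file_changes, "config": config_drift(EXPECTED_CONFIG, observed)}


if __name__ == "__main__":
    report = demo()
    print("file changes:", report["files"])
    print("config drift:", report["config"])
```

In a real deployment the baseline would be stored away from the monitored host (the page's "mirror copies in password-protected shares"), since a baseline the attacker can rewrite detects nothing; the drift report is what an automated "correct immediately" action would consume.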

2. Prevention

Once the attack surface is defined, take proactive measures to protect the surface and the network from compromise. Define the exact behavior you want your endpoints to follow so you can stay confident that they follow it.

i) Endpoint hardening:

  • Allowlisting & blocklisting
    Create rule-based allowlists and blocklists for devices, software installation, websites, extensions and web apps to limit the access to only authorized parties.
  • Geo-fencing
    Establish geographical boundaries for endpoints, restricting access from unauthorized locations.
  • Kiosk mode
    Enforce a kiosk mode that allows only approved websites and web apps.
  • Conditional exchange access
    Specify conditions for accessing Exchange services.

ii) Micro-segmentation:

Network segmentation prevents attackers from moving vertically, while micro-segmentation prevents them from moving laterally at the device and application level.

  • Application and user privilege management
    Ensure zero-trust security with role-based and time-based privileges for applications.
  • Data leak prevention
    Maintain proper control of external and internal data transfers, prevent data leakage, restrict lateral file movements, and prevent copying based on the size and type.
  • USB device management
    Keep track of USB device usage to prevent unauthorized data transfers or malware infections.
  • JIT access
    Provide temporary access privileges to users only when necessary, reducing the attack surface.
  • Containerization
    Compartmentalize the personal and corporate data on BYODs with logical containers.
  • Admin rights removal
    Remove unnecessary administrative privileges to minimize privilege misuses.

3. Remediation

Even with robust preventive measures in place, the surface may still be breached, so it is important not to be taken by surprise and to have a plan ready.

Incident response automation:

Endpoint Central triggers predefined response actions to ensure rapid containment and eradication of malicious activity.

  • Recovery and rollback
    Implement quick recovery and rollback mechanisms to restore affected endpoints to a known secure state.
  • Zero-day mitigation
    Deploy zero-day patches and prebuilt, tested mitigation scripts to prevent further exploitation.
  • System quarantine
    Keep compromised systems or endpoints isolated to prevent the spread of malware.
  • Disengage devices
    In extreme cases, initiate a complete wipe to reset the device, or a corporate wipe that leaves personal data untouched on BYOD devices.