Understanding Your Attack Surface: The Key to Effective Exposure Management

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, Tenable security engineer Aaron Roy shares how he led the integration of attack surface management with exposure management. You can read the entire Exposure Management Academy series here.
Knowing your attack surface is fundamental to cybersecurity today. But many questions come to mind:
- What exactly is the attack surface?
- Why does it matter?
- How do you even go about figuring it all out?
I’ll try to answer those questions in this post. In my short time as an information security engineer at Tenable, our shift to exposure management has really brought home just how critical cyber asset attack surface management (CAASM) is.
Understanding the attack surface
I think of the attack surface as the perimeter of a house. Every door, window and maybe even a loose brick is a potential entry point. The larger the house, the more points of entry.
Now, although it’s not as tangible as your house — in fact, it’s amorphous — the same goes for your digital environment. Every application, server, cloud instance and endpoint connected to the internet is part of your attack surface. If you don't know all those entry points, how can you possibly secure them?
Moving beyond vulnerability scans
You might be thinking, "We've got vulnerability scans. Isn't that enough?"
Well, sure, they’re important and we’d be lost without them. But traditional vulnerability management is just a piece of the puzzle. Exposure management gives you a broader perspective. In addition to identifying known vulnerabilities, exposure management gives you an understanding of the entire landscape of potential risk. This includes external attack surface management and the assets you might not even know you have.
How our ASM integration worked
Let me give you an example from my recent work on integrating Tenable Attack Surface Management with the Tenable One Exposure Management Platform.
Tenable Attack Surface Management helps you discover all the external domains and subdomains related to your organization. It's like finding all the hidden entrances to your digital house. One really good feature is that you can integrate this data with your vulnerability management and web application scanning tools.
Suddenly, you’ll see the big picture.
By integrating Tenable Attack Surface Management with Tenable Vulnerability Management, we gained enhanced visibility into external assets and web applications, and we can now launch scans against those discovered assets directly. The attack surface management data is then automatically integrated into the Tenable One platform, which gives us the additional ability to analyze it in context with other Tenable One findings.
Although it was a great help for discovering previously unknown external assets and initiating scans, a more significant aspect of the Tenable Attack Surface Management integration was its synergy with Tenable Web App Scanning. Because Tenable Web App Scanning is dedicated to identifying vulnerabilities within web applications, often customer-facing external sites, the Tenable Attack Surface Management integration proved highly valuable. It enabled the review of discovered domains and subdomains from Tenable Attack Surface Management directly within Tenable Web App Scanning, adding these to existing scans and schedules without leaving the application.
Integrating Tenable Attack Surface Management with Tenable Web App Scanning lets us automatically identify newly discovered domains and add them to our scanning schedules, which is a real game-changer.
This streamlined the process of identifying new web applications within our domains, automatically reporting them and eliminating the need to manually ask application owners for updates. This integration made reviews more efficient and enabled the addition of new scans and the elimination of irrelevant domains, such as 404 pages, that Tenable Attack Surface Management found.
Instead of relying on application owners to tell you about new sites (which, in reality, doesn't always happen), you can proactively discover them. And you might even find some old ones you’ve forgotten about.
My move from engineer to detective
One thing I've learned is that data from various sources can sometimes disagree. That conflict often requires a bit of detective work.
A tool might report something as XYZ, but is it really? You have to dig deeper and double-check the data. Think of it like checking your calculations during a test. Some might blindly trust a calculator without a second look. But it’s better to check, right?
The shift to a broader exposure management approach, facilitated by these integrations, involved a significant increase in data sources. Our team moved from managing data from 10-15 applications to potentially double or triple that number. This necessitated a rigorous process of detective work and data refinement to ensure accuracy and actionability.
Moving from just a few data sources to many can seem daunting. But it's not about complicating things. It's about getting a clearer picture.
The core challenge was verifying that the ingested data from various sources was correct and consistent. My team had to meticulously work through processes previously owned by other resources or teams, constantly iterating and refining them to optimize their effectiveness.
Sure, there’s work involved in checking and refining data from diverse sources, especially if that data was previously owned by another team with unique processes.
But in the long run, having all this information at your fingertips clarifies things. You’ll see the full scope of potential exposures.
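The two workflows described above, triaging newly discovered external domains against an existing scan schedule and spotting where two inventories disagree about the same asset, can be illustrated with a small reconciliation script. This is an added example and not Tenable's code; the discovered hostnames, the scan schedule, the probe results and the owner attributions are all constructed sample data, and `normalize_host` and `triage` are hypothetical helpers written for this illustration.

```python
"""Triage external-asset discoveries against an existing scan inventory.

Added example (not Tenable's code): every input below is constructed sample
data standing in for what an attack surface management tool, a web-app scan
schedule, a reachability probe and two asset inventories might return.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed: hostnames an attack surface tool reported for the organization.
ASM_DISCOVERED = [
    "Shop.Example.com.",          # mixed case and trailing dot: must be normalized
    "api.example.com",
    "legacy-portal.example.com",
    "old-campaign.example.com",
    "shop.example.com",           # duplicate of the first entry once normalized
]

# Constructed: targets already present in the web-app scan schedule.
SCAN_SCHEDULE = ["shop.example.com", "api.example.com", "retired.example.com"]

# Constructed: HTTP status a lightweight reachability probe returned per host
# (None means the host did not answer at all).
PROBE_STATUS = {
    "shop.example.com": 200,
    "api.example.com": 200,
    "legacy-portal.example.com": 200,
    "old-campaign.example.com": 404,
    "retired.example.com": None,
}

# Constructed: owner attribution from two inventories that do not agree.
OWNER_BY_SOURCE = {
    "cmdb":  {"api.example.com": "platform-team", "shop.example.com": "web-team"},
    "cloud": {"api.example.com": "payments-team", "shop.example.com": "web-team"},
}


def normalize_host(host: str) -> str:
    """Lower-case and strip the trailing dot so equivalent names compare equal."""
    return host.strip().rstrip(".").lower()


@dataclass
class TriageResult:
    add_to_schedule: List[str] = field(default_factory=list)    # live and not yet scanned
    review_404: List[str] = field(default_factory=list)         # discovered but 404: likely irrelevant
    stale_in_schedule: List[str] = field(default_factory=list)  # scheduled but unreachable and undiscovered
    owner_conflicts: Dict[str, Dict[str, str]] = field(default_factory=dict)


def triage(discovered, schedule, probe_status, owner_by_source) -> TriageResult:
    """Compare discovered hosts with the schedule and flag conflicting attributes."""
    found: Set[str] = {normalize_host(h) for h in discovered}
    scheduled: Set[str] = {normalize_host(h) for h in schedule}
    result = TriageResult()

    # New discoveries: scan them unless the probe says they are just 404 pages.
    for host in sorted(found - scheduled):
        if probe_status.get(host) == 404:
            result.review_404.append(host)
        else:
            result.add_to_schedule.append(host)

    # Scheduled targets the attack surface tool no longer sees and that do not
    # respond are candidates for removal rather than silent scan failures.
    for host in sorted(scheduled - found):
        if probe_status.get(host) is None:
            result.stale_in_schedule.append(host)

    # Detective work: the same asset attributed to different owners by different sources.
    all_hosts = set().union(*(set(m) for m in owner_by_source.values()))
    for host in sorted(all_hosts):
        owners = {src: m[host] for src, m in owner_by_source.items() if host in m}
        if len(set(owners.values())) > 1:
            result.owner_conflicts[host] = owners
    return result


if __name__ == "__main__":
    r = triage(ASM_DISCOVERED, SCAN_SCHEDULE, PROBE_STATUS, OWNER_BY_SOURCE)
    print("add to schedule:   ", r.add_to_schedule)
    print("review (404):      ", r.review_404)
    print("stale in schedule: ", r.stale_in_schedule)
    print("owner conflicts:   ", r.owner_conflicts)
```

The point of the normalization step is that two sources rarely spell the same asset identically, so naive string comparison manufactures phantom "new" assets; the owner-conflict check is the kind of disagreement that needs a human to resolve before the finding is routed to a team.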
The future of exposure management
Looking ahead, the goal of the exposure management team is to further streamline this process by ingesting all these disparate data sources and making them actionable in the simplest way possible for different teams, including the software development lifecycle. A key element of this ongoing shift involves integrating tools like those from Tenable’s recent acquisition Vulcan for security orchestration and ticketing.
The ultimate aim is to automate most of our currently manual processes, enabling frequent reporting of accurate and actionable information to stakeholders. This comprehensive approach ensures that we report all findings and vulnerabilities and that we monitor and adhere to SLAs for all products.
Takeaways
Having a clear plan of attack, pun intended, is vital. You can’t just wing it.
In our team, we’re working to inventory all the information from these new sources, understand how they worked before we took over and figure out how to make it even better. This involves refining processes, adding security orchestration and ensuring all our data is accurate and actionable. Plus, we can use Tenable One to analyze the data in context.
Ultimately, it's about knowing our attack surface, scanning it thoroughly, and making sure we can report on everything. That's how you manage exposure effectively. It’s not just about ticking boxes. It's about truly understanding what’s out there and taking the necessary steps to protect it.
Exposure management is an ongoing process. It's about evolving, adapting and always striving for better visibility. For me, that's what makes it so interesting.
Learn more
- Check out the Tenable exposure management resource center to discover the value of exposure management and explore resources to help you stand up a continuous threat exposure management program.