For many of the region’s businesses, the cloud is home now, and Web applications feed a burgeoning appetite for customer and employee experiences. But there is a dark side to the Web application. It often works with personally identifiable information (PII) and is, therefore, a target for those engaging in financial crime, corporate espionage, and a range of other activities that cause people to turn to cybersecurity specialists.
Web applications are like any other software. They have their vulnerabilities, and some in the digital ether spend their lives poking and prodding to uncover and exploit these flaws. They waltz through weak walls, taking advantage of misconfigurations and failures in integrity, patching and authentication. If being aware of these holes is Step One in defending against attacks, a closely related Step Two would be to find and decommission the Forgotten Web Server. These public-facing service hosts are tempting tunnels to threat actors, as are any unsecured Web assets.
Chasing down and adequately protecting everything is a challenge. Siloed tools do not cover both internal and external apps. Other related tools may be part of an AppSec (application security) program. This is the point solutions problem, we hear about so often, especially since IT suites have become so complicated in the wake of mass cloud migration. SOC teams are bogged down daily in tedious, manual, and suboptimal tasks that lead to precious little value added. Teams routinely miss vulnerabilities in critical apps, risk spreads, and teams become more stressed waiting for catastrophe.
The top priority must be discovering Web assets, wherever they reside, and their operationalisation within the AppSec program. Otherwise, there is no route to the reduction of both the total cost of ownership and the mean time to repair. The process of discovery must be an integral part of the security strategy. Put simply: how can we protect what we cannot see? We need a multi-step plan that serves the enterprise’s AppSec program. And to execute the plan, we need a new capability called external attack surface management (EASM).
EASM allows SOCs to automate the discovery of all external digital assets, including all Web applications, domains, and subdomains. Once built, this inventory forms the foundation of effective protection measures. When executing this step, the average organisation finds that somewhere between 20% and 40% of their Web assets are not protected by the AppSec program because they were previously unknown. It turns out that comprehensive inventories and 360-degree visibility are all but synonymous. And once the AppSec team has added these newly discovered assets to their purview, they are far better able to protect the environment as a whole.
EASM approaches asset discovery by using an organisation’s company name or top-level domain (TLD) name to run a sweeping search that identifies and monitors any asset created. EASM is sensitive to organisational structures such as subsidiaries and can easily handle structural changes such as mergers and acquisitions. Nothing can hide from the search — no asset domain or subdomain. EASM augments the discovered information with WhoIs data, DNS records, and SSL certificate details. These data points provide the necessary context to monitor all assets’ creation date, type, and ownership.
The GCC region is no exception to the global trend of slim budgets and skills gaps leading to under-resourced security teams. Trying to plug every vulnerability is an impractical proposition. EASM brings the capability to automate the reliable discovery of all assets and their prioritisation for attention by the AppSec team. With careful categorisation, Web applications can be queued for patches or reconfiguration in a way that accounts for on-hand human resources.
Business-criticality information combined with risk-profile data adds another layer of visibility — a functional heatmap of priority that allows security analysts to use their time wisely and ensure that internal and Internet-facing assets are strengthened or, at the very least, their vulnerabilities are remediated.
Now for security
The remediation process itself should now be an efficient and straightforward one. All assets are accounted for, and those that pose the greatest risk to the enterprise are ranked in an action list. But EASM is not just about removing vulnerabilities; it also allows deploying security measures to protect applications and end users.
Deep scans look for risky misconfigurations in Web applications, while dynamic testing of APIs checks for runtime weaknesses. Some 80% of all Web traffic now comes from API calls, so testing interfaces has become critical to the security of organisations. EASM identifies API endpoints and their operational methods and requirements. Its Web application scanning (WAS) component can also flag exposed PII on Web applications and help security teams discover applications that are collecting PII. With this information, organisations can better manage their PII exposure and hence the risk of non-compliance with privacy laws and other security standards.
EASM can identify malware infections, enabling threat hunters to go after attacks as they happen. This ability to protect customers and website visitors bolsters the brand’s reputation and engenders trust in value chains and supply chains. Signatures and reputation checks cover known malware, while advanced heuristics and behavioural analyses go after the dreaded zero-day threats.
In today’s hectic multi-cloud, hybrid environments, in which remote employees introduce unpredictable risk elements on an hourly basis, a little control is a welcome thing. The SOC deserves EASM, the one means available for lifting the fog and bringing the environment — risk and all — into focus.