With each passing year, companies’ networks grow. Increasing amounts of data, expanded business partnerships, and the introduction of new technology to replace outdated methods of conducting business all contribute to this growth. Consequently, the network attack surface is growing proportionally.
Stopping or limiting network sprawl seems impossible given today’s business requirements. At the same time, the onus for securing growing networks, whether on-premises or in the cloud, falls to security teams. The argument could be made that a security practitioner’s job is actually risk reduction, and that everything else is in service of it. Securing the network, encrypting databases, and correctly configuring devices? All means to risk reduction. Patching and testing for vulnerabilities? Risk reduction. All the while one thing is clear: as companies’ networks containing valuable data and applications grow, cybercriminals will target those networks to make a profit, access secrets, or disrupt normal operations.
To reduce risk, defenders must shrink the network attack surface. Shrinking the attack surface isn’t a simple matter, though. Security teams can’t insist the business stop collecting data or adopting technology that makes employees’ lives easier and more efficient. They can’t disallow development using containers or access from mobile devices. What’s more, it’s far from enough to ring-fence the network perimeter and call it a day.
Today’s attackers typically exploit the easiest available weakness to enter a company’s network undetected. However, the initial entry point is rarely the intended target. Attackers almost always use a multi-step process, exploiting exposed network pathways to move laterally toward the company’s most valuable data and applications.
Within any given network there may be hundreds or even thousands of these network pathways, yet most security and networking teams don’t know what those pathways are, much less which ones offer the shortest viable paths that let attackers reach their target efficiently. Without a clear understanding of all the ways an attacker could reach a target, it is impossible to reduce the number of available routes, and thus the network attack surface. Before defenders can quantify how an attacker might use the network to reach the assets stored and communicating there, they first need an inventory of all assets in the environment.
Identify assets and exposures
If the purpose of the security program is to reduce risk to the business by mitigating cybersecurity risk, the first step should be to assess the network attack surface:
- What assets does the company have in on-premises data centers, the cloud, and container environments?
- Which assets are most critical to the business, i.e., which ones would materially impact the business if disrupted, damaged, or exposed?
- What and where are the organization’s most exploitable weaknesses (e.g., users susceptible to phishing, insecure code, unpatched systems)?
- How could an attacker reach the “crown jewels” if initial vulnerabilities are exploited?
- How are workloads and applications interconnected?
- What are the most likely pathways an attacker could use to move laterally toward business-critical assets?
Understanding the environment and its exposure requires ongoing assessment. Ideally a multi-pronged approach combining automated scanning and manual testing is used, but given the size and scope of most organizations’ networks, the only way to stay continually up to date is automated discovery of assets and available network paths.
Network blindspots are a huge challenge when it comes to protecting data; implementing automated discovery tools can substantially improve network visibility and contribute to reducing risk.
Eliminate unnecessary pathways
Protecting the organization from cyber intrusions requires a multilayered strategy, and one effective way to reduce the network attack surface is to decrease the number of routes an attacker can use to reach target systems.
Offensive maps, which chart the low-friction network pathways that exist between attackers and targets, are an extremely valuable tool for anticipating an attacker’s next move given a view of all viable options. Once such a map exists, defenders can use their newfound visibility to determine which vectors are most likely to be exploited, and block never- or infrequently-used pathways to and from critical assets to limit attackers’ ability to move laterally inside the network. In other words, pathways not required by applications, which exist simply because the hosts share a connected network, should be blocked as communication vehicles. One caveat: “infrequently used” must be judged over an observation window long enough to cover the application’s full cycle (a month-end batch job, for example), or a legitimate path will be mistaken for an unnecessary one.
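To make the assessment questions in the previous section and the pathway-blocking step above concrete, here is an added example; it is not code from the original article or from any product it alludes to. It models a constructed network as a set of allowed flows, enumerates the routes an attacker landing at an entry point could take to a crown-jewel database, overlays a constructed 30-day flow log to find allowed-but-unused flows into critical assets, and recounts the routes after those flows are blocked. Every host name, port, flow rule, and log entry is an assumption made up for the example.

```python
"""Attack-path analysis over allowed flows, then pruning of unused ones.

Added example, not from the original article. Every host, port, flow rule
and log entry below is constructed for illustration.
"""
from collections import deque

# Constructed inventory: the crown jewels and the places an initial compromise lands.
CRITICAL = {"db-customers"}
ENTRY_POINTS = ["laptop-sales", "web-public"]

# Constructed allow-list: (src, dst, port) flows that firewalls / security groups permit today.
ALLOWED = {
    ("laptop-sales", "web-public", 443),
    ("laptop-sales", "jump-host", 22),
    ("laptop-sales", "db-customers", 5432),   # legacy rule, nobody uses it
    ("web-public", "api-orders", 8443),
    ("web-public", "db-customers", 5432),     # allowed, never observed
    ("api-orders", "db-customers", 5432),
    ("jump-host", "db-customers", 5432),
    ("jump-host", "api-orders", 22),          # unused, but not into a crown jewel
}

# Constructed 30-day flow log: (src, dst, port) tuples that actually carried traffic.
OBSERVED = {
    ("laptop-sales", "web-public", 443),
    ("laptop-sales", "jump-host", 22),
    ("web-public", "api-orders", 8443),
    ("api-orders", "db-customers", 5432),
    ("jump-host", "db-customers", 5432),
}


def adjacency(flows):
    """Map each source workload to the (destination, port) hops it may open."""
    adj = {}
    for src, dst, port in flows:
        adj.setdefault(src, []).append((dst, port))
    return adj


def shortest_path(flows, source, target):
    """Breadth-first search for the fewest-hop route from source to target.
    Returns the route as [source, "host:port", ...] or None if unreachable."""
    adj = adjacency(flows)
    queue = deque([(source, [source])])
    seen = {source}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for nxt, port in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [f"{nxt}:{port}"]))
    return None


def all_paths(flows, source, target, max_hops=8):
    """Depth-first enumeration of every loop-free route from source to target.
    Its length is the number of distinct routes available to an attacker."""
    adj = adjacency(flows)
    found = []

    def walk(node, path, visited):
        if node == target:
            found.append(path)
            return
        if len(path) > max_hops:
            return
        for nxt, port in adj.get(node, []):
            if nxt not in visited:
                walk(nxt, path + [f"{nxt}:{port}"], visited | {nxt})

    walk(source, [source], {source})
    return found


def block_candidates(allowed, observed, critical):
    """Allowed flows into a crown jewel that carried no traffic in the window:
    the 'pathways not required by applications' to block first."""
    return {f for f in allowed - observed if f[1] in critical}


def hops(path):
    """Hop count of a route returned by shortest_path (None if unreachable)."""
    return None if path is None else len(path) - 1


def exposure_report(allowed, observed, entry_points, critical):
    """Route count and shortest-path length from each entry point to each
    crown jewel, before and after blocking the unused flows into it."""
    pruned = allowed - block_candidates(allowed, observed, critical)
    report = {}
    for src in entry_points:
        for tgt in critical:
            report[(src, tgt)] = {
                "routes_before": len(all_paths(allowed, src, tgt)),
                "routes_after": len(all_paths(pruned, src, tgt)),
                "shortest_before": hops(shortest_path(allowed, src, tgt)),
                "shortest_after": hops(shortest_path(pruned, src, tgt)),
            }
    return report


if __name__ == "__main__":
    for flow in sorted(block_candidates(ALLOWED, OBSERVED, CRITICAL)):
        print("block:", flow)
    for key, stats in exposure_report(ALLOWED, OBSERVED, ENTRY_POINTS, CRITICAL).items():
        print(key, stats)
```

On this constructed data, blocking the two unused flows into db-customers cuts the routes from the sales laptop from five to three and lengthens the shortest one from one hop to two; the laptop can no longer reach the database without first taking the jump host. The example deliberately prunes only unused flows that terminate at a crown jewel; the unused jump-host to api-orders SSH rule survives. Applying `allowed - observed` wholesale is the more aggressive step, and is where the observation-window caveat above matters most. In a real environment the allow-list would come from firewall or security-group exports and the observed set from VPC flow logs or NetFlow, not from literals.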
Apply microsegmentation at the workload level
Once an adversary gains access to the network through an initial exploit (e.g., phishing, a software vulnerability), the security team must be able to prevent unauthorized access to and tampering with critical databases and applications. Limiting the number of paths an attacker can use to travel from Point A to Point B narrows the problem, but it’s not enough. Revisiting the idea of a multilayered strategy for managing expansive network attack surfaces, microsegmentation at the workload level builds tight boundaries around a company’s sensitive data and systems.
Unfortunately, many security and networking professionals have an unfavorable view of microsegmentation. Old methods of microsegmentation using IP addresses and VLANs are kludgy, time-consuming, and expensive. Creating a firewall rule for a new application on the network can take hours, configuration issues can lead to outages, and static policies need manual updates every time an address or subnet changes. In addition, network-based microsegmentation tools necessitate re-architecting both the network and the application (i.e., translating “network speak” into “application speak”). It’s no wonder that microsegmentation is met with trepidation.
Modern microsegmentation, however, is based on software identity: it uses cryptographic attributes of the software (for example, a measured hash or signature of the running binary), rather than network addresses, for control decisions. That identity must be measured or attested by a trusted agent on the host; a self-reported label is no stronger than an IP address, since an attacker who compromises the host could simply claim it. Especially given today’s dynamic network environments, software identity is not only a more reliable construct on which to enforce access decisions, it also eliminates the need for a separate rule per instance of each application, reduces the time it takes to create policies, and yields policies that are portable across platforms (i.e., multicloud environments, containers). Further, application-centric policies adapt to the environment, which means that administrators can create and manage policies from one centralized location and retain visibility regardless of where workloads run or communicate.
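The following added example, which is not code from the original article or from any vendor’s product, shows what an identity-based policy decision looks like next to the address-based alternative. Workloads carry an application identity plus a digest of the running executable; the policy names applications and ports only. It assumes a trusted host agent that can measure the digest (modelled here by a plain SHA-256 over constructed bytes), a set of approved build digests per application, and a fleet of constructed workloads, including one tampered copy running on the same IP as a legitimate instance. All names, digests, addresses, and rules are assumptions made up for the example.

```python
"""Identity-based microsegmentation: allow/deny decisions keyed on measured
software identity rather than on IP addresses.

Added example, not from the original article or any vendor product. The
workloads, approved digests and policy are constructed; `digest` stands in
for the cryptographic attribute (here a SHA-256 of the executable) that a
trusted host agent would measure in a real deployment.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str    # human-readable label; plays no part in decisions
    app: str     # application identity the host agent reports
    env: str     # prod / staging
    digest: str  # hash of the running executable, as measured by the agent
    ip: str      # where it happens to be running right now


def measure(binary: bytes) -> str:
    """Stand-in for the agent hashing the executable it enforces for."""
    return hashlib.sha256(binary).hexdigest()


# Constructed approved builds per application. A digest outside this set means
# the binary is not what the application owner shipped.
APPROVED = {
    "web-public": {measure(b"nginx frontend build 2024-05")},
    "api-orders": {measure(b"api-orders build 1.4.2")},
    "db-customers": {measure(b"postgres hardened image 15.3")},
}

# Policy is written in application terms: (source app, destination app, port).
# Default deny. Nothing here mentions an address, subnet or VLAN.
POLICY = {
    ("web-public", "api-orders", 8443),
    ("api-orders", "db-customers", 5432),
}


def identity_proven(w: Workload) -> bool:
    """A claimed app identity counts only if the measured digest matches an
    approved build for that app."""
    return w.digest in APPROVED.get(w.app, set())


def decide(src: Workload, dst: Workload, port: int):
    """Return (allowed, reason) for a connection attempt src -> dst:port."""
    if not identity_proven(src):
        return False, f"source claims '{src.app}' but its digest is not an approved build"
    if not identity_proven(dst):
        return False, f"destination claims '{dst.app}' but its digest is not an approved build"
    if src.env != dst.env:
        return False, f"cross-environment traffic ({src.env} -> {dst.env}) is not permitted"
    if (src.app, dst.app, port) in POLICY:
        return True, f"policy allows {src.app} -> {dst.app}:{port}"
    return False, "no matching rule (default deny)"


def address_rule_count(workloads, policy) -> int:
    """Rules an address-based approach needs for the same intent: one per
    (source instance, destination instance) pair, re-issued whenever an
    instance moves or is replaced. Compare with len(policy)."""
    total = 0
    for src_app, dst_app, _port in policy:
        n_src = sum(1 for w in workloads if w.app == src_app)
        n_dst = sum(1 for w in workloads if w.app == dst_app)
        total += n_src * n_dst
    return total


# Constructed fleet: the same api-orders build in two clouds, a tampered copy on
# the same host/IP as a legitimate instance, a staging instance, and a laptop.
GOOD_API = measure(b"api-orders build 1.4.2")
GOOD_DB = measure(b"postgres hardened image 15.3")
WEB = Workload("web-1", "web-public", "prod", measure(b"nginx frontend build 2024-05"), "10.1.1.5")
API_AWS = Workload("api-aws-1", "api-orders", "prod", GOOD_API, "10.1.2.3")
API_AWS2 = Workload("api-aws-2", "api-orders", "prod", GOOD_API, "10.1.2.4")
API_GCP = Workload("api-gcp-1", "api-orders", "prod", GOOD_API, "172.16.9.8")
API_STAGING = Workload("api-stg-1", "api-orders", "staging", GOOD_API, "10.9.2.3")
TAMPERED = Workload("api-aws-1?", "api-orders", "prod", measure(b"api-orders build 1.4.2 + webshell"), "10.1.2.3")
DB1 = Workload("db-1", "db-customers", "prod", GOOD_DB, "10.1.5.10")
DB2 = Workload("db-2", "db-customers", "prod", GOOD_DB, "10.1.5.11")
LAPTOP = Workload("laptop-sales", "unmanaged", "prod", "", "10.1.2.50")
FLEET = [WEB, API_AWS, API_AWS2, API_GCP, DB1, DB2]

if __name__ == "__main__":
    attempts = [(API_AWS, DB1, 5432), (API_GCP, DB2, 5432), (TAMPERED, DB1, 5432),
                (API_STAGING, DB1, 5432), (API_AWS, DB1, 22), (LAPTOP, DB1, 5432)]
    for s, d, p in attempts:
        print(f"{s.name} ({s.ip}) -> {d.name}:{p}", decide(s, d, p))
    print("address-based rules needed:", address_rule_count(FLEET, POLICY),
          "identity-based rules:", len(POLICY))
```

Two points the prose alone does not show. First, the api-orders instance in the second cloud is allowed by the same two-line policy that covers the AWS instances, with no rule referencing 172.16.9.8, whereas the address-based count for this six-workload fleet is already nine rules and grows with every replica. Second, the tampered copy sits on exactly the IP that an address-based rule would permit, yet it is denied because its digest is not an approved build. The protection is only as good as the measurement: the agent must hash what is actually running, and the approved-digest set has to be refreshed by the release pipeline on every build, or the policy will start denying legitimate upgrades.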
Paring down the network attack surface to reduce overall organizational risk is not easy, to be certain. Simply keeping abreast of all resources across ever-growing networks is a massive challenge. However, in today’s complex threat landscape, it’s imperative for security and networking teams to simplify the protection strategy by improving network visibility and implementing application-centric, adaptive security controls. To get started, organizations should:
- Identify the extent of the network attack surface, including systems, devices, users, workloads, and exposed network paths;
- Prioritize protection based on the criticality of assets and block network paths not required by business applications; and
- Use application-centric microsegmentation to prevent unauthorized access and communication on the network.