OPINION: Tarek Naja, Solutions Architect, at Qualys, believes that in order to overcome the complexities that come with moving workloads to the cloud, businesses need to leverage the capability of external attack surface management (EASM) to tackle their security issues head on. 
For many of the region’s businesses, the cloud is home now, and Web applications feed a burgeoning appetite for customer and employee experiences.
But there is a dark side to the Web application. It often works with personally identifiable information (PII), and is therefore a target for those engaging in financial crime, corporate espionage, and a range of other activities that cause people to turn to the cybersecurity specialist.
Web applications are like any other software. They have their vulnerabilities and there are some in the digital ether that spend their lives poking and prodding to uncover these flaws and exploit them.
They waltz through weak walls, taking advantage of misconfigurations and failures in integrity, patching and authentication. If being aware of these holes is Step One in defending against attacks, a closely related Step Two would be to find and decommission the Forgotten Web Server.
These public-facing service hosts are tempting tunnels to threat actors, as are any unsecured Web assets.
Chasing down and adequately protecting everything is a challenge. Siloed tools do not cover both internal and external apps. Other related tools may be part of an AppSec (application security) program.
This is the “point solutions problem” we hear about so often, especially since IT suites have become so complicated in the wake of mass cloud migration. SOC teams are bogged down daily in tedious, manual, and suboptimal tasks that lead to precious little value add. Teams routinely miss vulnerabilities in critical apps, risk spreads, and teams become more stressed waiting for catastrophe.
The top priority must be the discovery of Web assets, wherever they reside, and their operationalization within the AppSec program. Otherwise, there is no route to the reduction of both total cost of ownership and mean time to repair. The process of discovery must be an integral part of the security strategy.
Put simply: how can we protect what we cannot see? What we need is a multi-step plan that serves the enterprise’s AppSec program. And to execute the plan we a need new capability called external attack surface management (EASM).
Step 1. Asset inventory
EASM allows SOCs to automate the discovery of all external digital assets, including all Web applications, their domains, and their subdomains. Once built, this inventory forms the foundation of effective protection measures.
When executing this step, the average organization finds that somewhere between 20% and 40% of their Web assets are not protected by the AppSec program because they were previously unknown.
Comprehensive inventories and 360-degree visibility are, it turns out, all but synonymous. And once the AppSec team has added these newly discovered assets to their purview, they are far better able to protect the environment as a whole.
EASM approaches asset discovery by using an organization’s company name or top-level domain (TLD) name to run a sweeping search that identifies and monitors any asset created.
EASM is sensitive to organizational structures such as subsidiaries and can even easily handle structural changes such as mergers and acquisitions.
Nothing can hide from the search — no asset domain or subdomain. EASM augments the discovered information with WhoIs data, DNS records, and SSL certificate details. Together, these datapoints provide the necessary context to monitor creation date, type, and ownership for all assets.
- Asset triage
The GCC region is no exception to the global trend of slim budgets and skills gaps leading to under-resourced security teams. Trying to plug every vulnerability is an impractical proposition.
What EASM brings is the capability to not only automate the reliable discovery of all assets but to automate their prioritization for attention by the AppSec team.
With careful categorization, Web applications can be queued for patches or reconfiguration in a way that accounts for on-hand human resources.
Business-criticality information combined with risk-profile data adds another layer of visibility — a functional heatmap of priority that allows security analysts to use their time wisely and ensure that both internal and Internet-facing assets are strengthened or, at the very least, that their vulnerabilities are remediated.
- Now for security
The remediation process itself should now be an efficient and straightforward one.
All assets are accounted for and those that pose the greatest risk to the enterprise are ranked in an action list. But EASM is not just about removing vulnerabilities; it also allows the deployment of security measures to protect applications and end users.
Deep scans look for risky misconfigurations in Web applications, while dynamic testing of APIs checks for runtime weaknesses. Some 80% of all Web traffic now comes from API calls, so testing interfaces has become critical to the security of organizations.
EASM identifies API endpoints and their operational methods and requirements. Its Web application scanning (WAS) component is also able to flag exposed PII on Web applications and help security teams to discover applications that are collecting PII.
Armed with this information, organizations can better manage their PII exposure and hence the risk of non-compliance with privacy laws and other security standards.
EASM can identify malware infections, enabling threat hunters to go after attacks as they happen.
This ability to protect customers and website visitors bolsters the brand’s reputation and engenders trust along value chains and supply chains. Signatures and reputation checks take care of known malware while advanced heuristics and behavioral analyses go after the dreaded zero-day threats.
Sleep tight
In the hectic multi-cloud, hybrid environments of today, in which remote employees introduce unpredictable risk elements on an hourly basis, a little control is a welcome thing.
The SOC deserves EASM, the one means available for lifting the fog and bringing the environment — risk and all — into focus.
