Management – INDIA NEWS (https://www.indiavpn.org), News Blog feed, last updated Fri, 12 Apr 2024 12:23:13 +0000

Code Keepers: Mastering Non-Human Identity Management
https://www.indiavpn.org/2024/04/12/code-keepers-mastering-non-human-identity-management/
Fri, 12 Apr 2024 12:23:13 +0000

Apr 12, 2024 | The Hacker News | DevSecOps / Identity Management


Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems?

Let’s break it down.

The challenge

Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function like diligent worker bees, each performing its designated task, be it processing data, verifying credentials, or retrieving information from databases. Communicating through APIs, they keep services running smoothly for us users. However, to use these APIs, microservices must authenticate themselves using non-human identities and secrets, which act as programmatic access keys.

Now, consider the ramifications if a malicious actor were to obtain one of these non-human identities or secrets. The potential for chaos is immense—secrets could be stolen, data tampered with, or even the entire system brought to a standstill.

Without strong security measures, a system is wide open to these kinds of attacks. Companies need to lock things down tight to keep data safe and systems running smoothly.

The solution

What’s needed is a comprehensive suite of features to meet the needs of managing non-human identities.

Comprehensive secrets visibility

To manage non-human identities and secrets at scale, you need a bird’s-eye view of all machine identities in your systems. From ownership details to permissions and risk levels, all this critical information needs to be centralized, empowering your security teams to understand the secrets landscape thoroughly. No more guessing games—just clear insights into non-human identities and their potential vulnerabilities.

Real-time monitoring & protection

To effectively oversee non-human identities, it’s crucial to employ real-time monitoring, enabling constant vigilance over your sensitive information. Any signs of dubious behavior should be promptly detected and flagged without delay. Whether it involves an unauthorized access attempt or an unforeseen alteration in permissions, ongoing scrutiny of secrets guarantees proactive defense against potential risks. Mere alerting isn’t sufficient; a comprehensive solution providing actionable steps for immediate resolution is imperative when suspicious activities arise.

Centralized governance

Centralized governance simplifies secrets management for non-human identities. By consolidating all security controls into one streamlined platform, it becomes easy for you to oversee access to non-human identities. From identification to prioritization and remediation, you need seamless collaboration between security and development teams, ensuring everyone is on the same page when it comes to protecting your digital assets.

Vulnerability detection & false positive elimination

Not all alerts warrant immediate alarm. Hence, vulnerability detection must extend beyond merely highlighting potential risks; it should differentiate between genuine threats and false alarms. By eliminating false positives and honing in on actual vulnerabilities, your security teams can efficiently address issues without being sidetracked by unnecessary distractions.

This is what it takes to manage secret security for non-human identities. It’s what we obsess about here at Entro.

Why Entro

With Entro’s non-human identity management solution, organizations can:

  • Gain complete visibility of secrets that protect code, APIs, containers, and serverless functions scattered across various systems and environments.
  • Identify and prioritize security risks, remediate vulnerabilities, and prevent unauthorized access to critical financial systems and data.
  • Automate the remediation of identified security risks, saving time and resources for the security and development teams.
  • Ensure compliance with regulatory requirements such as SOC2, GDPR, and others by maintaining robust access controls and security measures.

Get in touch with us to learn more about Entro’s machine identities and secrets management solution.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Revolutionizing Privileged Access Management with One Identity Cloud PAM Essentials
https://www.indiavpn.org/2024/04/09/revolutionizing-privileged-access-management-with-one-identity-cloud-pam-essentials/
Tue, 09 Apr 2024 07:16:55 +0000

Apr 09, 2024 | The Hacker News | Privileged Access Management

As cyber threats loom around every corner and privileged accounts become prime targets, the significance of implementing a robust Privileged Access Management (PAM) solution can’t be overstated. With organizations increasingly migrating to cloud environments, the PAM Solution Market is experiencing a transformative shift toward cloud-based offerings. One Identity PAM Essentials stands out among these as a SaaS-based PAM solution that prioritizes security, manageability, and compliance.

Security-first, user-centric design

PAM Essentials boasts a user-centric and security-first design – not only prioritizing the protection of critical assets, but also ensuring a seamless user experience. By providing privileged sessions and access controls, PAM Essentials mitigates the heightened risks associated with unauthorized users, safeguarding critical data against potential breaches. Designed for ease of use, it ensures that robust security does not come at the expense of usability.

Simplified PAM approach with full visibility

One of the standout features of PAM Essentials is its simplified PAM approach, coupled with full visibility. Unlike traditional on-premises PAM solutions, PAM Essentials eliminates unnecessary complexities and the need for additional infrastructure investments. This streamlined approach not only reduces operational overhead but also provides organizations with comprehensive visibility into privileged access activities, facilitating proactive threat detection and mitigation.

Cost-effective and compliant

In today’s regulatory landscape, compliance is non-negotiable. PAM Essentials aids organizations in meeting compliance and industry-specific standards, ensuring adherence to regulatory requirements and enabling them to fulfill cyber insurance requirements. Its cost-effectiveness creates significant savings for businesses, eliminating the need for costly infrastructure and resource allocations associated with traditional PAM solutions.

Cloud-native architecture for scalability and flexibility

Built on a cloud-native architecture, PAM Essentials offers unparalleled scalability, flexibility and accessibility. This ensures seamless integration with cloud services, allowing organizations to adapt and scale their privileged identity management strategies in response to evolving business needs. PAM Essentials also provides a seamless experience for remote teams, enabling secure access to critical systems and resources from anywhere at any time.

Native integration and seamless experience

PAM Essentials’ native integration with OneLogin access management solutions enhances its capabilities. By leveraging OneLogin’s robust identity and access management platform, PAM Essentials delivers a seamless privileged access management experience. This integration not only enhances security but also streamlines administrative tasks, improving overall operational efficiency.

Conclusion

As organizations navigate the complexities of modern cybersecurity threats and the constantly evolving digital landscape, the importance of effective Privileged Access Management cannot be overstated. PAM Essentials represents a shift in PAM tools, offering a comprehensive, cloud-native approach to security, manageability and compliance. With its user-centric design, simplified approach and seamless integration capabilities, PAM Essentials is set to redefine the future of Privileged Access Management, empowering organizations to safeguard their most critical assets.

This article is a contributed piece from one of our valued partners.

Attack Surface Management vs. Vulnerability Management
https://www.indiavpn.org/2024/04/03/attack-surface-management-vs-vulnerability-management/
Wed, 03 Apr 2024 12:12:07 +0000

Apr 03, 2024 | The Hacker News | Cybersecurity / Penetration Testing


Attack surface management (ASM) and vulnerability management (VM) are often confused, and while they overlap, they’re not the same. The main difference between attack surface management and vulnerability management is in their scope: vulnerability management checks a list of known assets, while attack surface management assumes you have unknown assets and so begins with discovery. Let’s look at both in more detail.

What is vulnerability management?

Vulnerability management is, at the simplest level, the use of automated tools to identify, prioritize and report on security issues and vulnerabilities in your digital infrastructure.

Vulnerability management uses automated scanners to run regular, scheduled scans on assets within a known IP range to detect established and new vulnerabilities, so you can apply patches, remove vulnerabilities or mitigate any potential risks. The vulnerabilities found are typically rated using a risk score or scale, such as CVSS, together with risk calculations.

Vulnerability scanners often have many thousands of automated checks at their disposal, and by probing and gathering information about your systems, they can identify security gaps which could be used by attackers to steal sensitive information, gain unauthorized access to your systems, or disrupt your business. Armed with this knowledge, you can protect your organization and prevent potential attacks.

A screenshot of the Intruder vulnerability management platform, which is designed to perform thousands of security checks, identifying vulnerabilities in web apps, APIs, cloud systems, and beyond.

What is the vulnerability management process?

  1. Performing a vulnerability scan
  2. Assessing your vulnerability risk
  3. Prioritizing and fixing vulnerabilities
  4. Monitoring continuously

What is attack surface management?

The main difference between vulnerability management and attack surface management is the scope. Attack surface management (ASM) includes asset discovery – helping you to find all your digital assets and services and then reducing or minimizing their exposure to prevent hackers from exploiting them.

With ASM, all known or unknown assets (on-premises, cloud, subsidiary, third-party, or partner environments) are detected from the attacker’s perspective from outside the organization. If you don’t know what you’ve got, how can you protect it?

Take the example of an admin interface like cPanel or a firewall administration page – these may be secure against all known current attacks today, but a vulnerability could be discovered tomorrow – when it becomes a significant risk. If you monitor and reduce your attack surface, regardless of vulnerabilities, you become harder to attack.

So, a significant part of attack surface management is reducing exposure to possible future vulnerabilities by removing unnecessary services and assets from the internet. But to do this, first you need to know what’s there.

What is the attack surface management process?

  1. Discover and map all your digital assets
  2. Ensure visibility and create a record of what exists
  3. Run a vulnerability scan to identify any weaknesses
  4. Automate so everyone who creates infrastructure can do so securely
  5. Continuously monitor as new infrastructure and services are spun up

Intruder’s attack surface management features help you to stay on top of changes in your environment, such as recently opened ports and services.

How does attack surface management differ from vulnerability management?

Vulnerability management is the process of identifying and prioritizing vulnerabilities in your IT infrastructure and applications. Attack surface management goes a step further by identifying and analyzing your attack surface – all the devices, entry points and exposed services that an attacker could potentially use to gain access to your systems or data.

Can you combine Attack Surface Management and Vulnerability Management?

While ASM and VM may have different scopes and objectives, they’re not mutually exclusive. Used in combination, they create a much more holistic, robust and comprehensive cyber security posture. By identifying your assets and vulnerabilities, you can prioritize your security efforts and allocate resources more effectively – which will help you reduce the likelihood of a successful attack and any potential impact.

How Intruder can help with ASM and VM

Ultimately, you want to leave no stone unturned when it comes to cyber security. Modern VM and ASM solutions like Intruder can detect vulnerabilities affecting your organization. It gives you greater visibility and control over your attack surface, monitors network changes and SSL/TLS certificate expiry dates, helps you stay on top of your cloud infrastructure, and allows you to pay only for active targets. Why not see for yourself with a free 14-day trial?

This article is a contributed piece from one of our valued partners.

CTEM 101 – Go Beyond Vulnerability Management with Continuous Threat Exposure Management
https://www.indiavpn.org/2024/03/12/ctem-101-go-beyond-vulnerability-management-with-continuous-threat-exposure-management/
Tue, 12 Mar 2024 11:29:50 +0000

Mar 12, 2024 | The Hacker News | CTEM / Vulnerability Management


In a world of ever-expanding jargon, adding another FLA (Four-Letter Acronym) to your glossary might seem like the last thing you’d want to do. But if you are looking for ways to continuously reduce risk across your environment while making significant and consistent improvements to security posture, in our opinion, you probably want to consider establishing a Continuous Threat Exposure Management (CTEM) program.

CTEM is an approach to cyber risk management that combines attack simulation, risk prioritization, and remediation guidance in one coordinated process. The term Continuous Threat Exposure Management first appeared in the Gartner® report, Implement a Continuous Threat Exposure Management Program (CTEM) (Gartner, 21 July 2022). Since then, we have seen organizations across the globe realize the benefits of this integrated, continual approach.


Webinar: Why and How to Adopt the CTEM Framework

XM Cyber is hosting a webinar featuring Gartner VP Analyst Pete Shoard about adopting the CTEM framework on March 27. Even if you cannot join live, we will share an on-demand link, so don’t miss it!

Focus on Areas With the Most Risk

But why is CTEM popular, and more importantly, how does it improve upon the already overcrowded world of Vulnerability Management?

Central to CTEM is the discovery of real, actionable risk to critical assets. Anyone can identify security improvements in an organization’s environment. The issue isn’t finding exposures, it’s being overwhelmed by them – and being able to know which pose the most risk to critical assets.

In our opinion, a CTEM program helps you:

  1. Identify your most exposed assets, along with how an attacker might leverage them
  2. Understand the impact and likelihood of potential breaches
  3. Prioritize the most urgent risks and vulnerabilities
  4. Get actionable recommendations on how to fix them
  5. Monitor your security posture continuously and track your progress

With a CTEM program, you can get the “attacker’s view”, cross referencing flaws in your environment with their likelihood of being used by an attacker. The result is a prioritized list of exposures to address, including ones that can safely be addressed later.

The Five Stages of a CTEM Program


Rather than a particular product or service, CTEM is a program that reduces cyber security exposures via five stages:

  1. Scoping – According to Gartner, “To define and later refine the scope of the CTEM initiative, security teams need first to understand what is important to their business counterparts, and what impacts (such as a required interruption of a production system) are likely to be severe enough to warrant collaborative remedial effort.”
  2. Discovery – Gartner says, “Once scoping is completed, it is important to begin a process of discovering assets and their risk profiles. Priority should be given to discovery in areas of the business that have been identified by the scoping process, although this isn’t always the driver. Exposure discovery goes beyond vulnerabilities: it can include misconfiguration of assets and security controls, but also other weaknesses such as counterfeit assets or bad responses to a phishing test.”
  3. Prioritization – In this stage, says Gartner, “The goal of exposure management is not to try to remediate every issue identified nor the most zero-day threats, for example, but rather to identify and address the threats most likely to be exploited against the organization.” Gartner further notes that “Organizations cannot handle the traditional ways of prioritizing exposures via predefined base severity scores, because they need to account for exploit prevalence, available controls, mitigation options and business criticality to reflect the potential impact onto the organization.”
  4. Validation – This stage, according to Gartner, “is the part of the process by which an organization can validate how potential attackers can actually exploit an identified exposure, and how monitoring and control systems might react.” Gartner also notes that the objectives of the Validation step include the need to “assess the likely ‘attack success’ by confirming that attackers could really exploit the previously discovered and prioritized exposures.”
  5. Mobilization – Says Gartner, “To ensure success, security leaders must acknowledge and communicate to all stakeholders that remediation cannot be fully automated.” The report further notes that, “the objective of the “mobilization” effort is to ensure the teams operationalize the CTEM findings by reducing friction in approval, implementation processes and mitigation deployments. It requires organizations to define communication standards (information requirements) and documented cross-team approval workflows.”

CTEM vs. Alternative Approaches

There are several alternative approaches to understanding and improving security posture, some of which have been in use for decades.

  • Vulnerability Management/RBVM focuses on risk reduction through scanning to identify vulnerabilities, then prioritizing and fixing them based on a static analysis. Automation is essential, given the number of assets that need to be analyzed, and the ever-growing number of vulnerabilities identified. But RBVM is limited to identifying CVEs and doesn’t address identity issues and misconfigurations. Furthermore, it doesn’t have information required to properly prioritize remediation, typically leading to pervasive backlogs.
  • Red Team exercises are manual, expensive, point-in-time tests of cyber security defenses. They seek to identify whether or not a successful attack path exists at a particular point in time, but they can’t identify the full array of risks.
  • Similarly, Penetration Testing uses a testing methodology as its assessment of risk, and it provides a point-in-time result. Since it involves active interaction with the network and systems, it’s typically limited with respect to critical assets, because of the risk of an outage.
  • Cloud Security Posture Management (CSPM) focuses on misconfiguration issues and compliance risks solely in cloud environments. While important, it doesn’t consider remote employees, on-premises assets, or the interactions between multiple cloud vendors. These solutions are unaware of the full path of attack risks that cross between different environments—a common risk in the real world.

It is our opinion that a CTEM program-based approach offers the advantages of:

  • Covering all assets—cloud, on-premises, and remote—and knowing which ones are most critical.
  • Continuously discovering all types of exposures—traditional CVEs, identities, and misconfigurations.
  • Presenting real-world insights into the attacker view
  • Prioritizing remediation efforts to eliminate those paths with the fewest fixes
  • Providing remediation advice for reliable, repeated improvements

The Value of CTEM

We feel that the CTEM approach has substantial advantages over alternatives, some of which have been in use for decades. Fundamentally, organizations have spent years identifying exposures, adding them to never-ending “to do” lists, expending countless time plugging away at those lists, and yet not getting a clear benefit. With CTEM, a more thoughtful approach to discovery and prioritization adds value by:

  • Quickly reducing overall risk
  • Increasing the value of each remediation, and potentially freeing up resources
  • Improving the alignment between security and IT teams
  • Providing a common view into the entire process, encouraging a positive feedback loop that drives continuous improvement

Getting Started with CTEM

Since CTEM is a process rather than a specific service or software solution, getting started is a holistic endeavor. Organizational buy-in is a critical first step. Other considerations include:

  • Supporting processes and data collection with the right software components
  • Defining critical assets and updating remediation workflows
  • Executing upon the right system integrations
  • Determining proper executive reporting and an approach to security posture improvements

In our view, with a CTEM program, organizations can foster a common language of risk for Security and IT; and ensure that the level of risk for each exposure becomes clear. This enables the handful of exposures that actually pose risk, among the many thousands that exist, to be addressed in a meaningful and measurable way.

For more information on how to get started with your CTEM program, check out XM Cyber’s whitepaper, XM Cyber on Operationalizing The Continuous Threat Exposure Management (CTEM) Framework by Gartner®.


This article is a contributed piece from one of our valued partners.

Secrets Sensei: Conquering Secrets Management Challenges
https://www.indiavpn.org/2024/03/08/secrets-sensei-conquering-secrets-management-challenges/
Fri, 08 Mar 2024 11:37:34 +0000

Mar 08, 2024 | The Hacker News | Secrets Management / Access Control


In the realm of cybersecurity, the stakes are sky-high, and at its core lies secrets management — the foundational pillar upon which your security infrastructure rests. We’re all familiar with the routine: safeguarding those API keys, connection strings, and certificates is non-negotiable. However, let’s dispense with the pleasantries; this isn’t a simple ‘set it and forget it’ scenario. It’s about guarding your secrets in an age where threats morph as swiftly as technology itself.

Let’s shed some light on common practices that could spell disaster, as well as the tools and strategies to confidently navigate and overcome these challenges. In simple terms, this is a first-step guide to mastering secrets management across diverse terrains.

Top 5 common secrets management mistakes

Alright, let’s dive into some common secrets management mistakes that can trip up even the savviest of teams:

  1. Hard coding secrets in code repositories: A classic mistake, hard coding secrets like API keys or passwords directly in code repositories is like leaving your house keys under the mat. It is convenient, but it is highly risky. Agile development environments are prone to this devastating mistake, as developers under time constraints might opt for convenience over security.
  2. Inadequate key rotation and revocation processes: Static credentials face a growing risk of compromise as time progresses. Take, for example, a company employing unchanged encryption keys for prolonged periods without rotation; this can serve as a vulnerable gateway for attackers, particularly if these keys have been previously exposed in security incidents.
  3. On the flip side, rotating keys too frequently also causes operational issues. If a key is rotated every time it is accessed, it becomes difficult for multiple applications to access the key at the same time. Only the first application would get access, and the next ones would fail. This is counterproductive. You need to find the right interval for secrets rotation.
  4. Storing secrets in public places or insecure locations: Storing sensitive information like database passwords in configuration files that are publicly accessible, perhaps in a Docker image or a public code repository, invites trouble.
  5. Over-provisioning privileges for secrets: Granting excessive privileges for secrets is similar to giving every employee a master key to the entire office. Employees with more access than needed could unintentionally or maliciously expose sensitive information, leading to data breaches or other security incidents.
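As an added example (not code from the original article) of the rotation-interval point in items 2 and 3: a signing key that rotates on a schedule but keeps the previous version valid for a grace window, so a second service still holding the old key id succeeds instead of failing the moment rotation happens. The HMAC key ring, the fake clock and the job names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class KeyVersion:
    key_id: int
    material: bytes
    created_at: float
    retired_at: Optional[float] = None  # set when a newer version takes over


class RotatingSigningKey:
    """A signing key that rotates on a schedule but keeps retired versions
    usable for a grace window, so a caller that fetched the previous version
    keeps working instead of failing the moment rotation happens."""

    def __init__(self, grace_seconds: float, clock: Callable[[], float] = time.time):
        self.grace = grace_seconds
        self.clock = clock
        self._versions: Dict[int, KeyVersion] = {}
        self._current_id = 0
        self.rotate()

    def rotate(self) -> int:
        """Activate a fresh key; the old one enters the grace window."""
        now = self.clock()
        if self._current_id in self._versions:
            self._versions[self._current_id].retired_at = now
        self._current_id += 1
        self._versions[self._current_id] = KeyVersion(self._current_id, secrets.token_bytes(32), now)
        self._prune(now)
        return self._current_id

    def _prune(self, now: float) -> None:
        """Forget versions whose grace window has elapsed."""
        for key_id, version in list(self._versions.items()):
            if version.retired_at is not None and now - version.retired_at > self.grace:
                del self._versions[key_id]

    def sign(self, message: bytes) -> Tuple[int, str]:
        version = self._versions[self._current_id]
        return version.key_id, hmac.new(version.material, message, hashlib.sha256).hexdigest()

    def verify(self, key_id: int, message: bytes, tag: str) -> bool:
        self._prune(self.clock())
        version = self._versions.get(key_id)
        if version is None:
            return False  # unknown key id, or retired longer ago than the grace window
        expected = hmac.new(version.material, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


class FakeClock:
    """Deterministic clock so the simulation below is reproducible."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate(grace_seconds: float) -> Dict[str, bool]:
    """Service A signs a job token, a scheduled rotation runs, then service B
    must verify A's token and one it signs itself. grace_seconds=0 reproduces
    the 'rotate on every access' mistake: the second caller fails."""
    clock = FakeClock()
    ring = RotatingSigningKey(grace_seconds, clock)
    kid_a, tag_a = ring.sign(b"job-42")      # service A, holding key version 1
    clock.advance(60)
    ring.rotate()                            # scheduled rotation between the two calls
    clock.advance(1)
    old_ok = ring.verify(kid_a, b"job-42", tag_a)
    kid_b, tag_b = ring.sign(b"job-43")      # service B, now on key version 2
    new_ok = ring.verify(kid_b, b"job-43", tag_b)
    clock.advance(grace_seconds + 1)         # past the grace window
    return {
        "old_key_during_grace": old_ok,
        "new_key": new_ok,
        "old_key_after_grace": ring.verify(kid_a, b"job-42", tag_a),
    }
```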

3 Lesser-known pitfalls in secrets storage and management

Unfortunately, there are more…

  1. Improper secrets lifecycle management: Often overlooked, the lifecycle management of secrets is one of the major pitfalls to avoid. It involves creating and using secrets and regularly updating and eventually retiring them. Poor lifecycle management can leave outdated or unused secrets lingering in the system, becoming easy targets for attackers. For example, if not properly retired, a long-forgotten API key from a decommissioned project can provide an unintentional backdoor into the company’s system.
  2. Ignoring audit trails for secrets access: Yet another nuanced yet consequential pitfall is the failure to recognize the significance of audit trails concerning secret access. Without a robust auditing mechanism in place, monitoring who accessed which secret and when becomes a daunting task. This oversight can impede the detection of unauthorized access to secrets. For example, the absence of audit trails might fail to alert us to unusual access patterns to sensitive secrets or to someone bulk downloading all secrets from the vault.
  3. Failure to encrypt Kubernetes secrets: Let’s understand why the lack of encryption is a matter of concern by looking at how secrets are created in the Kubernetes ecosystem. By default, these secrets are only base64 encoded, which is merely an encoding that can be trivially reversed: a thin veil of security, far from robust encryption. This vulnerability opens the door to potential breaches if these secrets are accessed.

Encrypting secrets at rest enhances security, and Kubernetes allows for this through configurations like the EncryptionConfiguration object, which specifies key materials for encryption operations on a per-node basis.
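For the audit-trail pitfall (item 2 above), an added example that is not code from the original article: a small detector run over constructed vault audit records that flags a principal reading a secret outside its historical baseline, and a bulk read of many distinct secrets within a short window. The JSON-lines record shape, the principals and the secret paths are assumed for the illustration and do not reflect any particular vault product.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed audit records (JSON lines). Yesterday's log is the baseline of
# who normally reads what; today's log contains one human bulk-reading prod secrets.
BASELINE_LOG = """\
{"ts": "2024-03-07T10:00:01Z", "principal": "ci-runner", "action": "read", "secret": "prod/db/password"}
{"ts": "2024-03-07T10:00:02Z", "principal": "ci-runner", "action": "read", "secret": "prod/api/payments"}
{"ts": "2024-03-07T10:05:00Z", "principal": "payments-svc", "action": "read", "secret": "prod/db/password"}
{"ts": "2024-03-07T11:12:00Z", "principal": "jdoe", "action": "read", "secret": "dev/db/password"}
"""
TODAY_LOG = """\
{"ts": "2024-03-08T10:00:01Z", "principal": "ci-runner", "action": "read", "secret": "prod/db/password"}
{"ts": "2024-03-08T10:00:02Z", "principal": "ci-runner", "action": "read", "secret": "prod/api/payments"}
{"ts": "2024-03-08T10:05:00Z", "principal": "payments-svc", "action": "read", "secret": "prod/db/password"}
{"ts": "2024-03-08T10:30:10Z", "principal": "jdoe", "action": "read", "secret": "dev/db/password"}
{"ts": "2024-03-08T10:30:15Z", "principal": "jdoe", "action": "read", "secret": "prod/db/password"}
{"ts": "2024-03-08T10:30:16Z", "principal": "jdoe", "action": "read", "secret": "prod/api/payments"}
{"ts": "2024-03-08T10:30:17Z", "principal": "jdoe", "action": "read", "secret": "prod/api/mailer"}
{"ts": "2024-03-08T10:31:00Z", "principal": "jdoe", "action": "read", "secret": "prod/ssh/deploy-key"}
"""


def parse(log: str) -> List[Dict]:
    """Parse JSON lines into events with a timezone-aware datetime."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def build_baseline(log: str) -> Dict[str, Set[str]]:
    """Which secrets each principal has historically read."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for event in parse(log):
        if event["action"] == "read":
            baseline[event["principal"]].add(event["secret"])
    return dict(baseline)


def detect(log: str, baseline: Dict[str, Set[str]], bulk_threshold: int = 4,
           window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Emit an alert for each read outside the principal's baseline, and one
    bulk_read alert per principal that reads >= bulk_threshold distinct
    secrets inside the sliding window."""
    alerts: List[Dict] = []
    recent = defaultdict(deque)          # principal -> deque of (ts, secret) inside the window
    bulk_flagged: Set[str] = set()
    for event in parse(log):
        if event["action"] != "read":
            continue
        principal, secret, ts = event["principal"], event["secret"], event["ts"]
        if secret not in baseline.get(principal, set()):
            alerts.append({"type": "new_secret_for_principal", "principal": principal,
                           "secret": secret, "ts": ts.isoformat()})
        q = recent[principal]
        q.append((ts, secret))
        while q and ts - q[0][0] > window:   # drop reads older than the window
            q.popleft()
        distinct = {name for _, name in q}
        if len(distinct) >= bulk_threshold and principal not in bulk_flagged:
            bulk_flagged.add(principal)
            alerts.append({"type": "bulk_read", "principal": principal,
                           "distinct_secrets": len(distinct), "ts": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(TODAY_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```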

Remediations for Secrets Management Mistakes

A proactive and strategic approach is no longer optional in addressing secrets management mistakes. Here are some of the key strategies to effectively remedy the pitfalls discussed above and be a guardian of your secrets:

  • Secrets Inventory: It is imperative that you know the exact number of secrets within your systems, and where they exist. Most CISOs are unaware of this vital information and are therefore unprepared for a secrets attack.
  • Secrets classification and enrichment: Not all secrets are created equal. While some safeguard highly confidential data, others protect more routine operational information. Security approaches must acknowledge this distinction when addressing attacks on secrets. Achieving this necessitates the creation of comprehensive metadata for each secret, detailing the resources it safeguards, its priority level, authorized access, and other pertinent details.
  • Implement robust encryption: Strengthen your encryption practices by encrypting sensitive data using strong cryptographic methods, especially secrets at rest and in transit.
  • Refine access control: Apply the principle of least privilege rigorously. Ensure that access to secrets is tightly controlled and regularly audited. In Kubernetes, managing data access effectively is achieved through RBAC, which assigns access based on user roles.
  • Continuous monitoring and auditing: Establish a robust monitoring system to track access and usage of secrets. Implement audit trails to record who accessed what data and when, aiding in quick detection and response to any irregularities.
  • Leverage automated secrets tools: Utilize automated tools for managing secrets, which can encompass automated rotation of secrets and integration with identity management systems to streamline access control. Additionally, implement secret rotation to enhance your management practices even further.
  • Review policies frequently: Stay informed about new threats and adjust your strategies to maintain a strong defense against evolving cybersecurity challenges.

Putting a stop to false positives

Minimizing false positives in secrets management is crucial for sustaining operational efficiency and enabling security teams to concentrate on authentic threats. Here are several practical measures to assist you in achieving this goal:

  • Advanced detection algorithms: Utilizing machine learning and secrets context analysis can differentiate genuine secrets from false alarms, increasing the accuracy of detection systems.
  • Advanced scanning tools: Implementing solutions that amalgamate diverse detection techniques, including regular expressions, entropy analysis, and keyword matching, can significantly mitigate false positives.
  • Regular updates and feedback loops: Keeping scanning tools updated with the latest patterns and incorporating feedback from false positives helps refine the detection process.
  • Monitoring secrets usage: Tools like Entro, which monitor secret usage across the supply chain and production, can identify suspicious behavior. This helps in understanding the risk context around each secret, further eliminating false positives. Such monitoring is crucial in discerning actual threats from benign activities, ensuring security teams focus on real issues.
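The detection techniques listed above, as an added example that is not from the article or any vendor tool: a small Python scanner that layers regex matching of known credential formats, Shannon entropy and keyword context into one confidence score, and suppresses values a reviewer has already confirmed as false positives. The sample lines, the patterns, the scoring thresholds and the allowlisted fixture are all constructed for this illustration.

```python
"""Secret-candidate scanner layering regex, entropy and keyword context, with an
allowlist of reviewer-confirmed false positives.  Constructed example only."""
import hashlib
import math
import re
from dataclasses import dataclass

# Structural patterns of two well-known credential formats (constructed, short list).
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Generic `name = "value"` / `name: 'value'` assignments with a value of 8+ chars.
ASSIGNMENT = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_.-]*)\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
)
SECRET_WORDS = ("secret", "token", "password", "passwd", "credential", "key")
# Values that look like documentation placeholders rather than live material.
PLACEHOLDER = re.compile(r"(?i)example|changeme|placeholder|xxxx|<[^>]+>|\$\{[^}]+\}")
REPORT_THRESHOLD = 50  # assumed cut-off on the 0-100 confidence score


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64/hex material scores well above prose."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def fingerprint(value: str) -> str:
    """Reviewed false positives are stored as hashes, never as the raw value."""
    return hashlib.sha256(value.encode()).hexdigest()


# Feedback loop: a value a reviewer confirmed is a test fixture, not a secret.
ALLOWLIST = {fingerprint("Zp9Rt4Vw7Xy1Bn6Mc3Hd5Jf0Gs2Lq8Kk")}


@dataclass
class Finding:
    line_no: int
    kind: str      # "known_format" or "generic"
    name: str      # format name, or the variable the value was assigned to
    value: str
    entropy: float
    score: int     # 0-100 confidence that this is live secret material


def score_candidate(kind: str, name: str, value: str) -> int:
    """Combine structure, keyword context and entropy into one confidence score."""
    entropy = shannon_entropy(value)
    if kind == "known_format":
        score = 90                       # the format itself is strong evidence
    else:
        score = 0
        if any(w in name.lower() for w in SECRET_WORDS):
            score += 40                  # keyword context
        if entropy >= 3.5:
            score += 40                  # looks random rather than like prose
        elif entropy >= 3.0:
            score += 20
    if PLACEHOLDER.search(value):
        score -= 60                      # documentation or example value
    return max(0, min(100, score))


def _consider(findings, line_no, kind, name, value):
    if fingerprint(value) in ALLOWLIST:
        return                           # previously reviewed false positive
    score = score_candidate(kind, name, value)
    if score >= REPORT_THRESHOLD:
        findings.append(Finding(line_no, kind, name, value, shannon_entropy(value), score))


def scan_lines(lines):
    """Return findings at or above REPORT_THRESHOLD, one per distinct value per line."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        seen = set()
        for fmt, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                _consider(findings, line_no, "known_format", fmt, m.group(0))
        for m in ASSIGNMENT.finditer(line):
            if m.group("value") not in seen:   # not already judged by its known format
                _consider(findings, line_no, "generic", m.group("name"), m.group("value"))
    return findings


SAMPLE_LINES = [  # constructed configuration lines, not taken from any real system
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',                   # AWS docs example key
    'db_password = "changeme"',                                      # keyword, placeholder
    'api_token = "q7Rz2LmX9vK0tY4wB8nP1sD6fG3hJ5k"',                # keyword + high entropy
    'description = "Background worker for nightly report generation"',  # entropy only
    'secret_key = "<your-secret-here>"',                             # keyword + placeholder
    "GITHUB_TOKEN: 'ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8'",     # known format
    'signing_key = "Zp9Rt4Vw7Xy1Bn6Mc3Hd5Jf0Gs2Lq8Kk"',             # allowlisted fixture
]
```

Run against SAMPLE_LINES, only lines 3 and 6 are reported: the documentation example key, the placeholder values, the prose string and the allowlisted fixture are all dropped even though several of them would trip a regex or an entropy check on its own.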

What a proper secrets management approach looks like

A comprehensive approach to secrets management transcends mere protective measures, embedding itself into an organization’s IT infrastructure. It begins with a foundational understanding of what constitutes a ‘secret’ and extends to how these are generated, stored, and accessed.

The proper approach involves integrating secrets management into the development lifecycle, ensuring that secrets are not an afterthought but a fundamental part of the system architecture. This includes employing dynamic environments where secrets are not hard-coded but injected at runtime and where access is rigorously controlled and monitored.

As mentioned earlier, it is essential to take inventory of every single secret within your organization and enrich each of them with context about what resources they protect and who has access to them.

Vaults can be misconfigured to give users or identities more access than they need, or to allow them to perform risky activities like exporting secrets from the vault. You need to monitor all secrets for these risks for an airtight defense.

Following secrets management best practices is about creating a culture of security mindfulness, where every stakeholder is aware of the value and vulnerability of secrets. By adopting a holistic and integrated approach, organizations can ensure that their secrets management is robust, resilient, and adaptable to the evolving cybersecurity landscape.

Parting thoughts

In navigating the intricate realm of secrets management, tackling challenges from encrypting Kubernetes secrets to refining access controls is no easy task. Luckily, Entro steps in as a full-context platform adept at addressing these complexities, managing secret sprawl, and executing intricate secret rotation processes while providing invaluable insights for informed decision-making.

Concerned about false positives inundating your team? Entro’s advanced monitoring capabilities focus on genuine threats, cutting through the clutter of false alarms. Seamlessly incorporating proactive strategies, Entro offers a unified interface for comprehensive secret discovery, prioritization, and risk mitigation.

Ready to revolutionize your secrets management approach and bid farewell to worries? Book a demo to explore the transformative impact of Entro on your organization’s practices.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.



What is Exposure Management and How Does it Differ from ASM?
https://www.indiavpn.org/2024/03/05/what-is-exposure-management-and-how-does-it-differ-from-asm/ (Tue, 05 Mar 2024 12:26:29 +0000)

Mar 05, 2024 | Newsroom | Attack Surface / Exposure Management


Startups and scale-ups are often cloud-first organizations and rarely have sprawling legacy on-prem environments. Likewise, knowing the agility and flexibility that cloud environments provide, the mid-market is predominantly running in a hybrid state, partly in the cloud but with some on-prem assets.

While there has been a bit of a backswing against the pricing and lock-in presented when using cloud infrastructure, cloud is still the preferred provider for the majority of SMBs.

As a result, external attack surfaces are increasingly complex and distributed and, therefore, harder to monitor and secure. This expanded attack surface gives hackers plenty of blind spots and gaps to exploit. Security teams are on the back foot, reacting, often too slowly, to changes in their own attack surface as engineering teams continuously spin up and expose new systems, services, and data to the internet.

This is compounded by the fact that the threat landscape is always changing. Thousands of new vulnerabilities are discovered every month, including vulnerabilities that allow an attacker to gain total control over systems that have to be internet-facing and are meant to support security teams or facilitate secure connections (take the spate of Citrix and Ivanti vulnerabilities that have recently emerged). How can you react to a new critical vulnerability that’s being exploited by ransomware gangs if you don’t even know if your organization is using that technology and exposing it to the internet?

One of the reasons that security teams struggle is that processes are reactive and knowledge about the organization’s attack surface is siloed in the heads of the people who are spinning up those cloud systems. Security teams rely on a sprawl of solutions that generate loads of fragmented data that is difficult to understand, prioritize, and act on. This is where exposure management fits in as an extension of external attack surface management.

What is exposure management in cybersecurity?

As environments evolve and become more complex, so do the tools and techniques needed to secure and protect them. Exposure management aims to reduce that complexity by giving you visibility of all points within your attack surface that an attacker could use to breach your organization and ultimately pose a risk to the business.

Exposure management aims to provide a prioritized list of exposures, with context for each so that you can make an informed decision on what to tackle first and how to tackle it to reduce your business risk.

“Organizations who implement a continuous exposure management program will be three times less likely to be breached by 2026” (Gartner)

Exposure management can also help increase visibility of your entire attack surface, including data assets such as code repositories like GitHub and GitLab, so you can more accurately find opportunities for an attacker and shut them down before they pose too great of a risk to your business.

This means you can better understand the risks you face, and prioritize the attacks that are not just more likely, but more serious. At a time when security teams are overwhelmed with data – over 25,000 vulnerabilities were published in 2022, and we saw that increase to over 26,500 in 2023 – having a clear picture of where to focus your time and effort is becoming essential.

Exposure management vs attack surface management

While both have the same goal, there are important differences between the two. External Attack Surface Management (ASM) is the ongoing process of discovering and identifying assets which can be seen by an attacker on the internet, showing where security gaps exist, where they can be used to perform an attack, and where defenses are strong enough to repel an attack. If you can scan for it using vulnerability scanning then it generally falls within attack surface management.

Exposure management takes this a step further to include data assets, user identities, and cloud account configuration, which helps you understand your exposure and reduce it where necessary.

Here the attack surface includes any of the SaaS products you use. If one of these gets compromised or one of your accounts in your SaaS provider gets compromised, they have information that can be used to facilitate other attacks. So it shouldn’t be forgotten when assessing risk to the business.

Visualize and minimize your exposure with Intruder

Remember what was said about a large attack surface being harder to defend? You can reduce yours by continuously monitoring for changes with an automated vulnerability management tool like Intruder. Get complete control of your vulnerability management to:

  • Discover assets: when new cloud services are spun up and exposed to the internet, Intruder will kick off a scan to find any vulnerabilities so you can fix them faster
  • Know what’s exposed: get complete visibility of your network perimeter, track active and unresponsive targets, identify changes, monitor expiring certificates, and see any ports, services or protocols that shouldn’t be exposed to the internet
  • Detect more: Intruder uses multiple scanners to identify vulnerabilities and exposures across your attack surface giving you the greatest visibility
  • Focus on the big issues: get results prioritized based on context, so you can focus on the most pressing problems without wasting time sifting through the noise
Figure: Intruder continuously monitors and automatically scans your environments as new vulnerabilities emerge

Premium and Vanguard customers can also boost their exposure management with bug hunting, where Intruder’s testers look for the weaknesses and exposures that automated scanners can miss. Get started with a 14-day free trial today.

How to Bridge Privileged Access Management and Identity Management
https://www.indiavpn.org/2024/02/28/how-to-bridge-privileged-access-management-and-identity-management/ (Wed, 28 Feb 2024 18:07:41 +0000)

Feb 28, 2024 | The Hacker News | Zero Trust / Cyber Threat


Traditional perimeter-based security has become costly and ineffective. As a result, communications security between people, systems, and networks is more important than blocking access with firewalls. On top of that, most cybersecurity risks are caused by just a few superusers – typically one out of 200 users. There’s a company aiming to fix the gap between traditional PAM and IdM solutions and secure your one out of 200 users – SSH Communications Security.

Your Privileged Access Management (PAM) and Identity Management (IdM) should work hand in hand to secure your users’ access and identities – regular users and privileged users alike. But traditional solutions struggle to achieve that.

Figure: Microsoft Entra manages all identities and basic-level access. With increasing criticality of targets and data, the session duration decreases, and additional protection is necessary. That’s where SSH Communications Security helps.

Let’s look at what organizations need to understand about PAM and IdM and how you can bridge and future-proof your PAM and IdM.

PIM, PAM, IAM – you need all three of them

Privileged Identity Management (PIM), Privileged Access Management (PAM), and Identity and Access Management (IAM) – all three are closely connected, and you need all three of them to effectively manage and secure your digital identities, users and access.

Let’s quickly review what PIM, PAM, and IAM focus on:

Not all digital identities are created equal – superusers need super protection

Think about this: Your typical user probably needs access to regular office tools, like your CRM or M365. They don’t need access to any of your critical assets.

The identity verification process should correspond to this. A regular user needs to be verified with strong authentication methods, e.g. Microsoft Entra ID, but there’s usually no need to go beyond that.

These typical users form the majority of your users, up to 99.5% of them.

On the other hand, you have your privileged high-impact users – there’s only a small number of them (typically around one in 200 users), but the power and risks they carry are huge because they can access your critical data, databases, infrastructures, and networks.

Similarly, appropriate identity verification procedures should apply. In the case of your high-impact users, you need access controls that go beyond strong identity-based authentication.

Enter the Zero Trust – Borderless, Passwordless, Keyless and Biometric Future

Traditional solutions are not enough to bridge your PAM and IdM. They just can’t handle the security that you need to protect your critical assets. Nor can they offer effective and future-proof security controls for access and identities of your typical users as well as high-impact users.

The future of cybersecurity is borderless, passwordless, keyless, biometric, and Zero Trust.

This means that you need a future-proof cybersecurity model with no implicitly trusted users, connections, applications, servers, or devices. On top of that, you need an additional layer of security with passwordless, keyless, and biometric authentication.

Learn the importance of implementing the passwordless and keyless approach into your cybersecurity from the whitepaper provided by SSH Communications Security. Download the whitepaper here ➜

This article is a contributed piece from one of our valued partners.
Combined Security Practices Changing the Game for Risk Management
https://www.indiavpn.org/2024/02/05/combined-security-practices-changing-the-game-for-risk-management/ (Mon, 05 Feb 2024 12:21:33 +0000)

Feb 05, 2024 | The Hacker News | Data Protection / Threat Intelligence


A significant challenge within cyber security at present is that there are a lot of risk management platforms available in the market, but only some deal with cyber risks in a very good way. The majority will shout alerts at the customer as and when they become apparent and cause great stress in the process. The issue being that by using a reactive, rather than proactive approach, many risks just sit there, dormant, until an emergency happens.

‘Dealing with SOC Operations for more than a decade, I have seen nearly 60 percent of SOC Incidents are repeat findings that keep re-surfacing due to underlying unmitigated Risks. Here the actors may be different, however the risk is mostly the same. This is causing significant alert fatigue.’ – Deodatta Wandhekar, Head of Global SOC, SecurityHQ.

Combining Frameworks and Best Practices

These risks can be prevented. A platform that combines the best practices of multiple frameworks is the solution to tackle this issue.

What is NIST?

The National Institute of Standards and Technology (NIST) plays a central role in presenting companies with an opportunity to develop a comprehensive cybersecurity posture to prevent or lessen the impact of cyberattacks. NIST provides a comprehensive and structured approach to assess, manage, and mitigate cybersecurity risks effectively.

Read ‘Building a Resilient Digital Future: NIST’s Impact on Cybersecurity‘ for more details on NIST structures.

What is MITRE?

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a knowledge base of adversary tactics, techniques, and procedures (TTPs). These TTP’s are based on real-world observations, used by numerous threat actors, that have been made globally accessible to be used as the foundation for threat models and methodologies. MITRE has a ‘mission to solve problems for a safer world, by bringing communities together to develop more effective security.’

Read ‘How the MITRE ATT&CK Framework Has Revolutionized Cyber Security‘ for more information on MITRE practices.

What is NCSC?

The National Cyber Security Center (NCSC) combines expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for Protection of National Infrastructure (National Protective Security Authority, NPSA). It is a London-based organization with the aim of making the UK a safer online place. They work collaboratively with other law enforcement, defense, intelligence, and security agencies and international partners to ensure their data is as accurate and actionable as possible.

Risk Intelligence Combined with SHQ Response Platform

The SHQ Response Platform from SecurityHQ started as a sophisticated cyber incident response solution designed for swift detection, analysis, and mitigation of security threats. It has now significantly evolved so that, according to a recent press release, ‘SecurityHQ has combined its intellectual property and knowledge on risk mitigation and cybersecurity, and merged this with several recognized sources in the industry, including NIST, NCSC, and MITRE to provide actions on how to identify, map, and raise risks.’

‘SHQ Response Platform will help reduce this alert fatigue by focusing on mitigating the common risk. Not just that, it will be quintessential to translate a mere one liner Risk Statement into an actionable mitigation plan. SHQ Response platform makes Risk Creation a very simple process by providing the user with a library of intricately linked Threat Events, Impacts and Controls by leveraging industry standard knowledge base of NIST, MITRE and NVD.’ – Deodatta Wandhekar, Head of Global SOC, security

  1. Calculate the impact of security threats on business.
  2. Calculate the likelihood of risks happening.
  3. Identify different tactics and techniques.
  4. Know how to mitigate risks.
  5. Access everything from a single platform point.

What to Do Next

Orchestrate and enable collaboration, prioritize incidents, visualize risks, and empower integration with Incident Response.

Calculate the impact of security threats and the likelihood of risks happening, and highlight how best to mitigate these risks with Risk Management.

No matter how great a tool’s capability is, remember that a tool is only as good as the experts running/controlling it. To get the full benefits of SHQ Response, you need a team of experts capable of analyzing and acting on data and mitigating the risks. To learn more about Risk Management, contact the team here.

Note: This article was expertly written by Eleanor Barlow, Content Manager at SecurityHQ.

Why the Right Metrics Matter When it Comes to Vulnerability Management
https://www.indiavpn.org/2024/02/01/why-the-right-metrics-matter-when-it-comes-to-vulnerability-management/ (Thu, 01 Feb 2024 18:24:58 +0000)


How’s your vulnerability management program doing? Is it effective? A success? Let’s be honest, without the right metrics or analytics, how can you tell how well you’re doing, progressing, or if you’re getting ROI? If you’re not measuring, how do you know it’s working?

And even if you are measuring, faulty reporting or focusing on the wrong metrics can create blind spots and make it harder to communicate any risks to the rest of the business.

So how do you know what to focus on? Cyber hygiene, scan coverage, average time to fix, vulnerability severity, remediation rates, vulnerability exposure… the list is endless. Every tool on the market offers different metrics, so it can be hard to know what is important.

This article will help you identify and define the key metrics you need to track the state of your vulnerability management program and the progress you’ve made, so that you can create audit-ready reports that:

  • Prove your security posture
  • Meet vulnerability remediation SLAs and benchmarks
  • Help pass audits and compliance
  • Demonstrate ROI on security tools
  • Simplify risk analysis
  • Prioritize resource allocation

Why you need to measure vulnerability management

Metrics play a critical role in gauging the effectiveness of your vulnerability and attack surface management. Measuring how quickly you find, prioritize and fix flaws means you can continuously monitor and optimize your security.

With the right analytics, you can see which issues are more critical, prioritize what to fix first, and measure the progress of your efforts. Ultimately, the right metrics allow you to make properly informed decisions, so you’re allocating the resources to the right places.

The number of vulnerabilities found is always a good starting point, but it doesn’t tell you much in isolation – without prioritization, advisories and progress, where do you start? Finding, prioritizing and fixing your most critical vulnerabilities is far more important to your business operations and data security than simply finding every vulnerability.

Intelligent prioritization and filtering out the noise are important because overlooking genuine security threats is all too easy when you’re being overwhelmed by non-essential information. Intelligent results make your job easier by prioritizing issues that have real impact on your security, without burdening you with irrelevant weaknesses.

For example, your internet-facing systems are the easiest targets for hackers. Prioritizing issues that leave these systems exposed makes it easier to minimize your attack surface. Tools like Intruder make vulnerability management easy even for non-experts, by explaining the real risks and providing remediation advice in easy-to-understand language. But beyond prioritization, what else should or could you be measuring?

Figure: An example of Intruder’s vulnerability management report page

5 top metrics for every vulnerability management program

Scan coverage

What are you tracking and scanning? Scan coverage includes all the assets you’re covering and analytics of all business-critical assets and applications, and the type of authentication offered (e.g., username- and password-based, or unauthenticated).

As your attack surface evolves, changes and grows over time, it’s important to monitor any changes to what’s covered and your IT environment, such as recently opened ports and services. A modern scanner will detect deployments you may not have been aware of and prevent your sensitive data from becoming inadvertently exposed. It should also monitor your cloud systems for changes, discover new assets, and automatically synchronize your IPs or hostnames with cloud integrations.

Average time to fix

The time it takes your team to fix your critical vulnerabilities reveals how responsive your team is when reacting to the results of any reported vulnerabilities. This should be consistently low since the security team is accountable for resolving issues and delivering the message and action plans for remediation to management. It should also be based on your pre-defined SLA. The severity of the vulnerability should have a corresponding relative or an absolute period of time for planning and remediation.

Risk score

The severity of each issue is automatically calculated by your scanner, usually as Critical, High or Medium. If you decide not to patch a specific vulnerability or group of vulnerabilities within a specified time period, this is an acceptance of risk. With Intruder you can snooze an issue if you’re willing to accept the risk and there are mitigating factors.

For example, when you’re preparing for a SOC2 or ISO audit and you can see a critical risk, you may be willing to accept it because the resource required to fix it isn’t justified by the actual level of risk or potential impact on the business. Of course, when it comes to reporting, your CTO may want to know how many issues are being snoozed and why!

Issues

This is the time from a vulnerability going public to having scanned all targets and detected any issues. Essentially, it measures how quickly vulnerabilities are being detected across your attack surface, so you can fix them and reduce the window of opportunity for an attacker.

What does this mean in practice? If your attack surface is increasing, you may find that it takes you longer to scan everything comprehensively, and your mean time to detect may increase as well. Conversely, if your mean time to detect stays flat or goes down, you’re using your resources effectively. If you start to see the opposite, you should ask yourself why it’s taking longer to detect things. And if the answer is that the attack surface has ballooned, maybe you need to invest more in your tooling and security team.


Measuring progress

Prioritization – or intelligent results – is important to help you decide what to fix first, because of its potential impact on your business. Intruder filters out the noise and helps reduce false positives, which is a key metric to track because once you reduce the amount of noise you can circle back and focus on the most important metric – the average time to fix.

Why is this important? Because when you do find an issue, you want to be able to fix it as quickly as possible. Tools like Intruder use multiple scanning engines, interpret the output, and prioritize the results according to context, so you can save time and focus on what really matters.

Figure: When a new vulnerability that could critically affect your systems is identified, Intruder will automatically kick off a scan

Attack surface monitoring

This helps you see the percentage of assets that are protected across your attack surface, discovered or undiscovered. As your team spins up new apps, your vulnerability scanner should check when a new service is exposed, so you can prevent data from becoming inadvertently exposed. Modern scanners monitor your cloud systems for changes, find new assets, and synchronize your IPs or hostnames with your integrations.

Why is this important? Your attack surface will inevitably evolve over time, from open ports to spinning up new cloud instances, you need to monitor these changes to minimize your exposure. That’s where our attack surface discovery comes in. The number of new services discovered during the time period specified helps you understand if your attack surface is growing (whether intentionally or not).


Why these metrics matter

Modern attack surface management tools like Intruder measure what matters most. They help provide reports for stakeholders and compliance with vulnerabilities prioritized and integrations with your issue tracking tools. You can see what’s vulnerable and get the exact priorities, remedies, insights, and automation you need to manage your cyber risk. If you want to see Intruder in action you can request a demo or try it for free for 14 days.
