A CISO’s Perspective on Attack Surface Reduction: Security Trails Fireside Chat with Terence Runge

SecurityTrails Blog - A podcast by SecurityTrails


2021 was a tumultuous period for cybersecurity: it was a record year for the number of reported data breaches. And who can forget the Log4j vulnerability, or the Colonial Pipeline and Kaseya ransomware incidents? Combine that with the continuous growth of cloud adoption and remote-worker sprawl, constant supplier diversification, and mergers and acquisitions, and you get dynamic attack surfaces that organizations can find highly challenging to manage. With the ever-changing IT environments organizations must now handle, CISOs and business leaders are turning to new strategies and solutions to help them understand and reduce their organizations' attack surface.

To learn how modern CISOs are tackling these challenges, we were joined by Terence Runge, a seasoned CISO and CISSP with over 20 years of experience at various cybersecurity companies, and one of the early adopters of our Attack Surface Reduction platform.

"I discovered some private IP addresses being published to public DNS and wanted to know how prevalent it was in the company. I have done some work in this area with open source tools, and had an idea that there were around 1,200 or so exposed systems. Lo and behold, SecurityTrails got involved and discovered that there were several thousand and that the attack surface is very dynamic, growing each day."

In the January edition of the SecurityTrails Fireside Chat, our VP of Sales Scott Donnelly sat down with Terence Runge for a session on the CISO's perspective on attack surface reduction. Key topics included:

What the attack surface looks like in this ever-changing world.
How supplier risk assessments can drive attack surface understanding.
Enforcing policies for remote workers in large organizations.
Why asset inventory is a must for efficient attack surface reduction.
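The leak Terence describes above, internal addresses published in public DNS, is something you can check for in your own records before an external party does. The following is an added example written for this page, not SecurityTrails' platform code or the open source tooling Terence mentions. It assumes you have already collected your organization's A/AAAA records (from a zone export, a passive DNS dump, or an asset inventory), so it runs offline; the example.com zone and every address in it are constructed sample data, and the function names are the example's own.

```python
"""Flag public DNS records whose target is an internal (non-routable) address.

Added example for this page; not SecurityTrails' code. Input is a list of
already-collected (owner, rrtype, rdata) tuples, so no DNS queries are made.
"""
import ipaddress
from collections import Counter

# Address ranges that have no business appearing as A/AAAA targets in public DNS.
INTERNAL_RANGES = {
    "RFC 1918 private": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "RFC 6598 shared address space (CGNAT)": ("100.64.0.0/10",),
    "RFC 4193 unique local (IPv6)": ("fc00::/7",),
    "loopback": ("127.0.0.0/8", "::1/128"),
    "link-local": ("169.254.0.0/16", "fe80::/10"),
}
_INTERNAL_NETWORKS = [
    (label, ipaddress.ip_network(cidr))
    for label, cidrs in INTERNAL_RANGES.items()
    for cidr in cidrs
]

# Constructed sample zone (hypothetical names and addresses, not real data).
SAMPLE_RECORDS = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("intranet.example.com.", "A", "10.20.30.40"),
    ("jenkins.corp.example.com.", "A", "192.168.1.25"),
    ("dev-db.example.com.", "A", "172.16.8.9"),
    ("lb-internal.example.com.", "A", "100.64.0.5"),
    ("localtest.example.com.", "A", "127.0.0.1"),
    ("ipv6.example.com.", "AAAA", "2001:db8::1"),
    ("lab.example.com.", "AAAA", "fd12:3456:789a::1"),
    ("legacy.example.com.", "AAAA", "::ffff:10.1.2.3"),   # IPv4-mapped: hides an RFC 1918 address
    ("mail.example.com.", "MX", "10 mx1.example.com."),  # not an address record, skipped
    ("broken.example.com.", "A", "not-an-ip"),            # malformed rdata, skipped
]


def classify_address(rdata):
    """Return the internal-range label for an IP literal, or None if routable or not an IP."""
    try:
        addr = ipaddress.ip_address(rdata.strip())
    except ValueError:
        return None
    # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) is really an IPv4 address; unwrap it
    # so a private IPv4 address cannot slip through inside an AAAA record.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for label, net in _INTERNAL_NETWORKS:
        if addr.version == net.version and addr in net:
            return label
    return None


def find_internal_exposures(records):
    """Return [(owner, rrtype, rdata, label)] for every A/AAAA record pointing inside."""
    exposures = []
    for owner, rrtype, rdata in records:
        if rrtype not in ("A", "AAAA"):
            continue
        label = classify_address(rdata)
        if label is not None:
            exposures.append((owner, rrtype, rdata, label))
    return exposures


def summarize(records):
    """Count exposures per range; re-run daily to see whether the leak is growing."""
    return Counter(exposure[3] for exposure in find_internal_exposures(records))


if __name__ == "__main__":
    for owner, rrtype, rdata, label in find_internal_exposures(SAMPLE_RECORDS):
        print(f"{owner:28} {rrtype:5} {rdata:20} {label}")
    print(dict(summarize(SAMPLE_RECORDS)))
```

The ranges are matched explicitly rather than through the library's `is_private` flag, because that flag also covers documentation and test ranges and its treatment of the CGNAT block has changed between Python versions; an inventory check should give the same answer on every interpreter it runs on. Hostnames themselves (intranet, jenkins, dev-db) are worth reading too: even where the address is routable, they tell an attacker what the system is.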
How a CISO handles the continuously changing attack surface

Defining an attack surface from the CISO's perspective starts with every system and service an adversary can discover from their vantage point and then use to infiltrate your network. Going beyond systems and services, Terence also counts other assets associated with the organization:

"An attack surface can be made up of any properties associated with the company, and with past acquisitions, as well as any code, public open repositories, keys, passphrases, secrets, both belonging to the company but also to their customers."

Third-party risk

All of the properties that make up the attack surface change every day. Events such as mergers and acquisitions change it too: findings from a security assessment of the target organization's attack surface can make or break the deal.

Suppliers are another important third party in an attack surface. For supplier security, Terence puts location, where the supplier hosts its data, and cyber hygiene at the top of the checklist.

"When assessing a new supplier, we go further than a regular check and look at their attack surface. We do this for several reasons: one is that we will potentially be entrusting them with either access to our systems or our data so we need to know if they have exposures."

Securing the remote workforce

Another important aspect of modern, dynamic attack surfaces is remote workers, and the policies a CISO has to implement in a remote world. Terence highlights strong authentication as the main story for a remote workforce. Multi-factor authentication, single sign-on, VPNs and similar processes for authenticating users are key for Terence, but the device-level basics should not be forgotten:

"Device encryption, policies applied: all of this creates what we call a 'Reltio Authorized Device', a RAD device."
Scanning cloud assets

For any modern IT environment, cloud assets are an expected part of the attack surface. And scanning and enumerating these cloud assets has its own set of challenges, depending on both the size of t...