The concept of continuous security has been steadily gaining speed since the early 2000s, when compliance requirements began to mandate that government agencies and businesses keep an up-to-date inventory of information systems and categorize them based on risk. Keeping an accurate, real-time inventory of assets and systems is no small task – in fact, in order to achieve it, you need to continually discover and map all of the infrastructure components comprising an attack surface. Two decades later, with the introduction of cloud applications, attack surfaces are growing and evolving constantly, making this inventory challenge even more complex.
But securing your organization isn’t as simple as having an updated inventory and visibility into everything on your attack surface – you need to understand what risk each asset presents, how attackers are most likely to break in and where they’re most likely to target, and detect what seeds they may be planting now for a future attack (days, weeks, months, even years from now).
Continuous Security Requires Automation AND Human Expertise
As you might expect, there are significant challenges on the path to achieving continuous testing. Over the years, many tools and solutions have emerged to chip away at those problems, but none of them has looked at the problem holistically or from an organization’s perspective.
Notable gaps include:
- IT Asset Management oftentimes still involves manually tracking known infrastructure and assets, then storing that information in Excel sheets or updating a CMDB by hand. This approach is error prone, requires inordinate resources (both time and people), and is never fully accurate. In today’s dynamic, multi-cloud environments, manual solutions simply can’t keep up, and a significant percentage of the environment goes undiscovered.
- Risk-based vulnerability management tools ingest vulnerability scan data and then attempt to categorize risks by cross-referencing that data with your known assets. These tools are limited to the known infrastructure, leaving changing cloud assets largely unchecked and vulnerable. The other problem with these tools is that they’re only as good as the data they ingest, which leads us to…
- Vulnerability scanners, which automatically scan your inventory list for known issues. The problem is that they only search the assets you know about and feed into them, and they only search for known vulnerabilities, often missing emerging threats and zero days in the process.
Unknown assets are a huge blind spot and leave organizations at risk. To defend against today’s attackers, you need a real-time, up-to-date view of your infrastructure and the comprehensive attack surface combined with the ability to assess vulnerabilities in near real time. While automation can help, it’s not enough.
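The blind spot described above can be made concrete with a small reconciliation step. The following is an added example, not code from this post or from Bishop Fox’s Cosmos platform: it compares a hand-maintained inventory (the CMDB or spreadsheet of the first gap) against what continuous discovery actually observes, then shows which scanner findings an inventory-joined risk tool would silently drop. All hostnames, IP addresses, owners and findings are constructed for illustration and use reserved documentation address ranges.

```python
"""Reconcile a hand-maintained asset inventory against discovered assets.

Added example (not Bishop Fox's or Cosmos's code). Every inventory row,
discovered host and scanner finding below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed: what a CMDB / spreadsheet export might look like.
CMDB_INVENTORY = [
    {"host": "www.example.test", "ip": "203.0.113.10", "owner": "web-team"},
    {"host": "vpn.example.test", "ip": "203.0.113.20", "owner": "netops"},
    {"host": "legacy-crm.example.test", "ip": "203.0.113.30", "owner": "sales-it"},
]

# Constructed: what continuous discovery (DNS, certificate transparency logs,
# cloud provider API enumeration) might return this week. Note the two cloud
# hosts nobody added to the CMDB and the legacy host that no longer shows up.
DISCOVERED_ASSETS = [
    {"host": "www.example.test", "ip": "203.0.113.10", "source": "dns"},
    {"host": "vpn.example.test", "ip": "203.0.113.20", "source": "dns"},
    {"host": "staging-api.example.test", "ip": "198.51.100.7", "source": "cloud-api"},
    {"host": "dev-bucket.example.test", "ip": "198.51.100.9", "source": "cert-transparency"},
]

# Constructed scanner output, keyed by host (finding ids are placeholders).
SCANNER_FINDINGS = [
    {"host": "www.example.test", "id": "FINDING-001", "severity": "medium"},
    {"host": "staging-api.example.test", "id": "FINDING-002", "severity": "critical"},
    {"host": "dev-bucket.example.test", "id": "FINDING-003", "severity": "high"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Reconciliation:
    unknown: list = field(default_factory=list)            # discovered, not in inventory
    stale: list = field(default_factory=list)              # in inventory, not discovered
    orphaned_findings: list = field(default_factory=list)  # findings on unknown hosts


def host_set(rows):
    """Normalised set of hostnames from any list of asset rows."""
    return {row["host"].lower() for row in rows}


def reconcile(inventory, discovered, findings):
    """Diff inventory against discovery and flag findings the inventory cannot attribute."""
    known = host_set(inventory)
    seen = host_set(discovered)
    result = Reconciliation()
    result.unknown = sorted(seen - known)
    result.stale = sorted(known - seen)
    # A risk-based VM tool that joins findings to the inventory only sees
    # findings on known hosts; everything else drops out of the risk picture.
    result.orphaned_findings = sorted(
        f["id"] for f in findings if f["host"].lower() not in known
    )
    return result


def coverage_ratio(inventory, discovered):
    """Fraction of the observed attack surface that the inventory accounts for."""
    known, seen = host_set(inventory), host_set(discovered)
    return len(seen & known) / len(seen) if seen else 1.0


def worst_severity(findings, hosts):
    """Highest severity among findings on the given hosts ('none' if there are none)."""
    ranked = [f["severity"] for f in findings if f["host"].lower() in hosts]
    return max(ranked, key=SEVERITY_RANK.get, default="none")


if __name__ == "__main__":
    r = reconcile(CMDB_INVENTORY, DISCOVERED_ASSETS, SCANNER_FINDINGS)
    print("Unknown (untracked) assets:", r.unknown)
    print("Stale inventory records:", r.stale)
    print("Findings invisible to inventory-joined tooling:", r.orphaned_findings)
    print(f"Inventory coverage of observed surface: {coverage_ratio(CMDB_INVENTORY, DISCOVERED_ASSETS):.0%}")
    print("Worst severity as the inventory sees it:", worst_severity(SCANNER_FINDINGS, host_set(CMDB_INVENTORY)))
    print("Worst severity on the real surface:", worst_severity(SCANNER_FINDINGS, host_set(DISCOVERED_ASSETS)))
```

Run on the constructed data, the inventory covers half of what discovery observes, and the worst issue the inventory-joined view reports is medium while the actual surface carries a critical finding on an untracked host. That gap between the two severity figures is the practical cost of the blind spot, and it is why discovery has to feed the inventory rather than the other way round.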
To be successful, automation requires human experts to make sense of an immense amount of data. With the current shortage of security talent, companies struggle to hire enough in-house experts to keep up. Without those resources, organizations can’t separate the signal from the noise, accurately assess risks, and then determine how to prioritize and remediate issues to have the greatest impact.
To overcome these challenges, we built a continuous attack surface testing solution (we call it “Cosmos,” formerly CAST). It combines automated attack surface discovery, mapping, and vulnerability testing with a team of human experts who analyze, track, and assess risks within your attack surface, bringing the human innovation, expertise, and intuition that machines can’t replicate, at a scale you can’t hire for internally.
Understanding Complexity
Your systems work together, and when one breaks, it can have a domino effect that negatively impacts your business. If an attacker gains access to one area, they can often use information gained there to pivot to your higher-risk areas holding sensitive data.
No automated tool can interpret these complex relationships like humans can, or replace the creative thinking and problem solving an attacker will employ. To bring human expertise back into the mix, most organizations leverage external pen testers to act as attackers and try to break in. These point-in-time tests are incredibly important and provide necessary context for security teams, but they’re limited in scope. You need that high-quality testing performed continuously over time, to track threats across a morphing attack surface, retest mitigations, and detect new issues as they arise.
“We have systems and processes for collecting large quantities of target data from, around, and about a customer,” said Barrett Darnell, Managing Senior Operator on Bishop Fox’s Cosmos team. “The process of data analysis produces rich intelligence about our customers. This task is best done by humans but aided by technology. Tech solutions do a great job of enriching and organizing data, but deriving meaning is where the human mind shines.”
Making sense of the data output by security tools has become one of the primary hurdles most security teams contend with these days, but combining human ingenuity with automated technology brings together the best of both worlds.
Overcoming Data Overload
Most organizations invest a large amount of money in having automated security tools in their arsenal and are left with a massive amount of data and information, but little idea of what steps to take to improve security. In fact, often the guidance and recommendations by the tools in the security stack contradict each other.
“We’ve found that in order to bring real value, we need to filter through data feeds and aggregate data sources to determine what is really attributed to a client’s attack surface,” said Tim Deeb-Swihart, Senior Backend Engineer, Cosmos. “Our technology actively interacts with each facet of the attack surface to make sure it’s active. From there, we know we can begin the pen testing part of the process and start analyzing things for our clients.”
More data isn’t always better. As any security team knows, it’s the quality and accuracy of the data that matters. That meaningful data informs where to apply mitigations and how to prioritize remediations so the important issues aren’t missed.
Security Experts Must Become an Extension of Your Team
As security teams have added more tools to automatically detect known vulnerabilities, they’ve found themselves overwhelmed by a sea of alarms and data points. Typically, they are overburdened, trying to patch systems to prevent the highest risks, but never having time to think about how the issues left behind affect other areas of the attack surface. Crowdsourcing and bug bounties can identify risks missed by automated tools, but they can also add to the noise for already under-resourced teams. What these teams really need are expert allies and partners working alongside them to augment their forces and expertise.
Rather than serving as just another source of data (or perhaps even a distraction to your team), we believe succeeding means having expert testers partner in real time with internal security teams to deliver additional expertise and actionable intel instead of more noise. By combining forces, organizations can overcome the skills gap.
Our approach is to have the Cosmos team work on your attack surface with full communication and transparency with your security team via instant messaging channels. While other partners and solutions work in silos and behind black boxes, the Bishop Fox team discusses findings with your team as they’re found and offers demonstrations of proof-of-concept attacks and exploits that validate those findings and their severity rankings.
Conclusion
The time has come for continuous security. In fact, as attack surfaces continue to evolve at a faster rate and as attackers, exploits, and vulnerabilities emerge daily, continuous testing will likely become a requirement for most organizations in the near future. As an industry, we must ensure that we’re not just adding to the noise for organizations and security teams who are already struggling to keep up. Instead, we need to find a way to continuously test, augment those security teams, and validate issues for them. In doing so, we can enable businesses to improve security with actionable insights and help them overcome the talent shortage. Continuous security is here, and we look forward to working alongside Cosmos clients to solve new problems as they face them.