Is Your Attack Surface a Swiss Cheese? Solving Attack Surface Management (ASM) Challenges

29/05/2025 23 min Season 1 Episode 57

Episode Synopsis

In this episode of The Security Strategist podcast, host Richard Stiennon, industry analyst and author, speaks to Craig Roberts, Principal Software Engineer at Rapid7, about digital exposure and the increasing challenges of Attack Surface Management (ASM). The conversation peels back the layers of hidden vulnerabilities and misconfigurations that plague today's digital world. The speakers offer expert advice on how businesses can better understand, prioritise, and manage their expanding attack surfaces.

"It's all about the kind of different steps an attacker takes. The attack surface simply means when an attacker can exploit to get to my goal and align to my mission," says Craig Roberts, Principal Software Engineer at Rapid7.

Attack Surface Goes Beyond External Scans

Also the Co-founder of Noetic (acquired by Rapid7), Roberts' journey into attack surface management began from a practical observation. He found that many cybersecurity incidents came from overlooked assets, such as unmonitored servers or hosts lacking Endpoint Detection and Response (EDR). "We set out to raise that hygiene bar through preventative controls," he explains.

The typical view of an attack surface is often limited to external website scans. "That's only a small piece of it these days. It's often where an attacker will start. It's an initial foothold. Everything past that point is also still an attack surface." Emphasising the diverse nature of attack vectors, Roberts adds, "We don't have a homogenous way. Attackers both initially gain access and then start moving towards their target." This means that a single misstep or vulnerability across any of these areas can allow an attacker to achieve their objective.

Holistic Exposure Management

Looking ahead, Roberts recommends that CISOs focus on having all enterprise data and understanding their environment across all assets: cloud, users, and traditional infrastructure. Then, layer on an understanding of "exposures" rather than just Common Vulnerabilities and Exposures (CVEs). This includes cloud misconfigurations, identity-related issues like MFA misconfigurations, and zero-days. "Treat those in a similar way because at the end of the day, we need to prioritise those exposures because the attacker isn't going to care about the weapon they use," Roberts concludes. This holistic approach is built on foundational trust in shared data across the various security vendors and tools in use, and such a strategy is crucial for gaining a central view of risk and efficiently mitigating the diverse threats facing modern enterprises.

A key takeaway from the discussion is the importance of understanding an organisation's assets and how critical each one is. Roberts argues that, while organisations may spend significant effort on re-scoring and building "vulnerability intelligence pipelines," it is often not known which critical assets those vulnerabilities reside on. "The asset is a really important thing. How important that is to your business, and what data and mitigations it has in it hugely affects the risk of that vulnerability," he stresses.

Takeaways

Understanding the attack surface is crucial for effective cybersecurity.
Attackers exploit various vulnerabilities to achieve their goals.
Prioritisation of vulnerabilities is essential due to the overwhelming number of CVEs.
Zero-day vulnerabilities pose significant risks that require