Episode 30
The State of Attack Surface Management
With increasing digitization and the use of cloud-hosted assets, managing attack surfaces continues to be a major challenge. A recent survey report on the state of attack surface management (ASM) finds security teams drowning in a flood of legacy and ineffective tools with limited discovery capabilities. The survey findings reveal the need for ASM platforms with advanced digital asset detection capabilities. David Monnier, Team Cymru Fellow, sheds light on the latest ASM platform capabilities and discusses the implementation challenges and success factors.
To access and download the entire podcast summary with discussion highlights: https://www.dchatte.com/episode-30-the-state-of-attack-surface-management/
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Introducer: Welcome to the Cybersecurity Readiness Podcast series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.
Dr. Dave Chatterjee: Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast series. Our discussion today will revolve around the state of attack surface management. David Monnier, Team Cymru Fellow, will share his thoughts and perspectives on this very important subject. Another highlight of our discussion today will be the findings from a very interesting research study that focused on the state of attack surface management. But before we get into all those details, I'd like to take this opportunity to welcome David and have him share with all of us some highlights of his professional journey. David, thanks for being on the podcast.
David Monnier: Thank you, David, thank you very much for inviting us on to talk about our study. So it's always a pleasure to come on. Some background about myself: I'm from the United States. In the Midwest, I had started my career. Originally I was in the US Marine Corps, worked as a noncommissioned officer there. But when I got out of the Marine Corps, I got into working with technology, just out of coincidence, funnily enough, of a computer breaking that I ended up fixing and discovering I had some natural talents. I ended up going to work for Indiana University, working in high performance computing, and from there moving on to their security office, working as a security engineer for them, basically looking after all the campuses around the state. And then shortly after that, I was invited to help come start the Research and Education Networking ISAC, which is an executive-ordered set of organizations largely geared around kind of specific industrial sectors. In my case, it was research and education networking; there are also, like, the financial sector, there is IT-ISAC, and so on. But ISAC is an Information Sharing and Analysis Center, so you could think of it as groups of people working together to share threat intelligence. And then after that, I was invited to join Team Cymru, where I've been for about 15 years, presently working as a Fellow, but periodically helping to spin up new teams for us and identify new product needs and things like that. But I've been practicing for, I think it's 27 years now, something like that.
Dr. Dave Chatterjee: Well, we're delighted to have you on the show. And thanks again for your service. So David, before we launch into talking about the various findings, and I find them very interesting, to set the motivation, the context for the research study: it's a fact that the attack surfaces are evolving, the more digitized we get, the more we go to the cloud. And the hackers are not sitting idle. They're constantly getting more innovative with their techniques, tools, approaches. So it's a moving target for organizations to stay on top of things. I find it almost hard to believe that organizations can be ahead, but if they can, more power to them. So what was the motivation? What led to this very important study that y'all conducted?
David Monnier: Well, very much like you said. So we've been working, Team Cymru, we've been a threat intelligence supplier to the industry since our inception. It's how we began our business. We used to kind of boast that we were the best security company no one had ever heard of, because our research and efforts went into other people's products. So if you're familiar with the company BASF: we don't make antivirus, we make antivirus better; we don't make firewalls, we make firewalls better. You know, this type of slogan, if you remember their advertising back in the day. And that was really the core of our business, and we observe miscreant activities every day. It's a byproduct of our analysis efforts. It's a byproduct of our interest in understanding how the internet is used by society. We happen to feel that the internet is probably one of the greatest creations mankind has ever developed, and we were looking at kind of how the security world was moving towards this notion of attack surface management, where they were kind of blending a few types of technologies together, which you could think of as your vulnerability scanning, your asset discovery. And those things were coming together, and we felt there was an obvious and useful connection for us to be able to add threat intelligence to it. And threat intelligence, you know, when you think of it in terms of defense, a lot of people often just think it's, you know, lists of bad IPs or things like that. But in reality, if you turn it around, it's also lists of IPs of yours that might be bad. So when you think of like reputational data and things like that, what became obvious to us is, you know, if you're doing attack surface management, wouldn't it be great to know what attacks you may have already been subjected to? And to that end, what devices that you already own that may already be compromised? So kind of taking, you know, that idea of knowing how bad things already are to decide, you know, is this a system that I should patch? Or is this a system that I need to completely rebuild, because it's already been compromised? And we saw that obvious need from an intelligence perspective. But then as we started to look at ways that we could apply it to kind of the existing marketplace, we realized that kind of none of the other products that were out there were approaching ASM the same way we were. They were very much looking at things, most people's tools seemed very much geared towards: here's your IP, here's a problem it has, here's something you should do about it. But without really giving the people the ability to highlight which IP or what device, let's use the term device, actually, because the devices just happen to use an IP address. But what devices on the network are most critical to your operation? You know, these tools in the marketplace, they didn't really have a way to highlight which ones were most important. And the devices themselves couldn't really tell you which was important. So we also sat down and said, okay, if you were going to look at ASM, what's the key value piece there? And what we concluded was that risk, understanding the risk to your business, needed to be a piece that was part of it. So what we've approached ASM as is the traditional sense. But what we have attempted to bring to the market as a new offering is the application of intelligence on top of that, with kind of user-definable values for the assets as they're discovered.
Dr. Dave Chatterjee: Okay, thanks for sharing. So just to let listeners know, as far as the methodology and participant demographics go, the study was commissioned on March 14, 2022. 440 security practitioners were surveyed in the US and Europe; the survey was conducted online via Pollfish using organic sampling. All respondents work on their company's security team, and all these organizations are using an attack surface management platform. Their industry representation is also pretty broad, ranging from finance to IT to military and defense, among others. The team size varied relatively little, from less than 10 to over 30. So David, would you like to add anything to that from a methodology and participant demographic standpoint?
David Monnier: Well, we had originally considered making it split into, you know, additional slices, to differentiate, for example, between practitioner and executive, not that executive practitioning isn't practitioning of a sort, but we thought it might be useful to split those out. But in the end, what we found actually was that kind of the bulk of the world really isn't divided up that way; it's only kind of the biggest companies that have those kinds of separations. So when you think of the folks that took the time to fill out the review for us, many of which, most of which I should say, really knew what they were talking about. So to kind of give you that, you know, value of what their answers mean: these are the people who roll up their sleeves every day and actually have to reach into the problem and do something about what they find, you know, not just run the tools. But oftentimes, these were the folks, in particular those smaller teams, those less-than-10-people teams, they were often the same person who helped manage, you know, the patching program, or who helped manage their inventory systems and things like that. So value-wise, these people's opinions are not speculative; they are the practitioners who were largely responsible for making things happen based on the findings.
Dr. Dave Chatterjee: Okay, good to know. Good to know. So let's discuss some of the findings. There are several interesting findings; not sure how much time we'll have to go over all of them, but we can definitely cover some. The first one that I'd like to talk about is that the biggest reason organizations implemented ASM is to increase the visibility of Shadow IT in the enterprise. I think this is very significant. If you would expand on this and also describe what Shadow IT means to the listeners.
David Monnier: Sure, absolutely. So, you know, Shadow IT is a side effect, more or less, of what you could think of as necessary growth. So organizations oftentimes have disparate teams that are spread out in function, but, you know, typically working towards the same goal, you know, keep the company open, keep the company in business, and so on. But what ends up happening is, as needs change, in particular needs in the scope of being able to spin up new infrastructure very quickly and things like that, a lot of companies don't, I don't know what the right word is, I don't want to say don't like to, because obviously they would prefer to do it the right way. But a lot of companies find that policy around asset controls hinders or stifles innovation. And then whether it's real or not, whether that's true or not, you know, we can't really speak to that; I'm sure that's some kind of psychology of the human work experience. But in actual practice, though, with certainty, organizations are hesitant to, you know, have to talk to the IT team. Let me use a practical example. So you have a software development team who has the need to work with some temporary data; they don't want to work with data from some live production database. So they need to set up, you know, a secondary, temporary database. And these folks, you know, oftentimes will spin up an instance in a cloud, or, you know, maybe some new VM even within their infrastructure, but they'll spin it up, they'll put data for use in that, and then they'll make use of the project, right? Well, if your main IT team is unaware that someone on the development team has done this, you now have an asset that is not under centralized control, and the organization itself isn't aware of it. And it's full of data, you know, and presumably, if you're spending the time to develop software to interact with that data, that data must be important. And we read about this all the time. You read about, so for example, Amazon S3 buckets, right? There are these virtual storage instances that people can spin up very quickly and put information in for various purposes, right? But think of it as file storage. And there are tools that you can, you know, you could pull up your favorite search engine and put in and look for, you know, Amazon S3 open bucket finder or something. And you'll see almost every day that there are people who have left these instances open, meaning no authentication, and anybody in the world could identify it, download the data and do something with that. So this is kind of the traditional understanding of Shadow IT, right? It's these things that get stood up that people may not necessarily wholly know about, that the organization itself may not be completely aware of. And the reason why it's such a big issue to folks is precisely the example I gave: data ends up getting exposed this way. And not just, you know, random data; we're talking often legally regulated data, you know, whether it be personally identifying information, whether it be health records, whether it be financial information. I mean, all kinds of stuff gets leaked out this way. So our intention with asking folks that was to see, for our capability, how much effort we should really apply to doing this Shadow IT identification, because it's not easy, right? How do you help somebody find something they didn't know they had? It's not an easy problem. So that was the reason for us to ask. We saw how many data exposure notifications go out. If you ever noticed, by the way, those are never discussed, described as breaches, which if you think about it, it's kind of interesting, the choice of words that people use around those. But those, quote unquote, exposures do add up to a great deal of loss, both in terms of productivity, but, you know, every time PII, personally identifying information, is exposed, there's a lot of times where there's government regulatory components on there where you have to go notify people, or perhaps even a company has to now provide credit monitoring or identity monitoring, you know, based on what type of data was exposed. So those kinds of costs were very, very real. And so we weren't surprised to hear that so many people considered Shadow IT to be such a big problem.
Dr. Dave Chatterjee: Yeah, I mean, it doesn't surprise me either, because as you discussed, Shadow IT gets formed, gets created because certain divisions, certain parts of the organization want to get certain things done, and for whatever reason Central IT is not able to respond in time or as per their expectation, and for other reasons as well. But that creates a problem in terms of data exposure, and you really cannot defend effectively if you don't know where all your vulnerabilities are, where your data is residing, where your applications are residing. So it's great to know that there is a high level of sensitivity towards this challenge. And one of the capabilities of ASM should be to increase the visibility of Shadow IT. So that's a very significant finding. Moving along, another finding that got my attention, which is not surprising, but it validates the fact that more and more applications and infrastructure are in the cloud, which is what 75% of your respondents said. But what is interesting to me is the statement here in the report, which says, "ASM, which stands for attack surface management, is critical for all organizations, regardless of their cloud adoption, but should be an even higher priority for tracking and managing the attack surface for cloud hosted assets." So I guess my question for you, David, is, and you obviously have a better understanding of the evolution of the ASM platform, over the years have they enhanced their capabilities to better monitor cloud hosted assets? Is that what's been the trend?
David Monnier: Well, you know, unfortunately, not really. A big component to this is kind of the discovery problem. And how most vendors choose to remedy this is either by IP space, so IP addresses, Internet Protocol addresses that people use to be on the internet; they are defined and issued out typically as network address space, you'll get a range of IP addresses. Or they will tend to classify their assets based on namespace, which typically, in internet terms, would be something like DNS, where you put in your domain name, let's use an example, you know, foo.com. And as you add things in the form of subdomains or host names to that, in theory, they start to become discoverable. Where the problem with cloud computing comes in is, you know, when you license your ASM product, you're not going to go out and license a product for, and I'm not trying to pick on AWS here, but Amazon's AWS services, one of the world's largest and most popular cloud hosting services in the world, but you're not going to go license an ASM product to scan the entirety of their IP space; it's just not realistic. So you have to know your IPs. And again, it goes back to this problem of, you know, how will you know which are yours? In our case, well, we work with IP addresses, obviously. But in our case, because we are an intelligence provider, we see a great deal of information already, in particular IP space as well as namespace. But we also see things like certificates and keys and all this kind of additional metadata that the internet kind of operates on. So we saw it as kind of an easy evolution to help do these discoveries that nobody else really had, because the other products are requiring the user to know in advance all of their things. Shadow IT by definition means you don't know that you have some of this. So, you know, it's an approach, frankly, that starts off already hindered. So how we change this is we look for, you know, other instances and other examples that we've identified through our other threat exploring and threat hunting efforts that appear to be related to other people's organizations, and we try to highlight those kinds of datasets to better inform the discovery model.
Dr. Dave Chatterjee: Okay. Thanks for sharing. Moving along to another interesting finding, which states that 23% of the respondents said that identification of rogue or unclassified assets is the most valuable capability that ASM has provided their organization. I guess my question here is, you know, shouldn't this be obvious? Shouldn't that be what an ASM is supposed to be doing?
David Monnier: Yes, it certainly is exactly what ASM should be doing. And I think this highlights the shortcoming that I just described, right? So the reason why only 23% of them said that their application of ASM in their workplace was that effective at discovering those things is because the rest of the respondents, you know, the remaining 77%, they are clearly limited, because the only thing that ASM knows about are the things they already know about. So if you already know about it, it's unlikely for something to be rogue or unclassified, right? So this kind of static discovery approach, this is the fruit that comes off that tree when you take a non-dynamic approach to understanding assets in a very dynamic environment, that is what I would call modern, you know, computing. You're going to end up with low numbers like that, because the rest of them, their tools probably just don't identify rogue devices. And that's an unfortunate side effect. Again, this was one of the motivations that led us to create a product for the space.
Dr. Dave Chatterjee: Okay. Now, you know, some of the findings speak to the challenges of deploying and implementing ASM platforms. And these challenges range from lack of integration with existing platforms to the amount of training that's required. And also I found it interesting where the respondents said that they feel that the current platform has become more of a legacy. So my question to you is as follows: when an organization is investing in an ASM platform, they know fully well that at some point it will move towards becoming obsolete. I don't know if obsolete is the right word, but what steps should an organization take, should the security analysts, the security professionals take, to ensure that their ASM platform is performing at a satisfactory level?
David Monnier: Well, I think the initial steps are introvertish, introvertal steps, right? So you have to ask yourself: do I know everything about my network? Do I know all of the devices I have? And if that answer isn't an absolute, certain yes, which, a hint to the listeners, it isn't, then you have to approach the tool sets as: am I going to have a tool that's going to show me things I didn't know to know? And that, in my opinion, is the killer feature. Way more important, in my opinion, is discovery than even, say, the vulnerability management and discovery component, right? Like, if you don't know to know, then you won't get any benefit from it. But if you do discover something that's on your infrastructure that you didn't realize was there, or that your system is reliant on, because there are a bunch of non-system concerns as well. Like, for example, you know, every person's network, they get onto the Internet by way of a set of internet service providers. And what about the safety and reputation of those folks? You know, if your tool can't tell you that your DNS hosting provider has a poor reputation, or that your internet service provider, you know, that the IPs around your IP services are bad, if it's not able to show you these kinds of things, then it suggests that you are probably working with something that is, frankly, like I said, antiquated of some sort. But frankly, let's use the word static. And if it is static, I think in the information age, that should be a huge red flag to you. That if this tool doesn't teach itself to some degree, and I, the operator, am responsible for informing this, then I probably have a tool that is not future-proofed. Not that any tool is completely future-proofed, right? But there are certain methodologies that can help assure a future-proofed capability, and this kind of dynamic discovery is absolutely one of those capabilities. But in the end, I think practitioners, or decision makers, need to ask themselves, how much is this tool teaching me that I didn't already know? And I'm not talking about, you know, that you have a vulnerability on some device you already knew you had. I mean, how much infrastructure is it really exposing to me that I didn't know before? And even inadvertently, you know, if, like I said, maybe someone plugged in some new device on your network. If it's not at least catching those types of things for you, then I would say you have an older tool.
Dr. Dave Chatterjee: Right, makes sense. And I'm glad you mentioned the self-learning capability. So to what extent is AI being used to enhance the functionality, the capabilities, of these ASM platforms?
David Monnier:So in our case, we're not really using AI. Not
David Monnier:that we're against AI per se, but we didn't really see a great
David Monnier:need for it per se, relative to machine learning and machine
David Monnier:learning sense, you know, where there's a human who is, I guess
David Monnier:suggesting, to the system, what it should be doing, as it's
David Monnier:doing it, as opposed to AI where they become somewhat autonomous,
David Monnier:you know. So, in our case, though, is a great deal of what
David Monnier:I would call machine learning, where as assets are discovered,
David Monnier:we look at kind of the nuance of that asset, both from a service
David Monnier:level from an IP level, and then from like, what the operating
David Monnier:system looks like, think of it as a very signal focused view,
David Monnier:internet signal that is, and we use what's discovered to kind of
David Monnier:inform the next level of discovery. So for example, if we
David Monnier:discovered a new, you know, domain within your namespace,
David Monnier:say, you know, again, using this foo.com example, but let's say,
David Monnier:yesterday, you didn't have www.dev.foo.com. And today,
David Monnier:we're seeing that name being looked up in passive DNS data,
David Monnier:we know that you have some new asset out there somewhere, and
David Monnier:can then start to go looking for it. And that type of informed
David Monnier:learning is precisely how we approach this, but it's a
David Monnier:continuous thing, you know, what happens 24 hours a day, we
David Monnier:continuously learn about the surface of the internet as a
David Monnier:whole, for that matter. But in particular, you know, of the
David Monnier:asset tools for folks. And then those assets, as we kind of
David Monnier:learned from them, we go to look for similarities. And we say,
David Monnier:Okay, what's just like this, but maybe, you know, isn't
David Monnier:previously known. And we show you, hey, here's these potential
David Monnier:things that we think might be related to you. And we let the
David Monnier:the individual decide like, Oh, this is related to me, or Oh,
David Monnier:no, this isn't me, but sure looks a lot like me. Maybe this
David Monnier:is a phishing site or something, you know, there are other
David Monnier:approaches and other outcomes aside from your own attack
David Monnier:surface, you know, that you can discover using the kind of
David Monnier:machine learning metal method that we use. But I don't know
David Monnier:that AI will ever totally get there for what it's worth.
David Monnier:Because I, I still think that when it comes to ASM, the human
David Monnier:component is required, like AI won't know the difference,
David Monnier:unless you share with it all of your client configurations, AI
David Monnier:won't know the difference, for example, between your primary
David Monnier:active directories host and some dev Active Directory host. So,
David Monnier:they will both appear to be running the same services. But
David Monnier:you as the human know that one of them has your actual users,
David Monnier:and maybe another one has dummy data. So you can prioritize and
David Monnier:say, Ah, this IP, this host, this asset, is my actual Active
David Monnier:Directory directory server, whereas this other one is not.
David Monnier:So don't show this as a high risk show this other one as the
David Monnier:high priority asset. And for that reason, I don't know that
David Monnier:AI will ever really fill in in this role. But we'll see.
Dr. Dave Chatterjee:Okay, good to know. So talking about the
Dr. Dave Chatterjee:human component, and in this discussion, we have been talking
Dr. Dave Chatterjee:about attack surfaces, more from a physical standpoint, devices,
Dr. Dave Chatterjee:and so on, so forth. How about humans as attack surfaces as
Dr. Dave Chatterjee:very vulnerable attack surface? What are your thoughts about,
Dr. Dave Chatterjee:you know, you know, are we doing better in terms of securing that
Dr. Dave Chatterjee:very vulnerable attack surface? Can tools help us secure that
Dr. Dave Chatterjee:attack surface? What are your thoughts?
David Monnier:Well, I hate to be a naysayer. But things aren't
David Monnier:getting any better there, it seems. If you look at the SANS
David Monnier:survey comes out every year, if you look at the US government's
David Monnier:breach report, or Verizon, they they publish a report any of
David Monnier:these reports, if you go look at them continuously, for the last,
David Monnier:you know, I mean, since forever since these reports have been
David Monnier:produced, the number one compromised source is still
David Monnier:stolen credentials. And the number one method for that is
David Monnier:still some type of phishing, or some type of social engineering
David Monnier:still, so nothing seems to really be changing there. The
David Monnier:tools and the tactic techniques being employed to gain access to
David Monnier:this type of information, haven't really needed to change
David Monnier:much, because the human element is still you know, largely the
David Monnier:same. And I say this all the time, until listeners who may
David Monnier:have heard me on any other podcast or may tune in who or
David Monnier:who happened to listen to ours, probably have heard me say many
David Monnier:times, but we still work and live in a world where everything
David Monnier:is kind of magic. And the majority of people who are
David Monnier:relying on technology, still have absolutely no idea how it
David Monnier:works, and therefore can't really spot things when they
David Monnier:aren't correct, right. And for the longest time, vendors tried
David Monnier:to implement methodologies like if you recall, you know, It was
David Monnier:always look for the lock icon in your browser window and make
David Monnier:sure that that's always there. And so miscreants just started
David Monnier:to put a block of the locked lock icon right on in the
David Monnier:content of a phishing effort. And people would say, Well, I
David Monnier:saw the lock, so I figured it was safe. And here we are. And
David Monnier:I'm not talking about fools here. I'm talking about, you
David Monnier:know, Board members and C-level operators and decision makers,
David Monnier:you know, around the world, in the largest companies in the
David Monnier:world, the most capable, most successful people in the world
David Monnier:still fall victim to this stuff. So unfortunately, I just don't
David Monnier:know that any of that can be changed, either, you know, where
David Monnier:we move to these concepts like zero trust, or you look for the
David Monnier:behaviors of of specific devices and try to key on that. But
David Monnier:realistically, by the time you're keying in on a behavior,
David Monnier:it may already be too late, right? So the stolen credential,
David Monnier:the credential reuse, so you know, what, however you want to
David Monnier:call them, there's variations of, of the methodology, the
David Monnier:attack, but they all come down to an imposter, if you will.
David Monnier:That still turns out to be, you know, if not, number one, top
David Monnier:three, year after year, way, way back, I remember when it was
David Monnier:attacks where like buffer overflows were the primary method, and
David Monnier:people were, you know, looking for at the software stack, for
David Monnier:what ways to gain entry. And then along the way, somebody
David Monnier:figured out that we don't even need to talk to machines, talk
David Monnier:to the people, and that people will just give you access to the
David Monnier:machines. And that hasn't changed. And unfortunately, I
David Monnier:don't know that it will change. We look to incorporate that type
David Monnier:of intelligence, though, into our ASM to let folks know, you
David Monnier:know, when they have account level risks that are there,
David Monnier:we're looking to add that capability as well.
Dr. Dave Chatterjee:Awesome. That's awesome. Yeah, I think
Dr. Dave Chatterjee:that's a very difficult challenge when you're trying to
Dr. Dave Chatterjee:secure every individual that works for an organization,
Dr. Dave Chatterjee:whether it's through training, or whether it's through some
Dr. Dave Chatterjee:some some sort of technology. So that's, that's a very big hurdle
Dr. Dave Chatterjee:to overcome. But anyhow, moving along, so we've had the chance
Dr. Dave Chatterjee:to discuss some findings that I found significant or
Dr. Dave Chatterjee:interesting. Are there any others? Or is there anything
Dr. Dave Chatterjee:that you'd like to address that you found interesting, or
Dr. Dave Chatterjee:something that surprised you all?
David Monnier:Well, one of the things that surprised us, I
David Monnier:think, was something that I touched on at the beginning of
David Monnier:our conversation here, we were kind of surprised that we that
David Monnier:we weren't able to just apply intelligence to kind of the
David Monnier:tools that were already out there, we thought we thought it
David Monnier:would be it would be possible for us to like find someone we
David Monnier:could kind of go with our typical business model, which
David Monnier:was being intelligent supplier, we were kind of surprised to see
David Monnier:that none of the offerings out there really met what we felt
David Monnier:were what you would want in the marketplace as the, you know, as
David Monnier:the consumer. And we were surprised that by that because
David Monnier:we weren't in the space. You know, there were already lots of
David Monnier:expertise in the space. There's a lot of people out there who
David Monnier:already have these types of tools, but they weren't seeing
David Monnier:the problem the same way we were. And we're not totally sure
David Monnier:why that is. I'm not, you know, proposing were geniuses or
David Monnier:anything like that. In fact, I can assure you we're not. But it
David Monnier:was interesting to us as intelligence practitioners, how
David Monnier:we saw the world as opposed to say, security practitioners. And
David Monnier:when you think about ASM, you think attack surface management,
David Monnier:you automatically think in terms of security, but really what if
David Monnier:you really think about it, ASM is an intelligence tool. ASM is
David Monnier:is being self aware is some type of self aware intelligence
David Monnier:capability that you then key on to other capabilities to the
David Monnier:backup. So as you learn something new, aka as your
David Monnier:intelligence increases, you then have some action to do. So
David Monnier:perhaps it's vulnerability scan this device, perhaps it's
David Monnier:updated inventory management component, perhaps it's disable
David Monnier:the switch port that the device is plugged into, if you can,
David Monnier:because it wasn't plugged in there yesterday. And it's, you
David Monnier:know, not an authorized device. But any way you look at it, and
David Monnier:regardless of the outcome, that initial step really is an
David Monnier:intelligence step. And that was kind of surprising to us. And I
David Monnier:think it's a side effect of like I said, our approach has been
David Monnier:for lack of a better term intelligence applied to
David Monnier:security, as opposed to security applied to asset management. And
David Monnier:so because we kind of approached it from that step back, I think
David Monnier:we came up with different what I would call killer features, you
David Monnier:know, for something if we were going to make it and then the
David Monnier:end result when we went out looked to see, you know, to make
David Monnier:sure there was really nothing out there like it and discovered
David Monnier:there wasn't. We were kind of surprised by that. Because like
David Monnier:I said, we were you know, I wouldn't say we're late to the
David Monnier:party, but we definitely weren't first people in the ASM space.
David Monnier:So that was kind of a surprise to us.
Dr. Dave Chatterjee:Another question that comes to mind
Dr. Dave Chatterjee:based on attack reports that are published in the media, where
Dr. Dave Chatterjee:often times organizations are accused of not promptly reacting
Dr. Dave Chatterjee:or responding to alerts that they receive from various types
Dr. Dave Chatterjee:of monitoring tools, technologies, service providers,
Dr. Dave Chatterjee:various types of intelligence sources. So, going back to this
Dr. Dave Chatterjee:platform, the ASM platform, which obviously is there to help
Dr. Dave Chatterjee:organizations have a better understanding of their attack
Dr. Dave Chatterjee:surfaces provide advanced warning. Now, have you all
Dr. Dave Chatterjee:thought of a feature whereby, you know, there is some kind of
Dr. Dave Chatterjee:a logging that certain alerts certain notifications went
Dr. Dave Chatterjee:unheeded, or went unresponded? Or there is a, there's a way of
Dr. Dave Chatterjee:notifying multiple personnel just to make sure that this, the
Dr. Dave Chatterjee:signal doesn't get go unheard? Or do you see my question from
Dr. Dave Chatterjee:where I'm coming?
David Monnier:Yes, absolutely. And we have, so we're not trying
David Monnier:to reinvent the wheel at every turn. So an AR capability, we
David Monnier:have, obviously, incorporate the idea of external APIs so that
David Monnier:you can trigger to, you know, specific systems, or if nothing
David Monnier:else, at least, have the notion of roles or groups within the
David Monnier:tool so that if a specific category of event happens,
David Monnier:notify a specific group of people. Exactly. Yeah, of
David Monnier:course, those capabilities are there. But what we really think
David Monnier:is one of the key differentiators, at least for
David Monnier:our approach is this ability for individuals to prioritize assets
David Monnier:themselves, so that you're not, so that you're not required to
David Monnier:react to every "high or critical event," because you know, not
David Monnier:every device is created equal, not every service is equal. And
David Monnier:frankly, there's only so much time in the day. And if you have
David Monnier:to pick between defend the mothership or defend a rowboat
David Monnier:out in the dock, you know, you're going to defend the
David Monnier:mothership, hopefully. So your tool, if it's not aware that is
David Monnier:going to be that's going to be a problem. So we've approached
David Monnier:them in the terms of both communication level, tuning,
David Monnier:group and role tuning. And then also asset prioritization tuning
David Monnier:as well.
Dr. Dave Chatterjee:Fantastic, because that's been one of my
Dr. Dave Chatterjee:concerns, one of my pet peeves, that if you have access to all
Dr. Dave Chatterjee:this intelligence, access to all these tools, you must have a
Dr. Dave Chatterjee:good governance system in place where you're paying heed to the
Dr. Dave Chatterjee:alarms that are being raised. Talking about governance, this
Dr. Dave Chatterjee:is my final two part question to you. Okay. So let's say an
Dr. Dave Chatterjee:organization decides to buy or invest in a new ASM platform, as
Dr. Dave Chatterjee:we all recognize that just investing in a tool is not good
Dr. Dave Chatterjee:enough to extract the maximum value from it. There is a people
Dr. Dave Chatterjee:aspect to the implementation, there's a process aspect to the
Dr. Dave Chatterjee:implementation. So if you had to make recommendations to
Dr. Dave Chatterjee:potential buyers, or investors of this platform, what does it
Dr. Dave Chatterjee:take to prepare the organization, so they can
Dr. Dave Chatterjee:effectively use such a platform, what would you say?
David Monnier:I have a very simple answer to your at least
David Monnier:the first part there, and that is the will to do something
David Monnier:about it. You mentioned compliance, regulatory typically
David Monnier:is that you know, these kinds of policy concerns are usually what
David Monnier:drive people implementing ASM solutions. And those external
David Monnier:drivers are rarely effective motivators, in fact, there are
David Monnier:whole own entities and organizations that carry
David Monnier:adequate insurance to pay the fines for non compliance,
David Monnier:because they wholly expect to be out of compliance because they
David Monnier:consider the compliance component, a burden. So the
David Monnier:first thing that I propose is that be willing to do something
David Monnier:with the findings, you know, don't approach ASM as a
David Monnier:something that you have to do because someone else said so.
David Monnier:But recognize that someone else said so because what you do is
David Monnier:important to the world, to society, to people, you know,
David Monnier:perhaps even you know, to relatives and things like that.
David Monnier:I mean, and think of the impact of what happens if you turn this
David Monnier:thing on and discover that you have something bad going on? A
David Monnier:lot of people are hesitant to turn on a tool like ASM because
David Monnier:they know what's going to come out the other side is going to
David Monnier:be something they're gonna have to do something about. And I'm
David Monnier:not saying that people are lazy, but I will tell you that only
David Monnier:bodies in motion tend to stay in motion, I think is the is the
David Monnier:adage, right? So if bodies aren't in motion to begin with
David Monnier:going and getting an ASM tool isn't going to set them in
David Monnier:motion at all. So my number one advice to anybody considering to
David Monnier:go down the path of implementation of ASM is one be
David Monnier:willing to do something that you find but number two, be willing
David Monnier:to actually use it because it's going to make your job easier,
David Monnier:it's going to make your life easier. And kind of taking the
David Monnier:ostrich, you know, head in the sand approach that doesn't help
David Monnier:anyone. And like I said, think of the people using the service.
David Monnier:Think of why it is that you're running the service to begin
David Monnier:with. Think of those people think of that money, think of
David Monnier:you know, whatever is the driver, but think of that stuff
David Monnier:and ask yourself, how important is this to everybody? And how
David Monnier:willing am I to keep it working and keep it going, and ensure
David Monnier:that willingness is present and communicated to all of your
David Monnier:staff, you know, if you have people, maybe as this tool turns
David Monnier:out work to do, if you have a bunch of other people there that
David Monnier:are going to have to be doing the actual work, make sure that
David Monnier:they understand make sure they are all bought in. But I know
David Monnier:that's a silly answer to a technical question, because it's
David Monnier:not technical at all, if you will, the answer is not
David Monnier:technical at all. It's it's human will. So sorry, that was a
David Monnier:very verbose thing to what I had warned was going to be a simple
David Monnier:answer, but simply have the will to do something about it.
Dr. Dave Chatterjee:Well, I think that's a very sound
Dr. Dave Chatterjee:advice. It's a very wise answer. And that's what most
Dr. Dave Chatterjee:organizations struggle with. It's the softer side of things
Dr. Dave Chatterjee:that organizations struggle with more than the harder side of
Dr. Dave Chatterjee:things, not trying to suggest that implementing technology
Dr. Dave Chatterjee:effectively is any easier, but providing the appropriate
Dr. Dave Chatterjee:governance, around technology implementation around leveraging
Dr. Dave Chatterjee:these tools can be equally if not more challenging. And I want
Dr. Dave Chatterjee:to reiterate what you said about having the will having the
Dr. Dave Chatterjee:commitment. In my book on Cybersecurity Readiness: A
Dr. Dave Chatterjee:Holistic and High-Performance Approach, one of the top
Dr. Dave Chatterjee:cybersecurity success factors, which I share in the context of
Dr. Dave Chatterjee:the framework that I propose is the top management commitment.
Dr. Dave Chatterjee:Another related factor is creating and sustaining a
Dr. Dave Chatterjee:We-Are-In-Together culture where everybody gets involved. This is
Dr. Dave Chatterjee:just not the SOC team that can make miracles happen. Everyone
Dr. Dave Chatterjee:has to play their role. So taking this example of the
Dr. Dave Chatterjee:attack surface management platform, obviously, specialists
Dr. Dave Chatterjee:will be running this platform, and they have to be adequately
Dr. Dave Chatterjee:trained. Because if you don't have good training, you can't
Dr. Dave Chatterjee:get most out of these platforms. But then, as you mentioned, when
Dr. Dave Chatterjee:you get those that feedback, and I love what you said,
Dr. Dave Chatterjee:oftentimes, we don't want to probe in a certain direction, or
Dr. Dave Chatterjee:we don't want to invest in certain things, because we don't
Dr. Dave Chatterjee:want to know what we don't know. You can go with it in many
Dr. Dave Chatterjee:different ways. I don't want any further education, because that
Dr. Dave Chatterjee:will enlighten me on my lack of awareness, right? Absolutely. So
Dr. Dave Chatterjee:so here we go in the context of ASM, you are investing in it
Dr. Dave Chatterjee:because you truly care. Because you truly want to do your part
Dr. Dave Chatterjee:in trying to secure as best as you can, we all understand that
Dr. Dave Chatterjee:you cannot secure everything and that you will never be in a
Dr. Dave Chatterjee:situation where your systems can't be compromised. But you
Dr. Dave Chatterjee:know, putting your best foot forward and doing everything you
Dr. Dave Chatterjee:can, and constantly monitoring these devices constantly making
Dr. Dave Chatterjee:sure you have an oversight team, you have a incident response
Dr. Dave Chatterjee:team or why by whatever name, you may want to call this team.
Dr. Dave Chatterjee:Bottom line, again, it boils down to asking yourself, the
Dr. Dave Chatterjee:fundamental question we've invested in this platform, are
Dr. Dave Chatterjee:we making full use of it? Are we getting what we wanted from it?
Dr. Dave Chatterjee:And if there is a deficiency, what is it? And how do we
Dr. Dave Chatterjee:address it? So that kind of active proactive approach is so
Dr. Dave Chatterjee:so critical. So David, we're running out of time, I'd like
Dr. Dave Chatterjee:you to share some final thoughts.
David Monnier:Yeah, so much of what we've said today, probably
David Monnier:sounds somewhat elementary to folks. And I'd ask everybody to
David Monnier:kind of consider why that is, like, why does something so
David Monnier:obvious, or seemingly obvious, you know, once it's explained to
David Monnier:you, why is it still so rare? And why is it? Why is it's not
David Monnier:happening in broader scale? And we should ask ourselves these
David Monnier:questions, because we are the people who are the solution,
David Monnier:right? Even if we're just the user, we can go ask the provider
David Monnier:and say, Hey, why are you why are if you're not doing this?
David Monnier:Why Why aren't you and start to kind of apply that, you know,
David Monnier:upward pressure and everything that we're doing, because, like
David Monnier:I said, we're all reliant on technology, this is not going to
David Monnier:go away. I mean, barring some type of Corona event where you
David Monnier:know, we have a sun flare, knock everything out, you know, we're
David Monnier:we're in this for the long haul, you know, capitalism alone is
David Monnier:going to drive things towards lower cost solutions. I mean,
David Monnier:that's just that, that's the direction of that energy. And if
David Monnier:we're not looking at it as an I don't, I'm not trying to paint a
David Monnier:dire picture. But if we don't I paint it as a very, very serious
David Monnier:component of our entire existence, I fear that we're
David Monnier:going to miss something. So when it is that, you know, someone
David Monnier:comes along and kind of upsets a space, arguably, as we have with
David Monnier:these new capabilities, we should ask ourselves, why why
David Monnier:why is that? And? And if that was like that, what more could
David Monnier:we be doing? And of those, what more's, how many of those things
David Monnier:are unknown. So like, if you're out there, and you have an idea,
David Monnier:you think like, oh, man, you could even then go add on to X,
David Monnier:Y, or Z, share that idea, or start up in a solution, because
David Monnier:frankly, the world needs it. We're getting more and more
David Monnier:reliant on technology, more and more of our whole life, data
David Monnier:wise, is stored electronically. And for us to be such so reliant
David Monnier:on something that's seemingly under constant attack and
David Monnier:continuously growing, and just, you know, out of hand, we should
David Monnier:be asking, you know, is everything being done that we
David Monnier:could, and I don't mean just asking of ourselves, but like I
David Monnier:said, we should be asking the people that we take services
David Monnier:from, you know, what are you doing to secure my things that
David Monnier:you, you know, have possession of? So I know, again, that's
David Monnier:kind of, you know, the lofty answer, but I think it really
David Monnier:does, it comes down to mass participation, like you said,
David Monnier:it's that we can do attitude, it's absolutely critical. We're
David Monnier:all subject to the technology. So let's at least make it work
David Monnier:to our will. And that's, that's what I think would be a bright
David Monnier:future. And if everybody got involved, including just every
David Monnier:user, so absolutely,
Dr. Dave Chatterjee:Absolutely! Well, David, this was great.
Dr. Dave Chatterjee:Thanks for your time, for your insights, I know the listeners
Dr. Dave Chatterjee:appreciate it.
David Monnier:Thank you Dr.
Dr. Dave Chatterjee:A special thanks to David Monnier for his
Dr. Dave Chatterjee:time and insights. If you like what you heard, please leave the
Dr. Dave Chatterjee:podcast a rating and share it with your network. Also,
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.