The cyber attack surface just keeps growing to the point that it seems endless. Protecting it all is impossible. Is there anything that can be done to reduce that attack surface and limit your exposure?
Check out this post for the discussion that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Jonathan Trull (@jonathantrull), CISO, Qualys.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor Qualys
[David Spark] The cyber-attack surface just keeps growing to the point that it seems endless. Protecting it all is impossible. Is there anything that can be done to reduce the attack surface and, well, limit your exposure?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. Joining me for this very episode, you know him very well, his name is Steve Zalewski. Steve, make some noise that you would make if your vocal cords work properly, which I believe they are currently.
[Steve Zalewski] All right. Hello, audience, for another great episode.
[David Spark] We’re guaranteeing it. In fact, I’m going to give people double their money back, the audience that’s listening, should this not be a great episode. Are you with me on this, Steve?
[Steve Zalewski] Absolutely.
[David Spark] There you go. Two times zero is…? Zero. There you go, they all figured that out. Our sponsor for today’s episode is Qualys. Qualys, which I know our entire audience knows Qualys, but we’re going to be talking about a specific area, about exposure management or attack surface management on today’s episode, and they actually offer cybersecurity asset management themselves, but at a new level. And we actually had talked about this I think about a year ago, and it’s actually quite developed over time, and we’re going to hear more about this on today’s episode.
But I want to bring up – prior to this episode, Steve – I was chatting with our guest about the topic of attack surface reduction, and we were debating what it meant, or attack surface management. Steve, you pointed out that you had posted on a very similar topic but referred to it as “exposure management” also questioning what the heck does this actually mean. Now, is this a new security development philosophy or is it just a rebranding of vulnerability management? And what value does it have in comparison to other popular theories? And again, these are just philosophies on security such as zero trust and defense in depth. I mean, they all kind of cross over, don’t they? It’s just about the approach. Your take.
[Steve Zalewski] I would say in this case, it’s not just about the approach, it is not coalescing to the same thing. I believe what we’re foundationally talking about here is vulnerability management as a traditional play in looking at my perimeter, and exposure management which was not just looking at vulnerabilities but looking at exploitabilities, the likely ways that I am going to be attacked and focusing on the exposure and the exploits rather than the vulnerabilities and the patches.
[David Spark] Good way of thinking of it. Well, we are going to discuss this topic, what it means, what this kind of approach to security can do for your environment. And the person we have joining us is our sponsored guest from Qualys, he is the CISO, it’s none other than Jonathan Trull. Jonathan, thank you so much for joining us.
[Jonathan Trull] Yeah, thanks for having me on the show. Excited to participate in this great topic.
What’s the issue here?
[David Spark] Abhishek Singh of Araali Networks said, “Attack surface management versus vulnerability management – is it more around detecting accidental and new exposure versus monitoring for unknown, unmitigated exposure?” And Pramod Gosavi of JupiterOne said, “In cyber, it would mean you have known vulnerabilities, but you cannot fix it and you have to manage the exposure. Its more about known knowns than unknowns.” So, there’s a lot of different theories here, Steve, about what is known, what you do know and can’t fix, and whether you need to fix it or not just because the vulnerability doesn’t necessarily mean you’re exposed, as you mentioned in the opening. Your take?
[Steve Zalewski] So, identify, detect, prevent, respond, recover. I think what we’re seeing here is each of those being considered, and there’s some name collision, name overlap that is talking about what phase are you in that cyber lifecycle of looking at the problem and knowing what to do about it. And so when I see these two quotes, they’re both right because they’re both touching different parts of that elephant. And so what I see as such a positive thing when I first looked at these new phrases and seeing them come out was I thought, “Well, is this the analysts giving us another way to rehash the problem or actually is this the beginnings of the maturity for us to realize the problem is twofold, but within vulnerability versus exploitability, we still have to do the visibility, detection, prevention, response?”
[David Spark] That was quite a mouthful there, Steve.
[Steve Zalewski] Well, this is supposed to be Defense in Depth, right?
[David Spark] Yes.
[Steve Zalewski] So, we’re here to talk about the truth and not beat around the bushes, so I just gave it to you all out.
[David Spark] All right. Jonathan, your take on these quotes and how Steve approaches this.
[Jonathan Trull] Yeah, listen, I agree. I think both of these quotes are accurate, actually. I think they represent, when we talk about whether it’s exposure management or attack surface management, the overall challenge that we’re trying to get our arms around. Which is with anyone’s environment, there’s always some unmanaged assets from the standpoint of the CISO or the security organization. Controls fail and so I think we’re always trying to get our arms around these unmanaged assets. And again, those could be traditional assets, cloud assets, they could be a piece of software.
[David Spark] And this includes the assets you don’t even know about, is that what we’re also referring to like came up here?
[Jonathan Trull] Exactly. Exactly. Oftentimes the security team may have been skipped in some type of deployment process, it didn’t go through the proper change controls, and some type of asset was unmanaged by the security team. It didn’t have the traditional security review, security tools that were placed on it. And so its state of compliance with corporate policy could be well off what would be the expectation, but it’s unmanaged by security.
[Steve Zalewski] So, I’m going to riff on this because I went technical and David rightly so said, “Hey.” So, let me try it again.
[David Spark] That’s quite all right.
[Steve Zalewski] I know.
[David Spark] I’m not reeling you in.
[Steve Zalewski] Reel me in. Let me give you an example of what the issue is here, and it’s something I did at Levi’s several years ago. If I have a perimeter that I’m trying to protect, what do I do? I’ll come in and I’ll do an assessment, I’ll bring somebody in to look at my controls, I’ll bring somebody in to do a pentest, I’ll potentially bring in the white hats to find flaws in my attack surface and pay them. Now, that’s great. Those are all one-time static exercises that the moment that I’m done they’re useless because it was a point in time and my perimeter is dynamic, it’s not static.
So, when we start to move into that kind of a conversation, it became, well, when the attackers look at my perimeter, they have tools and they have techniques not to actually do the direct attack but to look at my perimeter and see if it is suspect that it’s likely attackable, and if so in what direction. So, that if I have a website like levis.com and I’m pushing out new changes all the time, what’s secure now may not be secure 20 minutes from now on the next push. So, when we talk about this exposure management or attack surface posture management, what we’re trying to say is how can I get a more real-time view of what my defensive perimeter looks like so that as weaknesses might be injected, I’m having an opportunity to take a proactive response at the same time that the bad guys are seeing that I am vulnerable?
What should we be measuring?
[David Spark] Jason Hoffman, Global CISO over at Saba Software, said, “Vulnerability management is a technical security term. Exposure management seems like it’s moving towards risk management, and boards want to hear things in terms of risk. Vulnerability management already has exposure built in – it’s called impact.” And Clifford Ziarno of World Fuel Services said, “This may be a fairly small brain but isn’t everything exposure management? Being very similar of threat modeling as a holistic life concept!” Jonathan, there’s a lot of debate here about terminology but I kind of like Clifford’s comment of like, “Isn’t it all exposure management? Isn’t that what we’re doing?”
[Jonathan Trull] Yeah. I think to a certain extent it is, right? As security professionals, what we’re thinking about first and foremost is to give the attacker the most limited amount of exposure to attack in any given situation. And honestly, the term was founded in the software development practice, so things like configuration, like how would you securely access an application. Well, let’s not give someone four different methods. Let’s do one and really lock it down. And so I think the terminology isn’t necessarily new, but I would say I think the term actually better resonates with board level and C-level decision makers.
[David Spark] As per Jason’s comment, yeah.
[Jonathan Trull] Than vulnerability management, honestly, right? Like vulnerability management, I think oftentimes is thought of as very tactical. You get a patch, you deploy a patch, check that it works, great. But when we start talking about exposure management, we start thinking about like assets exposed to the internet, we start thinking about our employees and are they susceptible to some type of exposure that would put us at risk, and I think it’s a more comfortable topic for boards to talk about, honestly.
[David Spark] Well, heck, anyone not in cybersecurity too. Steve?
[Steve Zalewski] So, I’ll go back to this is actually a very positive conversation in my mind because a lot of CISOs, a lot of security practitioners are technologists, and they came in under the CIO, and we talked about vulnerabilities and patching to make the problem go away, and we still spend a lot of time there. But as we’ve moved to become cyber risk CISOs and talk about identify, detect, prevent, respond, recover, and we start to move to cyber risk, then exposure and exploitability, as Jonathan says, that’s the language of the executive team and the audit committees of the boards. So, we’ve moved now from being a technologist to a business risk practitioner, and that was a huge step.
[David Spark] And you’re better accepted at this point too.
[Steve Zalewski] You’re better accepted because you’re speaking their language, but you’re also starting to think about risk as they think about it relative to your value to the company. And so I kind of go through that because I say this is a great episode because the fact that we are now looking at exposure management or exploitability is really telling us that more and more the industry is understanding that they have to move to that language, but they also have to move to that philosophy. And that’s what’s going to make progress for us to be able to do better at holding the bad guys at bay.
[David Spark] That’s a good point and I want you to tag off of that, Jonathan. I started by saying is this a different philosophy for security professionals, but as Steve points out, it’s not a philosophy for security professionals, it’s a philosophy for everybody but them to communicate to security professionals. What do you think about that take?
[Jonathan Trull] I think as the profession has evolved, we are trying to be more aligned with how business decisions are made, right? And I think for a long time, there was always the idea can we get down to a zero exposure rate, and you simply can’t. There’s always some level of exposure in any business decision. And being able to translate a very technical type of thing like Log4j or whatever, SSH exposed to the internet, and what that means from an exposure to the company. That translation is really what moves you into kind of that C level, business level decision making. And truly, I think that’s why almost repurposing the way you think about a vulnerability management program to be an attack surface reduction or exposure management program really elevates it. It puts it into a much more strategic level of interest for you as a CISO, for the CIO, for those in your organization. So, I think that simple way of translating between the technical to the risk exposure components really make security a more acceptable and understanding business decision for any company.
What are they looking for?
[David Spark] Bishop Bettini, CISO over at LifeOmic, said, “According to M87 Cyber Security, ‘exposure management’ involves: 1. Knowing your assets; 2. Understanding your weaknesses; 3. Prioritizing your risks; 4. Adjusting and responding.” Seems like a good process right there. And he goes on and says, “Sounds like a tactical implementation of the sixth requirement of GRC principled performance: ‘Prevent, Detect, and Reduce Adversity and Weaknesses.'” David Hazar of Next Level3 Software said, “This is a little broader than attack surface management and really boils down to how much risk an organization is willing or should take on. Yes, we can reduce our attack surface, but what about choosing not to do something that requires us to store more sensitive data? Or implementing zero trust concepts that reduce the quantity of data or systems that are accessible in the event we are compromised? We rarely go back and revisit decisions we made years ago, and that could be increasing our exposure.” I really like that last comment, Steve.
[Steve Zalewski] Yes. And what I like about these two is Bishop is an awesome technologist. He just told us from a technologist’s perspective, “This is what you have to do to lock down your company and make sure that you’re safe.” What David’s doing is saying, “Yes. But when you can’t do that, how do I manage my risks? How do I manage my vulnerabilities? How do I talk about to the business can I make some changes to how I deploy my technology?”
But ultimately what both of those are doing is trying to get to a conversation that goes something like this, “Hey, I need to manage the likelihood that I’m going to get a takedown on levis.com that’s going to expose my consumer data.” And the exploitability from that perspective is that I am using an awful lot of offshore contractors, and we don’t have all of the training that we should have so that they’re following a good security practice. Versus, “Hey, our software development lifecycle process, I’m trying to bolt on Veracode so I can do some code testing checking and the application development team doesn’t want to do it.” That’s the difference in the conversation that’s being called out here, which is the latter is where we were, the former is where we need to be to talk about exploitability as a business perspective, to then be able to do what David and Bishop were saying which was, “How do I revisit my perimeter knowing how I want to have a business conversation on exploitability?”
[David Spark] Jonathan, I like this idea of revisiting where we’re at because this comment about we rarely go back and look at old decisions and how they’re impacting us, and my feeling is that has a lot to do with configuration drift, when things, you set them, and you never come back to them, like, “Oh, geez. What the heck just happened?”
[Jonathan Trull] Yeah, yeah. No, I think where we find ourselves as a security team getting in trouble are typically decisions that were made many years ago that drifted from policy with some type of exception that was given at the time, that based on current conditions and attacker techniques and procedures, really isn’t the right decision any longer. And so what I really like about these two comments is when I think about how you would divide up a very tactical program to deal with this. I think one is very much get your assets under management and table stakes, in my opinion, is alerting to any significant deviation or unmanaged asset exposed to the internet. And the reason that is is because, listen, it’s easily attackable. Anything exposed to the internet is open to anyone. There’s really not a lot of layers of additional defense and depth between that, again, open port, that new service that was exposed, to an attacker anywhere in the world.
But then you have the other component which David talks about which, listen, is near and dear to my heart, which is really think about the design and the deployment of the applications and the solutions. And it’s not just about, again, vulnerabilities. It’s about do we need to collect the data. If I don’t need PII, I don’t want to protect it, I don’t want to manage it if there’s not a really good need. And I think unfortunately what we see oftentimes is that developers will say, “Well, let’s just log everything. Let’s log everything because maybe we’ll need it at some point in time.”
[David Spark] That is a common, common thing. And one of the other things, and we haven’t brought this up, but we’ve brought this up in past shows, it’s the classic case of holding onto really ancient data and how vulnerable that makes you and exposed. I’m talking about like just leaving hard drives in a closet, it can be as simple as that. That’s not a good idea.
[Jonathan Trull] That’s a great point. I think any amount of data at some point needs to be deleted and removed, once you get through whatever contractual or compliance requirements that you have to meet. Because again, anything you’re holding on that’s sensitive or controlled data, that’s exposure.
[David Spark] And the key thing, and let me add to that, is that’s expensive.
[Jonathan Trull] It is.
[David Spark] I think we’ve fallen into the trap of thinking to store data is incredibly cheap, if not close to free. But holding onto what you just said, it’s really expensive.
[Jonathan Trull] Oh, absolutely. And as you think about that, as you hold onto more data for an indefinite period of time, the risk of some type of exposure grows because the amount of data and the amount of sensitive data you’re holding and managing, and your obligations are growing. And honestly, I think it’s kind of an unknown or unrecognized cost of most organizations, they often don’t think about that. But when I really think about getting mature from an exposure management perspective, it is reducing, as you build applications and choose certain solutions and how you’re going to use them and configure them, to minimize that overall risk to your organization. That’s a big component of any program, I think.
No one said it would be easy.
[David Spark] Yaron Levi who’s CISO over at Dolby Laboratories, been a guest many times here, said, “For a long time we were talking about the perimeter, and then many people said that the perimeter disappeared, but I would argue that it didn’t. In fact, it transformed to be a collection of hundreds or thousands of smaller perimeters.” Interesting take. Steve?
[Steve Zalewski] Yes. So, I want to go back to when we started this show. What we talked about here is what is attack surface reduction, how do we do it, and then we talked about exposure management as is that one and the same, what are we trying to do? And it’s interesting because whether you believe in attack surface reduction or you believe in exposure management, it does come back to assets, it comes back to knowing what you’re accountable to protect. And what’s interesting about what Yaron said, for me, is whether you think of it as a thousand small perimeters or a reestablishment of a new perimeter with third party risk and imputed fourth party risk, the point being here you can’t protect what you can’t see. And so in reevaluating the assets that you have to manage. And now with a lot of third party and cloud, I think the key is do you want to do it in the traditional method of identifying the assets and then trying to protect them or is exploitability actually mandatory that we have to go to a risk-first approach because whether you think of it as a thousand unique assets or an extra hundred thousand assets, it’s net new.
[David Spark] Jonathan, so this theory of the perimeter is far from disappeared, it’s just become many, many, many smaller ones. It’s definitely a different way of thinking and a different way of thinking of your exposure.
[Jonathan Trull] Yeah. I definitely think that what we’re all facing these days is multiple different perimeters, some that are fully within our control, some that are shared with cloud providers that we’re leveraging. Some of that is fluid in nature. And I’ll give you an example of your traditional employee desktop. If they’re connecting to a corporate network in a physical location or through a VPN, maybe it is behind many layers of kind of traditional network defenses. But listen, if they’re sitting at a coffee shop and they’re connecting to a Wi-Fi, suddenly that exposure, that perimeter looks very different just for that one device. So, I think the perimeter’s always honestly been a very fluid concept.
If you talk to most pentesters and you review a lot of these incidents, I spent a lot time doing incident response, be hard on the outside and soft in the middle network design was never a good philosophy. So, I think thinking about your exposure has to be really a 360-degree evaluation. It’s got to look at third parties that you’re leveraging, cloud assets and even what form of cloud right? Is it an IaaS, PaaS, SaaS workload? Because again, your responsibility changes and the exposure to the perimeter changes, and then you have to come up with a strategy for trying to gain control of that. Sometimes it’s through identity, sometimes it’s through networking, sometimes it’s through hardening a specific device. But you definitely have to think much more holistic than, “Hey, this is my domain, this is the network IP address space I control.” If you only think about that, you’re probably going to miss some significant exposure points.
[David Spark] It’s inevitable.
[Jonathan Trull] Yeah. Everyone, whether you like it or not, your perimeter and your exposure is much larger than just, again, your IP addresses that you own.
[Steve Zalewski] Which Jonathan brings up a good point here which was let’s do a little maverick thinking for a moment.
[David Spark] Ah. Maverick. Love it. By the way, just so the audience who just tuned in to Steve, this is his setup for you’re going to hear something you haven’t heard before and you may or may not like it. Go ahead.
[Steve Zalewski] Okay. So, thousands of small perimeters, and all new perimeter and third party, which is we still have a default that we think about the assets that we’re managing are things. And more and more, what we’re managing is intangibles. We’re managing people, we’re managing data, we’re managing objects, and so this concept of data has an identity. Everything has an identity. That exploitability in a traditional sense, or vulnerability management meaning we’re patching software, is becoming less and less of the conversation. So, the maverick thinking here is what we really have are all kinds of identities and establishing those thousands of smaller identities out there to be able to know how to then manage the perimeter so that if there’s an exploit, we can do something about it, I think is also part of this zero trust conversation that David talked about. So, as all of us out there as security practitioners are looking at this concept about exploitability management and asset management, we really want to think about it as now that the perimeter has moved, are we identifying the right assets that we’re supposed to be managing?
[David Spark] Good point.
[David Spark] And that brings us to the end of the show, but it’s a portion of the show where I ask both of you which quote was your favorite and why, and I’m going to start with you, Jonathan. Do you have a favorite quote and why?
[Jonathan Trull] Yeah. I really liked David Hazar’s quote, and again, he broadens I think the topic of attack surface to really where it needs to be, and he rightly divides up the conversation between managing what you currently have in the exposure and then obviously dealing with things that are going to be moving into your environment to reduce the attack surface before it moves into production. So, his quote really resonated with me.
[David Spark] Excellent. Steve, your favorite.
[Steve Zalewski] I’m going to go with Yaron Levi’s quote but I’m going to actually modify it slightly. Because he says, “For a long time, we were talking about the perimeter, and then many people said that the perimeter disappeared, but I would argue that it didn’t. In fact, it transformed to be a collection of hundreds or thousands of smaller perimeters.” I’m going to say what that really means is it’s transformed to a collection of hundreds of thousands of smaller perimeters. Because as I look at that with maverick thinking, when you’re looking at identities and everything is identity, you’re taking it magnitudes higher in the assets that you identify with trying to protect and with how you can protect them.
[David Spark] Good point. Excellent. Well, thank you very much, Steve. Thank you very much, Jonathan. Jonathan, I let you have the very last comment here but I’m going to set you up on a few things. First, I’m going to say thank you to your company Qualys for sponsoring this episode, and just generally being a phenomenal sponsor of the CISO Series, we greatly appreciate it. Now, for those of you people listening that just walked into cybersecurity yesterday, Qualys is spelled Q-U-A-L-Y-S and if you were to throw a .com at the end of it, you’d get to their site. The question I ask all our guests, Jonathan, is are you hiring, so make sure you have an answer to that. But first, Steve.
[Steve Zalewski] Okay. I want to say thank you to the audience. This was a very difficult show. We talked about a lot of concepts; we didn’t just talk about a lot of examples. But I’m really excited because like I said when we started the show, Jonathan did a great job of talking about assets and how Qualys works, and I kind of talked about some of the larger direction that we’ve gone. So, for me for people listening, I want to say thank you for continuing to support us and giving us this opportunity to kind of talk about where we have to go as well as the journey of how we get there.
[David Spark] Excellent. All right. Jonathan, anything you want to talk about what Qualys is doing right now? And let me know if you’re hiring, and also how people can follow up with you should they want to do that.
[Jonathan Trull] Sure. So, at Qualys, we obviously are laser focused in developing technologies that help CISOs and their teams solve very difficult challenges. And I think attack surface management is one of those that we put a lot of energy and focus on, [Inaudible 00:29:08] asset manage it, web app security issues, traditional vulnerability management whether on prem and in the cloud, posture management. All of those things have to be automated and have to have clear data made available very quickly to decision makers. And so we pride ourselves on being one of the core tools for the security practitioners and for CISOs out there. With that said, we are hiring absolutely for all roles and all positions, both internal on my security team, those that are helping work with our customers as architects and deploy products in a secure and effective manner. So, definitely hiring. So, if you’re interested in working for a great company, obviously let me know. You can reach me on LinkedIn is probably the best way to get in touch with me.
[David Spark] We’ll have a link to it on our post for this episode linked to your profile.
[Jonathan Trull] Fantastic. I check my messages daily and so please reach out if interested in connecting.
[David Spark] By the way, if they mention they heard you on here, it will at least get you a response.
[Jonathan Trull] That’s right.
[David Spark] That’s what I’m claiming right here.
[Jonathan Trull] That’s right.
[David Spark] It helps. All right. Thank you very much, Jonathan. I appreciate it. Thank you to our audience, we appreciate everything that you do, your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please – write a review. Leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.