Mapping Your Attack Surface For Compliance


Your attack surface is in a constant state of flux.

Businesses are becoming more connected to their vendors through supply chains and other digital channels, and the resulting attack surface is in a constant state of flux. In 2014, we witnessed the impact of a poorly protected attack surface from a cybersecurity standpoint: the Target breach through their HVAC partner [1]. Only now the problem has become much more commonplace rather than confined to larger vendors like Target, blurring the network boundaries between them, their vendors, and their customers. It is hard enough to keep track of your boundary’s security compliance with the many security frameworks, regulations, and international, national and local laws, but now your perimeter’s security is being influenced by your vendors’ security posture, for better or worse, and by the vendors that influence them, and so on. This requires a new risk and compliance methodology that is contextually driven and robust enough to understand this shift in partner complexity.

Building a Surface Risk and Compliance (SRC) Framework

One way to build this new approach is with a Surface Risk and Compliance (SRC) framework. We built this framework in response to customers hoping to map attack surface with compliance, data protection, and attack frameworks. How does it work?

The SRC framework builds a contextual view into an organization’s cyber risk across five dimensions of influence: reach, risk, relevance, impact and threat:

  • Reach is a company’s reliance upon other vendors for services, goods, or productivity, referred to as the vendor audience.
  • Risk identifies the issues found that have potential to cause harm to your company and its reach.
  • Relevance is the compliance or posture of your company and its reach in relation to the risks found. 
  • Impact represents the level of severity of a compromised risk compared against the company’s business and customer delivery model. 
  • Threat is the chain of adversary tactics and techniques that can be used against those risks found across the company and its reach. 

Identifying Cyber Risk and Compliance

Together, these five dimensions identify a company’s true cyber risk and compliance posture and how it is influenced by its vendor audience.

How do we put the framework into action? By developing a perspective on each of the individual vendors and the company they support. The initial data points in this framework include:

  1. Reach: Obtaining the vendors that provide services and support to the company
  2. Risk: Identifying a list of exposed assets, and their attributes, on the network perimeter that can potentially be compromised or weaken the security posture of an organization and their vendor audience
  3. Relevance: Understanding the risks in terms of exposed, misconfigured, and non-compliant services as mapped to required security frameworks (e.g., CMMC, NIST 800-171, Section 889(b), HIPAA, HITRUST, etc.)
  4. Impact: Assessing the severity of various types of exposures in the context of an organization’s customer delivery model and critical assets (e.g., data sensitivity levels as related to FIPS 199, GDPR, etc.)
  5. Threat: Aligning specific real-world adversary tactics and vulnerabilities that could target relevant exposures, as aligned to common frameworks and threat intelligence contexts (e.g., MITRE ATT&CK, OWASP, specific threat intelligence feeds)
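As an added illustration (not code from the original article or from Expanse), the following Python example joins the five data points above into one prioritized list of findings for a company and its vendor audience. The vendor names, addresses, the service-to-requirement and service-to-technique mappings, and the ordering rule are all assumptions constructed for the example.

```python
from collections import deque

# All data below is constructed for illustration (assumptions, not from the article).
RELIES_ON = {                       # Reach: direct vendor relationships
    "acme": ["vendor-a", "vendor-b"],
    "vendor-a": ["vendor-c"],
    "vendor-b": [],
    "vendor-c": ["acme"],           # cycles occur in real supply chains
}
EXPOSURES = [                       # Risk: exposed perimeter assets and attributes
    {"owner": "vendor-a", "asset": "203.0.113.10:3389", "service": "rdp", "fips199": "high"},
    {"owner": "vendor-c", "asset": "203.0.113.20:21", "service": "ftp", "fips199": "moderate"},
    {"owner": "vendor-b", "asset": "203.0.113.30:443", "service": "https", "fips199": "high"},
    {"owner": "acme", "asset": "203.0.113.40:23", "service": "telnet", "fips199": "low"},
    {"owner": "unrelated-co", "asset": "203.0.113.50:3389", "service": "rdp", "fips199": "high"},
]
# Relevance: illustrative service -> NIST SP 800-171 requirement mapping
CONTROLS = {"rdp": "3.1.12", "ftp": "3.13.8", "telnet": "3.13.8"}
# Threat: illustrative service -> MITRE ATT&CK technique mapping
TECHNIQUES = {"rdp": "T1133", "ftp": "T1040", "telnet": "T1040"}
IMPACT_RANK = {"high": 0, "moderate": 1, "low": 2}   # FIPS 199 levels

def vendor_audience(company):
    """Breadth-first walk of the vendor graph; returns {name: hops from company}."""
    hops, queue = {company: 0}, deque([company])
    while queue:
        current = queue.popleft()
        for vendor in RELIES_ON.get(current, []):
            if vendor not in hops:          # guards against cycles
                hops[vendor] = hops[current] + 1
                queue.append(vendor)
    return hops

def contextual_findings(company):
    """Join the five dimensions and order findings for remediation."""
    hops = vendor_audience(company)
    findings = []
    for exp in EXPOSURES:
        control = CONTROLS.get(exp["service"])
        if exp["owner"] not in hops or control is None:
            continue                        # out of reach, or no mapped requirement
        findings.append({**exp, "hops": hops[exp["owner"]], "control": control,
                         "technique": TECHNIQUES[exp["service"]]})
    # Assumed ordering: highest impact first, then closest to the company.
    return sorted(findings, key=lambda f: (IMPACT_RANK[f["fips199"]], f["hops"]))

if __name__ == "__main__":
    for f in contextual_findings("acme"):
        print(f["fips199"], f["hops"], f["owner"], f["asset"], f["control"], f["technique"])
```

The exposure on a second-tier vendor is still reported because reach is computed transitively, while the asset owned by a company outside the vendor audience is dropped.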

Now we have a framework with contextual analysis that empowers security leaders to identify non-compliance within their sphere of influence, know how adversaries will attack their customer delivery model, decisively prioritize remediation of exposed assets by what is truly critical, and measure their compliance in terms of practiced evaluation methods. This flips the script on checkbox math by turning a contextual risk rating into an informed conversation that allows security leaders to evaluate not only a vendor’s cybersecurity posture, but also the role the vendor plays in their company’s business model and capacity for growth. It views risk as an informed decision that can drive innovative approaches while at the same time protecting the security interests of their company.

Expanse can provide a real-time contextual evaluation and rating based on preliminary standards such as NIST 800-53r4/5, NIST 800-171, PCI, CMMC, and other related models. Our solution is purpose-built for this exact issue. It allows programs and companies to identify all of their vendors, illuminate their exposed and vulnerable assets, define the criticality of services within their vendor surface area, use that same criticality rating to understand where sensitive information is at risk, and map specific threats to those risky services to generate a contextualized view of risk.

Can Expanse help you?
Expanse doesn’t require any installation or additional agents. Download a datasheet to learn how Expanse can help you reduce your attack surface. You can also request a demo and we’ll bring actionable insights about your enterprise to our very first meeting.

Sources:
1 https://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/