Steps to Solutions

Integrated Defense: Optimizing ASM Tooling and Processes

Step 1: Define, understand, and prioritize

Optimizing ASM begins with defining “discovery.” Until recently, “discovery” focused on understanding VMs and devices in your own subnet. But the attack surface has evolved to include domains and subdomains; your organization’s APIs for building corporate applications and integrating third-party resources; and the data, systems, and users that connect to your corporate systems via the Internet.

Any of these portals can be exposed to the dark web, a source for capturing credentials and other information about users and assets. Today, “discovery” means systematically probing for potential vulnerabilities across the attack surface.

When it comes to ASM, there is no silver bullet for discovery. A thorough approach requires a mix of tools that access and aggregate the right data for your organization.1 One expert described this process as “understanding your ‘onion’—how your tooling is built out to protect your organization.”

Discovery tools need to evaluate exposure in depth, and they must integrate to offer breadth of coverage. Tooling can be deployed at different levels, including:

ASM passive scans, which capture all externally accessible problem points.
Risk profiling, which adds threat intelligence to passive scan results and aids in prioritizing remediation efforts.
Continuous validation (CV), which closes the loop by ensuring remediation measures work—then uses red teaming to probe for weaknesses and invoke SOC responses, which can be further evaluated for efficacy.

¹See “ASM/CV: Vendors to Watch, Know, Understand”

[Source: Stratascale 2021]

These capabilities are necessary to establish an effective ASM approach, which includes:

Automating discovery: Using a combination of tools to see potential vulnerabilities arising from the cloud, remote workers and customers, external data feeds, IoT, and other sources.
Applying intelligence to evaluate threat vectors: Understanding the most critical vulnerabilities and identifying ways to address those exposures.
Remediation: Taking effective action to protect systems, networks, data, users, and more.
Validation: Ensuring remediation efforts have been effective.

Effective process management optimizes the value of internal and external resources. An example of a management framework that can be applied is the OODA Loop, which consists of four stages:

Observe. Identify threat sources, either as a point-in-time snapshot or an ongoing activity. ASM best practice is the latter: continuous discovery, achieved through use of integrated tools.
Orient. Analyze and synthesize observations of threat sources with respect to their urgency and criticality, then prioritize for remediation. Use automation to identify common remediation measures addressing specific vulnerabilities.
- The inventor of the OODA Loop, Colonel John Boyd, considered orientation to be the most important part of the process "since it shapes the way we observe, the way we decide, the way we act."²
Decide. Use previous observation and orientation to develop a strategy and move forward. In the context of the SOC, this stage involves multiple decisions that distribute action items to the staff best able to respond to the threat.
Act. After the decision, follow through with a physical response. As noted above, this step (like "decision") should be primarily managed by the SOC.

²Boyd, John R. “A Discourse on Winning and Losing,” page 243.

Type your content here…

Integrated Defense: Optimizing ASM Tooling and Processes

Step 2. Enhance staff resources through partnerships and processes

The scarcity and high cost of cybersecurity professionals has led most organizations to partner with third-party specialists. These firms can build domain expertise in key areas that do not require deep business-level understanding—such as capabilities and best integration practices for automation tools—that deliver real cost- and resource-effective value to the corporation. There are additional reasons for using third parties as well, including the fact that they, like the attackers looking to exploit vulnerabilities, are external to the organization and have a different perspective than the corporate cybersecurity team.

Internal cybersecurity staff should manage other essential ASM functions. The internal SOC team understands the criticality and business risk associated with specific assets, which is the most important factor in prioritizing remediation efforts. It is best positioned to remediate threats, since it understands how a defensive measure applied to one system might create a performance or security issue in another. It’s also attuned to what actions might address a more serious incident. As one expert opined, “think of an external provider as being like a roofer or firefighter, and the internal staff as a homeowner. The service provider can apply a patch to stop leaks or can extinguish a fire, but the homeowner needs to determine the extent of the damage and the appropriate remedy.”

The OODA Loop applied to cybersecurity

The OODA Loop emphasizes iteration, which aligns with the demands of responding to numerous threats and the broader business objective of agility. In actual practice, the loop can become quite complex, requiring coordination of many individual tasks. With respect to cybersecurity, these tasks should include integrating front-end (continuous discovery) and back-end (continuous validation) automation within a process that enables rapid alignment of the corporate security posture with the volatile external attack surface.

Use the OODA Loop to understand options in several related areas: It identifies how and why business requirements for inputs, analytics, and rapid deployment will continue to expand, and it can be used to illustrate an ASM/CV process that spans observation, action, and validation.

[Source: Stratascale 2021]