Recommendations

ASM/CV in Practice: Putting

It All Together

Practical steps towards automating discovery and validation

Cybersecurity professionals often begin strategy analysis by asking “What are you securing and protecting, and why?” This is a useful first step in evaluating ASM as well. Threat prioritization is rooted in an understanding of the criticality and business value of specific assets and informs the four recommendations below.

1. Integrate business risk with continuous monitoring and testing to understand and validate your overall risk profile.

In the same way that having an incomplete understanding of the overall breadth of the attack surface creates the potential for exposure, discontinuous awareness of the environment’s current state may allow vulnerabilities to remain unnoticed until they are exploited.

There is a current, growing, and inescapable need for using automation to address business risk.

The era in which an annual pen test represented a valid approach to discovery has long since passed. In fact, so has the era in which manual processes are sufficient. Contemporary ASM requires automated, continuous discovery and validation: Daily passive scans of the environment, supplemented by automated exploits (via automated red teaming, Pen Test as a Service, or similar means), are emerging as important elements of a future-ready risk management posture.

These capabilities are most effective when coupled with a formalized understanding of business risk and asset value. Clear asset priorities enforced by the SOC, potentially with the help of Policy-as-a-Service systems, provide a sound foundation for effective ASM.

2. Establish, document, and track your risk profiles.

The ability to respond rapidly to highest-priority threats requires the SOC (and the systems used by SOC professionals) to understand which threats require immediate attention. The SOC needs clear priority guidance as well as support to identify best response options and to avoid alternatives that may create performance or security problems elsewhere in the corporate environment. Leaders should recognize this work is not a "set it and forget it" exercise: They need ongoing tracking and updated documentation associated with risk profiles to align current resources with evolving threats.

3. Identify gaps in capabilities, processes, and technologies to find potential opportunities to lower your risk profile.

ASM relies on systems that identify threats and vulnerabilities across the breadth of the organization. However, establishing comprehensive coverage will likely entail multiple tools, and the resulting complexity may itself create a source of risk.

Practical steps towards automating discovery and validation

Best practices call for security leaders to create a framework for understanding factors that impact the attack surface and the ways that tools, third-party suppliers, and internal staff combine to discover, prioritize, remediate, and validate ASM. Staff in the SOC, especially, need to react to automated inputs, make use of dedicated tooling, and make decisions and take actions based on their experience, training, and policy guidelines. And where external suppliers are part of the overall delivery of ASM/CV, it is important for management to ensure successful two-way interaction between internal teams, outsourcers, and consultants by integrating processes and aligning reporting templates.

Defining ASM/CV for the enterprise

[Source: Stratascale 2021]

Practical steps towards automating discovery and validation

4. Articulate a holistic vision of the ASM/CV approach to internal stakeholder constituencies.

To succeed, organizations must implement effective alignment and communication. The benefits of doing so span multiple objectives. For example, implementing a common set of processes and reporting templates drives common understanding (and pursuit) of objectives that need alignment between internal and third-party resources. Similarly, the ASM/CV vision has the most impact when it connects across three critical constituencies:

Responsible parties, who need to test, articulate, or subscribe to a common view of ASM.
Adjacent parties, who need to understand how new assets will fit into the ASM framework.
Dependent parties, who rely on the effectiveness of the total risk management strategy as they pursue enterprise business objectives.

Relationships in the ASM/CV responsibility/value chain

[Source: Stratascale 2021]

In all cases, effective communication is essential to building awareness throughout the organization and can help the security team position itself as supporting innovation across the business.