CISOs understand that the smaller a company’s attack surface, the fewer areas need to be protected. Keeping a low profile lets you make better use of your resources, as Esther Shein reports in this edition of Expert Focus by SC Magazine, which examines how organizations can enhance their cybersecurity by reducing their attack surface.
One might think that large, high-tech enterprises that are often the targets of cyberattacks would be the most knowledgeable and experienced in cybersecurity. After all, those in technology-driven industries must know more than those in non-tech fields that are less often targeted, right?
One might think that, but one would be wrong. Before David Lagacé arrived at the 50-year-old Montreal-based telecommunications infrastructure provider Telecon in mid-2018, security was done on an ad hoc basis.
It was not the primary focus of the company, which was founded in 1967, he says, adding, “If we had time to do security, we would.” With 3,200 mostly mobile users and some 2,500 endpoints and devices to manage across Canada and the U.S., Telecon’s attack surface is broad.
Because of the company’s prior stance, Lagacé, Senior Manager of IT Security for Information Technology, knows the company has been living on borrowed time. “You’re only as lucky as your next infection,” he notes wryly.
In his first 90 days on the job, Lagacé discovered that software patches had not been applied; once they were, he made sure systems were put on a regular patching schedule.
Telecon also lacked any vulnerability scanning capability that would let IT check for new common vulnerabilities and exposures (CVEs), report them, and get the operations team to mitigate any issues.
Ideally, security teams would patch all known vulnerabilities and update hardware and software on a regular basis, effectively reducing their attack surface to virtually zero. Of course, that is not realistic in today’s hyperscale enterprise environment, where new assets are added as demand dictates, making it a challenge for IT to keep up.
Many organizations today are also managing hybrid environments, adding to the complexity. To manage such a dynamic attack surface, organizations need to ensure they have the right set of security controls in place to reduce the chance that an attacker can exploit that attack surface.
These security controls should prevent zero-day payloads from executing; identify newly discovered malicious behavior; prevent common and uncommon attack vectors; and take decisive, automated response actions without the need for human intervention.
Most of all, these security tools need to be resilient and require minimal updating, without degrading their ability to protect the environment.