Agencies need to defend a far more nebulous infrastructure than they did just a few years ago. Today, as agencies transform their operations digitally, they must support users anywhere, anytime and on (almost) any device.
“That reality makes attack surface management (ASM) critical to any cybersecurity approach,” said Michael Sieber, DoD cybersecurity lead and senior director of cybersecurity at Maximus.
“Attack surface management is part of defense in depth, where you’re trying to make sure that you can see your entire network, understand what vulnerabilities are present, and prioritize mitigation based on risk,” Sieber said. “You’re addressing the high-risk items first and then mitigating so that there is less attack room for an adversary to come in and gain access to your network.”
We asked Sieber and Kynan Carver, cybersecurity leader with Maximus’ Technology and Consulting Services, to explain how ASM works in practice and why it helps agencies keep pace with their cyber needs as they digitally transform their operations.
Rapid digital transformation and ASM
As agencies are modernizing technology and also transforming their operations to become more digital, there’s more new technology being implemented alongside efforts to improve existing business processes, team culture, and user and customer experience, Carver said.
All those things “drive — unintentionally, generally speaking — potential vulnerabilities or holes in agencies’ security posture,” he said.
ASM gives agencies a way to stay a step ahead: it discovers the assets and weaknesses that make up the exposed surface, so that security teams can address them before an adversary exploits them and a minor issue becomes a major incident.
The government’s zero trust mandates have prompted agencies to modernize their security frameworks and adopt related zero trust measures.
“That’s why the attack surface is rapidly expanding due to the emergence of new technologies,” Carver said.
Taking on attack surface challenges
Given that most federal employees will likely continue to work remotely for some part of each week, and given the continuing push to use the cloud to provide services to users, potentially exploitable entry points are becoming more prevalent.
“Now, we’re dealing with not only federal equipment, but we’re also dealing with individual equipment or company-furnished equipment from end users’ homes,” Sieber said.
He laid out the five steps of an ASM approach:
Identify what’s on your network
Categorize what’s on your network as high, medium or low vulnerability, based on a holistic look at risk factors
Prioritize those vulnerabilities against mission outcomes
Do everything you can to secure that environment from most vulnerable to least
Maintain enterprisewide visibility and continue to adapt the cybersecurity posture as necessary
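The five steps above, carried through as one runnable cycle. This is an added example, not Maximus’ tooling or any agency’s code: the asset names, owners, finding IDs (placeholders, not real CVE numbers), weights and thresholds are all constructed for illustration, and the scoring formula is an assumption standing in for whatever risk model an agency actually adopts.

```python
"""Risk-ranked remediation queue for one attack surface management cycle.

Added example, not Maximus' tooling. Every asset name, finding ID, weight and
threshold below is constructed for illustration; the scanner reference IDs are
placeholders, not real CVE numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    mission_criticality: int   # 1 = nice to have .. 5 = mission stops without it
    internet_exposed: bool     # reachable from outside the agency boundary


@dataclass(frozen=True)
class Finding:
    asset: str                 # Asset.name the finding was observed on
    finding_id: str            # scanner reference (constructed placeholder)
    cvss: float                # base severity 0.0 .. 10.0
    exploit_known: bool        # public exploit or active exploitation reported


def unknown_assets(discovered: set, inventory: list) -> set:
    """Step 1 (identify): hosts seen on the wire that the inventory cannot explain."""
    return set(discovered) - {a.name for a in inventory}


def risk_score(asset: Asset, finding: Finding) -> float:
    """Steps 2-3 (categorize, prioritize): severity weighted by exposure,
    exploitability and mission impact. The weights are illustrative assumptions."""
    score = finding.cvss
    if asset.internet_exposed:
        score *= 2.0            # anyone on the internet can reach it
    if finding.exploit_known:
        score *= 1.5            # the attacker's research cost is already paid
    score *= asset.mission_criticality / 5.0
    return round(score, 2)


def bucket(score: float) -> str:
    """Coarse high/medium/low category; the thresholds are assumptions."""
    if score >= 12.0:
        return "high"
    if score >= 5.0:
        return "medium"
    return "low"


def prioritize(inventory: list, findings: list) -> list:
    """Step 4 (secure): the ordered work queue, most exposed first."""
    by_name = {a.name: a for a in inventory}
    queue = []
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            # A finding on an asset nobody owns is itself a gap: it goes to the
            # top of the queue for triage instead of being silently dropped.
            queue.append({"asset": f.asset, "owner": None, "finding": f.finding_id,
                          "score": float("inf"), "bucket": "unowned"})
            continue
        s = risk_score(asset, f)
        queue.append({"asset": asset.name, "owner": asset.owner,
                      "finding": f.finding_id, "score": s, "bucket": bucket(s)})
    return sorted(queue, key=lambda r: r["score"], reverse=True)


def drift(previous: list, current: list) -> dict:
    """Step 5 (maintain): what changed since the last cycle. ASM is a loop."""
    prev = {r["finding"] for r in previous}
    cur = {r["finding"] for r in current}
    return {"new": cur - prev, "resolved": prev - cur}


# Constructed sample data.
SAMPLE_INVENTORY = [
    Asset("vpn-gw-01", "network-ops", mission_criticality=5, internet_exposed=True),
    Asset("hr-db-02", "hr-systems", mission_criticality=4, internet_exposed=False),
    Asset("kiosk-07", "facilities", mission_criticality=1, internet_exposed=True),
]
SAMPLE_DISCOVERED = {"vpn-gw-01", "hr-db-02", "kiosk-07", "shadow-box-9"}
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "F-001", cvss=9.8, exploit_known=True),
    Finding("hr-db-02", "F-002", cvss=8.1, exploit_known=False),
    Finding("kiosk-07", "F-003", cvss=7.5, exploit_known=True),
    Finding("shadow-box-9", "F-004", cvss=5.0, exploit_known=False),
]

if __name__ == "__main__":
    print("unknown assets:", unknown_assets(SAMPLE_DISCOVERED, SAMPLE_INVENTORY))
    queue = prioritize(SAMPLE_INVENTORY, SAMPLE_FINDINGS)
    for row in queue:
        print(row)
    # Next cycle: F-001 has been patched, and a new low finding appears on the kiosk.
    later = [r for r in queue if r["finding"] != "F-001"]
    later.append({"asset": "kiosk-07", "owner": "facilities", "finding": "F-005",
                  "score": 1.5, "bucket": "low"})
    print("drift since last cycle:", drift(queue, later))
```

Two design choices matter more than the exact weights. A finding on a host that is not in the inventory is ranked above everything else, because an unowned asset is the gap the "identify" step exists to close. And the queue is recomputed every cycle and diffed against the previous one, which is what makes the approach dynamic rather than a one-off scan.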
What’s critical to keep in mind is that these environments are dynamic and so is ASM, he said.
Networks expand and shrink all the time, Sieber pointed out. “We’ve gone from on-premises networks to cloud networks to multicloud networks to some sort of a hybrid capability, where you have a little bit of your data secured in on-premises environment, a little bit secured in a cloud environment.”
The hybrid environment means that every agency’s attack surface expands and contracts. ASM provides an approach so that agencies have the capability to both dynamically understand the current boundaries of their networks and also proactively secure that constantly shifting environment, Sieber said.
What’s more, during digital transformation, agencies are integrating many new and existing systems and applications. That creates the potential for misconfigurations and the chance of introducing vulnerabilities into an organization’s cyber posture, making the agency susceptible both to known threats and to dangerous unknown unknowns, he said.
“If we can address and understand the unknown unknowns through an adversary lens, that will help us to strengthen our defenses from an attack surface management perspective,” Sieber said.
ASM best-practice pointers
ASM also integrates supply chain risk management, which Sieber called a key element of the cyber approach.
“Software companies, hardware companies are constantly changing hands,” Carver noted. “That also means the process and the people that touch that equipment or software changes hands. That continuous evaluation of those products is where we’re really starting to see a growing need. People do the security upfront, but they’re not necessarily constantly reevaluating.”
Agencies need to know whether a piece of software can still be trusted, he said. Who owns it now? Who has updated it? “In regard to supply chain risk management, agencies need to do due diligence on a regular or cyclical cycle,” Carver said.
Given that recurring need and the growing volume of information security teams now must monitor, it’s essential to lean into more automation and orchestration, both Sieber and Carver said.
“If you look at a security operations center, there’s so much information for them to track that it’s impossible for them to ingest data manually,” Sieber said. “You have to take advantage of tools and make sure that those tools are giving you a common operating picture so that you can understand what your network looks like, where your weaknesses are and mitigate any vulnerabilities.”
He also pointed to artificial intelligence as a way to mitigate the inevitable alert fatigue.
“Artificial intelligence can help you digest a lot of that data and then get rid of some of the noise, so you can clearly understand what some of the threats are and pay attention to the things that really matter,” Sieber said.
Carver added that with digital transformation and the expanded dependence on cloud, it’s also incumbent on agencies to ensure that people at all levels are both cloud- and cyber-literate. “It’s understanding what the cloud is and what it offers,” and the role that everyone now must play in securing federal data, Carver said.
The same yet not — cyber needs in DoD and IC vs. civilian agencies
Although all federal agencies must continually improve their cybersecurity posture, there remain some differentiators in the needs of the Defense Department and Intelligence Community compared to civilian agencies.
Ultimately, the main difference is data classification, Maximus’ Michael Sieber said.
“You’re going to have a mixture of mandatory and discretionary access controls to ensure that people who don’t have a need to know or that don’t have clearance for that information, don’t have the ability to gain access to it — that you can control where that data is flowing to,” Sieber said.
That makes the need for end-to-end visibility imperative and is why an attack surface management approach works well, he said. “From a DoD and IC perspective, it’s really important to understand who’s responsible for securing data through every stage of that defense in depth model.”
That challenge grows as organizations adopt cloud, Maximus’ Kynan Carver said. And that’s a challenge for all agencies, not just those in DoD or IC.
“The IC has more labeling that’s required,” Carver said. “But that doesn’t necessarily extract to the actual metadata. That metadata tagging is where we need to get consistency and then share that consistency across the federal government, because it’s not just a DoD or IC thing. Other federal agencies that utilize that information, for example, to make the homeland more secure. If we want to do this effectively, then we have to address those layers,” he said.
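The mixture of mandatory and discretionary access controls Sieber describes, and the metadata tagging Carver says needs to be consistent, as one access decision routine. This is an added example, not Maximus’ or any agency’s code: the classification levels, compartments, users, ACLs and document tags are constructed for illustration, and the dominance and no-write-down rules follow the textbook Bell-LaPadula model rather than any particular agency’s policy.

```python
"""Label-based access decision combining mandatory and discretionary controls.

Added example, not Maximus' or any agency's code. The levels, compartments,
users, ACLs and metadata tags are constructed for illustration.
"""
from dataclasses import dataclass

# Linear ordering of classification levels (constructed; real markings differ).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know compartments

    def dominates(self, other: "Label") -> bool:
        """Bell-LaPadula dominance: level at least as high, and every one of
        the other label's compartments held."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: Label


@dataclass
class Document:
    doc_id: str
    metadata: dict      # the tagging layer that has to be consistent across agencies
    acl: frozenset      # DAC: explicit need-to-know grants made by the data owner


def label_from_metadata(md: dict) -> Label:
    """Derive the mandatory label from the document's tags. Refuse to guess:
    a missing or unknown classification tag is an error, not UNCLASSIFIED."""
    level = md.get("classification")
    if level not in LEVELS:
        raise ValueError(f"missing or invalid classification tag: {level!r}")
    return Label(level, frozenset(md.get("compartments", ())))


def can_read(subject: Subject, doc: Document) -> tuple:
    """MAC is checked first and cannot be overridden by an ACL grant; DAC then
    narrows access to those with an explicit need to know."""
    try:
        doc_label = label_from_metadata(doc.metadata)
    except ValueError as exc:
        return False, f"deny: {exc}"          # untagged data fails closed
    if not subject.clearance.dominates(doc_label):
        return False, "deny (MAC): clearance does not dominate document label"
    if subject.user not in doc.acl:
        return False, "deny (DAC): no need-to-know grant on the ACL"
    return True, "allow"


def can_flow(source: Label, destination: Label) -> bool:
    """Controls where data may go: a copy, export or message is permitted only
    if the destination label dominates the source (no write-down)."""
    return destination.dominates(source)


# Constructed sample subjects and documents.
ANALYST = Subject("analyst", Label("TOP SECRET", frozenset({"ALPHA"})))
CONTRACTOR = Subject("contractor", Label("SECRET"))
DOC_ALPHA = Document("doc-1",
                     {"classification": "SECRET", "compartments": ["ALPHA"]},
                     frozenset({"analyst"}))
DOC_PLAIN = Document("doc-2",
                     {"classification": "SECRET"},
                     frozenset({"contractor"}))
DOC_UNTAGGED = Document("doc-3",
                        {"title": "no marking applied"},
                        frozenset({"analyst"}))

if __name__ == "__main__":
    for subj, doc in [(ANALYST, DOC_ALPHA), (CONTRACTOR, DOC_ALPHA),
                      (ANALYST, DOC_PLAIN), (ANALYST, DOC_UNTAGGED)]:
        print(subj.user, doc.doc_id, can_read(subj, doc))
    print("SECRET -> UNCLASSIFIED:", can_flow(Label("SECRET"), Label("UNCLASSIFIED")))
    print("SECRET -> TOP SECRET/ALPHA:", can_flow(Label("SECRET"), ANALYST.clearance))
```

The order of the checks is the point: the mandatory check runs first and an ACL entry cannot override it, a document whose metadata carries no usable classification tag is denied rather than treated as unclassified, and the flow check is what lets the system answer "where is this data allowed to go" rather than only "who can open it". If the tags are inconsistent between the agency that produced a document and the one consuming it, the first check is the one that breaks, which is why the tagging layer has to be shared.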