The Modern Attack Surface
Organizations of all sizes have embraced digital transformation to create new business models and ecosystems, deliver new products and services and operate more efficiently in the digital economy. New digital compute platforms and development shifts such as cloud, mobile, SaaS and DevOps have made it possible to move from concept to capability on a daily basis. Physical devices and systems of all types - from corporate conference systems to power grids - are now network connected and programmable, creating even more opportunities for digital transformation.
Some say these digital technologies are the future. But the truth is, the future is here and now. By 2019, there will be over 9 billion IoT devices deployed in the enterprise and over 90% of organizations have applications running in the cloud today.
While digital transformation opens up a whole new world of opportunities, this is your new cyber attack surface to defend.
And it's exploding.
The Cyber Exposure Gap
The tools and approaches organizations are using to understand cyber risk don’t even work in the old world of client/server, on-premise data centers and a linear software development lifecycle where there is less complexity and more control over security. An asset is no longer just a laptop or server. It’s now a complex mix of digital compute platforms and assets which represent your modern attack surface, where the assets themselves and their associated vulnerabilities are constantly expanding, contracting and evolving - like a living organism.
This elastic attack surface has created a massive gap in an organization’s ability to truly understand its Cyber Exposure at any given time. We call this the Cyber Exposure gap.
The larger the Cyber Exposure gap, the greater the odds a business-impacting cyber event will occur.
Organizations Attempt to Close the Cyber Exposure Gap in a Few Ways
Throw hundreds of security tools at the problem to protect from the 'threat of the week', creating siloed visibility, management overhead and reactive firefighting.
Rely on a CMDB to get visibility into assets and their configurations, but 85% of these projects fail in part due to the stale data - and CMDBs weren't built to discover and map today's modern assets.
Take a 'scan the network' approach to identify vulnerabilities. While this is foundational to understanding your Cyber Exposure gap, the old "one size fits all" techniques and tools haven't adapted for the modern attack surface.
Welcome to the Modern Era of Cyber Exposure
Cyber Exposure is an emerging discipline for managing and measuring your modern attack surface to accurately understand and reduce your cyber risk. Cyber Exposure transforms security from static and siloed visibility to dynamic and holistic visibility across the modern attack surface. Cyber Exposure provides live visibility with technology purpose-built for security. Understanding Cyber Exposure will transform security from a raw list of vulnerabilities to a metrics-driven program, where cyber risk is quantified and measured alongside every other business risk and every strategic business decision will rely on it. Understanding Cyber Exposure will not be an impediment to digital transformation. It will enable it.
Cyber Exposure builds on the roots of Vulnerability Management for traditional IT applications, endpoints and systems, moving from identifying bugs and misconfigurations and expanding to the following:
Live discovery of every modern asset across any computing environment
Continuous visibility into where an asset is secure, or exposed, and to what extent
Add context to the exposure to prioritize and select the appropriate remediation technique
Accurately represent and communicate cyber risk to the business - in business terms
Apply Cyber Exposure data as a key risk metric for strategic decision support
Cyber Exposure Lifecycle
Provide an objective way to quantify Cyber Exposure across your organization and your entire supply chain.
Help define the overall IT strategy by informing technology decisions. For example, will adopting cloud technologies increase risk or what is the risk versus cost of supporting outdated platforms.
Understand where you are in the pack by comparing your organization's Cyber Exposure against your industry peers.
Identify and map every asset across any environment. From here you can baseline the current and desired operational state.
With every change, automatically assess the current state against the baseline state of the environment, including misconfigurations, vulnerabilities and other key indicators of security health, such as out of date antivirus or high risk users.
Add context to the asset’s exposure to prioritize remediation based on the asset’s business criticality and the severity of the vulnerability.
Prioritize which exposures to fix first, if at all, and select the appropriate remediation technique, whether it’s a temporary security control or a complete fix.
Cyber Exposure has an operational security lifecycle which aims to provide common visibility to Security and IT teams to identify and remediate security issues quickly and efficiently. Cyber Exposure also creates a strategic baseline and a business discussion between the CISO, the CIO and the business, translating raw security data into a common language for communicating risk.
Every organization, no matter how large or small,
will be able to confidently answer three questions at all times: