Attack Surface Visibility, The Key: Vijendra Katiyar, Trend Micro
In conversation with Vijendra Katiyar, Country Manager, India & SAARC, Trend Micro, BW Businessworld does a deep dive into the growing attack surface in the cyber space and explores how attack surface visibility holds the key to addressing vulnerabilities. Read on for excerpts from the interview.
Edited Excerpts:
Why are organisations failing to protect themselves today, despite knowing the dangers of growing attack surface?
If you look at incidents that have happened recently related to the supply chain, especially in the last few years, such as SolarWinds, what is actually happening is that organisations are taking on digitisation. Today, we are using different platforms, services, and integrating with multiple supply chain providers, service providers, and shadow IT. This is the new way in which business is happening. But there is limited visibility for this expanding digital surface. While we are interacting or opening up APIs for doing business, and integrating with multiple different service providers, the attack surface continues to expand, creating a problem.
To give you an instance, I was recently talking to a CISO and he said that he didn't even know that there was a team taking care of the product marketing and they had created a microsite on the cloud. If that microsite is vulnerable, who is responsible? Of course, the IT and security team is responsible for this because it is part of the digital surface of the organisation. This is where it is becoming very challenging: we are seeing expansion in terms of the digital surface and hence the attack surface is expanding.
Since the attack surface is forever expanding, how do we deal with cyber risks?
The most important thing is you need to have visibility of your external attack surface. Due to the supply chain disruptions recently in the hype cycle of security operations, Gartner introduced the term EASM (External Attack Surface Management), which is essentially continuously monitoring your actual surfaces, whether it is your IP, URL, your domain name, or anything that is externally facing or public facing. You need to continuously monitor it. So, there should be a mechanism or a tool in place with which you are able to discover this. It has to be a continuous process. You keep on monitoring, understanding, keep on looking at the new source. Once you have the visibility, you can keep on addressing the new vulnerabilities it brings in or new risks that get introduced. So, if you have a good process of doing this, you will be able to solve a lot of problems.
How can organisations contain the broadening attack surface and improve visibility problems associated with it?
When you talk about mitigation, or how to handle the attack surface – it can be a very similar approach. You have to look at two things very clearly. One is looking at whatever is happening externally and the other is when you are looking from the internal cyberattack surface.
You have to evaluate the risks associated with the users. Are these users genuine or not? What is their location? Especially with a remote workforce, where are the people logging in from: different locations? Or, are the devices they are using compliant as per the corporate policy? Are they patched, or are they using any application which is unauthorised? Based on these, you arrive at a risk score.
This is what we do at Trend Micro. We arrive at a cyber asset risk score. At any given time, if we know that the risk score is below a certain threshold, we introduce a Zero Trust strategy, wherein we stop the access for that specific user or application because the risk score is low. If the user is carrying certain risks, that user is vulnerable. Hence, we don't want that user to access the network. If you have new users, devices, or applications, you have to keep monitoring that too. The other thing we address is the external attack surface, which is pretty much the same. You need to have visibility of what is happening to the external attack surface, continuously. Organisations need to look at multiple departments, businesses, and the digital platforms that they are running.
You don't want to have a shadow IT, wherein people are doing their own thing. That is something organisations should avoid.
How can organisations address the menace of ransomware? Is there anything particular that they should be doing?
There is no silver bullet because ransomware has evolved. As an organisation, the most important thing you should do is be proactive. This means that at any point in time, you should know what is happening inside your organisation. This, again, goes back to the same thought process of having clear visibility. SecOps (security operations) becomes very important.
A lot of times I have seen quarterly audits and quarterly checks happening in organisations. But that is not good enough. You need to have a continuous vulnerability management programme. One very interesting thing which we are doing at Trend Micro is prioritising the vulnerabilities. Now, there are so many vulnerabilities in the wild, globally, and it becomes difficult to understand which one should be an organisation's number one priority. What you need to do in such a scenario is look at the universe which is relevant to your line of business. This should be priority number one; you don't need to look at what is happening in 10 other organisations. So, this is what we help the customers do at Trend Micro. Once you are able to prioritise the vulnerabilities, you can mitigate them and have solutions, do virtual patching and address them in multiple ways.