Unravelling Cyber Tool Sprawl: Time for Vendor Housekeeping Across Your Cloud, On-Prem, API and Web Infrastructures

By Josh Neame, CTO, BlueFort Security

A new study by Enterprise Technology Research, released in time for this month’s RSA Conference, revealed that the average company has between 60 and 75 cyber tools in its arsenal. 51% of respondents expect to increase the number of vendors in their security stack over the next 12 months. What’s interesting is that the findings are a complete U-turn on the industry’s shift towards platform integration, highlighting that the “best of breed” approach is still very much in vogue.

However, this “best of breed” approach is creating a problem all of its own – cyber sprawl – and this is becoming a significant challenge. While each tool may address a specific aspect of security, the cumulative effect can lead to not only redundancy, complexity, widening skills gaps and inefficiency – but an increased risk of falling victim to a cyber attack. 

Less is More

The irony is that for many organisations an increase in the number of cyber tools has actually made them more likely to be the victim of a cyber attack, not less. This is because all those extra tools deployed to protect cloud data, APIs, web infrastructure and of course, on-prem environments, have expanded an organisation’s overall external attack surface, adding to the possible ways an attacker can get into your network.

At the heart of many of the significant cybersecurity problems encountered by businesses today, restricted or insufficient visibility of the external attack surface is the primary catalyst. Without a comprehensive view of this external attack surface, companies are leaving themselves wide open to cyber attack. 

Threat Landscape Constantly in Flux

Added to this, the external threat landscape is constantly changing. The volume and variety of attacks – particularly ransomware –  is growing exponentially. According to recent analysis, we ended 2023 with 28902 published CVEs, up over 15% from the 25081 CVEs published in 2022. On average, there were 79.18 CVEs published per day.

When all is said and done, if there is no clear visibility over an organisation’s  IT estate, it is not possible to accurately validate potential threats, nor have any control over them. When it comes to cybersecurity, contrary to the old adage – what you can’t see can definitely hurt you.

Think Like an Attacker, Continuously

Attackers relentlessly look for ways in – the path of least resistance; whether that’s an unpatched endpoint exposed to the internet, or a misconfigured cloud bucket – they’ll keep searching until they find it and then they’ll exploit that weakness. Organisations need to adopt the same approach and play them at their own game – but be better. The only way to do this is to continuously review the total external attack surface looking for those weak spots.

The critical word in the previous sentence is “continuously”. This is not a point in time exercise. First written about in 1993, Gartner’s CTEM (Continuous Threat Exposure Management) program recommended that organisation’s focus on continuously identifying and tackling threats to an organisation, in real time. BlueFort’s Continuous Discovery, Validation and Control methodology aligns directly with both CTEM and NIST frameworks, and is designed to surface and actively prioritise whatever most threatens your business. Only when visibility is clear, can validation and control be wrapped around the known elements, enabling positive controls to be put in place.

That said, visibility is an ongoing journey; no single tool, technology or process will deliver complete point in time visibility over this changing and often unpredictable IT security landscape. Any set of processes and solutions must be tailored to the specific needs and structure of the organisation. Even the tools and technologies available to better protect organisations from cybersecurity threats are constantly evolving.

CISO Survey Highlights the Cybersecurity Visibility Issue

A recent survey revealed that 600 UK CISOs admit to experiencing challenges around visibility, intelligence and control. More than half (57%) of those surveyed admitted that they do not know where some or all their data is, or how it’s protected. One third (36%) said they lack visibility of movers, joiners and leavers, and 34% said that dormant email accounts are another significant concern.

My key takeaway from this study is that visibility is one of the most pressing issues facing CISOs, and a key element of this is assessing their estate, establishing which cybersecurity solutions they have, and consolidating duplicate or no-longer used technology. Put simply, organisations need to learn what they can live without.

Getting Started on the Visibility Journey

According to the famous Chinese proverb, a journey starts with the first step. When it comes to cybersecurity, asking yourself the four questions below will set you on the path of understanding your cyber threat status, and what needs to be done to make it as watertight as possible.

  1. Do you have visibility of your entire external attack surface? 

Only by looking from the outside in will you be able to establish a clear understanding of where the gaps are in your security estate, and which areas are most likely to be exploited by an attacker. Every organisation’s external attack surface is in constant flux. Changing users, devices, IT assets and digital infrastructure mean the external attack surface – and associated security risk – is constantly growing and changing. Complete discovery, classification and assessment of every aspect of the organisation’s fluctuating external attack surface must be organic – indeed automated – to be effective in the long term. Gaining visibility into your external attack surface will uncover the mass of shadow IT that plagues virtually every organisation. These unmanaged – and in most cases unknown – assets will be the obvious entry point for an external threat actor. The attack surface management process is the first step in uncovering these issues before they are exploited.

  1. Do you have visibility of all cloud assets, workloads and their associated policies?

The widespread move to the cloud represents a fundamental shift in how IT and security teams need to approach visibility. Despite this, many security teams are still struggling to establish visibility and control in the new cloud era. With security misconfiguration cited as the number one cybersecurity threat experienced by CISOs over the last 12 months, neglecting cloud security issues presents a real and present danger to organisations. Cloud security posture management is crucial for any organisation operating in one or several cloud environments; automating security and compliance validation across any cloud environment from: AWS, Azure and Google Cloud to Kubernetes.

  1. Can you continuously and autonomously test assets and infrastructure to discover vulnerabilities and misconfigurations?

To be as effective as possible, testing cannot be a point in time exercise. Automated security validation (ASV) provides continuous testing and validation across the entire attack surface, both internal and external, emulating genuine tactics, techniques and procedures (TTPs) that will be deployed against the organisation by malicious threat actors.       

The effect ASV has on solving many of the roadblocks facing security teams in gaining visibility – from information and alert overload to persistent skills gap – is best described by the Pareto Principle of outcomes. This states that 80% of outcomes are the result of 20% of causes. The visibility ASV provides into risk and security exposure is extremely accurate, focusing first on prioritising and remediating the most likely weaknesses to be breached, in real time as they are created. This process enables security teams to focus on the 5% of weaknesses that constitute 95% of the risk to the organisation.

  1. Can you account for all joiners, movers and leavers, and ensure the correct provisioning/de-provisioning of services?

In this year’s Verizon Data Breaches Investigation Report (DBIR), stolen or compromised user credentials were once again one of the top attack drivers. Managing identities – including users, device and entities – is the cornerstone to securing an organisation’s IT environment, preventing intrusions and maintaining compliance. As the CISO survey referenced earlier found, one third of organisations don’t have visibility of movers, leavers and joiners. Today’s dispersed workforce means the challenge of assuring identity across the organisation is becoming harder. Identities – whether users or devices – have fast become the new perimeter.

Assuring identity involves a comprehensive assessment of the IT environment, and a combination of tools, technologies and services designed to centralise controls, simplify management, and increase the granularity of access permissions. The use of assurance tools such as single sign on (SSO), privileged access management (PAM) and multi-factor authentication (MFA), strengthens perimeter defences and limits the potential for account compromise or credential hacking.

Cybersecurity is a Never-Ending Story

Akin to painting the Forth Road Bridge, the task of cybersecurity is never finished. However, by adopting a more proactive approach that continuously monitors, assesses, prioritises and resolves security issues by improving threat exploitability, it is possible to significantly lessen the vulnerabilities in your external attack surface. It all starts with knowing what you’re dealing with. Continuous discovery leads to more control. 

Get in touch with BlueFort