The attack surface is evolving faster than ever before. If you think of a business like a human being (living, breathing, thriving, changing), then it might be easier to conceptualize the rate of change for the modern attack surface. Consider the software and systems required to manage your business. Now add a layer of complexity for the level of customization you have applied to each. Now think quick: who has access? Has that ever changed? If so, what does that change management process look like? Accountabilities are easy to track initially, until turnover, growth, mergers, digital transformation, and other perfectly normal business operations muddle it all up. These are some of the reasons why two-thirds of organizations say attack surface management is more difficult today than it was two years ago.
While attack surface drift typically occurs over many years of growth and business change, it can also happen suddenly and unexpectedly. COVID-19-induced “shelter in place” orders have forced a quick shift to fully remote work (where possible). But accelerated timelines for introducing new online services have caused many organizations to shortcut standard security testing protocols. And while the arrangement may not last, the impact of mismanaged IT will.
This legacy plus the increase in attack surface highlights a big issue. There was 50x more online data in 2020 than in 2016. On its own, this increase is not necessarily bad. As organizations mature, they naturally undertake normal growth activities like business transformation, attrition, hyper-growth, and mergers and acquisitions (M&A). These initiatives expand their web of internet-facing assets, but with limited resources and dispersed accountability, the ability to maintain oversight wanes. And in the shadows, malicious attackers lurk.
As security teams strive to stay ahead of these attackers, visibility into the attack surface is crucial. This brings us to a key point we’ll keep coming back to throughout this guide: how can you secure what you don’t know exists?