In response to recent ransomware attacks, the White house issued an executive order1 to companies to improve their cybersecurity postures. One of the key tenants of the order was a call for organizations to adopt a zero-trust framework in their security practices.
The order defines zero-trust model as:
"The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment."
Zero-trust framework for Attack Surface Management
While zero-trust architecture for traditional networks are well defined, it is important to also apply the zero-trust model to your Attack Surface Management (ASM) program since your organization’s attack surface forms the basis of all your security deployments.
Here are five steps on how to deploy zero-trust framework in your ASM practice:
Define your attack surface
Comprehensive visibility into all your known and unknown assets is crucial before you build out any security practice. Without granular visibility into all assets, including constantly changing cloud assets, it is impossible to ensure attack surface security. Attack Surface Management provides a single source of truth of internet-connected assets for your organization, and this system of record should be the validation method for your zero-trust processes.
Cortex® Xpanse™ cross-references data points and device signatures to discover more assets with high accuracy than any other ASM vendor to comprehensively discover all your assets.
Setup traffic flow monitoring
Traditional zero-trust architecture mandates monitoring traffic using an inside-out perspective to capture malicious traffic. However, with the increase in ransomware attacks through publicly accessible command and control nodes, it is also important to monitor malicious communications using an outside-in approach.
Xpanse uses global internet flow data to surface communications between internet-connected assets to detect and stop risky communications that can be exploited for data breaches or ransomware.
While having an asset exposed to the internet isn’t in itself dangerous, it is dangerous when it is exposed without being monitored. Organizations must be able to define custom policies that don't just keep them secure but also agile. Using a central policy engine to globally enforce policies and alert on violations is crucial.
Xpanse helps organizations develop custom policies and also develop fingerprints to quickly discover exposed devices on their network when a P0 CVE is announced.
Automate prioritization and remediation
An ASM solution must be able to not just discover issues but also automatically prioritize them and assign them for remediation. Without remediation, an organization cannot secure its attack surface.
Xpanse has integrations with several SOAR solutions including Cortex XSOAR that help organizations automate remediation of discovered issues.
Perhaps the most important aspect of a zero-trust architecture is to be able to independently and continuously monitor your attack surface. Your ASM solution must be able to alert on exposed assets and also allow you to verify the successful remediation of a risk.
Xpanse helps organizations benchmark their Attack Surface Management program through custom benchmarking assessments and dashboards to help reduce their mean time to inventory, mean time to discover, and mean time to respond.
These five steps help organizations answer the important who, what, when, where, and how questions critical in securing their attack surface. If you want to learn more on how you can secure your attack surface, check out: https://www.paloaltonetworks.com/cortex/cortex-xpanse
1 Executive Order on Improving the Nation’s Cybersecurity, May 12, 2021