Historically, the “attack surface” was limited to well-known points of external exposure—the traditional perimeter of websites, external IP addresses, and endpoints. Our cyber attack surface has expanded dramatically over the past five years, now encompassing our cloud estate, millions of devices at the edge, and mobile and remote workers, in addition to our internet-facing infrastructure.
This expansion of the definition to include cloud, end-user, and internal assets has been driven by the increasing sophistication of cyber attacks. The table below breaks down today’s complex attack surface into several categories, based on a framework presented by Steve Santos of Gartner at a conference in June 2024:
| Attack Surface Category | Description | Mitigation Examples |
|---|---|---|
| Digital | A combination of social media, dark web data, compromised assets, and digital assets impacting brand, reputation, or security. | Threat intel, Digital Risk Protection |
| External | Internet-reachable assets in the public IP space. This is the most commonly probed surface. | DNS, WHOIS registration, SSL certificates, internet scans |
| Cloud | Assets that run on public cloud, private cloud, or SaaS providers. | Management console APIs, SSPM/CSPM, SDLC/Terraform |
| Internal | On-premises assets that include traditional IT, IoT, and OT assets. | VM data, CMDB, Firewalls, SCCM, NDR |
| End-user | Mobile and fixed end-user assets such as phones and laptops used to connect. | SCCM, EDR, SSE |
As Figure 1 shows, the attack surface today is the sum of all possible points where an unauthorized user can try to enter data into or extract data from an environment, and it includes hardware, software, and network components.
Reduction and protection of the attack surface are separate but obviously interlinked strategies for improving security overall. Reducing the attack surface means eliminating points of potential exposure or walling off access to them, which requires a thorough grasp of those points of vulnerability. There are always concrete opportunities for such reduction, but this approach quickly runs up against the reality of today’s integrated and distributed work and networks. Better protection begins with improved visibility and runs to hardening all the identified points of vulnerability against unauthorized access and malicious code.
The table highlights the complexity and diversity of today’s cyber attack surface, illustrating how it extends beyond traditional boundaries. This expanded landscape signifies that organizations must adopt a more comprehensive approach to security, considering not just external threats but also internal vulnerabilities. By understanding these components, businesses can prioritize their security strategies, focusing on both reducing exposure and enhancing protection. This sets the stage for exploring effective methods to safeguard your assets in the next section.
Reducing and robustly protecting your cyber attack surface requires a strategic approach and the right tools. Below are the top nine actions you can take, with the relevant attack surfaces noted for each item:
1. Reduce points of exposure
(Attack surfaces: External, Internal, End-user)
Streamlining and securing points of exposure is crucial in minimizing vulnerabilities. By encrypting communications, organizations can significantly reduce their attack surface, ensuring that data is safeguarded both during transmission and when stored.
2. Enhance visibility
(Attack surfaces: Cloud, Internal, End-user)
Ensuring comprehensive visibility into your network, devices, and user activities is crucial for proactively reducing the attack surface. By identifying and addressing vulnerabilities and threats in real-time, visibility allows you to understand and minimize potential entry points for attackers. Without it, you remain unaware of existing weaknesses, leaving your system exposed. A short checklist to enhance visibility includes:
3. Implement unified security policy management
(Attack surfaces: Cloud, Internal, End-user)
Unified security policy management is crucial for maintaining consistent security across all network segments and endpoints. It simplifies the enforcement of security policies, ensuring that all users, devices, and applications adhere to the same rules. Related key steps include:
4. Adopt Zero Trust Network Access (ZTNA) with advanced capabilities
(Attack surfaces: External, Internal, End-user)
With the increase in remote and hybrid work, securing remote access is more important than ever. Zero Trust Network Access (ZTNA) solutions enforce strict identity verification and access controls for remote users, but it is equally important to apply Zero Trust controls to your internal LAN and data center networks: this defends against lateral movement after a breach and gives users a consistent access experience whether they are inside or outside the corporate network. Advanced capabilities like Dynamic Access Control further enhance ZTNA by adjusting access permissions based on the current context and risk level. ZTNA is therefore essential for both internal and remote users, preventing unauthorized access and minimizing lateral movement within networks. By enforcing strict identity verification, ZTNA ensures that only authenticated users can access specific resources, regardless of their location. This approach limits a malicious user’s ability to exploit weak points by:
5. Enhance legacy infrastructure with a software-defined network overlay
(Attack surfaces: Cloud, Internal, End-user)
Business locations today are varied, ranging from branch offices and campuses to remote production facilities that rely on a mix of broadband, cellular, and satellite connections. With the need to support cloud connectivity, remote users, and internet breakout, legacy infrastructure often leads to security gaps and management challenges. Steps for more robust protection at your locations include:
6. Integrate threat prevention and detection
(Attack surfaces: Digital, External, Cloud, Internal, End-user)
Integrated threat prevention and detection involves using advanced security technologies that have been developed in a single, modern SASE or SSE platform to exploit synergies and monitor attack vectors, identify attacks, and mitigate threats in real time. Ideal platform security capabilities include:
7. Extend Zero Trust to devices
(Attack surfaces: Internal, End-user)
“Device trust” ensures that only authorized devices gain network access. This involves verifying device identity and authentication, distinguishing between company-owned and BYOD (Bring Your Own Device), and applying access controls based on security criteria.
8. Device posture check
(Attack surfaces: External, Internal, End-user)
Evaluating the security posture of devices attempting to access the network includes: baselining normal behavior and identifying anomalies that might indicate the device has been compromised; applying adaptive and conditional access controls; ensuring security compliance; identifying device vulnerabilities; and taking action based on the results of these posture checks.
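Actions 4, 7 and 8 above (ZTNA with context- and risk-based access, device trust, and device posture checks) all feed one policy decision, and the key property of that decision is that network location never grants implicit trust. The following policy decision point illustrates how those inputs combine. It is an added example, not code from the article or from any SASE/SSE product; every field name, threshold and sample device below is an assumption constructed for illustration.

```python
"""Added illustration of a Zero Trust access decision: identity, device trust,
device posture and request context combined into one policy decision.
Not from the article or any product; every field, threshold and sample
value below is an assumption constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # grant only after an additional verification
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled company-owned device (False = BYOD)
    edr_running: bool        # endpoint agent present and reporting in
    disk_encrypted: bool
    os_patch_age_days: int   # days since the OS patch level was last current
    anomaly_score: float     # 0.0-1.0 deviation from the device's baseline


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool       # identity step completed for this session
    resource: str
    sensitivity: str         # "low" or "high"
    source_network: str      # "corp-lan" or "internet"; recorded, never trusted
    geo_risk: float          # 0.0-1.0 risk attached to the source address


# Hypothetical policy thresholds (assumptions, tune to your own baseline).
MAX_PATCH_AGE_DAYS = 30
ANOMALY_DENY = 0.8
RISK_DENY = 0.75
RISK_STEP_UP = 0.4
RISK_PER_FINDING = 0.25

HARD_FAIL = {"edr-not-running", "behaviour-anomaly"}


def posture_findings(d: Device) -> list[str]:
    """Posture check: list everything that fails the baseline."""
    findings = []
    if not d.edr_running:
        findings.append("edr-not-running")
    if not d.disk_encrypted:
        findings.append("disk-unencrypted")
    if d.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        findings.append("patches-stale")
    if d.anomaly_score >= ANOMALY_DENY:
        findings.append("behaviour-anomaly")
    return findings


def decide(req: Request, d: Device) -> tuple[Decision, list[str]]:
    """Policy decision point. Returns the decision and the reasons for it.
    req.source_network never influences the outcome: a request from the
    corporate LAN is evaluated exactly like one from the internet."""
    # 1. Identity: without a verified identity nothing else is evaluated.
    if not req.mfa_verified:
        return Decision.STEP_UP, ["mfa-required"]

    # 2. Device posture: some findings end the evaluation immediately.
    findings = posture_findings(d)
    if HARD_FAIL & set(findings):
        return Decision.DENY, findings

    # 3. Device trust: high-sensitivity resources require a managed device.
    if req.sensitivity == "high" and not d.managed:
        return Decision.DENY, findings + ["unmanaged-device"]

    # 4. Context: combine source risk with the remaining posture findings.
    risk = req.geo_risk + RISK_PER_FINDING * len(findings)
    reasons = findings + [f"risk={risk:.2f}"]
    if risk >= RISK_DENY:
        return Decision.DENY, reasons
    if risk >= RISK_STEP_UP or (req.sensitivity == "high" and findings):
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


# Constructed sample devices (assumptions, not real inventory data).
MANAGED_OK = Device("lap-001", True, True, True, 5, 0.1)
MANAGED_STALE = Device("lap-002", True, True, True, 45, 0.3)
MANAGED_ANOMALY = Device("lap-003", True, True, True, 3, 0.9)
BYOD_NO_EDR = Device("phone-007", False, False, True, 10, 0.2)


if __name__ == "__main__":
    for req, dev in [
        (Request("alice", True, "wiki", "low", "internet", 0.1), MANAGED_OK),
        (Request("alice", True, "wiki", "low", "corp-lan", 0.1), MANAGED_OK),
        (Request("bob", False, "wiki", "low", "corp-lan", 0.0), MANAGED_OK),
        (Request("carol", True, "hr-payroll", "high", "internet", 0.1), BYOD_NO_EDR),
        (Request("dave", True, "hr-payroll", "high", "corp-lan", 0.1), MANAGED_STALE),
        (Request("erin", True, "wiki", "low", "internet", 0.6), MANAGED_STALE),
        (Request("frank", True, "wiki", "low", "corp-lan", 0.0), MANAGED_ANOMALY),
    ]:
        decision, reasons = decide(req, dev)
        print(f"{req.user:6} {dev.device_id:9} {req.source_network:8} -> {decision.value:8} {reasons}")
```

The two `alice` requests differ only in `source_network` and receive identical decisions, which is the property the article asks for when it says controls should apply "regardless of their location". The `frank` request comes from the corporate LAN on a managed device and is still denied because the posture check flagged a behaviour anomaly; the `dave` request is granted only after step-up because a stale patch level on a high-sensitivity resource is treated as elevated risk rather than an outright failure.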
9. Extend Zero Trust to internal and external apps and workloads
(Attack surfaces: External, Cloud)
Application and workload access involves verifying access rights, ensuring specific access controls, and determining whether the applications or workloads are available to the internet. It is critical to secure internet-facing admin controls, APIs, and workloads comprehensively.
Figure 2 below outlines how each action above addresses specific attack surface categories identified by Gartner.
| Action | Description | Digital | External | Cloud | Internal | End-user |
|---|---|---|---|---|---|---|
| 1 | Reduce points of exposure | | X | | X | X |
| 2 | Enhance visibility | | | X | X | X |
| 3 | Implement unified security policy management | | | X | X | X |
| 4 | Adopt Zero Trust Network Access (ZTNA) | | X | | X | X |
| 5 | Enhance legacy infrastructure with software-defined network overlay | | | X | X | X |
| 6 | Integrate threat prevention and detection | X | X | X | X | X |
| 7 | Extend Zero Trust to devices | | | | X | X |
| 8 | Device posture check | | X | | X | X |
| 9 | Extend Zero Trust to internal and external apps | | X | X | | |
Reducing and improving the protection of your cyber attack surface is a continuous process that requires a combination of strategic planning, advanced security technologies, and proactive management. By implementing device trust, adopting user identity verification, performing regular posture checks, securing application access, implementing encrypted communication, and embracing zero trust, you can significantly enhance your organization’s cybersecurity posture. Modern SASE and SSE platforms provide an opportunity to implement a holistic strategy for protecting your attack surface, rather than addressing each action area in isolation.
For more detailed guidance and practical steps, consider attending our upcoming webinar on “Top 9 Actions to Reduce and Protect Your Cyber Attack Surface.” We will provide checklists, templates, and actionable advice to help you implement these strategies effectively.