Welcome to the Chaos
Nov. 7, 2024

Can We Make Attack Surface Management … Fun? | Chaos Lever

Can We Make Attack Surface Management … Fun? | Chaos Lever
Apple Podcasts podcast player icon Overcast podcast player icon Spotify podcast player icon PocketCasts podcast player icon Castro podcast player icon Podcast Addict podcast player icon Youtube Music podcast player icon iHeartRadio podcast player icon RSS Feed podcast player icon Deezer podcast player icon Amazon Music podcast player icon PlayerFM podcast player icon Castbox podcast player icon Goodpods podcast player icon Podchaser podcast player icon
Apple Podcasts podcast player icon Overcast podcast player icon Spotify podcast player icon PocketCasts podcast player icon Castro podcast player icon Podcast Addict podcast player icon Youtube Music podcast player icon iHeartRadio podcast player icon RSS Feed podcast player icon Deezer podcast player icon Amazon Music podcast player icon PlayerFM podcast player icon Castbox podcast player icon Goodpods podcast player icon Podchaser podcast player icon

 In today’s episode, we’re diving into one of IT’s murkiest topics: Attack Surface Management, or ASM. Can ASM be fun? Maybe. Is it critical for modern security? Absolutely. If you’ve ever wondered what ASM actually does, or why it’s more than just the latest buzzword, we’ve got answers (and helping handfuls of snark).

We explore how ASM helps businesses stay on top of their digital perimeters—those tricky-to-manage spaces outside the traditional data center walls. From spotting exposed IPs and misconfigured servers to reining in shadow IT, ASM aims to give organizations continuous visibility into their “attack surface.” And while ASM can’t replace yearly pen tests or manage itself like a SOAR, it’s an invaluable tool for identifying vulnerabilities before hackers do.

Join us as we untangle ASM’s purpose, benefits, and its place in a security stack alongside tools like SIEM and SOAR. Could ASM be your best defense against hidden threats? Tune in to find out! And remember, in security, making the news is rarely a good thing. 

LINKS: 

- Gartner’s Insights into Attack Surface Management (https://www.gartner.com/en/documents/5341663) 
- BlueKeep: Still Crazy (Good at Being Used for Hacking RDP) After All These Years (https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-168a) 

Transcript

[01:00:00.08]
Chris: Oh, I thought you meant just use comic sans for everything.


[01:00:04.01]
Ned: But I repeat myself. Well, that's one of the four fonts that we're allowing, right? There's Times New Roman, Helvetica, comic sands, and papyrus.


[01:00:16.29]
Chris: You mispronounce wingdings.


[01:00:28.06]
Ned: Hello, alleged human, and welcome to the Chaos Lever podcast. My name is Ned, and I'm definitely not a robot. I'm a real human person who can read Wingdings in its native format and have done so for the entirety of the Shakespearean plays. With me is Chris, who is also here and loves Wingdings. Hi, Chris.


[01:00:50.10]
Chris: Chicken wing, chicken wing, death skull, as we say.


[01:00:54.14]
Ned: As we do. To be or not to be is much amazing when you read it in its native wingding format.


[01:01:04.23]
Chris: Yeah, the surfing snake really gives it a je nez a quoi that I think Shakespeare finally gets across the message he intended.


[01:01:13.23]
Ned: It really ties it together. The closest approximation that I can give is trying to do it in an emoji, which someone has also tried to do.


[01:01:23.29]
Chris: I'm not looking that up.


[01:01:26.23]
Ned: No, you probably shouldn't, but there was definitely a period of time where people were trying to express entire plays purely with emoji because people have too much time on their hands.


[01:01:38.28]
Chris: Accurate. But also, there aren't enough emojis to do that?


[01:01:44.20]
Ned: Creating of use of combinations is really where it's at.


[01:01:48.03]
Chris: There's no towel emoji.


[01:01:51.16]
Ned: That can't possibly be right.


[01:01:53.06]
Chris: Explain this to me.


[01:01:54.22]
Ned: I am angry about this immediately. Not just because of my deep love for Douglas Adams, but also it's a towel, man. That seems like a pretty universal thing that everybody has.


[01:02:09.10]
Chris: Nope, apparently not.


[01:02:12.28]
Ned: And yet there's an octopus.


[01:02:16.27]
Chris: Well, yeah, the secret overlords of the world obviously have to be well-represented. It's a valid point.


[01:02:25.19]
Ned: There's some Netflix documentary that involves a person and an Octopus. I think it's my Teacher, My Octopus or something. I refuse to watch it because I feel like it'll make me deeply uncomfortable.


[01:02:36.11]
Chris: I think it won an Oscar. I'm pretty sure.


[01:02:41.01]
Ned: You're not selling it to me. Let's talk about something equally fun. What do you got?


[01:02:49.15]
Chris: I'm going to do that thing.


[01:02:52.14]
Ned: Okay.


[01:02:53.18]
Chris: You know the one?


[01:02:54.22]
Ned: The thing you do.


[01:02:57.21]
Chris: Well, I was going to sing the song, I don't want to get sued, and it's too early in the morning.


[01:03:02.25]
Ned: It's far too early for you, yes. It's actually afternoon by our internal clocks because fucking daylight savings.


[01:03:11.07]
Chris: Oh, that should have been the episode. We just curse about daylight savings for 45 minutes.


[01:03:15.20]
Ned: It still could be.


[01:03:17.09]
Chris: But instead, we're going to talk about attack surface management.


[01:03:21.19]
Ned: Would have gone with daylight savings.


[01:03:24.20]
Chris: The question one has to ask oneself is, self, can we make a tax surface management management fun?


[01:03:34.06]
Ned: Maybe.


[01:03:36.12]
Chris: Well, I appreciate that enthusiasm, but I'm not as optimistic. But gosh, we're going to try.


[01:03:43.15]
Ned: Okay.


[01:03:45.01]
Chris: So first of all, attack service management is one of those weird phrases that has come around in IT, relatively speaking, recently. I'm saying that in vague terms, because if you try to research the first usage of the term attack surface management, you come up with nothing definitive. It's very similar to other terms like digital transformation. There are many claimants who, proudly, I guess, believe that they were the first to use it. I guess what I'm saying is this is not a super cloud situation. Am I right?


[01:04:34.13]
Ned: We can definitely point to who, if not coined it, is pushing it.


[01:04:43.01]
Chris: But anyway, in terms of where it came from or why it came from. Long story short, a tax surface management or ASM, as I will go back and forth between calling it, depending on whether or not I think the audience has forgotten what the acronym means.


[01:04:56.15]
Ned: Fair.


[01:04:57.11]
Chris: It evolved as businesses continued moving their business and their data and their operations out of the standard four walls of the data center. Things stopped being simply perimeter security or firewalls and VPNs, as far as the eye can see, around the early 2010s. That's around where the concept of attack surface management came from. And honestly, that's about as well as we can nail it down.


[01:05:28.19]
Ned: That's fair. I mean, that's right around the time that shadow IT really took off. So whether you wanted your organization to be outside those four walls, it was.


[01:05:38.29]
Chris: Right. And shadow IT was a big driver of things like this, as we shall see.


[01:05:44.28]
Ned: Okay.


[01:05:45.19]
Chris: The idea was that the perimeter was no longer your standard four walls or one big old IP block, obviously a flat network for simplicity. Who needs VLANs? Am I right? The traditional boundaries, for lack of a better word, were not good enough anymore to describe or explain what your organization actually was. To the point that you're alluding to, they probably actually hadn't been for a real long time.


[01:06:18.16]
Ned: Valid point.


[01:06:20.04]
Chris: So a tax service management takes this idea and expands to everything that could possibly part of your business, whether you know it or like it. Not just inside the four walls, everything. Or to quote, IT expert... Oh, shit. I've already forgotten his name. I almost said Gary Busey, and that's not right.


[01:06:42.02]
Ned: Yeah. Gary Busey might have some interesting things to say about ASM.


[01:06:46.27]
Chris: It's Gary somebody. Gary Senece? No. Anyway.


[01:06:51.29]
Ned: Kasparov?


[01:06:55.02]
Chris: Gary the Snale?


[01:06:56.29]
Ned: Oh.


[01:06:57.19]
Chris: That might be the right one.


[01:06:58.27]
Ned: I think that's the one. That sounds correct We're back to the snails.


[01:07:01.28]
Chris: Good call back. So, yeah, the term attack service management is not extraordinarily well defined, just like the idea of attack surface. But my hope is that by the end of this, at the very least, you'll know what I mean.


[01:07:15.29]
Ned: Okay. Yeah.


[01:07:17.19]
Chris: We used to have this idea where it was very solid. This was the data center. This is where our stuff is. Then it became, holy crap, our stuff is everywhere. The cloud exists. Shadow IT is a thing. We've got to account for all of this stuff.


[01:07:31.17]
Ned: Right. It's not enough to just have one point of entry, your firewall, and try to put all the security there. I mean, arguably it never was, but now, especially so.


[01:07:43.04]
Chris: Right. So the goal of an ASM program, and I'm using program on purpose in this way, and when I do it, I mean it like when we talk about zero trust. There are tools that are sold that do ASM, but having an ASM program is more of this philosophy that we've just been noodling about.


[01:08:04.09]
Ned: Okay.


[01:08:05.01]
Chris: It's an artificial construct of a sort, where you can't just buy something off the shelf and say, you have it.


[01:08:12.07]
Ned: Okay, so you can't buy ASM, but they can sure try to sell it to you.


[01:08:18.12]
Chris: Just like zero trust.


[01:08:19.22]
Ned: Yeah, or DevOps.


[01:08:23.00]
Chris: The goal here effectively is to have a continuously updated understanding of what on your network, what connections do those things allow, and from that list of things, is anything not supposed to be there or otherwise, misconfigured? Okay. So there's a lot of words in that definition. One of the biggest ones is continuous. This is not like looking things up and then saying, Oh, we're good. We'll look again in a year.


[01:09:03.10]
Ned: Right. Because things change constantly, and you need to be aware of those changes if you're going to secure those things.


[01:09:11.26]
Chris: And also it's an active situation. Certain security measures, like a firewall, is passive in a sense. And what I mean by that is you set up the firewall, and that's great. And then you just wait.


[01:09:26.20]
Ned: Right. It's a reactive tool.


[01:09:29.16]
Chris: Right. Asm, you're actively looking, and by that, I mean up to once a minute for certain systems and services, to see if something has changed.


[01:09:42.25]
Ned: Okay.


[01:09:43.27]
Chris: Then finally, the Keyword also. There's a lot of keywords. Maybe I should just stop saying keyword.


[01:09:51.05]
Ned: If they're all keywords, are any of them?


[01:09:54.18]
Chris: Profound.


[01:09:55.20]
Ned: Have you ever really looked at your hands?


[01:09:59.20]
Chris: The The word that matters at the end is management. You've got this idea of the attack surface. You're looking at it constantly, and you're using this tool as an assist to manage everything that you have. So part of it is discovery, part of it is management. Again, what this also means is that ASM is, generally speaking, not active. It is not a penetration tool, for example. So really, all it's going to do is say the door's open, other tools at that point step in and do more, like a penetration test would poke their head in the door and look around and maybe see what happens if I try to take the wallet off of the counter. Asm doesn't do any of that. Right. And this is important because this is something where I think, let's just say, casual purchasers might think that if you do one, you get out of the other. Asm does not mean you can get out of doing pen test yearly.


[01:11:09.15]
Ned: Okay.


[01:11:10.05]
Chris: Two very different things.


[01:11:12.24]
Ned: One is about detection. The other one is actually testing the security of things by actively attacking them.


[01:11:19.24]
Chris: And more importantly, depending on the industry that you're in, one of them is going to help you pass an audit, and the other isn't.


[01:11:29.12]
Ned: Generally, we What would you like passing audits.


[01:11:31.15]
Chris: Something else to consider.


[01:11:34.10]
Ned: Okay.


[01:11:36.17]
Chris: So additionally, as they were being built, ASM tools traditionally focused on the external attack surface. What can outside attackers see and target? As things progressed, however, nowadays, you can also run ASM on your internal resources. Now, this was also a way to differentiate between the penetration tests and ASM or other things like that. The idea being the attack surface is what you attack from the outside. It's one of those implied definitions. Problem is, once you get an attack that gets somebody a foothold in your environment, they don't just go home. They try to attack more things. So your attack surface is now not just the outside, not just the outer crunchy shell, but everything on the inside, too. Lateral movement is a phrase you might have heard bouncing around.


[01:12:48.03]
Ned: I have heard that before, yes.


[01:12:50.11]
Chris: So, yeah, the name ASM, the more you try to describe what it does, gets more and more confusing. But as is tradition in computers, the name is never going to change. So we're just going to have to deal with it.


[01:13:05.14]
Ned: Right. Okay.


[01:13:08.09]
Chris: So yeah, these days ASM, increasingly used for internal visibility and potential breach as well, may Mainly because one of the biggest areas of attack for a company is a resource that is open to the internet in some way that you do not know about.


[01:13:24.16]
Ned: Okay.


[01:13:25.16]
Chris: So the big four, and I bet I probably should have you guess, but since it's in the document, you can already see what they are.


[01:13:33.03]
Ned: Sure can.


[01:13:35.19]
Chris: Publikely accessible servers and applications, exposed IP addresses and open ports, cloud instances That can be absolutely anything that you can put out in any cloud that has a connection to your network. If you know AWS or Azure or GCP, there's a lot that could go in that category.


[01:13:59.17]
Ned: Yeah, The real question is, does that environment have a connection back to your internal network? Because they don't necessarily have that.


[01:14:08.04]
Chris: Then finally, shadow IT, as we've alluded to. The funny thing is, all four of those categories overlap in many different ways. Sure. A resource could conceivably be all of the above, which would be great. But the you do not know about it is the super important part. Now, it is probably well known to the audience, the number one way attackers gain entry to any environment is...


[01:14:43.20]
Ned: Do you want the real answer? Because the real answer is social engineering of some kind. Right.


[01:14:55.00]
Chris: Okay. What's number two?


[01:14:59.11]
Ned: Oh, jeez. It's probably some vulnerability in software that you've left hanging out on the internet.


[01:15:05.27]
Chris: Correct. Systems that have been forgotten about and left online and thus never updated.


[01:15:13.22]
Ned: Yeah, it's that FTP server you had to set up for that client you were working with six years ago that no one ever spun down or patched.


[01:15:22.29]
Chris: Or that test system that you thought was going to be up for a couple of days and then just never turned off.


[01:15:30.29]
Ned: Yep, you got busy. And the worst part is, if it's running in the cloud, you will get a bill. So at least you have that reminder that something is still running. If it's something you spun up in-That's cute.


[01:15:43.13]
Chris: I mean- You see people look at their bill?


[01:15:46.02]
Ned: Somebody might look at the Bill. But if you spun up a virtual machine in a data center and left it running and somehow gave it a public IP or ported something through, you can easily forget that machine exists forever.


[01:16:00.27]
Chris: What happens, for example, if that system that you have forgotten about was on a network segment that then got repurposed?


[01:16:09.00]
Ned: You think we have segments? That's adorable.


[01:16:14.20]
Chris: The thing is, the way that these systems become attacked and the attacks that are used, it's all very banal. It is extremely rare that attacks are carried out with actual zero that end up being the major breaches we see on the news. First of all, it's extremely rare that any of these attacks work. A lot of the time, even the attacks that make the news and the ones that we hear about, they require a lot to go exactly right in the exact right order at the exact right time. Remember, hacking is forcing a computer to break in a specific way. So even is a very narrow thing is incredibly fragile. Even some of the most famous ones, I'll use one example, the Windows RDP being attacked by Blue Keep. Now, this one has been... This is probably in the hacker Hall of Fame. But guess what? It doesn't work every time. It's a simple script. You can try it yourself if you'd like. The exploit is available on GitHub. Go ahead and download it, right? Then go set up a VM, unpatched Windows 2003 or whatever server, run the exploit. Guess what? What? Seven out of times, nothing happens.


[01:17:45.19]
Ned: Seven times out of 10.


[01:17:46.24]
Chris: Seven times out of 10. Surprising. The thing is, with Hackers, it's a numbers game. Seven failures in a row. Well, actually, that just means it's the Yankees in a clutch situation. Got them. Keep hitting home runs against the White Sox, Judge. We're all proud of you. I'm just saying. Too soon?


[01:18:11.10]
Ned: I don't even know what you're talking about, so I will just smile and nod, Chris.


[01:18:16.15]
Chris: Anyway. So these things fail constantly. Somebody might try it, it doesn't work, and then they go back to playing Xbox. The thing is, what hackers have is unlimited time. If If one person gives up, there's another 15 that are going to try it. Eventually, one's going to work. That's why Blue Keep, as a zero day, probably didn't get a ton of traction. I'm sure it was successful, and there was some drama at the time, but Now, five years later, if you have a system that has been up that entire time that has been susceptible, chances are it's been tried and probably succeeded.


[01:18:58.28]
Ned: Right. Yeah, no, that makes sense. People are constantly scanning public IP addresses and seeing if anything's listening on 3389, just constantly. People might only knock on the door once, but like you said, if everybody's scanning all the time, you're going to get 30 knocks a minute, and one of those is going to get through if your system is susceptible.


[01:19:24.19]
Chris: Best case scenario, the hack crashes the computer. Worst scenario, you end up on the news.


[01:19:32.23]
Ned: There's at least one really good YouTube video of someone setting up a honeypot, just a VM listening on 3389 on a public IP, and then waiting to see how quickly it's attacked. It is within seconds.


[01:19:46.11]
Chris: Yeah, I've done that before as an exercise. It's a lot of fun.


[01:19:51.07]
Ned: You and I have different ideas of fun, but okay.


[01:19:56.10]
Chris: So in short, if you have an external automated system to help you observe these types of things, you have a much higher chance of finding these vulnerabilities that otherwise may have been forgotten about. You've got the external aspect of ASM that helps you with visibility of your public-facing shield, and you've got internal ASM assessing the security of assets within your network. Again, it's 2024. We cannot assume that anything is secure. Just because it's inside your network doesn't make it good enough.


[01:20:28.13]
Ned: Right.


[01:20:30.27]
Chris: In short, ASM, continuous asset discovery across defined organizational working environments, both internally and externally. Continuous real-time assessment of those vulnerabilities. Now, this includes trying to figure out what's going on. Is it an open port? Does it have outdated software? Is there some miss configuration? That last one is particularly important when it comes to cloud things.


[01:21:00.01]
Ned: Leaving that S3 bucket public.


[01:21:01.28]
Chris: That's a good one. Yeah, but it's okay because nobody ever does that anymore. And finally, these systems also give you risk prioritization. You look this up, you run an ASM or any scan like this, to be honest, against your internal environment, you're going to come up with errors and you're going to come up with a lot of them. But there's two categories here. One is, is it actually a significant vulnerability? And two would be, does it matter? Some vulnerabilities are so severe that they could take over your system immediately, but they're so impossible that they've never been observed in the wild. Yeah, you should fix it, but you don't have to fix it this second, probably.


[01:21:47.15]
Ned: Right.


[01:21:47.29]
Chris: So a couple of things now that ASM is not. First thing is, it's not a soar. It Sore is security, orchestration, and response.


[01:22:03.20]
Ned: Oh, okay.


[01:22:05.16]
Chris: It's not like flying through the air like a birdie.


[01:22:08.05]
Ned: That is sad.


[01:22:10.12]
Chris: Soar is sad. Okay.


[01:22:12.28]
Ned: No, soar is soar. If it was sad, it would be a different acronym.


[01:22:17.04]
Chris: Soar is a complicated system that basically you can use to create runbooks that will automatically take action if certain conditions are met.


[01:22:28.14]
Ned: Okay.


[01:22:29.14]
Chris: They will do stuff for you. That's the response part of sore. Asm ain't that. Although, of course, it can be connected to a soar. Other things you can do, ASM can connect to, say, a knowledge base and give you manual recommendations. Hey, we've seen something run on 3389. Stop it.


[01:22:53.21]
Ned: Yeah, everywhere, all the time. No RDP, please.


[01:22:58.04]
Chris: Similarly, ASM is not an inventory tool all by itself. It does the detection and will tell you what inventory exists based on the filter and searches that you're doing, but you still need some single source of truth. So ASM has, there's that word again, integrations.


[01:23:20.19]
Ned: Okay.


[01:23:21.18]
Chris: What you can do now is, let's say you have some type of an ITSM tool that has your inventory and it has your network scan ranges. And let's say in that range, you've got 100 systems identified. The ASM tool looks at the entire range and comes up with 105. Now you have a little bit of a pickle. But this is super helpful because now you have five things to look into. There might be other errors, but the fact that you have systems that are unidentified running on your network is going to jump to the top of that list. So you fix them, you reconcile it, you add them to the ITSM, and then everything starts to get back into harmony. Speaking of logging, which is a word I meant to say earlier, but I don't think that I did. That's all right. Asm doesn't really log, per se. In specific, it is not a SIM, which SIM, another complicated and expensive acronym, stands for Security Information and Event Management. And a SIM is a much larger beast. It focuses on collecting log data from all points in your environment. Take them in, aggregate them, use these things points in time, correlate based on conditions, identify anomalies, sudden unexpected changes.


[01:24:50.21]
Chris: And then if the system is set up correctly, you can even do real-time answers to questions like, if server X was in fact compromised, what other systems nearby are at immediate risk. Can't do that with an ASM. That's just too complicated.


[01:25:06.20]
Ned: Okay.


[01:25:07.20]
Chris: Once again, though, ASM can inform a SIM, which is good. Right. But it's probably annoying the hell out of people. And the question always comes up, why? Just why? Why can't the system do everything? Why can't, I don't know, one system do ASM and SOR and SIEM and blah, blah, blah. Some of them, in particular, ASM versus a pen test, they don't seem that much different. Well, I mean, yeah, you know things. I mean, not like a lot of things, but you knew that one.


[01:25:51.19]
Ned: Very narrow range of things that I know. It seems to me my experience is the broader the of a tool, the worse it is at any given thing. And if you're not sure about that, I point you at Microsoft.


[01:26:07.26]
Chris: Windows?


[01:26:09.20]
Ned: No, just Microsoft as a whole.


[01:26:12.08]
Chris: Yeah, I mean, That's the correct answer. You generally don't want to expand too far out. Jack of all trades, master of none, et cetera, et cetera. Think about it in practical terms. Do you actually want a car that turns into a boat that is also a toaster? Of course you do.


[01:26:32.28]
Ned: This seems amazing. I can have my toast in the water and then drive on land? Yes, I want all those things.


[01:26:42.04]
Chris: Now think of all the ways that that's not going to work and/or kill you.


[01:26:47.22]
Ned: Yeah, okay. Fine. We'll leave the toaster out.


[01:26:50.22]
Chris: The philosophy of the one meal warming vehicle to rule them all, it just doesn't work. I mean, there are cars that turn into boats, and they suck at in cars, and they suck at being boats.


[01:27:04.07]
Ned: Point taken.


[01:27:05.28]
Chris: Same thing happens in software. Now, I don't want to get too complicated about this stuff, but just think about it. If you have one thing that you're an expert at, why would you want to mash something else that you're not an expert at into that same tool? Then you also come into the situation where you end up being guilty of that second thing being terrible, And people assuming your entire software stack is not good. So there's a reputational risk for the people that write this software. In addition, as you get better at this one thing, you get real good at this one thing. And these tools will expand and get very specific and very niche. I don't want to spend a lot of time because this particular thing is not really necessary for most businesses. In addition, I'm also watching the clock. Asm tools can now do something called DRPS, which is Digital Risk Protection Services. Basically, We already talked about your inventory, servers, services, all the stuff that's running. In addition to that, these ASM tools can check out your reputation online, whether it's your staff, whether it's your company. It can monitor online activity, the open web, the dark web, communication about your company, even social media, seeking indicators of risk that could lead to brand damage, reputational harm, or targeted attacks of very important people.


[01:28:51.24]
Chris: Because remember, identity is now very quickly becoming part of your inventory.


[01:28:57.26]
Ned: That's an interesting way to think it.


[01:29:01.10]
Chris: All of these things constitute what could be made into an attack of some kind, but wouldn't make any sense to incorporate into a penetration test. It's just different, right? Now, having said that, I will say that there are companies out there that offer all of these things. That is true. And it's especially if you're interested in being a one pane of glass shop, it's a valid approach. But what I will say is, even though you are probably only cutting one check to one company, what you're actually getting under the hood is a whole bunch of disconnected tools. In many cases, those tools were all purchased rather than developed in-house. A little startup here. Plucky competitor over there, mush them all together, Web 3.0, charge five times as much. That does not mean that they're bad, but just recognize what is happening and what you're getting.


[01:30:21.14]
Ned: It's not going to feel like a tightly integrated package when you start using it because the integrations across these different purchase pieces of software might It might not be that great. I would look for products that have really good integration with other best of breed products rather than one company that has all of the things under a single label.


[01:30:47.07]
Chris: In any case, do your research. The other thing is, when you look at these types of deployments, some of these tools are going to be more important to your company than others. So maybe it makes sense spend a lot of money on the SIEM and get the lowest cost ASM or vice versa. Your specific business case, your specific needs. There's a reason that there's a hundred of these tools. But the other thing to think about, these tools are complicated. They are large. They take a lot of interactivity, even among themselves, in order to work. Going back to the idea of Sims, for example, Gartner believes that the way forward is in the cloud. And the reason is not just because then you can charge a monthly subscription. Although that may or may not be part of it.


[01:31:46.15]
Ned: It certainly is. Yeah.


[01:31:49.05]
Chris: The tool itself is getting so complicated that nobody wants to manage it anymore. So they believe that on-prem is going to be a vanishing minority and a very niche thing for companies that insist on having data in their four walls. And I believe them, and I think it's going to be the case for all of these tools. Asm tools, it doesn't really make sense to run from on your data center because you're checking it from the outside in any way. But from other perspectives, installing and maintaining an elk stack is hard. And it doesn't scale great. And I've been trying to avoid using company names this entire time, but can you imagine what it's like to run Splunk on Prem?


[01:32:39.10]
Ned: It sounds painful.


[01:32:40.23]
Chris: It's not easy. Let's just leave it at that.


[01:32:44.16]
Ned: All right.


[01:32:46.18]
Chris: So, okay, what might your environment look like if you want to use any or all of these tools? And I already answered this question, but I'm going to ask it anyway. You might be thinking, do I even need all of these tools? You're going to love the answer.


[01:33:05.20]
Ned: Oh, I know the answer.


[01:33:06.26]
Chris: The answer is it depends.


[01:33:10.18]
Ned: It always depends. Tm. It always depends. It's almost like these kinds of things are nuanced and require context.


[01:33:22.03]
Chris: Yes. Thinking about the way that these different things operate and communicate and provide more intelligence on top of more intelligence, the word of the day is, of course, defense in-depth. It stands to reason that an organization will have some version of ASM, a pen testing program, SIM for logging, soar for response, or some type of response mechanism, modern endpoint protection, obviously, firewalls, CASP. I could go on and on.


[01:33:57.13]
Ned: And on.


[01:33:58.14]
Chris: And on. But how would all them work together? So funnily enough, when I was working on this episode, I put together a complete theoretical case study, and I left it out because I realized it would double the length of the episode. So what I'm going to do is the short, short version.


[01:34:22.28]
Ned: Okay.


[01:34:24.17]
Chris: And show you a hypothetical tool stack for a modern enterprise. And enterprise is a strong word, and we're going to have to, as an industry, come up with another one. Because a lot of times I think enterprise, when people hear the word enterprise, they immediately think, Fortune 500. Right.


[01:34:44.17]
Ned: Not the case. Ten thousand seats. Yeah, that size. We're not talking about that. You don't have to be that size and scale because so many of these tools are cloud-based, so you don't have to have the hardware on-prem to run it.


[01:34:58.03]
Chris: Right. That's another advantage of the cloud-based thing is you also don't have to have the employee count. A lot of the times, again, when you think enterprise, you probably think 10,000 employees. Everything we're talking about here, you can do for a company with 10 employees.


[01:35:14.21]
Ned: Which is good. It might be overkill.


[01:35:17.24]
Chris: It might be, but it's better than the alternative. True. Anyway, in a hypothetical tool stack, you could have, number one, A centralized inventory system that operates as a single source of truth. If something is on your network that is not in the inventory system, that's a problem. The system can also, if you choose to go to this level, manage configurations and configuration files as well, which would add more edge to the alerting possibilities. This also brings in the idea of I IoT. Wait, no, that's not what I was looking for. Infrastructure as code, IAC. That's completely different. The idea is that you've got this central source of truth, and if anything is a miss, or outside of what is identified in that central source of truth, a flag is raised, and so is an alert.


[01:36:22.09]
Ned: I've done work for a company where their big claim is they scan all of your code repositories, all of your Terraform state files and your cloud accounts and match everything up. They can tell you these 12 systems, none of these are in your code, but they're all in your AWS account. You might want to take a look at that.


[01:36:43.28]
Chris: Right. The word of the day is configuration drift. So anyway, centralized inventory system. On top of that and connected to it, you have your ASM continuously scanning internally and externally, identifying and alerting on miss configurations or vulnerabilities and allowing you to update that inventory system. These all throw their logs into a SIM to keep up with what's going on, especially changes over the past, say, I don't know, two or three weeks. Connected that to a soar to take automated actions and responses on your behalf or at your triggering. Because response doesn't necessarily have to be completely 100% autonomous. Similar to keeping your configuration in a centralized system so that they stay consistent and they're always updated. The changes that you make can be scripted out so that you don't accidentally make a mistake when you're putting in the quote unquote fix. Using all these systems together to tie into, obviously, a robust monitoring system and a ticketing system, which could potentially be part of the centralized inventory system, depending on how you do it, allows you to use the findings to direct pen testing every six months to look at specific things and provide detailed assessments towards the already identified high-risk areas.


[01:38:22.08]
Chris: Now, this is super valuable because you might say to yourself, Well, we know the data lake is over here, and that is where the keys to the kingdom are. So yes, we want the penetration test to be black box, be blind, but we also want to be absolutely certain that these identified risks are looked at. That's a real short version of all that stuff, but you can see how all the different pieces have a different role to play and how they inform each other in helping you keep as secure as humanly possible. Asm, since it is the continuous part of all this stuff, provides you a foundational view of your assets, both known and unknown. Complementary systems that we just talked about, automate, validate, monitor, and alert on more specialized security functions and security concerns. And what is the purpose of all of this? It's not just to spend the company's money, although that's obviously part of it.


[01:39:22.17]
Ned: I mean, that's half the fun.


[01:39:25.11]
Chris: All of it adds up to reduced response times in the event that there's an incident. Properly configured and maintained systems like this, working together will, no doubt, identify and alert on issues so you can resolve them faster. Full stop. Obviously, properly configured and maintained is an important part of the recipe. But even just out of the box with ASM, you will get more perspectives and more eyes on your environment. Not to go all fear and loathing in IT security on you, but honestly, in many cases, without these types of tools, you won't find out about an issue at all until you hear about it from the New York Times. And just so there's no ambiguity here in the context of IT security making the news, generally speaking, making the news is bad.


[01:40:29.26]
Ned: Bad, yeah. The best IT security is the one you never notice.


[01:40:36.28]
Chris: Just like Stage Crew.


[01:40:41.10]
Ned: Hey, thanks for listening or something. I guess you found it worthwhile enough if you made it all the way to the end. So congratulations to you, friend. You accomplished something today. Now you can go sit on the couch, fire up a cloud-based ASM, and see what assets are lurking in your environment. You've earned it. You can find more about the show by visiting our LinkedIn page. Just search Chaos Lever or go to our website, chaoslever. Com, where you'll find show notes, blog posts, and general Tom foolry. We'll be back next week to see what fresh hell is upon us. Ta-ta for now.


[01:41:20.12]
Chris: Did I ever tell you this story about when I was in Stage Crew and I was asked to help with the lighting for a show because somebody was sick?


[01:41:28.24]
Ned: No.


[01:41:30.01]
Chris: Long story short, they were like, When a certain thing happens, you're going to hear a symbol, and then you need to turn on all the lights.


[01:41:37.05]
Ned: All of the lights?


[01:41:38.09]
Chris: And I was like, Okay. So certain thing happened. I heard a symbol, and I turned on all the lights. And they looked at me and they said, We meant the stage lights. Not, apparently, the house lights.