Better Cybersecurity Means Finding the “Unknown Unknowns”

From Business Lab


Length:
37 minutes
Released:
May 26, 2021
Format:
Podcast episode

Description

During the past few months, Microsoft Exchange servers have been like chum in a shark-feeding frenzy. Threat actors have attacked critical zero-day flaws in the email software: an unrelenting cyber campaign that the US government has described as “widespread domestic and international exploitation” that could affect hundreds of thousands of people worldwide. Gaining visibility into an issue like this requires a full understanding of all assets connected to a company’s network. This type of continuous tracking of inventory doesn’t scale with how humans work, but machines can handle it easily.
For business executives with multiple, post-pandemic priorities, the time is now to start prioritizing security. “It’s pretty much impossible these days to run almost any size company where if your IT goes down, your company is still able to run,” observes Matt Kraning, chief technology officer and co-founder of Cortex Xpanse, an attack surface management software vendor recently acquired by Palo Alto Networks.
You might ask why companies don’t simply patch their systems and make these problems disappear. If only it were that simple. Unless businesses have implemented a way to find and keep track of their assets, that supposedly simple question is a head-scratcher.
But businesses have a tough time answering what seems like a straightforward question: namely, how many routers, servers, or assets do they have? If cybersecurity executives don’t know the answer, it’s impossible to then convey an accurate level of vulnerability to the board of directors. And if the board doesn’t understand the risk—and is blindsided by something even worse than the Exchange Server and 2020 SolarWinds attacks—well, the story almost writes itself.
That’s why Kraning thinks it’s so important to create a minimum set of standards. And, he says, “Boards and senior executives need to be minimally conversant in some ways about cybersecurity risk and analysis of those metrics.” Because without that level of understanding, boards aren’t asking the right questions—and cybersecurity executives aren’t having the right conversations.
Kraning believes attack surface management is a better way to secure companies with a continuous process of asset discovery, including the discovery of all assets exposed to the public internet—what he calls “unknown unknowns.” New assets can appear from anywhere at any time. “This is actually a solvable problem largely with a lot of technology that's being developed,” Kraning says. “Once you know a problem exists, actually fixing it is actually rather straightforward.” And that’s better for not just companies, but for the entire corporate ecosystem.
Show notes and links:
“A leadership agenda to take on tomorrow,” Global CEO Survey, PwC

Titles in the series (61)

The Business Lab is a sponsored podcast produced by Insights, the custom content division of MIT Technology Review. The Business Lab podcast features a 30-minute conversation with either an executive from the sponsor partner or a technologist with expertise in a relevant technology area. The discussion focuses on technology topics that matter to today’s enterprise decision makers. Laurel Ruma, MIT Technology Review’s custom content director for the United States, is the host.