Last Updated on January 15, 2024
We’ve spent the last two and a half years with rapidly rising cloud adoption. It was a rocket ship before that, but the COVID-19 pandemic has only accelerated it and caused everybody to scramble to protect an expanded attack surface.
We’re still playing catch-up to get equivalent security treatments for people working remotely as for the folks working in the office.
Every client has concerns about their current exposure, which is why the topic of this episode of The Virtual CISO Podcast is so important.
Michelangelo Sidagni, Chief Technology Officer at NopSec, joined this episode to talk to us all about:
- Why his firm is all in on Attack Surface Management, and how it’s different than your standard vulnerability management
- How attack surface management unifies current vulnerability and configuration management strategies
- Attack path analysis, what it is and what it isn’t
- The NopSec client customer journey
What is Attack Surface Management?
At its core, attack surface management encompasses the whole of vulnerability management.
Vulnerability management goes from asset inventory management to vulnerability assessment and prioritization to remediation and security testing. Trying to separately coordinate all these different areas that can result in a lot of competing priorities and leadership directives.
Attack Surface Management ultimately aims to unify all these areas, plus throw in threat intelligence and configuration management. In a holistic approach, finding the assets, finding the vulnerabilities, and most importantly for blocking an attacker, connecting the dots to spot the worst dangers and the attack paths to exploiting them.
“Not all vulnerabilities are created equal.” Michelangelo Sidagni
Some vulnerabilities are exploitable, sure, but some can create a real problem for the defender. Identifying those most critical vulnerabilities is what Attack Surface Management aims to get a handle on.
It’s a Configuration Issue
There’s a strong connection between attack surface management and vulnerability management, but what about the fine line between vulnerability and configuration management?
A bad configuration can be a vulnerability, but managing configurations isn’t just about eliminating vulnerabilities. So how does attack surface management relate to vulnerability management and configuration management?
“In the cloud world…every single real vulnerability of the environment is a configuration issue, or a lack thereof.” Michelangelo Sidagni
You can think of attack surface management as encompassing both vulnerability and configuration management. How you identify or scan for vulnerabilities may change as technology become more sophisticated. But what won’t change is the need to holistically manage the overarching attack surface that both vulnerabilities and misconfigurations are part of.
The NopSec Customer Journey
NopSec isn’t out to reinvent the wheel.
“We don’t want to recreate the wheel, we want to offer a service that puts intelligence on the workflow, not recreate a vulnerability scanner.” Michelangelo Sidagni
They’re out to offer a service that puts intelligence and automation into the vulnerability assessment and remediation workflow, not recreate a vulnerability scanner. They partner with scanner providers and other data source providers. They’re focused on putting the pieces together to operationalize a process to identify and prioritize the most critical vulnerabilities to fix, across what traditionally have been silos of data.
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.