
By Microsoft Security

Organizations are moving more infrastructure, data, and apps to the cloud – supporting remote work and engaging with third-party ecosystems. This broader, more dynamic environment results in an expanded set of attack surfaces. Threat actors are taking advantage of this complexity, exploiting gaps and relentlessly stepping up the volume of attacks. Paired with the growth of the cybercrime-as-a-service ecosystem, the threat landscape has become broader and more complex.

The good news is that basic security hygiene still protects against 98% of cyberattacks. But keeping up with today’s threats means securing every main attack surface: internal, cloud, and external. While the challenges to each continue to evolve, so do the options available to defenders.

Ask yourself this: If you were an attacker trying to get in, what could you exploit? Read on for actionable tips on defending each of the three main attack surfaces.

Attack surface #1: Internal – protecting things you can control

Email, identity, endpoint devices, and the Internet of Things (IoT) are all under constant attack by threat actors, adding risk to day-to-day business processes.

  • In 2022, the rate of phishing attacks increased by 61% compared to 2021; Microsoft alone blocks 710 million phishing emails every week. Safeguards such as URL checking and disabling macros can help, but employee education is essential – especially as threat actors use more sophisticated social engineering tactics, including using AI to create more persuasive emails.
  • With an estimated 921 password attacks every second in 2022 – a 74% increase from 2021 – threat actors are getting more aggressive and creative. Mitigating identity attacks means more than securing user accounts: it spans cloud access, as well as workload identities (identities assigned to software workloads like applications to access other services and resources). Maintaining a comprehensive understanding of identity and access will continue to be mission critical.
  • Securing endpoints has become more challenging but is especially critical when defending internal attack surfaces. BYOD (bring your own device) policies have led to a huge growth in unmanaged devices. On average, there are 3,500 unprotected, connected devices per enterprise. Unpatched servers provide additional points of entry. It’s essential to keep up with patches and employ endpoint detection and response agents.
  • By 2025, IDC predicts that 41 billion IoT devices will be present within enterprise and consumer environments. In one study, 35% of security practitioners reported that in the last two years, an IoT device was used to conduct a broader attack on their organization. While many countries are mandating improvements in IoT device cybersecurity, each organization needs to be especially mindful of its own risks. Greater visibility into every connected device is crucial.

Attack surface #2: Cloud – defending offsite, multi-cloud and hybrid environments

Securing the cloud environment means defending a range of services, including SaaS, IaaS and PaaS, distributed across multiple clouds. This can make it difficult to achieve end-to-end visibility across the entire cloud enterprise. Without this visibility, organizations are at an increased risk of critical security gaps. Microsoft found that 84% of organizations that suffered ransomware attacks had not integrated their multi-cloud assets with their security tooling.

Unknown code-based vulnerabilities in cloud-native applications have dramatically increased the risk of compromise. Embracing a “Shift-left” security approach – incorporating security thinking in the earliest stages of app development – can help organizations strengthen their security posture and avoid introducing these vulnerabilities in the first place.

Attack surface #3: External – meeting an internet-scale challenge

The global attack surface has grown with the internet, spanning multiple clouds, complex digital supply chains, and massive third-party ecosystems. The internet is now part of the network, and despite its almost unfathomable size, security teams must defend their organization’s presence throughout the internet to the same degree as everything behind their firewalls.

Your entire supply chain is at risk – not only your suppliers and partners, but their vendors and partners. A 2020 Ponemon report revealed that 53% of organizations had experienced at least one data breach caused by a third party in the past two years, costing an average of $7.5 million to remediate.

Component makers and third-party code developers can be hacked, potentially leading to stolen customer credentials or back doors into your systems. Meanwhile, cloud environments compromised by phishing attacks could give threat actors access to your confidential data. This means taking inventory of internet-exposed assets has become more urgent than ever.

Visibility is the linchpin of security

You can’t protect what you don’t understand. Viewing the organization from the outside-in is a good place to start when evaluating your security posture. Beyond Vulnerability Assessment and Penetration Testing (VAPT), it’s important to gain deep visibility into your attack surfaces so you can identify vulnerabilities throughout the entirety of your environment and extended ecosystem. Security teams need powerful threat intelligence to provide timely and relevant context into current attack behavior and trends.

The benefits are twofold: first, the right threat intelligence helps security teams identify vulnerabilities, prioritize alerts, and disrupt attacks. Second, if and when a breach occurs, holistic threat intelligence is essential to learning what happened and preventing it from happening again. Simply put, organizations that make more use of threat intelligence will be better able to secure themselves.

End-to-end visibility into threats is foundational for good security hygiene. Once you know your vulnerabilities, you can apply the right defenses for your organization – including human-centered approaches like Zero Trust principles, patch management, identity and access controls, and user education.

Ready to learn more about protecting all of your attack surfaces? Read our in-depth threat brief and visit us at Microsoft Security Insider for more cybersecurity insights.

Copyright © 2023 IDG Communications, Inc.