As the digital landscape expands, managing and securing your organization's attack surface has never been more crucial. Join us for a webcast on hot topics where industry experts will provide a comprehensive forecast of attack surface management (ASM) trends and offer strategic guidance for late 2024 and early 2025. This session will cover emerging threats, advanced ASM techniques, and innovative solutions to help you identify, prioritize, and mitigate vulnerabilities. Attendees will gain practical insights to improve their ASM strategies, ensure robust defense mechanisms, and leverage new technologies to protect their organization's attack surface. Key takeaways:
- ASM trends: Understand the emerging trends and future directions of attack surface management for the months ahead.
- Threat landscape: Identify the latest threats and vulnerabilities associated with expanding attack surfaces and learn how to mitigate them.
- Best practices: Discover practical strategies for effective attack surface management and vulnerability reduction.
- Innovative solutions: Explore new technologies and tools that can strengthen your ASM efforts.
- Risk prioritization: Learn how to prioritize vulnerabilities and allocate resources effectively to address the most critical risks.
- Continuous monitoring: Understand the importance of continuous monitoring and how to implement it for real-time visibility and response.
Good afternoon or good morning to those of you joining us today. My name is Doctor Dustin Sachs. I’m Chief Technologist, Senior Director of Programs for the Cyber Risk Collaborative, which is our cybersecurity community here for CISOs and senior leaders and security departments at organizations. And I’m really excited to be here talking today, Overcoming Vulnerabilities with Attack Surface Management in 2025. We wanna start off, obviously, by thanking our sponsor, Semperis, and I’m really excited to welcome my panelist today, Alexandra Weaver, who is a Senior Solutions Architect with Semperis. Alexandra, you wanna introduce yourself a little bit to the audience? Yeah. So thank you. Nice to virtually meet everyone. I have been an Active Directory administrator for over twenty years now. I work for Semperis, which is a cybersecurity company that... while Alexandra oh, there. You’re back. Yeah. I’m back. Fun Internet connectivity issues at home. Absolutely. So to set the stage, you know, obviously, to set the stage about what we’re gonna be talking about today, you know, when we talk about attack surface management, it’s a very wide topic. It’s kinda like saying we’re gonna talk about biology. I mean, you’re not getting very specific. But some of the statistics that are out there are really interesting and concerning. The Ponemon Institute in their 2024 cyber risk report revealed that ninety three percent of organizations have experienced multiple or repeated attacks due to an unmanaged or unknown attack surface. IBM in their Cost of a Data Breach report this year also said that the average cost of a data breach involving unmanaged attack surface is somewhere in the neighborhood of about four point five million dollars. And that’s the cost you know of. Right? Just to quickly interrupt you. Absolutely. Right. Yeah.
But, you know, kind of the last statistic, also again from Ponemon, was that sixty two percent of data breaches are traced to vulnerabilities in the third party’s attack surface. So it’s definitely a big issue. Now at the same time though, there are some promising statistics. The Verizon data breach report again, sixty eight percent of organizations now use automated attack surface management tools. Yes. And the switch to remote work due to the pandemic really only increased the attack surface complexity by about thirty seven percent. So it was not a massive increase percentage, though. You don’t remember that. Right? Not as massive as you thought it was. That’s true. That is true. I call it be anywhere, anytime on any device. Right? That’s what we’re now protecting. Right? And attack surface management, ASM, is a relatively new cybersecurity focus. Right? And I think it’s important that we’re now focusing on that. Absolutely. So starting off, you know, for those who, because we have people who are all along the spectrum of experience. Of course. Explain for us when we talk about ASM, when we talk about attack surface management, what are we talking about? What does it mean? So ASM, attack surface management, is a discipline within cybersecurity. That sounds a little stringent, if you will. And a lot of us have maybe heard the term, but maybe aren’t necessarily implementing it quite yet. But it’s definitely a push. We can see it coming up as a predominant force within environments that need to be accepted because ASM identifies, assesses, and monitors assets. Right? So subdomains, shadow IT devices, you know, APIs across the cloud, on prem, hybrid, all of that. What ultimately it’s doing is ASM wants to detect and address potential vulnerabilities that hackers can exploit. So it goes back to common acronyms that we hear, you know, attack vectors or vulnerabilities or indicators of exposure, the IOEs in our environment.
We need to be able to identify those across our environment. And now that our environment is not just on prem, it’s, you know, hybrid and fully in the cloud, whatnot, a bunch of different applications, you know, SaaS based, whatnot. We have to be able to identify our attack vectors. Right? That’s a big deal. We have to be able to do that in real time. So running, you know, a report or doing an assessment once a year is not enough. No. Absolutely. And I think, you know, one of the things that we have learned over the last couple years with some of the breaches, you know, Log4j, MOVEit, etcetera, is that the attack surface can be a lot more complex, a lot deeper, a lot more out of your control than you might even have thought, you know. Yeah. It is easy to understand that in this remote work environment that we live in, you’re now talking about people’s home routers and smartphones and stuff. All of that is easy to understand, but what is really hard to understand, and it’s funny because we had a webinar on supply chain resilience yesterday that I moderated, and we were talking about this, which is you may not know and maybe you do, but you may know about the attack surface for your third parties. But what you don’t know is the attack surface for their third parties and their third parties and their third parties. And when you get, you know, when you look at something like Log4j where you could be three, four, five links down the chain, and it’s, you know, coming back at you or SolarWinds or any of these others that are out there. MOVEit, where you didn’t even realize MOVEit was being used in a file transfer tool you’re using or that one of your vendors is using. That attack surface can get very complex and very, very, very hard to manage at times. It can.
And that’s why I think organizations have to adopt, you know, ASM, attack surface management, where they have that holistic view, that single pane view into their environment. You want to be able to get a very clear understanding of your attack surface. You also wanna be able to get it in real time. We call it find it, fix it fast. Right? That’s what we need to ultimately be able to do. We want to be able to close those indicators of exposure. And ASM is also at the forefront of building a cohesive strategy for organizations that not only helps you map out the attack surfaces, but also gives organizations the ability to be proactive, and that’s a very rare thing. You know, as a former AD administrator of, you know, twenty plus years, I was typically reactive in every department I’ve worked in and every environment I’ve worked in. We haven’t had the ability to be proactive. By having these challenges, you certainly have to address, you know, and by having a good attack surface management program, you certainly can address all of the concerns that are out there and you can, you know, I like that you said it was a holistic approach because I think, you know, that it really is a new way of looking at the way you manage your security program. Because you have two aspects, you know, I think it’s important also to mention we have two aspects of attack surface management that you’ll hear people talk about, which is you’ll hear about external attack surface management and internal. Yes. And the external one, it’s really interesting because external attack surface management has been around for a couple years, but it was maybe two or three years ago that I as a practitioner really started to see people caring about it. What would happen is you get a call, I remember getting calls or emails from vendors of ours or customers of ours going, hey. Your Security Scorecard score has dropped below a permissible level.
We wanna understand what’s going on and, you know, you talk with them and you explain it and whatever, but you’re having to take time now to answer questions because of an external scan that is not intrusive into our environment, but certainly the way you’re being viewed by it is the way you’re being viewed. I mean, think of it as the credit score of your company’s assets. That’s true. I like that. We also talk about, you know, the internal attack surface management aspect, which is internal looking out, which for most of us in security, that’s the easy one because that’s the one that you’re in the most control over. You can’t control how you are perceived from the outside necessarily, but you can control how you are on the inside. And I think the other thing that you said that was really important is it’s about reducing the time and increasing the speed of finding these things. You know, going back to the Verizon data breach report, which I think is probably at this point for security practitioners the go to resource when it comes to things. But, I mean, this year alone, they pointed out the average time to identify and mitigate an unknown asset is ninety seven days. I mean, that’s three months, over three months that it takes when you’ve got an unknown asset, and it’s not hard to see why. I mean, I remember back to the MOVEit breach, we found out about it, and we were talking about that one yesterday as well. That one was interesting because most of the security professionals found out about it the same time the rest of the world found out about it. In the news, on a Monday morning going, oh, crap. But I remember we did an analysis at the organization I was at and said, oh, we don’t have any MOVEit. We’re good. And then three days later, we found out about some assets somebody had stood up somewhere that we didn’t know about, and they’re like, wait. Our FTP is not working. And we go, okay.
What’s the name of the software you’re using? That’s the shadow IT. Right? Seriously. That’s exactly what we’re talking about is we have people anywhere, anytime, and on any device. So you think you aren’t using MOVEit, but I guarantee you someone in your office was using MOVEit. Right? Exactly. We were talking about, you know, attack surface management, ASM. That is really a security first approach, but that has to be an organization’s objective top down. Right? When we talk about, you know, an Active Directory team or security team or incident response, really, ASM is promoting the cross culture of collaboration between all of these teams. You can see that shift, I think, as well, but it does come top down. You know, it’s interesting because it has to be part of your company’s culture. Right? And even presenting it as a responsibility. So I commonly say, you know, in Active Directory, in security specifically, we have to be right all of the time. The cyber criminal has to be right just once. Now while that’s true, it takes all teams to present that unified front and to keep an environment secure. It isn’t just one team or one person’s responsibility. That security focus comes from the top down. Absolutely. So that raises an interesting question, which is, you know, obviously, we’re talking about this being a holistic approach and a cultural approach and a strategic approach. You know, we are always talking, and I hear lots of CISOs in the conversations that I’m having with them where they talk about, well, but we’re resource strapped or financially, you know, budgetarily strapped. Of course. How can an organization effectively handle attack surface management, all the elements, vulnerability, prioritization, all of the things that they need to do, because attack surface management literally means addressing everything in your environment. It is. How do you do that in a resource constrained environment, though?
Well, so there are some free utilities, and I’m gonna do a shameless plug here for Purple Knight. It’s one of Semperis’ products, and it is free. So you can run it, and it gives you a security posture of your environment. So your data is on-site. Nothing is transferred. You don’t even have to be domain admin to run it. So a tool like that can give you a very detailed report of the indicators of exposure in your environment and your score. Right? And that aligns with the MITRE and the NIST frameworks. So you can see the categories within AD, like GPOs or Kerberos or accounts, what’s weak, and what you need to fix. So that gives you a path to remediation. It also gives you a great benchmark. So that’s a perfect starting point. And to make it less of a shameless plug, I will say this, which is if you’ve got, I mean, if you are, you know, going back to your reference of being, you know, an Active Directory, you know, aficionado. If you’ve got Microsoft in your environment, if you’re using Microsoft Defender, rule one should be, do all of our devices on our network have a Defender agent on them? Exactly. Or some agent into a tool that will then feed into our asset management system so that we at least know it exists. Exactly. We know people are bringing their own devices. So, you know, we can start at the very basics because it is overwhelming when you look at that attack surface, you know, in its totality. Right? But there are things that we can do as AD administrators or in the security field. I jokingly say we’ve all been secretly and quietly promoted into security. We can do things. So we can put, you know, privileged access workstations, PAWs, in place. We can do just in time administration, just enough administration. We can put MFA. Those are things that we can do, and a lot of that’s free until you get to the MFA, and that still can be low cost. You can at least do MFA on your administrator accounts.
You can also do password phrases. You know, we know that we wanna go passwordless. We’re not there yet. We all, you know, fingers crossed, we’re gonna go to Windows Hello. But until we do, make strong passwords, you know, thirty-two characters, if you will, but don’t require people to change it every thirty days. That’s kind of that compromise. Right? So there are a lot of options out there that as AD administrators, we can deploy, and we should be deploying. You can layer your network. Right? You can segment. You do your layered approach, things of that nature. So I’m gonna give those who are listening, the eighty or so people who are here live, the first mark off on their webcast bingo card. What is the role that, you know, when we talk about all these free tools, all of these tools that are available, what role does AI and automation play in all of this? How can AI and automation maybe help security teams in a positive way address some of these issues? For sure. Well, I think we’ve been using AI and machine learning for a long time. It’s really nothing new. But what machine learning or AI allows or is allowing for in a security space in a positive way is the ability to fast track behavioral problems, right, analysis, and also attack patterns. You can spot them more quickly, any anomalies in your environment. So those are big deals for us, right, as AD, you know, administrators, I still refer to myself as an AD administrator. We want to be able to spot that fast because we wanna reduce our time to fix. Oh, yeah. Absolutely. And as somebody who spent quite a bit of time as a SOC analyst, the number of alerts that you take in and the amount of fatigue It’s insane. People hit. I mean, if you just Yeah. You just sit there for fifteen minutes and you’re like, I’m exhausted. This is like, there’s not enough coffee to keep you going. No. No. All of these automations really help because they can remove some of the easy things to do.
If I don’t have to look at phishing, you know, phishing emails anymore, now I can look at password attacks. Password attacks. If I use AI and ML and automation to identify what are really truly legitimate, you know, impossible travel alerts, like those things that are easy for a machine to use rules to identify, then I can focus on the user who clicked, you know, who is downloading malware on their computer, and address that a lot quicker. Hopefully so. I mean, it’s crazy to think that, like, you know, seventy five percent of attacks start with phishing emails. Right? And then now we have the yes scam. Have you heard about that? Where they say, Alexandra Weaver, and you say yes, and they have your voice saying yes. And that’s a nice little clip. So that’s fun. I haven’t heard of it. I’ve heard bits and pieces and variations of that, which is, you know, now with deep fakes and all of that, they’re making some really scary kind of, you know, even just They’re good. On calling up. I mean, I still remember the one from, like, a year ago, the woman in South Florida who got a call from supposedly her daughter saying, you know, mom, I’m so sorry. You know, please don’t hold this against me. I really just need, like, five thousand dollars, and she wired five thousand dollars to this account. And it was a malicious attacker, and her daughter was perfectly fine and had no idea that this thing had even happened. You know, those things happen plus just, you know, the scams that are happening with help desk, service desk, you know, call up and just go, hey. I need to get reset on my computer and the information that’s being asked for is publicly, you know, easy to get information for an attacker. Those are questions that you do normally ask, like your four security questions. Right? Yeah. So the thing about cyber criminals, they are definitely part of our ecosystem. They are unfortunately very smart.
And, apparently, they have also a gift for marketing themselves, right, in becoming bigger and better. They’re trying to find a way to make money. I swear if they were collectively put together, they could probably solve cancer. Instead, they’re doing, you know, malicious activity and causing a great deal of damage. And there’s no holds barred. Nothing is off limits. You know, there is no honor among thieves. So we, again, have to have some sort of identity focus in our environment. So really what we can control is our identity and protecting the identity. And then attack surface management, it gives us that view of looking external versus looking internal. Right? So we’re now looking at the external path into our environment, and that’s also a different approach. Absolutely. Yeah. No. Absolutely. So what are some of the technologies that are out there that are making the biggest impact or some of the strategies that are making the biggest impact that, you know, if somebody listening to this webinar is like, I’m trying to kinda put together the list of strategies or technologies I wanna implement in 2025 to enhance my attack surface management so that this time next year, I’m in a much better position. What are some of the technologies, some of the strategies that should be top of the list? Okay. That’s a great question. I think, again, as an AD administrator, the only control plane we have in everything going on is that identity. I was just speaking to that a minute ago, so I think I gave you a great lead in there. So the first part of a breach is really credential stealing. Right? That’s a login. That’s just the threshold they need because they’re gonna try every door they can. And once they get that password, that’s the exact foothold they need to enter your environment. So for me, any software that focuses on securing the identity is gonna be a critical must have. I’m also gonna want real time monitoring.
I want visibility into my environment, and I wanna be able to see everything as a domain controller sees it because that way I’m seeing all my attributes. I’m seeing everything that’s replicated in my environment. That’s a critical must have for me. As far as the security side of the house on those identities, I think we all know we need to have MFA at this point, and at the very least, we need to have MFA on our admin accounts. We also should have tiered administrative models. As far as third party vendors, though, I would definitely want to know their security processes. We’ve seen recent breaches of other organizations or companies or products. We wanna know what their process is as well, how they work in their environment, how they keep their product safe. Those are questions I don’t think we all would have asked maybe five years ago, and now we definitely are asking about that. We’re including that in our vetting process. No. Absolutely. So, you know, the other question, which is, you know, so we talk about these different technologies, these different strategies to implement. How should organizations be approaching it and what should they be thinking about so that they can implement these strategies, especially identity based strategies, without disrupting operations? Because, you know, you say, oh, I’m gonna add in MFA, and now I’m gonna slow you down. And then the first response is, well, I can’t do that because it’s gonna take me an extra couple of minutes or whatever. Okay. And that’s a great point. We are gonna always have friction with our user base, and it’s not because, you know, we know more. We just know something different than them. Right? It’s because the thirty-two-character password, I mean, no one is gonna tell you, oh, that’s easy and that’s fantastic, but we should all be using password vaults at this point. We shouldn’t be writing anything down.
And if I only require you to change your passwords every six months, but yet I require a thirty-two-character password, I feel like that’s a decent compromise. Now requiring MFA, I realize there’s MFA fatigue. I understand that. It’s real, but we still have to have that. So what it comes down to is when I hear people complain, like, well, I have to change my password every thirty days. I will commonly say, well, you just went through a security breach, and you had to change all of your passwords and put a credit freeze on your information. So would changing your password be easier? Because the friction is always going to exist for us to be secure, but it has to be. Right? We can reduce the friction, but it’s never gonna just be seamless. It no longer can be. It has to be conscious at the very minimum. We know that we have to protect again. We have to protect our identity. We have to have solutions that look at identity first. That’s the only control plane we have. And what’s interesting is, and we’ve talked about this as well on previous webinars that I’ve been involved in and even just, you know, from my own kind of research and work that I do in, you know, behavioral science and cybersecurity, it’s interesting because you have people who get very frustrated about the friction. But at the other end, when you implement passwordless and you take away all the friction, they go, well, this doesn’t feel right because I’m not being prompted for anything anymore. So it’s I know. I know. You can’t go any one way on either side of the spectrum without somebody, you know, freaking out. So it’s where is that equilibrium? Where do you find the point where they’re like, this is just enough friction to make me comfortable, but it’s also not enough friction that it’s slowing me down. But that’s also where I think the user involvement and the user training needs to come from. I think if users were involved in this process saying, hey. Look at these attacks.
Look at how often we’re getting password sprays. You know, and actually showing them, like, even just a visual lab, a training, a brown bag lunch. I really feel as though making our users a part of our security process is helpful. Right? You know, you have some fake email test to see. You know, we conduct that here at Semperis and see who goes for it. Right? And, hopefully, we don’t. But every once in a while, you’re tired, and I’ve had friends that, you know, they’re like, oh, wow. A coupon from Costco, and then they realize Costco isn’t spelled correctly or something along those lines. Right? So we’re all susceptible to it, especially when we’re tired or excited about a coupon, but we have to remain vigilant. But I think involving all parties and realizing that we all, as a collective whole, need to participate in security will help reduce that friction. No. Absolutely. So, you know, one of the kind of things that we need to probably spend a little bit of time discussing though is, you know, what I’ll call kind of the elephant in the room, which is, yes, the digital footprint, the attack surface has expanded over the last four years. Due to the pandemic, due to a shift to global remote work Yep. And that now being kind of almost the expectation of this work from wherever. Yep. Yep. What impact does that really have? How does it contribute to the risk, and what can organizations do to maybe help minimize some of that risk? Well, I would hope, and I think maybe, hope springs eternal, that we’re at the point where we’re realizing we have to support our users and their home networks. But more importantly, that we, again, as AD administrators, as security folks, have different mechanisms in place to secure our environment. Right? We know people are logging in from home, and who knows the last time they updated, you know, on their end. Right? Or they’re going into Starbucks. But, you know, there’s VPNs. Right?
The strong passwords, the, you know, network segmentation, things along those lines can help protect our environment. So those are things that we can do and that we should be doing. I wanna say, you know, again, I hope that we’re doing that at this point. So that’s a little bit. Absolutely. Absolutely. I know you’re thinking more. So a couple things. First of all, if anyone has any questions, please feel free to use the Q&A function and submit them. A question was asked about whether this is being recorded. It absolutely is. It will be available later this afternoon on the SC Media website. So you can definitely keep an eye on that one and go from there. For me, you know, when I think about it and when I look at, you know, how does it contribute to risk, I think the first thing is it becomes, unfortunately, and this is a tricky thing because it becomes a little bit more important for us as security practitioners to educate the less technical members of our organizations on some of the basic blocking and tackling at home. You should have AV on every one of your computers regardless if it’s a personal device. You should be monitoring to see if any device connects to your Wi-Fi network that you shouldn’t have. You should probably change the default password on your router. Routers, please. Which is a conversation that took me about ten years with my father-in-law to finally convince him otherwise because we’d go over to the house and they’d be like, what’s the Wi-Fi password? He’d go look on the back of the router. It’s back there. I’m like, okay. Yeah. I know. Changing the defaults. Those types of things that you do at work are the same things you should be doing at home, and it becomes important for us to really educate people on that, you know. Exactly. Exactly.
Unfortunately, in cybersecurity at times, we focus a lot of energy during the month of October on educating everybody about cybersecurity awareness, but we don’t do it the rest of the year. So I know one of the things that I was fortunate to be able to implement when I was in charge of security awareness in GRC at an organization was every meeting that we had, every meeting, whether security or otherwise, the very first minute was a security awareness message. And it would be something simple like, hey. A new iOS update just came out. Make sure you update your phone. Here’s what’s in the update that’s gonna protect you. Or, hey. You need to have a passcode that is more than just four characters or four numbers. Exactly. Little things like that to remind people because, you know, you should probably in January and February be reminding your employees if you get an email saying please send us W-2 information that doesn’t, or if you get anything about W-2 or IRS that doesn’t come from these email addresses within our company or these official email addresses from the government, you should be worried, you should be concerned, you know. If it’s right before summer, I mean, this time of year, I would be sending messages saying, hey. If you get a request to purchase gift cards, make sure you know the person, pick up the phone, call that person, and say, hey. Would you send me a request for a gift card? No. Yep. You know, one of the things that we do at CRA that I really liked that I would encourage all organizations to do is have the senior leaders send to employees their cell phone numbers or whatever numbers they’re using as a primary contact number and say if you get a text message from a number that is not this number, it’s not me. You know? Our CEO does that, and it’s really great. I love that you mentioned that. So Mickey Bresman, the CEO of Semperis, just did that recently.
So, again, that top down security approach, he sent out an email saying, I will never text you asking you for money or asking you to do anything right away. I will call you. Yeah. So just putting that out there that that is a method of communication, I think is critical. Doug Manoni here at CRA does the same thing. He’ll send out an email, go here’s my cell phone number. Put it in your phone. If you get a text message from any number other than this, we can give you a call. I don’t know what can you hear me? We can hear you. Yeah. Okay. That’s good. I can no longer hear you. Uh-oh. I’m gonna just refresh. Okay. So yeah. So, again, the point of the matter is make sure, you know, encourage your executives to share the ways that they will communicate with people, to let you know what are the ways that they will. You know, we would send out a message regularly at my last company saying the CEO, you know, the senior executives will not text you. They’re not going to be your text buddies. And it sounds funny, but you do that and you know that when you send that or, you know, when you see those messages, you’ll know that those are not legitimate messages. So oh, let’s see. And I think, Alexandra, are you able to hear us? I am. I just switched. Okay. Yeah. So what I was sharing was the fact that, you know, Doug Manoni, our CEO here, sends a message regularly saying, hey. Here’s my cell phone number. Put it in your phone. If you get a text message from anything else claiming to be me, it’s not me. At my last company, we would send what we thought was a kind of cheeky message, but we would be like this. The senior, you know, it was a Fortune 100 company, so the number of people who had, you know, text message access to the CEO of the company was very minimal.
So we sent the CEO was never gonna just text you out of the blue. Exactly. And the CEO is never gonna text you. Yeah. You’re not that important. Hate to break it to you. You know, kind of you’re funny. I will forever remember that at my last company, I get a text message from somebody claiming to be the CEO of the company. I’m in charge of security awareness. So first, that was a poor, obviously, the person didn’t do research into who they were sending the message to. They also messaged the CISO about it, which was really interesting as well because he is text messaged, with the CEO. But it was one of those where I was like, this is the first time I’ve ever talked to this person. There’s no way that CEO is gonna text me for the first time I ever talk to the person, you know. And those things sound trivial, but they’re very important for attack surface management. Also remembering that you know, we talk about things like endpoints and what have you, and remembering that even though you’ve got stuff in the cloud, even though you’re using SaaS services, those are all part of your attack surface. Your attack surface is not just physical devices anymore. Yes. And that’s one thing to really remember is that there is more to this than just saying, you know, I have endpoint detection or I have antivirus. We really have to consider that, you know, with all the cloud-based offerings that we have out there, that that is scanned as well. Like, what is our visibility into that environment? And also, are we actually monitoring for security in that space? Because so many people are relying on the cloud platforms to bring security, and that is not enough. That’s not a good idea.
And I think the other thing and Rob brings this up in the chat, and I’m gonna vary it a little bit, which is this idea that really, you know, we sit here and we talk as security professionals about we’re gonna move towards zero trust, we’re gonna move towards zero trust, we’re gonna move towards zero trust. We think of it as a technology and it’s, you know, we’re gonna put these certain controls in place, but we should all, from even a human interaction element, have the level of zero trust that we put in play of. Is this really, like, is this the way this person normally communicates with me? Is this the kind of communication somebody would send me? Is the time of day that I’m getting this communication maybe suspicious? If I’m getting an email, if I’ve you normally don’t get work messages or urgent work messages on a Saturday and all of a sudden I get one, I should not saying that it’s not a legitimate message, but you should apply some level of scrutiny. Go a little bit farther in your checking of things because, again, your attack surface, it’s so hard now in the world we live in to limit your attack surface and say, we’re just gonna put a good guardrail good fence around our organization because you don’t have that fence anymore. Right. For sure. For sure. So, you know, before we move into the question and answer period, and again, people, if you have questions, or those who are attending, if you have questions, please feel free to submit those questions in the question and answer, even in the chat function, and we’ll do our best to get to them. But, you know, one of the biggest challenges as well, not only is this idea of not disrupting operations, but just the pure, like, where do I start? Where do I implement? How do I go about implementing this stuff? You know, does it make sense or, you know, is the guidance that you typically give to security organizations and security leaders, is it you should start with governance and policy frameworks?
You should implement this kind of basic hygiene? What is it that can help overcome those barriers to I don’t know where to start or it’s overwhelming. It’s gonna take me too long to implement all of this. Yeah. And I think a lot of people, you know, have that beginning, fear of, you know, where to start. It’s, perhaps, you know, as folks say, you never eat an elephant in one bite. Right? Right. So take a step back. And then for me, what I personally have done at different organizations and different environments where I’ve worked is starting to get a baseline, you know, of my groups, right, and get a handle on really access and permission. So what does that look like? Identifying the tier zero critical assets even if you’re not, you know, monitoring or in charge of domain controllers, you still are most likely responsible for file servers, and you’re still gonna wanna find out who has access and how much access do they have. Right? So still looking at attack paths. So reducing permissions or unnecessary permissions, I think, is a big one. Putting in place, you know, tiered administrative models, that’s critical. So there is an article, Daniel Petrie, excuse me. So look him up. But he has a great administrative model and how to set that up. It follows, you know, Microsoft’s tiered administrative model, explains how to implement that. So those are really good first steps. Right? And then look at things that you can put in play, like the just in time administration and just enough administration. So you’re putting administrative or granting administrative permissions for just a time period or just for specific work, and it’s not persistent. Right? So there’s some really basic things that I think administrators can do in their environment to tighten it up. Right? Ultimately, it comes down to protecting the keys to your kingdom. Right? That and then go add circles back to that identity is how can you protect and focus on your identities. Yeah. No.
Absolutely. So, just real quick, just to kinda circle back so that we can make sure that it’s clear on the recording. And for those who are listening, you mentioned that Semperis has a tool that is freely available that can get an understanding of current gaps. Is that a tool that if they go to the website, they can find that pretty easily? Yes. It’s Purple Knight, and it’s a free download. What I love about it is you don’t have to be a domain admin to run it. You can just run it on a domain-joined system, but that gives you that detailed report of your indicators of exposure within Active Directory so you can work to mitigate those risks. Right? We call it, like, the low hanging fruit. But what’s funny to me or interesting, I should say, not funny, is it’s gonna tell you some things that you probably didn’t even know about your environment. Right? Because it is a very detailed report, and it’s a onetime lead. But what’s nice about it is it gives you a path to remediation to improve your score, and then you could use that as a baseline, you know, run it a couple months later and see the improvement in your environment. That’s the kind of product that you want in place that’s able to monitor the indicators of exposure and show you the attack vectors, show you the path to remediation, and most importantly, give you recommendations for fixing them. Right? What ultimately you want is that real time capability or functionality. Absolutely. So a couple of questions that have come in, that I think are really interesting and really good ones to talk about, which is, you know, the first one, which is, you know, we’ve talked about the fact that attack surface management now includes, you know, and has included third party supply chain risks and what have you. Mhmm.
What are some of the things, some of the ways to address the challenges that come with monitoring third parties or supply chain risk because either the, you know, the vendor isn’t gonna be forthcoming with the information, or, you know, what should you as an organization you know, we and we’ve talked about this as well on other webinars I’ve been on recently, which is this idea that, you know, we do this really great job of third party risk management at the very outset of a relationship, and then we kind of forget about it. We, you know, or we come back and maybe every year it’s, hey, are you still using this tool to the business? And I go, yeah. And we go, okay, cool. And then that’s it. And, oh, we’ve checked. Or, hey, we haven’t seen any breaches from them. We haven’t had any issues, so we’ll just continue going on. What are the things that if you’re really truly serious about attack surface management that you should be doing when it comes to your third parties? So that’s a I think, you know, it’s interesting and it’s also challenging now because what we’ve allowed for is become, you know, almost essential. Right? If you look at even some security vendor software that is running or was running in environments, that were granted fairly wide permissions, right, and then had a catastrophic impact to your environment. So you’re gonna obviously wanna know how code is being released. You’re gonna wanna know their internal checks and balances and their processes. At several large organizations where I worked, we always always had a dev space, and so products were very well vetted prior to being put into production. I know that’s a luxury that not a lot of people have, especially in the small and medium business. Right? But what you can do at the bare minimum is still just build an isolated lab, right, in an environment where you can at least get a copy, in a copy exact of, right, your AD environment and export, if you will, and at least test that product.
And then also look at the permissions that it is taking, or has or needs. Right? Because you can map that out very easily with a couple of different tools. And then look at the products that it needs. And then also find out, does it need access across the board? You know, as we all know, the Target breach that happened, that was a third party software. But due to the lack of network segmentation, that vendor had access everywhere. Right? And it didn’t need to. They were an HVAC vendor. So Right. We have to look at where we’re granting access. I think what comes into play also is looking at, you know, the attack paths. We’re talking about ASM and different software and security vendors. What and how do we manage our tier zero assets? That’s a critical part of this because we have to be able to define them. So if you have your attack path to those, you can then look at where you’re also granting access and take that into consideration with a lot of third party vendors. But for me, getting back to the question is I would definitely want to test this in a dev space, and I would wanna know the access they’re granting, their release cycles, and how their code is interjected or playing in my environment, the access that it needs and has. Absolutely. And I would also just share that, you know and I think I mentioned it on a webinar yesterday. This week, we actually just released for the cyber risk within the cyber risk collaboratives, two CISO developed tools that really speak to this question. One is, it’s a shortened questionnaire as anybody who knows, you know, dealing with third parties or supply chain. The questionnaires at times can be very daunting. Hundreds of questions. It is. We sat down, a group of CISOs and I sat down. We came up with essentially the thirty most important questions in the main categories. And the idea was we only included questions where if the answer is no, that’s going to typically be a red flag.
So that’s a really great questionnaire. It’s a starting point. It’s not obviously or your organization, it may vary, but at least these are the questions you absolutely everyone should be asking. The other thing that we created was another resource guide that allows, or that talks through what to do, you know, what to do when the third party vendor isn’t being transparent. When if you’ve asked for this, asked this question, what evidence should you be requesting? And if they don’t give you that evidence, what does the decision framework look like? Right. So we’ve built those tools and resources as part of a larger cloud security resource toolkit. I would encourage anybody who’s listening, who’s interested in learning more about that. I’m gonna put an email address in the chat, but reach out to Tom Ward, who can help get you access to or talk about how to get access to these tools because they are really helpful. And, you know, it’s about, you know, one of the things that’s very important here at the Cyber Risk Collaborative is to make sure that we’re not, you’re not having to reinvent the wheel. And as part of your RFP or request for proposal to any sort of, you know, company, you’re gonna wanna make sure you’re getting their detailed information on their software. You know, is their traffic encrypted, you know, at rest, all of that kind of stuff that maybe we don’t necessarily ask, but we wanna dig into. Right? How are they, when they say they can back up Active Directory? Okay. Are they doing any validation that the backups are good? Right? You know, having a backup is obviously not gonna do you any good if the data is not usable. So how are they doing any sort of crosschecks there? That’s really what you wanna do. If you can do a POC, you know, proof of concept in an isolated lab to do that testing, that’s also critical. So you’re gonna wanna look at that.
The other thing I think is important to call out is within your contract, your different service level agreements that you have, what do they have as offering? That’s really important for me. I wanna know the support I’m gonna get at my worst moment because that’s what counts. It really like, what’s your incident response team look like? Who’s on that team? You know, what follow-the-sun coverage do you have? That type of stuff. For me, the support goes a long long way. Right? I want that. I also wanna have a long term relationship. It’s like, you know, I’m just being a physical therapist or whatnot. This is now another party in my life. I wanna have cadence calls. I wanna be able to road map with these vendors. That needs to be part of that relationship. I wanna know, am I having assistance in upgrading? Am I gonna be able to do yearly tabletops or, you know, BCDR, the business continuity disaster recovery plans? I wanna know if that’s a part of my package. I think those are all really important things. Do they have professional services? Those are the things that I wanna know. I also wanna know who’s on your team. Right? I want the best and the brightest, you know, when I call at two in the morning. Absolutely. And going back to your purely hypothetical, not anywhere close to reality scenario of the major vendor who has an issue that causes a widespread outage. We also wanna know where you sit in the queue of companies because when a hundred thousand companies have an outage all at the same time, are you number one? Are you number seven? Are you number nine hundred ninety nine thousand nine hundred ninety nine? Where are you in the queue? It’s important. So what’s your company’s motto? Ours is force for good, which I completely stand behind and I really like because it does make you feel, you know, as a collective whole, a part of fighting cybersecurity. They’re criminals. I mean, let’s just call them what they are.
And it’s an amazing thing to be standing against that and helping people at companies remain vigilant. And it really comes down to people because it’s your data out there. Don’t think they won’t extort you. You know, it’s your work computer, but oops, you have someone’s wedding photos or you have your personal contacts on there or whatever. They’re gonna extort that. They’re gonna use that any way they can to get money. So the last question before we kinda wrap up here, and this is probably a really good one to kinda end our discussion on. But, you know, we talked about attack surface vulnerabilities and attack surface management as being this, you know, large, you know, sometimes daunting thing. How should CISOs and security leaders effectively communicate the risks and aspects and the need for holistic attack surface management to the nontechnical stakeholders like the board or the C-suite or the CFO or, you know, somebody who doesn’t maybe live and breathe this the way we do? And that’s totally fair. I think, you know, everyone is skilled in their particular area. Right? So for the folks that aren’t purely technical, the upper level management, right, that we all report to that always ask us how long is this gonna take or are we back up and running, they’re most likely concerned with headcount, resource allocation, bless you, and money. Right? So how long are we down? So if you can quantify the risk that you have in your environment. So if you have Active Directory, it’s targeted eighty seven percent of the time. And that’s a true number. How often are those risks able to be taken advantage of? Eighty seven percent of the time. That means you really have to secure AD. Right? It’s twenty five years old. So if you tell your, you know, your CISO, hey. If we’re down four hours, it costs me x, that’s going to really hit home to them. So I think we all have to do our jobs in presenting data in ways that it’s relatable to their world.
So if you’re talking money to me outside of how many, you know, hours we’re down, I don’t know what three million dollars a minute looks like. I will never know what that looks like, unfortunately. But if you’re telling me no one can log in, I know what that looks like. So we have to be able to relate to each other, and we need to be better at being able to relate to each other to press the importance of security. But it we gotta sit down together. And I think you make a really valid point. It goes to something that we’ve talked about increasingly on these webinars, which is the idea of telling the story of security. It’s the phrase that I continue to use. We don’t do a very good job of it. I’ve talked about how my last company, the CISO that I worked for was very big about teaching the, you know, you need to tell the story of security, and your point is well taken. Again, to use the totally hypothetical scenario that you used earlier, it’s one thing to say we’re losing, you know, three million dollars a minute by not being up and running. It’s a whole another thing to show a picture of a screaming kid in an airport who can’t get on a Delta flight. Or some airline because of an outage. Yeah. Now all of a sudden it becomes very real, you know. Yeah. It becomes very real when you can say, you know, if you turn on the water spout in your city, you know, that water may be contaminated. Like, that all of a sudden really brings it home to people that, hey. You can’t trust the water coming out of the tap. So we need to do a better job of telling our stories. We, as AD administrators, as security professionals, we have to make this data relatable. Right? We can no longer count on, you know, transitioning this to I don’t wanna say corporate speak, but to the business world. Right? That’s on us to do. So, you know, our users have to do better, but we have to educate them. The CISOs need to be more security focused, but we need to help them.
So we have a role in all of this. There’s a responsibility across the board for us to collectively be better. Absolutely. Well, so we’re coming up on our time and, you know, this is, again, one of those topics we could sit here and talk for hours on. Yes. Final thoughts and then, you know, maybe where can people find out more about your organization? Yeah. Thank you for that. So, and apologies for all my technical difficulties. Again, I’m Alexandra Weaver. I work at Semperis. I’m a Senior Solution Architect. If you can’t find Purple Knight at Semperis’ website, we are a force for good. We protect Active Directory. We’re the keys to the kingdom. We protect that. Please look me up on LinkedIn, and I’ll send you the URL. I mean, it was nice to virtually meet you, so, you know, please feel free to connect with me on LinkedIn. And thank you very much for this opportunity to talk with everyone. Absolutely. And certainly, if you wanna have fun conversations about how to pronounce the new Microsoft terminology for identity, that’s also something I’m sure Alexandra would love to you know, we had quite a bit of fun talking about that in our prep call. Thank you all for being here today. Thank you for joining us for this webinar. Wherever you’re viewing this at, if you’re viewing this after the fact, thank you for watching this. We’ve got more of these coming up. As I’ve been saying all week and for the last couple weeks, we’re not slowing down just because it’s the end of the year. We’re gonna have these going on, you know, right up until the end of the calendar year. So thank you all for being here. Please follow SC Media on SC World dot com, Cyber Risk Collaborative, cyber risk collaborative dot com. Follow us on LinkedIn. Follow us on Twitter or X, whatever. But please continue to come to these.
You know, we’re continuing to try to bring topics that are, relevant and important, and will help you all make better decisions and better understand this, crazy world of cybersecurity. So thank you all for being here. Have a great rest of your week. Great holiday season. If we don’t see you on a future webinar, we will see you, in 2025 for more of these. Thank you very much, and thanks, Alexandra. Thanks, Semperis, for, sponsoring this as well. Everyone have a great day. Thank you. Thank you.
