The only constant in information security is that this year will be different from last year. Not only will new individual threats emerge, but entirely new classes of threats will make their debut. Some evergreen threats will finally die off, while others will roar back from oblivion. More devices (and more types of devices!) will be connected to networks, and attack surfaces will continue to grow in sophistication and scope.
Amidst all of these dynamics, one thing remains clear: as more and more devices are attached to networks, we need faster ways to focus limited information security resources where they are needed most. The runZero research team works tirelessly to find the most efficient ways to pinpoint at-risk devices, through both precise fingerprinting and fast outlier analysis. This results in an unprecedented view of both internal and external attack surfaces across IT, OT, IoT, cloud, mobile, and remote environments.
Mining our rich Cyber Asset Attack Surface Management (CAASM) knowledge base yields insights every day that can aid in exposure mitigation. And this treasure trove of data ultimately served as the genesis of our recent runZero Research Report, which offers our perspective on the changing security landscape and provides recommendations for what your organization can do to evolve with these changes.
The power of CAASM #
CAASM was born out of the old adage that security teams can’t defend what they don’t know about. The same goes for assets with unknown attributes, like their location, type, and nature. In addition to discovering devices and their associated details, CAASM attempts to methodically uncover the types and severity of exposures impacting those assets, offering defenders a new vantage point to observe the attack surface.
CAASM elevates the discovery and visibility of assets to a first-class field under the infosec umbrella, and is now considered a foundational and critical component of an organization’s information security posture. This dynamic is directly tied to the exponential expansion of attack surfaces and to exposures outpacing defenders’ resources.
The runZero knowledge base #
runZero’s primary data collection method is the runZero Explorer: a lightweight network point-of-presence that is delivered as software and performs active scans, analyzes traffic passively, and integrates with dozens of applications and services.
runZero Explorers provide a true insider’s perspective on global cybersecurity, finding ephemeral devices (phones, watches, cars), devices that normally are less monitored (thermostats, projectors, door locks), and the vast “dark matter” of ad hoc and forgotten networks, alongside the assets already on IT’s radar.
To provide insight into what the runZero Explorers are seeing in the wild, we investigated the public runZero cloud platform data and extracted a representative, anonymized data sample for analysis. This sample consisted of nearly four million assets with almost fifty million associated, distinct data points, including more than 160 network protocols + that have been normalized into 800+ distinct attributes and filtered through more than 17,000 unique fingerprints.
This culmination of data was transformed into the first-ever runZero Research Report, a compendium of CAASM insights on the state of asset security.
Redefining attack surfaces for remote work and IT/OT convergence #
The attack surface of an organization is no longer defined by on-premises locations with a known set of managed devices. Today, the attack surface consists of personal mobile phones, smart watches, thermostats in conference rooms, aquarium pumps in the lobby, game consoles in the CEO’s living room, and countless other devices, many of which come and go from the network on a regular basis.
The COVID-19 pandemic resulted in an explosion of the attack surface perimeter. While remote work was previously a perk, suddenly it became the standard for countless organizations. Huge numbers of employees retreated from the office and added their home networks as entry points to the previously gated and walled garden under the CISO’s watchful eye.
Further complicating today’s attack surfaces, operational technology (OT) and industrial control systems (ICS) have converged with IT. The whole world has, with very rare exceptions, settled on Ethernet and the Internet Protocol stack for IT. The vast, chaotic sea of proprietary protocols and competing standards of the OT/ICS world have now joined the fray in earnest, along with all the growing pains that come with it.
Today, the world’s living rooms and parking lots have become the CISO’s responsibility, as well as its factories and utility grids. In 2024, the US Environmental Protection Agency (EPA) wrote an open letter describing how “disabling cyberattacks” are attacking water and wastewater systems throughout the United States. Not so long ago, these systems were unreachable directly from the wider Internet. Today, many of them are perilously and openly exposed to attackers from around the world. It is in this world that we, as information security practitioners, now find ourselves. Defining attack surfaces is no longer an academic exercise that can be table-topped once a quarter. As exposures emerge at light speed, rapid, real-time discovery and CAASM are more critical than ever before.
FIGURE 1 - A list of devices with multiple attack surface designations found by runZero. Devices that span attack surfaces can provide entry points for attackers into internal organizational networks.
New dynamics emerge while persistent problems remain #
Tectonic shifts are happening in the cybersecurity industry, brought about by the rapid coalescence of several powerful trends and technological developments that have been years in the making. First and foremost, vulnerabilities are being exploited at a truly unprecedented pace. And it’s working. So much so that the SEC now requires 8K filings for data breaches, not to mention the constant flow of news about emerging vulnerabilities and successful compromises across organizations of every size and sector.
While zero day attacks at the network edge have surged, suppliers are struggling to provide timely patches for their products, often leaving customers at the mercy of attackers for days or weeks. In response to the acceleration of exploitation, suppliers are now often releasing indicators of compromise (IOCs) in conjunction with their initial notifications to customers. Earlier in 2024, the xz-utils backdoor became a stark reminder that supply chains are still under immense attack with catastrophic potential. The incident also catalyzed conversations about what it means to be a responsible consumer of open source products, and what “supplier” means in a shared security model.
Meanwhile, security programs are dogged by end-of-life systems, unknown assets, and network segmentation challenges. These time-consuming issues compete for resources with short-term fire drills related to emerging threats and exposures. Defenders continue to juggle scoping, patch management, emergency response, and incident analysis on top of business requirements – all while security budgets shrink.
Our analysis also indicates that large organizations are still struggling with long-standing configuration problems. Remote management services are not in great shape. The trends for outdated TLS stacks, continued use of outdated protocols like SMB v1, and general hygiene issues with the Secure Shell and Remote Desktop Protocols continue unabated, with serious implications for long-term security. The silver lining is that default choices by operating system vendors are making a difference, but not fast enough to reduce the risk to the overall attack surface.
While generative artificial intelligence (Gen AI) and large language models (LLMs) have been touted as the next big thing for security, the reality is more modest. LLMs are helpful in many contexts, but are still prediction engines at heart. As a result, LLMs are limited to helping with the human side of security and struggle to replace expert systems and logic-based decision-making.
Closing thought #
The constantly evolving threat landscape demands agility and visibility like never before. As organizations brace for the emergence of new threats and bid farewell to obsolete ones, the need for efficient allocation of security resources becomes paramount. Speedy and accurate asset discovery, attack surface assessment, and exposure management are at the forefront of today’s most advanced cybersecurity programs.
Stay tuned for more insights from the runZero research team on what you need to know about the state of asset security and how to use runZero to strengthen your defenses.
Not a runZero customer? Start a free trial and gain complete asset inventory and attack surface visibility in minutes.