Posted on

Securing the future of IoT: Why attack surface management is key

The Internet of Things (IoT) continues to be one of the most important technology trends in the business world. From healthcare to retail, every business sector has found essential use cases for connected devices, and the possibilities in automation have effectively redefined entire industries like manufacturing.

The Asia Pacific (APAC) region has become a frontrunner for connected technology. IDC’s Worldwide Semiannual Internet of Things Spending Guide estimated IoT investments saw 10.6 percent growth over 2022. The analyst forecasts total APAC IoT spending to hit US$436 billion by 2025, with a CAGR of 10.4 per cent between 2023 and 2027.

This growth comes despite several limiting factors, such as the global economic downturn, supply chain disruptions, and semiconductor shortages. Nevertheless, the growing demand for automation and remote capabilities and the increased deployment of 5G have ensured steady growth.

The interest in large-scale smart projects in APAC has accelerated the use of IoT. Singapore, for example, launched its Smart Nation initiative in 2014 and has injected several billion to support the introduction of more smart tech in both the public and private sectors. Meanwhile, China has launched over 900 smart city projects over the last few years, spanning hundreds of cities.

How IoT can increase cyber risk exposure

Nevertheless, while IoT’s capabilities around automation and remote operations have kept it high on corporate and government agendas, it is crucial not to lose sight of the risks these opportunities bring. Unless adequately secured and monitored, each IoT device added to a network can introduce new cybersecurity vulnerabilities and increase the attack surface. Threat actors, from opportunistic criminals to organised nation-state groups, are looking for unsecured devices that will grant them an easy attack path into the system.

Weak default passwords, a lack of data encryption, and poor software patching processes are some of the most significant security issues inherent in connected devices. The rush to implement new technology and stay ahead of the curve also means organisations can quickly lose track of their deployed devices, how they relate to the network, and what a security incident might mean for them.

Attack Surface Management (ASM) is one of the most critical processes for understanding and mitigating the increased risk from IoT. However, “surface” is often misunderstood as only relating to the outermost layer of the organisation.

Also Read: The perils of oversharing: How social media feeds cyberattacks

ASM is something of a misnomer as it covers every asset that could be exposed to cyber threats, inside and out. This means every externally facing element, like deployed IoT devices, public clouds, user endpoint machines, and all of the organisation’s internal systems.

Before we go deeper into ASM works and why it’s essential for securing IoT, let’s nail down that definition.

The basics of ASM

Beyond the name being somewhat misleading, ASM is part of another umbrella term, Exposure Management (EM), which forms a trio of key processes alongside Vulnerability Management and Validation Management.

ASM also comprises three main sections with yet more acronyms.

  • External Attack Surface Management (EASM): Centred on public-facing assets like public clouds and customer-facing IoT, EASM is the subset people are most likely to confuse with ASM.
  • Digital Risk Protection Services (DRPS): Using sources like deep web, social networks, and open data containers to provide visibility into threat intelligence. This is a more advanced capability and requires a higher level of cyber maturity.
  • Cyber Asset Attack Surface Management (CAASM): CAASM focuses on collating data relating to the organisation’s vulnerabilities and managing it effectively. It could be considered the cornerstone of ASM.

With so many similar but distinct acronyms and processes, the confusion is understandable. The issue isn’t helped by the fact that ASM is commonly misrepresented as a specific solution or process, often by overly enthusiastic vendor marketing. However, ASM cannot be achieved with any one tool – it is a strategy that must span multiple solutions and processes.

How ASM helps combat cyber risk

With the definition in hand, let’s look at why ASM is so important today. The primary goal is to gain an accurate, unified view of all cyber threats facing the business. Achieving this big picture enables firms to realistically assess their risk levels and prioritise their security activity accordingly.

Without this overview, it’s easy to miss the forest for the trees, focusing on individual problems and missing the more comprehensive strategic agenda. Firms that have yet to implement ASM effectively will find their security teams running from urgent task to urgent task, unable to prioritise or get ahead of security issues.

This is particularly problematic with IoT since many connected devices remain prone to vulnerabilities and password management and security patching issues. An extensive suite of IoT devices (think the vast number of sensors and automation points in a smart factory or city) can result in a nearly endless list of security tasks and no clear idea of what to prioritise.

IT and security teams could unknowingly spend their time resolving minor issues that pose little threat to their organisation. At the same time, a single critical vulnerability makes a connected device a ticking time bomb waiting for a detonation-happy cybercriminal.

Alongside prioritising activity, a lack of ASM capabilities also makes it difficult for CISOs and other security heads to communicate cyber risk to nontechnical decision-makers. When requesting a budget and explaining the value of the activity to the board, the focus needs to be on potential business impact, not specific technical details. However, this is hard to explain without the context that ASM provides.

The first steps to get started with ASM

While some companies have little to no ASM capabilities, others have tried implementing the processes but lack the tools to make them work. We often encounter enterprises relying on heavily manual processes, with risk management data and tasks logged in Excel spreadsheets.

This is far too inefficient to keep up with an ever-evolving field like security and increases the chances of errors or critical threats going overlooked. Manual processes are also hard to scale, and even a well-thought-out system won’t last long as an IoT network expands.

Also Read: Securing the future: Navigating the digital transformation in BFSI amid cybersecurity challenges

Firms that have realised the importance of ASM are investing in the right tools and processes to pursue it effectively.

The first step is to ensure a solid understanding of the organisation’s ASM needs and how these align with other fields like EM. Once gaps have been identified, the demand can be more clearly communicated with the board to secure the necessary budget. The focus here should be on how ASM will address business risks and what this means for the overall resilience and performance of the organisation.

Before settling on solutions to aid with ASM, look at processes. One of the most significant issues with achieving a unified view of risk is that different departments are often heavily siloed. DevOps, cloud, and web teams will usually work to their own agendas and likely be unaware of what other departments are doing.

Responsibility for IoT can often be splintered across the organisation, with separate areas pursuing their own deployments without a cohesive vision. Finally, when organisations have grown enough to have external and internal security and IT teams, even these groups often work separately.

Each of these groups will have its own tools and processes, usually developed organically over several years. This means multiple overlapping solutions for tasks like scanning vulnerabilities and configuring code, all operating independently from the rest.

These silo walls need to be knocked down to create a single, normalised view across all business areas. There needs to be a single point of control that enables the CISO and other stakeholders to have a clear picture of all risk data in the same format.

With the right tools, threat data from all the various security solutions and feeds across the organisation can be aggregated to provide a single pane of glass for all cyber risks facing the business. Redundant tools and processes across different departments can also be merged or replaced, allowing for a more efficient approach with greater automation.

A unified approach to securing IoT

Getting everyone on the same page can be a challenge. Smaller organisations with low IT and security headcount will have a reasonably easy time achieving this. Still, larger enterprises will need to overcome years of organic growth that have thrown different departments out of sync. Clear communication and collaboration between department heads will help pave the way.

The goal is a unified vision of risk and a universally agreed set of KPIs for monitoring and mitigating vulnerabilities. Once the internal ASM strategy has been successfully implemented, the organisation can expand by implanting CAASM and taking on more threat intelligence.

With the right tools and processes to detect and prioritise threats, the organisation will be far more efficient in mitigating cyber risk. This will be increasingly important for those firms pursuing ambitious IoT strategies.

As the volume of connected devices integrated into the network grows, so does the attack surface present to threat actors. Organisations must have a clear and reliable picture of these risks and how they permeate the rest of their operations, or a serious breach is only a matter of time. Implementing an effective ASM strategy goes a long way to enabling firms to pursue ambitious IoT strategies without creating unnecessary risk.

Editor’s note: e27 aims to foster thought leadership by publishing views from the community. Share your opinion by submitting an article, video, podcast, or infographic.

Join our e27 Telegram groupFB community, or like the e27 Facebook page.

Image credit: Canva

The post Securing the future of IoT: Why attack surface management is key appeared first on e27.