As organizations worldwide continue to adopt digital transformation to stay competitive, their digital footprints expand, creating new opportunities for innovation but also exposing them to increased cyber risks. The expanding attack surface, fueled by the integration of new technologies, remote work, cloud adoption, IoT devices, and interconnected systems, contributes significantly to the rising number of cybersecurity incidents. In this interview, we explore how the evolving attack surface impacts security, the contributing factors, and the measures organizations can take to manage and mitigate these risks.
Biography: Alexandre Blanc
With 20+ years of IT and critical infrastructure management background both in private and military sectors, including operational capabilities and security, Alexandre Blanc is an expert in cyber security and risk management. Certified ISO27001 and ISO27701 lead implementer, he’s advising organizations on their information security, governance and risk management strategies.
Named LinkedIn top voice in technology in 2020, part of 30 Security Experts to Follow on LinkedIn in 2023 by Media Sonar, with more than 70K followers, Alexandre Blanc makes a difference in the cyber security and technology field.
The Interview:
Section 1: Introduction and Background
Q1: Can you please introduce yourself and share a bit about your background in cybersecurity and your experience dealing with digital transformation risks?
I’ve been working in IT and security for more than 20 years, and saw the technology footprint growing in the daily operations of organizations. As I did face challenges in many environments, I had a chance to support both industrial and IT systems. Both had different growing threats, which eventually merged as systems got interconnected and consolidated over time.
Digital transformation came with a promise of incredible productivity enhancements, backed by a lot of automation. While it did, it has also been dragging security issues faster than it would allow organizations to adjust.
Q2: How would you describe the current state of digital transformation globally, and what trends have you observed in recent years that are impacting cybersecurity?
The current state of digital transformation is surfing the wave of hype, offering a dream of efficient automation, productivity and incredible ROI. Yet, it also rides the wave of deception in regard to the promises over compliance and controls. In fact, it is overselling simplicity, hiding the critical storm of data breaches and total loss of control or visibility of an organization.
Digital transformation is also overlooking risk management, being sold as risk transfer to third parties, and sadly, losing track of responsibility and accountability on the way. Things have to be said: digital transformation brings tremendous opportunities, but it’s neither simple nor easy, and does not remove the need to properly handle governance, compliance and security. The shared security model, often tied to digital transformation related services, is very often misunderstood.
Q3: In your opinion, how has digital transformation contributed to the expansion of the attack surface for organizations, and what are the key vulnerabilities it has introduced?
In my opinion, digital transformation has been overly simplified by solution vendors, totally hiding the real complexity of a very wide solution supply chain. Risk ownership has been buried under marketing information, misleading decision makers into thinking that responsibility, and risk, could be easily transferred.
It also came with the illusion that automation wouldn’t require stakeholders, and therefore, that no skilled and expensive roles would be needed to achieve proper transformation. This was a big mistake.
Digital transformation introduced many third-party solutions at all levels of the organization, expanding the dependencies, the interconnectivity, and therefore adding a lot of complexity from a technical and legal standpoint. The ability to have a clear overview of an organization almost vanished with this complexity. Easy to see: big data breach announcements always involve a third party.
Section 2: Understanding the Expanding Attack Surface
Q4: What do we mean by the “attack surface” in cybersecurity, and how does digital transformation play a role in expanding it?
The attack surface is made of all the people, processes and technologies involved in the handling of information, which could be used for an attack. Digital transformation requires all systems to be interconnected, data to be shared at many levels, and involves a blind trust in a very dynamic list of providers, all having constantly changing environments, operational reality and terms and conditions.
While legacy systems used to be under the control of a limited number of actors, and data easily restricted to a single environment (the perimeter), this is not the case when digital transformation kicks in.
The attack surface in “legacy” architecture used to be made of owned systems, clearly defined by publicly exposed services and systems, a number of people, all ruled under unified, locally crafted policies and agreements, forming the company governance. Digital transformation quickly brings a constantly growing amount of third parties, multiplying involved actors in an exponential way, involving as many terms and conditions as third-party services and systems used.
Q5: Can you provide specific examples of how new digital technologies, such as cloud services, IoT, and remote work setups, have expanded the attack surface?
One of the key changes in the switch toward public cloud services is that access to the systems and services is publicly exposed. At the same time, all the data which used to transit internally now transits over a publicly exposed network (the internet).
This means that what used to be the perimeter, a safe internal cluster where a mistake could be easily forgivable and non-critical, as it was not publicly exposed, is now a constantly public-facing service.
This means that a misconfiguration, a delayed action, an inefficient control, can immediately be exploited by anyone around the planet. It’s not forgiving, given that the whole internet, with all its public-facing services, is under constant probing by attackers and automated tools.
Another key aspect is the loss of control on infrastructure, and a blurry border between cloud customer responsibility and cloud provider responsibility. While they seem very obvious from the start, in fact, any failure, of any kind, is always the cloud customer’s fault.
A key expansion of the attack surface is the switch from private and locally controlled infrastructure, to publicly exposed, unforgiving, remote systems, without other visibility than a web page (or an API which is another vulnerability), and not clearly understood, constantly changing, terms and conditions.
Q6: How do legacy systems and the integration of new technologies create complexities that contribute to potential security vulnerabilities?
As organisations embrace digital transformation, they obviously can’t get rid of all their legacy systems. At the very least, the endpoints, which are needed to access the online services, and the tech stack allowing remote access (network, routing, etc.) need to remain in place.
This means that digital transformation is not an enhancement, but an additional environment, bringing operational capabilities, on top (or aside) of the legacy infrastructure. Some functionalities may be totally moved to the new model, but a lot of it won’t.
That means that the local constraints of legacy systems will always remain, with a change pace that is determined by the organisation, and at the same time, the adoption of digitally transformed services (online, remotely available, with a lot of automation), where change pace is dictated by the provider.
This integration, known as “hybrid” operation, also stresses the old security model, requiring constant exposure of the systems, and additional operation stress, with high reliance on remote connectivity.
These “hybrid” environments require multiplying the documentation and tools to achieve business continuity. Both require backups, both require audit and visibility, both require detection and response, but none of them can share the same security stack, or for most, skills. It becomes extremely complex.
Section 3: The Impact on the Frequency and Complexity of Cyber Incidents
Q7: With the growing attack surface, have you seen an increase in the number and complexity of cyber incidents? Could you share some real-world examples or statistics to illustrate this?
The growing attack surface, as I was mentioning previously, is forcing legacy systems to be more vulnerable, more exposed and stressed. It brings a lot of noise in the detection and response etc.
It also means that these hybrid environments, and they all are, bring big challenges to detect bad behaviors, spot IoCs (indicators of compromise) in a very mixed environment.
It’s a big opportunity for attackers. In the past, watching for unusual network traffic, or traffic load, was an easy way to detect an anomaly. This is no longer the case. With digital transformation, everything looks like an anomaly in the hybrid environment, and the public cloud is not allowing the same granular view.
Either detection capabilities are embedded in the service, or they are not provided, but all of this can barely be consolidated, at least, not without heavy investments, AND the addition of even more third parties in the equation (managed security, managed SIEM, etc.). Obviously, the cost grows exponentially as each third party adds load on interconnection, and raises the operational cost of all the others.
An interesting statistic is that public cloud adoption growth matches the growth of incidents in quantity, size and value.
It’s obvious, I’m known to use “cloud=leak”, because we barely see any cloud migration that is not followed by a massive leak. Sometimes cloud allows breaching legacy as well, sometimes legacy allows exploiting cloud workloads. This is due to the expanded attack surface.
Q8: What types of cyber incidents are most commonly associated with an expanded attack surface, and which sectors or industries are most at risk?
From my standpoint, the most commonly associated cyber incident is data leak. It doesn’t mean it’s always the same initial access (reference to MITRE ATT&CK), but it’s always the impact, which is a cyber security failure.
From business email compromise (phishing, credential stuffing, lack of MFA, session hijack), to full infrastructure takeover (privilege escalation, a threat actor rampant in the infrastructure for a long time, down to ransomware deployment).
Yet, because of digital transformation, the “always all connected” state of mind, even critical infrastructure incidents are piling up, from power plants to water treatment plants, jeopardizing the safety of the population at large.
Q9: How does the growing attack surface affect the ability of cybersecurity teams to detect, prevent, and respond to incidents effectively?
Alert fatigue is one of the key elements. While automation and managed services did help to take care of the heavy lifting, it opened the doors to expanding the number of managed systems, somehow erasing the benefit of the automation.
From this exponential growth, visibility is lost, and asset inventory (systems, data, etc.) is very complex to manage and keep updated. Due to the multiple involved providers and teams, the correlation work is complex, as is keeping policies and controls aligned in a complex environment.
At the same time, big tech claims that consolidating all under the same umbrella is simplifying things, but the issue is, this is leading to monoculture, and therefore, building single points of failure. Therefore, the equation remains complex, as complex as the number of systems and their independent continuous changes.
Section 4: Key Challenges Faced by Organizations
Q10: What are some of the key challenges organizations face in managing their expanding attack surfaces in a digitally transformed world?
Many factors need to be considered on the challenges side. The first one is resilience in an operational architecture that becomes incredibly complex, where responsibilities are blurred and dependencies are not clear.
Maintaining integrity and overlapping controls in a layered security approach can’t be standardized across the multiple platforms brought by digital transformation.
Ensuring confidentiality is a critical issue that can’t be fixed in a digitally transformed world with the current state of technology. In fact, so many third parties are involved that the insider threat issue is now expanded to all the involved providers. There is no way an organization can have effective and measured controls to cover this. The only control is the contract, or end user agreement, which is a document that is randomly modified by the third party over time.
I foresee the need to scale down and consolidate, especially for sensitive data, to try to reduce the pace of leaks in the existing tech environment. Basically, risk reduction by scaling down, instead of piling up more controls.
Q11: How can limited resources, such as budget constraints and talent shortages, affect an organization’s ability to secure its growing digital footprint?
These obvious constraints lead to ever more externalization, and the involvement of third parties in the management of the organization’s digital infrastructure. Again, this is weakening the posture of organizations, not allowing stakeholders to be identified, and therefore, no proper responsibility and accountability can be put in place.
Thankfully, serious organizations maintain strong third-party risk management, bringing key requirements, ruling out the involvement of weak organizations in their tech ecosystem.
Q12: How do you see the role of third-party vendors and supply chain partners influencing an organization’s attack surface and risk profile?
A strong third-party risk management is key for an organization to ensure its resilience and security posture expectations. As we saw in the past years, supply chain attacks bring exponential impacts in organizations.
Proper security framework baseline adoption within organizations allows the ones with similar risk posture to work together without endangering their posture. This is where compliance and certifications play a role.
Security controls must extend to third parties, including a proper due diligence process, which needs to be engaged for any changes in either organization.
Laws and regulations are also evolving, sometimes voiding the non-liability clauses in contracts, spotting obvious cases of negligence, bringing back responsibilities on failing organizations.
Section 5: Strategies to Manage the Expanding Attack Surface
Q13: What are the best practices organizations can adopt to manage their expanding attack surface more effectively?
A key approach, after having established a formal posture and risk appetite for an organization, basically reaching managed security posture, having everything formally documented and maintained, is to integrate security in all workflows of the change management process.
Each change should trigger an impact analysis over the security posture, and assess if security controls remain effective despite the change. If not, either change is refused, or security controls are adjusted to maintain the proper posture for the organization.
Staying in the context of digital transformation, another element is to ensure that a proper due diligence process is triggered for each and every change in third-party relationships. This process should ensure that all business partners and providers do match the risk appetite and security posture of the organization. Obviously, this can be adjusted to the scope in which the third party is involved.
Q14: Can you discuss the importance of continuous monitoring, risk assessments, and threat intelligence in managing the growing attack surface?
Digital transformation involves dynamic changes in organizations, which means that the architecture is no longer static, but constantly changing.
Therefore, one-time assessments are quickly outdated and irrelevant in such environments. It only makes sense that security controls are adjusted to the reality of organizations.
At the same time, the threat landscape is also quickly evolving, in every vertical. Therefore, the risk management of the organization is directly impacted, and threat intelligence helps in understanding the shift in the threat landscape, allowing the risk posture to be kept aligned with the business risk appetite.
Q15: What role do technologies like Artificial Intelligence (AI) and Machine Learning (ML) play in helping organizations deal with the complexities of an expanded attack surface?
As an example, AI and ML allow automated detection and response processes to be more efficient; since the baseline is dynamic, detection mechanisms are only expected to have learning capabilities against the threats.
AI and ML bring strength in classification and help security controls to be more efficient backing up monitoring capabilities with enhanced capabilities.
The issue is that attackers also benefit from AI and ML to build more advanced and dynamic attacks. Organizations have no choice but to use solutions that embed such technologies to keep up with the threats, unless they reduce their attack surface and exposure, which is another approach that could reduce the operational cost.
Section 6: The Role of Security Architecture and Zero Trust Models
Q16: How does implementing a Zero Trust security model help organizations better manage their attack surfaces and reduce the likelihood of successful attacks?
The Zero Trust security model brings a different approach in security, enforcing the need for multiple attributes to be involved in the decision-making process within security controls.
Basically, Zero trust brings more granular access controls, considering each and every asset of an infrastructure as objects. Each object has a risk rating. Each risk level has security control requirements to be granted access.
When an object requests access, its attributes will be verified against policies, and access will be continuously audited and monitored, ensuring that the attributes remain valid during the whole session.
This is a key difference compared to traditional authentication, where, once past the gate, even with MFA, no more control is required. Yet, implementing Zero Trust requires a big overhead, as the continuous monitoring must constantly watch all transactions, of any nature.
Q17: Can you share insights on how organizations can build resilient security architectures that adapt to the changing landscape brought by digital transformation?
Organizations should adopt a security framework and security baselines in order to drive their initiatives. This way, the security baseline will be at the core of the development, heading toward security and privacy by design and by default.
This has to be managed under the risk management umbrella, where compensation measures trigger the deployment of security controls, and integrated in the change management process to ensure that the posture doesn’t degrade over time.
Organizations can segment their business units, infrastructure, or grouping of their choice, and classify these as risk clusters, which will inherit the requirements matching the risk levels.
Business impact analysis is a great tool to help qualify the weight of a cluster in regard to the risks and threats it brings to the organization and the potential impact of a failure on this specific one.
It also allows validating that the security controls are effective in their risk mitigation objectives.
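The policy evaluation described in Q16 (risk-rated objects, control requirements per risk level, attributes re-checked for the whole session) and the risk-cluster inheritance from Q17, as an added toy illustration that is not code from the interview; the risk levels, cluster names and attribute names are constructed assumptions:

```python
"""Toy zero-trust policy engine: assets inherit control requirements from
their risk cluster, and a session is re-evaluated on every attribute change.
Added example, not the interviewee's code; all names are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass

# Controls each risk level requires before access is granted (constructed).
REQUIREMENTS = {
    "low":    {"authenticated"},
    "medium": {"authenticated", "mfa"},
    "high":   {"authenticated", "mfa", "managed_device", "compliant_device"},
}

# Risk clusters (Q17): a grouping of assets that inherits the requirements
# of its risk level. Sample clusters, constructed for the example.
CLUSTERS = {
    "public-web":  "low",
    "internal-hr": "medium",
    "payments":    "high",
}


@dataclass
class Asset:
    name: str
    cluster: str


def required_controls(asset: Asset) -> set:
    """Requirements an asset inherits from its cluster's risk level."""
    return REQUIREMENTS[CLUSTERS[asset.cluster]]


def evaluate(asset: Asset, attributes: dict) -> tuple[bool, set]:
    """Verify the requester's current attributes against the asset's policy.
    Returns (allowed, missing_controls)."""
    present = {name for name, ok in attributes.items() if ok is True}
    missing = required_controls(asset) - present
    return (not missing, missing)


def run_session(asset: Asset, snapshots: list) -> list:
    """Zero-trust style: re-evaluate at every snapshot of the requester's
    attributes. Returns one decision per evaluated snapshot; the first
    denial ends the session, so later snapshots are never evaluated."""
    decisions = []
    for attrs in snapshots:
        allowed, missing = evaluate(asset, attrs)
        decisions.append({"allowed": allowed, "missing": sorted(missing)})
        if not allowed:
            break
    return decisions


def gate_only(asset: Asset, snapshots: list) -> list:
    """Traditional model for contrast: check once at the gate, then never
    again, so a later loss of an attribute goes unnoticed."""
    allowed, _ = evaluate(asset, snapshots[0])
    return [allowed] * len(snapshots)


# Constructed session: the requester passes the gate with MFA on a managed,
# compliant device, then the device drops out of compliance mid-session.
SESSION = [
    {"authenticated": True, "mfa": True, "managed_device": True, "compliant_device": True},
    {"authenticated": True, "mfa": True, "managed_device": True, "compliant_device": True},
    {"authenticated": True, "mfa": True, "managed_device": True, "compliant_device": False},
    {"authenticated": True, "mfa": True, "managed_device": True, "compliant_device": True},
]


def demo() -> list:
    """Run the constructed session against a high-risk asset."""
    return run_session(Asset("card-vault", "payments"), SESSION)


if __name__ == "__main__":
    for step, decision in enumerate(demo()):
        print(step, "ALLOW" if decision["allowed"] else "DENY", decision["missing"])
    print("gate-only would have returned:", gate_only(Asset("card-vault", "payments"), SESSION))
```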
Q18: What role does network segmentation, micro-segmentation, and identity management play in minimizing risks associated with the growing attack surface?
These are the key elements allowing proper access control in identified risk clusters which I referred to in the previous question.
Basically, the idea of segmentation or micro-segmentation allows reducing the impact of an incident to the defined segmented part. Then the identity (and access management) allows the containment of an incident by blocking lateral moves on one side, and restricting access only to the individuals supposed to be granted it.
By using the clustered approach in risk, the growing attack surface can be handled granularly instead of having to reconsider the whole posture of the organization for each change.
Section 7: Addressing the Human Element and Building a Cyber-Aware Culture
Q19: How important is user awareness and training in addressing the risks associated with an expanded attack surface? What steps can organizations take to build a cyber-aware culture?
It’s key for an organization to develop a security culture from the get-go. It happens by embedding security in the whole change management process, but also by making it part of the business objectives.
The growing attack surface is part of the digital transformation, but also comes with shadow IT (use of solutions and services not vetted by an organization, which endangers the security posture of the data handled in such systems).
Awareness training is a key element to keep everybody in an organization aware of the policies and security requirements, and to remind them of the importance of security for the business. At the same time, security should be part of the KPIs that define employees’ performance.
A common mistake is to only rate productivity, which leads to the need for shadow IT in the hope, for certain individuals, to enhance their productivity. But, when security is also part of the performance evaluation, such behavior undermines the performance, and therefore, will be naturally avoided.
Q20: What are the key challenges in aligning cybersecurity strategy with organizational goals, and how can security leaders overcome them?
Security must be part of the business goals, and integrated in the KPIs, making it a clear priority from management.
The security approach should be a top-down implementation process, and its impact on the business should be carefully evaluated. This is why it’s key for security stakeholders (CISOs, etc.) to keep an active communication with the board, and be kept aligned with the strategy and challenges that the organization faces.
Q21: How can organizations better prepare their employees, stakeholders, and partners to recognize and respond to potential threats in a digitally transformed environment?
This can be achieved by developing a security culture from the get-go. The digital transformation initiative could be used as an opportunity to implement proper security controls as well.
Once the strategy is defined at the board level, proper communication is key to explain how and why changes will happen, and how security will be part of these changes. Business value of security should be explained as well.
From a practical standpoint, using incident examples from organizations in the same vertical is a good way to support the action.
Section 8: Future Outlook and Recommendations
Q22: Looking ahead, how do you envision the evolution of digital transformation impacting the attack surface over the next 5 to 10 years?
It doesn’t have to be doomed, if we adopt the right mindset. I think that supporting security and privacy by design and by default is a key element for this.
At the same time, consolidation and optimization are tools that could help organizations reduce their attack surface and simplify their stack.
The more complex an organization is, the more difficult it is to keep a proper security posture. Making sure that a clear inventory is maintained, and that the necessity of each and every asset is verified on a continuous basis, could help organizations decommission unneeded assets, and therefore, reduce their attack surface.
Sometimes, splitting the organization into business units sharing the same risk posture can also help control this.
Now, in regard to the global digital transformation, smart cities, connected everything, the growth of IoT, etc., the connected world is only expanding, offering a target of choice to adversaries.
I do hope that the tech world will segment itself, limiting the exposure of all connected “things” (as in IoT), so that a “clustered” approach will be taken. Each device class belongs to a risk level, which would have to comply with globally assessed security controls (this process has already started in some regulations).
We could see mandatory IoT subnets for any router on the market, with unified controls, that could remain on a universal, continuously updated baseline. This would be a great approach for the masses.
Q23: What emerging technologies or trends do you believe will significantly impact the attack surface, either positively or negatively?
The era of public cloud is coming to an end. So many abuses, spying and data theft happened due to this wrong model, that things have to change.
As in fashion, I hope and foresee workload repatriation at first.
But then, decentralization and the development of distributed, asynchronous resilient systems will help humanity, stopping abuses, and rebuilding trust in technology.
I see a combination of blockchain transaction-based network, with fully independent private systems. The current centralized and highly exposed public cloud model is pure nonsense. This will change.
A lot will disagree, but the future is not like big dangerously centralized systems in the hands of few companies.
Q24: What final advice would you give to organizations and cybersecurity professionals on staying ahead of the challenges presented by a never-ending digital transformation?
Listen to the market trends, listen to the business needs, watch the threat landscape continuously, learn from incidents, voice your concerns and questions, network and share (without breaking NDAs).
Think out of the box. Be the architect of the future, do not fall for the hype. No growing company will ever refuse a customer. There is always time to catch the next tech. Keep solving problems, stay ahead.
Conclusion:
Q25: In conclusion, what are the three most critical takeaways for organizations aiming to manage their attack surface more effectively amidst ongoing digital transformation?
Ensure you actively keep an updated inventory; know what you have so that you know what to protect.
Make sure you have a formal change management process that triggers a security business impact analysis for each change (most of the time it will have no impact and won’t waste any time).
Target security and privacy by design and by default, making it a key business priority.
Closing:
Thank you for taking the time to share your expertise with our readers. Your insights will greatly contribute to the understanding and advancement of “The growing attack surface of a never-ending digital transformation, and how it contributes to growing the amount of incidents”.