
How a State Agency Automated Attack Surface Management in the Age of Remote Work

 

Soon after the COVID-19 pandemic hit, Censys partnered with a state agency that wanted to scale their risk management program by automating attack surface discovery and tracking. New challenges had emerged after their workforce moved to remote work.

Key benefits

By partnering with Censys, the state agency gained:

  • Efficiency and Time Savings – Prior to Censys, the agency didn’t have the resources to manually track their attack surface effectively. Now their organization can keep track of its assets, unsanctioned IT environments in the cloud and beyond, as well as potential risks associated with certificate and domain expiration, potential vulnerabilities, and other misconfigurations.
  • Protection and Peace of Mind – The agency was now able to monitor for potentially exposed assets across the entirety of their remotely deployed workforce.
  • Better Preventative Measures – With improved cloud visibility, the agency was better able to combat configuration mishaps. Cloud connectors also allow them to easily track cloud assets over time, measuring the security changes enacted and deployed.
  • Business Continuity – The platform’s certificate management prevents disruption in running the state agency’s secure transactions online, ensuring business continuity.

The goals

Manage attack surface changes with an increasing remote workforce

Like many organizations, the agency had a number of compounding factors impacting their attack surface simultaneously. The first was the influx of remote staff working from home, outside of the traditional network boundaries set up and secured by the organization. In the words of the Chief Technology and Security Officer, “We are looking at expansion of our endpoints with several people working outside our firewall. Before, we had a small part of our staff who had laptops and took laptops home and that’s just increasing now.” Visibility of your endpoints, even outside of the traditional perimeter of the organization, is critical to an effective security program.

Protect the attack surface through a complex cloud migration

The agency was also concerned with securing their infrastructure. The security team was in the midst of migrating assets from a traditional datacenter hosted by the government to a new provider on their private cloud. They were also preparing to move additional resources to Amazon AWS infrastructure. During any migration, it’s critical to ensure the secure transfer of all your data – in particular, ensuring that your servers and anything touching the public Internet are properly configured and accounted for as you create and wind down components of your infrastructure.

Enter Attack Surface Management

Attack Surface Management (ASM) is the continuous process of discovery, inventory, and resolution of risk impacting your Internet-facing assets. Organizations are constantly reshaping their Internet-facing attack surface, whether they know it or not. Services, and the data those services use, are being developed, deployed, and reconfigured across the Internet many times a week. In the words of the CISO, Jeff Ford: “We knew that our threat surface was increasing and we wanted to make sure we were using tools, specifically Censys [ASM], to understand what that threat surface looked like.”

What does that mean for the day-to-day of the security practitioner? The state agency operationalized the findings from the Censys Attack Surface Management Platform in the following ways.

Ongoing port scanning to mitigate threats to external servers – The team is now using the Censys Attack Surface Management Platform to look for exposed ports/protocols on public-facing servers. This allowed the team to quickly and effectively reduce their attack surface, labeling specific hosts as allowed to have certain ports/protocols open and continuously monitoring for security posture drift moving forward.

Tracking an expanding attack surface with employees working from home – With increasing numbers of employees working from home outside the company firewall, the state agency wanted greater visibility into the endpoints of their employees logging in every day: where they were logging in from and how this was impacting their attack surface. Expanded visibility through the Censys Attack Surface Management Platform allowed them to protect employees working from home by monitoring for services that were potentially exposed and shouldn’t be.

Certificate management to ensure business continuity – Censys collects unique certificates and analyzes them to indicate how widely they are trusted, their level of encryption, whether they are self-signed, and their expiration. Censys collects certificates through Internet-wide scanning and synchronizing with Certificate Transparency logs for comprehensive coverage. This vigilance is important because an expired certificate could inhibit the ability to run secure transactions online. In the words of the state agency’s security analyst: “The certificates expiring is a nice reminder that we see what we have expired and what we don’t.”

Improved cloud visibility to combat configuration mishaps – As the state agency migrates and expands their cloud environment, there are always concerns about misconfigurations and unsanctioned cloud services being provisioned and used by staff. With the platform’s cloud connectors, the organization gained additional visibility and insight into their new cloud environment by identifying things like: exposed S3 buckets (or other object storage), unsanctioned cloud accounts outside of the security team’s control, as well as exposed services in cloud environments like databases and RDP. Cloud connectors allow them to easily track these assets over time, measuring the security changes enacted and deployed.
