Reveal Your Attack Surface Through Machine Learning Without an Agent, Scans, or Another Data Lake

Enterprises have gravitated towards tech strategies that make them more nimble, agile, lean, and efficient. These strategies typically involve many tech acquisitions in rapid succession, somewhat ironically leaving their infrastructures extremely bloated. Most modern enterprises cast a digital footprint so wide, you can’t even see its edges.

A 2020 study by the Cloud Native Computing Foundation found that, among large organizations:

  • 60% provide a hosted platform
  • 27% use a service mesh in production
  • 37% use a service proxy in production
  • 55% run stateful applications in containers

These advanced architectures inevitably depend on applications provided by SaaS vendors, hundreds of different microservices, and employee BYOD. Recognize that these are only the official numbers, too. Between engineers experimenting and remote employees just trying to stay connected, there’s no telling how many AWS instances, microservices, APIs and configuration items touch the company’s most-sensitive networks. Trying to introduce a cyber security framework that incorporates comprehensive endpoint management becomes akin to physically securing a building that is constantly growing, with new doors, windows, and tunnels appearing all the time.

Enterprises looking to secure their ecosystems cannot wholly rely on scans, agents, or other legacy methods to fully assess their attack surface and perform vulnerability management. Instead, they must turn to machine learning.


You Can’t Secure What You Can’t See — Why Common IT Asset Discovery Methods Fall Short

Modern microservices and multi-platform apps represent the cutting edge of what software is capable of. Unfortunately, the typical strategies for modern cybersecurity lag a decade or so behind the reality of how complex, distributed, and federated modern architectures are. Gone are the days where a CMDB might reflect all the physical servers and computers in a single building. Yet, firewalls and cyber security approaches in general still largely act like this is the case.

More modern calls for proactive security typically focus on detection, isolation, and response. The major sticking point is that, right out of the starting gate, nearly all enterprises fail at adequately performing item #1: detection.

Many security compromises occur at the hazy edge of the enterprise’s intended security perimeter. Attack vectors through backdoors and byways are discovered by threat actors, resulting in zero-day exploits. What organizations need, but often lack, is a method of performing a comprehensive asset inventory.

The risks of failing to proactively perform vulnerability management can easily impact reputation, revenues, and the loyalty of customers and employees. Even before they cause a single incident, discovery of possible exploits results in national news coverage. Modern regulations and corporate policies force companies of all sizes (including public agencies) to disclose any time these potential vulnerabilities are uncovered. Customers, employees, and contractors will receive emails, texts, or snail mail letters informing them that “Your information may have been exposed.” This story then spreads like wildfire to the major outlets.

Why can’t organizations predict these headline-grabbing vulnerabilities? We can’t speak for 100% of situations, but many result from invisible components to the organization’s “attack surface”: the sum of all technologies entering, exiting, and even tangentially touching upon the larger corporate technology infrastructure.

So why can’t these organizations see all of their attack surface? This question is not just rhetorical; it has personal and specific implications for the asker. The regrettable answer is that, until very recently, we lacked the purpose-built technology needed to accurately detect every single facet, nook, and cranny of it through thorough and complete IT asset discovery.

That’s largely the fault of the three main methods we used to fulfill the task of performing an asset inventory: agents, scans, and interns.


Why It’s Not Good Enough: Software Agents

Software agents fulfill an extremely important role. They act as a constant monitor and correspondence point on key pieces of technology. However, agents also present a Catch-22: in order to know where to install your agents, you have to know your systems — but you rely on an installed agent to know your systems.

Without agents, security and IT personnel are left groping about in blindness in most instances, hoping to stumble into a device or system that cannot respond to their call. Agents are an excellent solution in situations where you are just trying to detect devices and other configuration items that politely act in accordance with corporate governance and security policies. They also work nicely in conjunction with efforts to keep devices and other environments monitored, managed, and in compliance with current cybersecurity policies.

In reality, though, agents face two major downfalls:

  1. Many employees and contractors will promptly remove agents the moment they receive a device. They may also use technology like unsanctioned VPNs that completely and instantly take the component the agent is installed on “off the map.”
  2. Agents must be installed purposefully on every device, or with every service and instance touching the network. Not only can individuals tasked with this duty fail to catch every single asset, but they are also rarely cognizant of every single item going on the network. Employees may bring their own device, grant permissions to APIs without going through the proper channels, spin up instances of AWS or Kubernetes without running through security protocols, etc. All of these new “hooks” into the network are created in the dark, without an agent to light them up.


Why It’s Not Good Enough: Scans

Scans predominantly work by sending out a small data packet and seeing what responses they get back. Like sonar on a submarine, this “ping” can light up the contours of something but not accurately reveal critical tell-all information.

Also like sonar, when something is discovered, the organization won’t know exactly what it is. With IPs and other impermanent identifiers being used, the scan may not even be able to tell if something discovered was there before, or if it was expected to be on the network at all.

“These scanners spread wide but do not run deep,” explains Lucidum co-founder Dr. Joel Fulton. “In environments with multiple networks, cloud services, ephemeral assets, work from home, and bring your own device, these scanners miss as much as they see and simply slow down the network.”

Worse, the scans often raise more problems than they can ever hope to fully grasp, let alone solve. That, or they may miss something entirely.

Fulton says “the results of the scan will tell you whether there is a responding system at a given address but can’t give you any information that permits you to take action, manage, or protect it. And if that system happened to be off-line, at somebody’s house, or using another system’s address temporarily, you simply can’t see it.”


Why It’s Not Good Enough: Interns

When we say “intern”, we don’t mean some fancy newfangled tech term you’re out of the loop on. We mean actual human beings — almost always young, inexperienced, borderline criminally underpaid human beings.

What these people lack in IT know-how they make up for in their eagerness to please and almost total lack of professional boundaries. They can be given any old task, within compliance of state and federal laws. That often means they are given tedious, repetitive, and fiddly tasks that no human being would rightfully volunteer for at any pay grade.

Interns seeking to assist with asset inventory are given a very special project that involves them interviewing every single person of interest within the company. They ask questions about the assets the person manages, the assets’ location, and any contextual information they can glean. They then cross-reference the information they are given with data reported internally as well as the results of things like CMDB audits, agent databases, and scans.

In some respects, interns demonstrate the power of human persistence and ingenuity. The results of their “human-powered scans” can reveal some shocking insights in ways that almost no other solution could.

The biggest drawback isn’t that they might overlook something (which they most certainly will). Rather, it’s that their information will be immediately, and tragically, out of date.

Fulton laments how “modern environments create, move, and shift systems, users, and data every 15 minutes,” making the intern-powered approach, “an expensive, lengthy project that yields a sepia-toned tintype of the enterprise’s ancestor.”


Doing Better — Lessons on Asset Inventory Imparted Through Machine Learning

Seeing the shortcomings of these approaches and desperate for an alternative, we launched Lucidum.

Leveraging machine learning and artificial intelligence, Lucidum uses contextualized data and metadata sniffed out from the millions (sometimes billions or trillions) of interactions that happen every minute within a given enterprise ecosystem. These methods provide us with the capability to uncover not just every asset, but also every user, service, file, or other relevant item, along with how it all contextually connects with one another.

Our approach sits leagues ahead of the other, outdated, slapdash methods of IT asset discovery and vulnerability management, for a variety of specific reasons.


Lucidum Is Not a Scan

Lucidum superficially resembles an “always on” scan in some respects. It constantly detects the ever-shifting attack surface by listening closely to the chatter within the ecosystem produced by various activities.

Unlike a scan, however, Lucidum penetrates the outer contours of what it runs into by harvesting as much information as possible about anything it discovers. It also does so with zero slowdown or interference with daily processes.

Also unlike a scan, Lucidum arrives ready to do its homework. Any discovered assets/CIs are cross-referenced with historical data and other known factors to reveal more than a simple scan ever could. Redundant, conflicting, or otherwise misleading information is weeded out and interpreted accurately using contextualized machine learning to triangulate what lies where and why.

For example, while a scan may reveal the owner of, say, a laptop as “Janet from finance”, Lucidum can cross-reference HR records to recall that Janet quit six years ago. It may also reference user data from that laptop to show it has been in use by the CFO’s son, who’s home from college as of last winter break.

Lucidum also goes further than a scan by contextualizing the revealed information in terms of an aggregated risk framework. Put in plain terms: not only are assets revealed, but so is their potential to cause major headaches or be actively leaking data in their current state.
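The cross-referencing described in this section, together with the agent gaps from the “Software Agents” section and the impermanent-IP problem from the “Scans” section, can be illustrated with a small reconciliation script. This is an added example, not Lucidum’s code: every record in it is constructed, and the four sources it joins (network observations, agent check-ins, a CMDB, and an HR directory) plus the lease-history table are assumptions about where such data would come from in a real environment.

```python
"""Reconcile asset records from several sources to surface inventory gaps.

Added example, not Lucidum's code. Every record below is constructed, and
the source names (network telemetry, agent console, CMDB, HR directory,
lease history) are assumptions about where such data would come from.
"""
from dataclasses import dataclass, field
from datetime import date

# --- constructed sample data -------------------------------------------------

# Hosts seen talking on the network, e.g. from DHCP leases or flow logs.
NETWORK_OBSERVED = {
    "fin-lt-0412":     {"ip": "10.20.4.12", "last_seen": date(2021, 3, 10)},
    "ops-k8s-node-7":  {"ip": "10.30.1.7",  "last_seen": date(2021, 3, 10)},
    "iphone-ceo":      {"ip": "10.50.9.3",  "last_seen": date(2021, 3, 9)},
    "dev-sandbox-ec2": {"ip": "10.60.2.21", "last_seen": date(2021, 3, 10)},
}

# Hosts whose endpoint agent has checked in.
AGENT_INVENTORY = {"fin-lt-0412", "ops-k8s-node-7", "hr-desktop-0031"}

# CMDB: hostname -> registered owner (a person or a team).
CMDB = {
    "fin-lt-0412": "janet.doe",
    "ops-k8s-node-7": "platform-team",
    "hr-desktop-0031": "sam.lee",
}

# HR directory: user -> employment status.
HR = {
    "janet.doe": {"active": False, "left": date(2015, 2, 1)},
    "sam.lee":   {"active": True,  "left": None},
}

# Previous lease of each IP, to catch an address that now answers as a
# different host than the one earlier scan results remember.
PRIOR_LEASES = {"10.50.9.3": "guest-tablet-2"}


@dataclass
class Findings:
    unknown: list = field(default_factory=list)      # on network, absent from CMDB
    agent_gap: list = field(default_factory=list)    # on network, no agent check-in
    stale_owner: list = field(default_factory=list)  # CMDB owner no longer employed
    dormant: list = field(default_factory=list)      # known, but not seen lately
    ip_reused: list = field(default_factory=list)    # IP previously belonged elsewhere


def reconcile(network, agents, cmdb, hr, prior_leases, today, max_age_days=30):
    """Cross-reference the sources and return the gaps between them."""
    f = Findings()

    for host, obs in network.items():
        if host not in cmdb:
            f.unknown.append(host)
        if host not in agents:
            f.agent_gap.append(host)
        previous = prior_leases.get(obs["ip"])
        if previous is not None and previous != host:
            f.ip_reused.append((obs["ip"], previous, host))

    for host, owner in cmdb.items():
        rec = hr.get(owner)  # team or service owners have no HR record; skip them
        if rec is not None and not rec["active"]:
            f.stale_owner.append((host, owner))

    # Anything the CMDB or agent console believes exists but the network has
    # not seen recently: offline, at someone's house, or quietly decommissioned.
    for host in sorted(set(cmdb) | set(agents)):
        obs = network.get(host)
        if obs is None or (today - obs["last_seen"]).days > max_age_days:
            f.dormant.append(host)

    return f


def run_sample():
    """Run the reconciliation over the constructed data with a fixed date."""
    return reconcile(NETWORK_OBSERVED, AGENT_INVENTORY, CMDB, HR,
                     PRIOR_LEASES, today=date(2021, 3, 10))


if __name__ == "__main__":
    for name, items in vars(run_sample()).items():
        print(f"{name:12} {items}")
```

Each finding category maps to a claim made in the text: the CEO’s phone and the sandbox EC2 instance show up as unknown and agentless, Janet’s laptop is flagged because her HR record is inactive, the HR desktop is dormant because nothing on the network has seen it, and the phone’s address is flagged because the lease history ties it to a different device. None of this is new data collection; it is the join across sources that a scan or an agent console alone cannot perform.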


Lucidum Is Not an Agent

Lucidum does not require the presence of a software agent to operate. By not relying on these agent interactions, Lucidum can detect assets that have been altered from their expected state as well as assets and CIs that were not expected to be on the network.

While installation of agents is typically a high-latency project, Lucidum remains up-to-date while sweeping for “things in the wild” that may not have the expected “animal tag” or that may typically go through the holes in the net. That includes BYOD, ephemeral assets, low-intelligence IoT, and the CEO’s iPhone stolen 3 months ago that’s now trying to connect to email.


Lucidum Is Not an Intern

We can promise you that Lucidum won’t find its way into the company because someone thought their nephew could use a summer job.

We promise that Lucidum won’t ask you for a letter of recommendation after dropping a can of coke on the new $20k photocopy machine.

We promise that Lucidum won’t need you to explain basic dress code policies, and it will never show up to work unshaved and without deodorant.

More to the point, Lucidum is an always-on solution with extremely low latency and with much less technical and logistical overhead than an Outlook calendar packed full of squeaky-voiced interviews. It is also much less brittle and more portable than an old-school spreadsheet, allowing you to leverage powerful analytics and integrate your findings with other platforms.

Lucidum automates otherwise intern-driven tasks that require cumbersome manual processes, without the large margins of error — a high tendency for the wrong t’s to be dotted and i’s to be crossed.


Lucidum Is Not Another Data Lake

Finally, Lucidum does not require another expensive, lengthy project involving the pooling of data into a specific receptacle so that it can have analytics performed on it every so often.

Lucidum extracts minimal data throughout its detection cycles and only stores the most relevant information, often on an ad-hoc basis, while in compliance with your corporate governance, compliance, and risk policies. It aims for the smallest possible footprint while remaining intelligent and up-to-the-minute with its insights.


A Better Way to Know What You Need to Protect

Lucidum is revolutionary precisely because it was intended to replace the old, flawed ways of doing things. It not only catches assets, users, and data with their situational context, but it also provides smarter data on the things it’s detecting, what they are doing, and how they could be impacting your security, governance, and compliance goals.

In many ways, the Lucidum asset management platform is incredibly advanced, but it’s also less complicated than what you were doing before.

Find out how Lucidum can make you fast, save you time and money, and make you amazing to your organization. We provide you with the visibility, intelligence, and real-time understanding that ensures you can protect the things your organization cares about most. Request a demo today.