CISO Forum: Reducing the Attack Surface

As organizations face increasing complexity in their IT environments, reducing the attack surface has become a critical pillar of cybersecurity strategy.

During a recent Fortify Experts CISO Round Table, over 30 industry leaders shared actionable insights on minimizing exposure, leveraging cutting-edge technologies, and aligning security initiatives with business objectives.

This article distills those discussions into a guide for security professionals striving to fortify their defenses.


75% of the security leaders felt their firms were only doing an adequate or poor job at managing the attack surface.

Attack Surface vs. Attack Vectors

To clarify, this forum focused on the attack surface, which is the set of ingress points for threats: the physical and digital entry points that adversaries can exploit. Attack vectors, on the other hand, are the methods used to exploit vulnerabilities.

  • Attack Surface = Entry Points
  • Attack Vectors = Methods

Security leaders must address this growing Attack Surface challenge, particularly as digital transformation and remote work expand the footprint of vulnerable endpoints, APIs, and cloud environments.

If we can reduce the attack surface, then the attack vectors will be easier to identify and control.

Therefore, our discussion focused on isolating, reducing, or eliminating the attack surface.

Key Insight:

Attack surface reduction is a business enabler. By limiting attack surfaces, organizations improve operational resilience and safeguard productivity.

Asset Discovery & Vulnerability Enumeration

Leaders agree that you can’t manage what you can’t see. To elevate federal standards, CISA required all agencies to implement a weekly scan containing the following:

  • Asset Discovery creates operational visibility by identifying which network-addressable IP assets reside on agency networks and the IP addresses (hosts) associated with them.
  • Vulnerability Enumeration identifies and reports suspected vulnerabilities on those assets.
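The practical value of pairing discovery with enumeration is the reconciliation step: hosts that answer on the network but are absent from the inventory have no owner, no patch cadence and no monitoring, so they deserve attention before anything else. The script below is an added example written for this article, not a tool from the forum, CISA or Fortify Experts. It parses constructed discovery and vulnerability output (the line formats and the placeholder CVE identifiers are assumptions of the example), compares the discovered hosts with a constructed inventory, and ranks hosts by worst finding with unmanaged hosts first at equal severity.

```python
"""Reconcile an asset-discovery scan against the asset inventory and rank
vulnerability findings so that unmanaged ("shadow") hosts and the highest-risk
exposures surface first.

All input below is constructed sample data, not output from any real scanner
or CMDB; the line formats and CVE identifiers are assumptions of this example.
"""
from dataclasses import dataclass, field

# Constructed discovery output: one host per line, "ip hostname port,port,..."
# A hostname of "-" means reverse lookup returned nothing.
DISCOVERY_SCAN = """\
10.0.1.10 web-01 22,443
10.0.1.11 web-02 22,443
10.0.1.50 - 3389,445
10.0.2.20 db-01 5432
"""

# Constructed vulnerability-enumeration output: "ip port cve cvss"
# (CVE identifiers are placeholders, not real advisories)
VULN_SCAN = """\
10.0.1.10 443 CVE-0000-0001 7.5
10.0.1.50 445 CVE-0000-0002 9.8
10.0.1.50 3389 CVE-0000-0003 8.1
10.0.2.20 5432 CVE-0000-0004 5.3
"""

# Constructed inventory: the hosts the CMDB believes exist.
INVENTORY = {"10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.2.21"}


@dataclass
class Host:
    ip: str
    hostname: str
    ports: set = field(default_factory=set)
    findings: list = field(default_factory=list)  # (port, cve, cvss)


def parse_discovery(text):
    """Build a Host per discovered IP with its open ports."""
    hosts = {}
    for line in text.strip().splitlines():
        ip, hostname, ports = line.split()
        hosts[ip] = Host(ip, hostname, {int(p) for p in ports.split(",")})
    return hosts


def attach_findings(hosts, text):
    """Attach enumeration findings; a finding on an undiscovered IP still creates a Host."""
    for line in text.strip().splitlines():
        ip, port, cve, cvss = line.split()
        host = hosts.setdefault(ip, Host(ip, "-"))
        host.findings.append((int(port), cve, float(cvss)))
    return hosts


def reconcile(hosts, inventory):
    """Split the two populations that 'you can't manage what you can't see' is about."""
    discovered = set(hosts)
    return {
        "unknown": sorted(discovered - inventory),  # on the network, not in the CMDB
        "missing": sorted(inventory - discovered),  # in the CMDB, not seen on the network
    }


def prioritize(hosts, inventory):
    """Rank hosts by worst CVSS; at equal severity, unmanaged hosts come first."""
    ranked = []
    for host in hosts.values():
        if not host.findings:
            continue
        worst = max(cvss for _, _, cvss in host.findings)
        unmanaged = host.ip not in inventory
        ranked.append((worst, unmanaged, host.ip, len(host.findings)))
    ranked.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return ranked


if __name__ == "__main__":
    hosts = attach_findings(parse_discovery(DISCOVERY_SCAN), VULN_SCAN)
    gaps = reconcile(hosts, INVENTORY)
    print("not in inventory:", gaps["unknown"])
    print("inventory but not seen:", gaps["missing"])
    for worst, unmanaged, ip, count in prioritize(hosts, INVENTORY):
        tag = "UNMANAGED" if unmanaged else "managed"
        print(f"{ip:<12} worst CVSS {worst:<4} findings {count} ({tag})")
```

Run weekly, the "unknown" list is the attack surface nobody has accounted for, and the "missing" list flags inventory records that are stale or hosts that have gone dark; both are inputs to the prioritization discussed later in this article.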

Notable Quote:

“Attack surface management must be dynamic; as new technologies emerge, so do new vulnerabilities. Prioritizing visibility and control across SaaS and cloud environments is key to maintaining a strong security posture.”

If you do not currently have an adequate Asset and Vulnerability Discovery tool, reach out and Fortify Experts can set you up with a free tool that will scan the network and provide a complete asset and vulnerability report.

Attack Surface Prioritization:

Forum attendees ranked these areas as the primary attack surfaces to focus on:

  1. Endpoints
  2. Cloud Infrastructure
  3. Browser
  4. Virtualization
  5. IAM


Reducing the Endpoint Attack Surface:

Several leaders acknowledged that getting back to the concept of “dumb terminals” would be the single most impactful action a firm could take to reduce the attack surface. This would eliminate about 80% of the attack surface.

There is a trend at the enterprise level to move toward Virtual Desktops to eliminate endpoint management and threats.

Virtual Desktop Options:

  1. Azure RDP Desktops - Resource heavy.
  2. Amazon Workspaces - Windows / Linux desktops.
  3. Fortified Desk Workspaces - Instant BYOD.

Virtual Desktop Comparison Chart


Reducing the Cloud Attack Surface:

Adopting a Zero-Trust Architecture, leveraging tools like Cloudflare for cloud-based applications or a Docker-based workspace like Fortified Desk, can significantly reduce attack surface exposure.

Cloud Security Posture Management (CSPM): Tools like AppOmni help organizations monitor and secure SaaS environments, ensuring compliance and visibility across cloud-based platforms.

Native cloud controls from providers like AWS and Azure, supplemented with third-party solutions, are crucial for identifying misconfigurations and securing cloud workloads.


Reducing the Browser Attack Surface:

Security leaders agreed that about 60% - 80% of today’s workload is accessed through the browser. Because the browser runs on the endpoint, a threat introduced through the browser can adversely impact the device and, from there, the corporate infrastructure.

Consider a browser isolation solution from vendors such as Island or LayerX to isolate browsing and reduce endpoint risk.

However, many enterprises do not want to change the endpoint browser because it introduces user friction and adds another layer of IT management.

One solution is to use a containerized browser. Here is an example of how a Chrome browser can be deployed without requiring additional endpoint software: Free Isolation Browser


Reducing the Virtualization Attack Surface

Since COVID, most enterprises have dramatically expanded their use of virtualization tools like VMware, Hypervisor, Citrix, and VPNs. These solutions have now been designated as insecure by the US DoD due to vulnerabilities and foreign adversarial influence.

While creating secure remote access has been vital to corporate productivity, each additional layer of IT adds more complexity and attack surface. These layers have introduced new vulnerabilities and have come at an extremely high cost for licensing, computing power, and IT administration.

The DoD developed a new single virtualization solution that eliminates many of these attack surfaces and significantly reduces the complexity of virtualization.

Fortified Desk leverages this DoD-level secure virtualization to simplify virtualization and remote access.


Reducing Attack Surface Through Identity-Centric Zero-Trust

As organizations shift toward cloud-first and hybrid environments, traditional perimeter-based defenses are no longer sufficient. Leaders at the roundtable emphasized Zero Trust Architecture (ZTA) and identity-centric security as foundational strategies for attack surface reduction.

Zero Trust in Practice:

  • Remove implicit trust within networks by requiring continuous identity verification.
  • Leverage robust Identity and Access Management (IAM) systems like Okta to enforce least-privilege access dynamically.

Identity-Centric Perimeters:

  • Shift the security perimeter from devices to identities, ensuring that access is tightly controlled regardless of location or device.
  • Use multi-factor or passwordless authentication to bolster user security.
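The two lists above describe a policy, and the shape of that policy is easiest to see as a decision function. The code below is an added example written for this article, not code from the roundtable, Okta or Fortified Desk: a deny-by-default access check in which every request is evaluated on identity, authentication strength, how recently the user authenticated, and whether the action falls inside the least-privilege scope of the user's role. The roles, scopes, session limits and sample requests are constructed; the source address is carried only for the audit log and is never consulted by the policy, which is what "regardless of location or device" means in practice.

```python
"""Deny-by-default access decisions for an identity-centric zero-trust gateway.

Each request is judged on its own merits: who is asking, how strongly they
authenticated, how recently, and whether the action is inside the
least-privilege scope of their role. Network location is deliberately ignored.
Roles, scopes, timeouts and sample requests are constructed for this example.
"""
from dataclasses import dataclass
import time

# Least privilege: each role maps to exactly the (resource, action) pairs it needs.
ROLE_GRANTS = {
    "analyst": {("tickets", "read"), ("tickets", "write")},
    "finance": {("ledger", "read")},
    "admin":   {("ledger", "read"), ("ledger", "write"), ("tickets", "read")},
}

# Continuous verification: sensitive actions require a more recent interactive login.
MAX_AUTH_AGE_SECONDS = {"read": 8 * 3600, "write": 15 * 60}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    mfa_verified: bool   # asserted by the IdP after MFA or passwordless login
    auth_time: float     # epoch seconds of the last interactive authentication
    source_ip: str       # kept for audit logging only; never consulted by decide()


def decide(req, now=None):
    """Return (allowed, reason). Every check must pass; nothing is implicitly trusted."""
    now = time.time() if now is None else now
    if not req.user or req.role not in ROLE_GRANTS:
        return False, "unknown identity or role"
    if not req.mfa_verified:
        return False, "MFA or passwordless authentication required"
    if req.action not in MAX_AUTH_AGE_SECONDS:
        return False, "unknown action"
    if now - req.auth_time > MAX_AUTH_AGE_SECONDS[req.action]:
        return False, f"re-authentication required for {req.action}"
    if (req.resource, req.action) not in ROLE_GRANTS[req.role]:
        return False, "outside least-privilege scope"
    return True, "ok"


def audit_line(req, verdict):
    """One structured log line per decision; the source IP shows up here, not in policy."""
    allowed, reason = verdict
    return (f"user={req.user} role={req.role} {req.action}:{req.resource} "
            f"src={req.source_ip} allowed={allowed} reason={reason!r}")


if __name__ == "__main__":
    now = time.time()
    samples = [
        Request("alice", "analyst", "tickets", "write", True, now - 60, "10.0.0.5"),
        Request("alice", "analyst", "tickets", "read", False, now - 60, "10.0.0.5"),
        Request("alice", "analyst", "tickets", "write", True, now - 3600, "10.0.0.5"),
        Request("bob", "finance", "ledger", "write", True, now - 60, "203.0.113.9"),
        Request("mallory", "guest", "tickets", "read", True, now - 60, "10.0.0.5"),
    ]
    for r in samples:
        print(audit_line(r, decide(r)))
```

Note that the second sample request comes from an internal address and is still refused: under this policy the network location never upgrades a request, which is the whole point of moving the perimeter from the network to the identity.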

Key Vendor Mention:

  • Fortified Desk enables Zero-Trust on any application by containerizing workloads, enabling MFA and integrated SSO access, and removing dependencies on the endpoint’s security posture.

“Without a robust IAM system, achieving Zero Trust or meaningful attack surface reduction is nearly impossible.”

Emerging Trends: AI and Attack Surface Management

Leaders explored the potential of AI-driven solutions to enhance attack surface management:

  • Generative AI: This could be used to identify unstructured sensitive data, such as documents containing PII or business-critical artifacts.
  • AI Sentinels: While still in its infancy, AI as a protective layer was highlighted as a future area for exploration.

Future-Proofing Strategies:

  • Invest in AI tools to discover and secure sensitive data dynamically.
  • Monitor advancements in AI-driven attack surface management for early adoption opportunities.

Conclusion

Reducing the attack surface is not just a security imperative—it is a business enabler. By adopting robust isolation strategies, leveraging advanced technologies, and aligning security strategies with business priorities, organizations can significantly minimize their exposure to cyber threats.

Security leaders must remain proactive, leveraging tools like AppOmni, Fortified Desk, and Cloudflare to gain visibility and control. At the same time, embracing foundational strategies such as Zero Trust and identity-centric security will ensure resilience in an ever-evolving threat landscape.


About Tim Howard

Tim Howard is the founder of 5 technology firms including Fortify Experts which helps companies create higher-performing teams through:

  • People (Executive Search and vCISO/Advisory consulting),
  • Process (NIST-based security assessments and Leadership Coaching),
  • Technology (Simplifying Security Solutions).


How I can help you:

  1. Join over 30,000 People Getting Free Security Leadership Improvement Advice - Follow me on LinkedIn. www.dhirubhai.net/in/timhoward
  2. If you want to hire a great security leader, download our free ebook on How to Hire a Great CISO.
  3. If you want to quickly assess your Cybersecurity Maturity Level or Need a Strategic Improvement Roadmap, Contact me.
  4. If you are looking to simplify cybersecurity, check out Fortified Desk. The Zero Client secure, instantly deployable, BYOD workspace.
  5. Come be a part of the discussion in our Monthly CISO Forums.


Ranbir B.

Visionary | Integrator | CEO | vCISO - virtual Chief Information Security Officer | Fractional CISO | Cybersecurity Career Coach | Leader | Guide | Mentor | Cybersecurity Educator

2 months

Commenting for further outreach!
