Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability
The Contrastive Credibility Propagation Algorithm in Action: Improving ML-powered Data Loss Prevention
Attackers Exploiting Public Cobalt Strike Profiles
share iconDOWNLOAD PDFPDF
3min. read

Leveraging AI as a Force Multiplier for Attack Surface Management

By Matt Kraning, CTO for Cortex Xpanse, Palo Alto Networks

Attack surface management has grown more complex as attack surfaces increase in size and threats multiply in number, intensify in speed, and expand in diversity, giving the attackers a decided edge. But organizations can use artificial intelligence in new and innovative ways to gain a sustainable edge in controlling attack surfaces.

Attackers recently developed new tools to identify our rapidly growing and complex attack surface. To make things even more problematic, they’re using a technology that is as readily available to them as it is to us as defenders: artificial intelligence (AI).

This has changed the rules of the game when it comes to attack surface management (ASM), an increasingly complex intersection of technologies, risks, methodologies, and potentially devastating outcomes. And here’s the reality for chief information security officers (CISOs): AI has made the future of ASM extremely complex to understand and address.

Over the years, there have been three big challenges associated with using AI for cybersecurity, and until very recently, no cybersecurity solution has overcome all three. They are:

  • Customers typically do not know large and substantial fractions of the IT assets they own. They often know at most 70%.
  • There has been limited data integration between different types of data and different cybersecurity tools, impeding the creation of efficient and unified views of organization-wide security risks.
  • Attackers are innovative in their tactics and very good at changing tactics over time, which makes it hard to pinpoint their attack vectors and exploit choices.

Any attempt to make ASM more efficient and effective had to consider those three challenges.

The Role of AI in ASM

Building a truly world-class and world-leading solution for attack surface management is challenging because you have to build several components simultaneously. We believe you need to build and integrate as many as five components to do justice to ASM. But what happens when you do a great job on four but miss the mark on the fifth?

Unfortunately, you don’t get 80% of the benefit because you’ve flawlessly done four of the five components. You get substantially less of the potential benefit—maybe as little as 10%, which means your ASM defense doesn’t work because of the need for all this to be tightly integrated into a single solution.

Fortunately, ASM can be enhanced by using AI. ASM is enhanced by solutions like the Palo Alto Networks Cortex Xpanse platform in this way. The technology offers numerous benefits for ASM, including automation, scalability, performance (at scale), accuracy, and much more. It is a powerful, efficient, and reliable force multiplier of our cybersecurity teams, technologies, and ASM-directed processes.

Challenges of Continuous Monitoring of Digital Assets

In particular, AI aids in the efficient operation of ASM by providing high-quality, reliable, and consistent data collection. That’s important because while it’s fairly simple to gather attack-related data on the internet once in a “point in time” manner, it’s far more difficult to do that regularly and consistently, time after time.

It's tricky to identify and overcome challenges associated with around-the-clock monitoring of essential IT and operational technology functions. One reason centers on the notion of ownership; specifically, we have long struggled with the idea of who owns what on the internet.

For example, assume we identify a company, and that company has a subsidiary. We may know that the subsidiary bought another company six years ago, and they had a web server configured in a specific way. Today, that web server is running on Azure, exposing a database server to the internet insecurely. That’s complex, but it’s also relatively simple. But when this scenario is extrapolated across our customer base, it becomes substantially more complex.

Another issue to consider is the knowledge graphs built to understand customers and their assets over time. That knowledge graph must be perfectly accurate for ASM to work properly. This can only be done efficiently and comprehensively with AI.

Finally, keep in mind that attackers have figured out that they can use AI to expand their attack surface in the same way as we seek to defend it: automated, scalable, with high performance and precise accuracy. They want to use AI to maintain the competitive edge they built up over the years against cyber defenders.

In order to prevent that from happening, we have to take AI to the next level to fulfill ASM's potential.

An AI-Charged ASM Solution That Puts Defenders in the Lead

A key element of ASM is its ability to provide real-time, comprehensive visibility. However, historically, ASM hasn’t been as good as providing the ability to do anything meaningful and actionable with the results we tell our customers. Suppose we leverage a huge amount of technology built natively within Xpanse and our company’s broader portfolio of security solutions. In that case, we can tell our customers that they can know not just about all their digital assets but especially where attacks are taking place—or are likely to occur—and how to find and fix the problem.

This integrates data, AI, and workflows that give our Xpanse platform the power and performance CISOs need. It also enables the integrated technologies to come together in powerful ways to make ASM more intuitive, actionable, and successful at spotting and blocking threats. And, as important as it is to remediate the impact of threats, we need to focus on preventing exploits. Attackers have gotten so good at using AI and other tools to infiltrate and exploit our systems that we don’t have nearly enough time to respond to threats before an incident occurs. 

In some ways, this is a new, important personification of the “shift left” mentality that has taken the software development lifecycle by storm, and for good reason. However, there is an important distinction between software development and AI. For instance, software is a fairly static thing that gets updated periodically with new versions and patches; it exists close to its original form, doing similar things over time.

Conversely, AI is part of a dynamic process—especially when it’s done properly and appropriately. We call this a “data flywheel,” where in order to have really great AI that can help ASM do more and stay ahead of the attackers, it is part of a continual development process. Data comes in from customers, is understood and processed, and this is done in a way that is normalized with other data. If you’ve chosen your data correctly, even basic regressions of the right data can have a profound impact. 

Another important aspect of our work with the Cortex Xpanse platform is the use of what we call Precision AI. This unique combination of technology and processes from Palo Alto Networks enables Xpanse to detect and prevent attacks in real time. By combining machine learning, deep learning, and generative AI—all trained on the largest security data lake in the world among pure-play cybersecurity leaders—cybersecurity strategies like ASM are enhanced immeasurably. This happens by:

  • Stopping threat variants in real time, without signatures.
  • Understanding unstructured data and preventing leakage of sensitive information.
  • Continuously improving detection rates—and reducing false positives—by creating new attacks using GenAI.

These capabilities have been integrated into Cortex Xpanse to create a stronger, more intelligent, and more resilient ASM defensive framework. This is done by leveraging the most diverse and highest-quality data, a platform-based approach that makes data shareable and accessible, and the right AI and cybersecurity expertise to create the most accurate and actionable models.

Looking Ahead

It is important for CISOs and all cybersecurity practitioners to anticipate what attackers may try next. Fortunately, we have the benefit of looking back and learning that the attackers are truly committed to their mission and have the skills and tools to make it happen. It’s our job to ensure that we have the right tools, strategies, and processes to prevent that.

We must look beyond the innovative technology available to us and take a more strategic approach to anticipating and thwarting attacks. CISOs, working with their C-suite partners and boards of directors, must adopt a much more proactive mindset. We talked earlier about the “shift left” movement, but we need to think and act proactively. Remember that by the time an asset is breached, it may be too late to do any meaningful remediation. 

This is especially true if you’re talking about unmanaged assets, which unfortunately tend to be about 30% of all assets for Fortune 500 organizations. If you have an unmanaged asset that’s on the internet, you have no time to respond. You’re not likely to know when it has been exploited, and therefore, all the lateral movement that has happened since the time of the exploit now happens more quickly without being monitored. 

Of course, making the right financial and human resources investments is a given for proper ASM and efficient cybersecurity solutions, especially when it comes to spotting and dealing with a new breed of AI-based attacks. Given the mission-critical nature of the assets we must protect, this is a time for fresh thinking and creative solutions. 

We have the opportunity to get out ahead of the attackers and stay ahead of them. Let’s not let that opportunity pass us by.

Matt Kraning is the chief technology officer for Cortex Xpanse at Palo Alto Networks. He was previously the co-founder and CTO of Expanse, which was acquired by Palo Alto Networks in 2020.

Get the latest news, invites to events, and threat alerts

Popular Resources

Legal Notices

Popular Links

Report a Vulnerability