Application Security

Interview: How Application Relationship Management Helps Businesses Gain Visibility Of Their Attack Surface

Tim Eades, CEO at vArmour, discusses how application relationship management can help organizations to better understand their attack surface to improve security and ensure compliance.

Expert Insights Interview With Tim Eades Of vArmour

Applications talk. They’re like tin can telephones, connected with virtual strings that enable them to send data between one another so your employees can get their work done more easily, and your customers can seamlessly sign in to and use your services. But when you have lots of tin cans, it can be difficult to follow the strings to identify what’s connected to what—and the same goes for applications.

All too often, security teams don’t have the visibility they should into enterprise applications, which means they cannot set restrictions on which apps can communicate with one another. This leaves a tangled mess of unmonitored connections that an attacker could use to move laterally through your business, stealing data and destroying systems as they go.

To find out how businesses can untangle those strings, we spoke with Tim Eades, CEO at vArmour. vArmour is a critical security and resiliency platform that helps businesses to discover all of the assets on their network and understand how they communicate with one another. Application relationship management is a critical component of understanding the attack surface and can help businesses prevent the lateral spread of attacks such as ransomware throughout their environments.

In this interview, we discussed the importance of application relationship management and how attackers can exploit a lack of visibility into critical information asset (CIA) relationships. We also discussed the use of application relationship management to help prove compliance with today’s increasingly complex data protection standards.

Could you please introduce yourself and tell us a bit about your security background?

I’m the CEO at vArmour—I’ve been in security for about 20 years, and this is my third company. I’m also on the board of three others, I’m an investor in a whole range of enterprise cybersecurity companies, and I love it!

I think the mission that you pick up in life is really important. My mission is to try and secure enterprises across all countries globally, and I live that mission very passionately. That’s what I want to do, that’s what I want to be known for—and that’s the mission of our company.

Can you give us an overview of vArmour and how you’re carrying out your mission to secure today’s enterprises?

To understand what vArmour does, we need to talk about something called “exposure management”. Exposure management is divided into two parts: the external attack surface and the internal attack surface.

The external attack surface includes companies like Synack and CyCognito, which try to understand the external attack service of an organization. Gartner calls that “EASM”.

We sit within second half of exposure management, focusing on the internal attack surface, or “CAASM”. And the CAASM space is maturing, which is quite interesting. Two years ago, it was largely focused on managing unmanaged devices in the IT or OT environments. Now, we’re seeing it starting to mature and include applications. And those applications provide business context.

At vArmour, we look at applications and their dependencies, and map out their relationships. By understanding what application has a relationship with and what it has a dependency on, you can start to look at resiliency.

Over the last three years, for example, ransomware has become a really big deal. The Colonial Pipeline attack was a really great example of how the applications and the dependencies were not known, and infrastructure was compromised as a result. It was not resilient.

We go into an organization—whether it’s a large Telco, a bank, a healthcare company, a pharmaceutical company, or a largely regulated organization—and say, “Hey, do you know the relationships and dependencies of your critical information assets (CIAs)? Do you know your relationships and dependencies of these assets? What is serving these things? What is communicating with them, and what’s dependent on these things?”

Once you know what is happening, you can turn around and ask whether they should have a relationship. From that, you can take control and say that certain communications should be stopped. For example, should my payment gateway application have a relationship with a cafeteria? Probably not, so that should be stopped.

This allows you to take control and reduce your attack surface, so that it’s more managed and more understood. You need to understand the underbelly of an organization in order to actually secure it. And that starts with understanding relationships and dependencies.

vArmour helps organizations to continuously improve their cybersecurity posture, and to obtain a dynamic overview of their attack surface. Why is that visibility so important, and how can an attacker exploit that lack of understanding?

That lack of understanding creates fragility and exposure in the enterprise. But it’s difficult to achieve that understanding to begin with. We’re in 14 countries around the world, and in every company that we go into, nobody understands their internal attack surface as it relates to applications. I haven’t found a single one yet.

We deployed recently at a bank, for example, and they had a payment gateway called SWIFT. They had 150 different applications interacting with this SWIFT gateway, and they had no idea about that. And all it takes is a hacker to expose one of those and take advantage of it, and they could shut down that entire payment system and cause outages for millions of consumers.

Our product goes in as a cloud solution, a SaaS-delivered solution, and it allows you to discover those relationships and dependencies and understand them. Then you can identify where something shouldn’t be happening, and you can take control and lock it down.

It’s hard to do that because, if you take 150 application relationships down to 50 or 75 and get it wrong, it becomes a problem. But you have to do it. Otherwise, your exposure is crazy.

So, we’ve done that for six or seven years now, and we do it for organizations all around the world.

How can organizations go about improving their attack surface management to gain those insights?

That’s a great question. The first step starts with discovery—cyber asset discovery, discovering these applications and relationships.

One of our customers has 4,100 applications. Four years ago, they had 35 workloads per app, and now they have 65 workloads per app. Because what’s happening with digital transformation is a disaggregation of the workload from the app, and the workloads are getting more distributed. And because you have more workloads and they’re more distributed, your attack surface is growing in size and in volume.

So, with that in mind, you need to start with your high-value assets—whether those are payment gateways, databases, your 911 application if you’re a Telco—and start to understand them.

Five years ago, this was a complicated exercise. Now, the ability to do it via SaaS models allows it to be done a lot quicker, and it’s progressive. If they don’t use a solution like ours, organizations today will typically go around to their developers with a clipboard and they’ll say, “Okay, you’re the developer. Can you tell me how many relationships and how many dependencies your application has?” And they’ll walk around twice a year or send you a little spreadsheet to complete. There are two problems here: first, they’ll probably have no clue. And second, that’s a twice-a-year thing. But this needs to be continuous.

Drawing on that element of discovery, where should IT teams start?

If I were an IT team, I would start with building a resiliency program around my critical applications. You know, your payment gateways, your code databases, your critical information assets. Start there.

Some of the challenge is, if you look at it too broadly, you get too scared of the problem and you walk away from it. So, the right place to start is to focus on your CIAs, build a relationship and dependency map around that, then map that to policy and say, “Hey, should these things have a relationship and a dependency?” and then take control.

And when you start doing that, you will build footsteps in the snow that you can follow to go and build around other things. And then, as you start to roll up more information to regulators, to auditors, and to the board of directors for your organization, you can say, “This is how I’ve implemented a zero trust policy around my CIAs and reduced my attack surface.” And you can justify what you’re doing to reduce your attack surface and why you’re doing it, to the appropriate authorities.

As well as the threat of breach itself, security teams are also facing the challenge of complying with increasingly complex data protection regulations. How can application relationship management help with this?

Applications talk horizontally, right? Let’s say that you’re in Belgium, and you’re running a small data center or cloud instance—those applications are talking across different countries. They’re not dependent on the Nutanix environment or the AWS environment, for example—their communications aren’t confined to a certain parameter, because they have to serve the business and the business is global. The business is horizontal, and it’s dependent on these applications to provide service to the customers.

Once you understand that as a reality, then you have to turn around and put policies around these things that say, “Control this thing so it can’t just talk anywhere, it can only talk to places where GDPR, for example, allows it.” Application relationship management can actually help you with that.

We rolled out at a bank recently that has seven data centers around the world. That bank is highly regulated—they have over 100 regulators that they have to be responsible for. And understanding their application communications and relationships so that they can meet different regulatory standards around the world is a big part of that.

It all starts with those three steps: number one, discover what is happening in your environment; two, look at what should be happening against policy and against regulations; and three, do something about it to lock it down.

What is your final advice to organizations looking to identify and manage cyber risk more efficiently?

To look at cyber risk and how it’s going to evolve in the coming years, I think you have to look at the journey that we’ve been on over the last few years.

Five to seven years ago, you would look at application security. Then, over the last three to five years, we moved to a period of looking at workload security. And I think, over the next decade or so, we’re going to look at data security.

Data is more distributed than ever before. It’s in Snowflake, it’s in AWS, and it’s in Hadoop, and so on. Data security is going to be the frontier that people are going to fight for the next decade; securing it, controlling it, understanding it, classifying it, cataloguing it, and then allowing appropriate access to it—from an application perspective as well as a user. That’s going to be the frontier.

But like in AuthN security, you should start small on the most critical assets and critical use cases— things that really matter and things that are regulated—and build a programme around them, then replicate it.

Thank you to Tim Eades for taking part in this interview. You can find out more about vArmour’s attack surface and application relationship management platform via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.