Feature Spotlight: Attack Surface Inventory

As all cybersecurity defenders know, visibility into the network is the key to understanding what is really happening at your organization. In order to protect a corporate network, cybersecurity teams must be aware of the complete attack surface. In order to achieve this, Clear NDR u40 has introduced a new feature: the Attack Surface Inventory. This new feature makes it incredibly easy for a security team to quickly see and understand exactly where an attack could happen. 

What is Attack Surface Inventory?

As Clear NDR probes capture traffic in key parts of the network, they are able to see all the hosts actively communicating over, and thus create a list of all active servers and endpoints on the network. Prior to Clear NDR u40, only the hosts that had a detection method trigger were listed on the “Host” page. Now, as of the release of u40, all active hosts communicating over the network are listed, providing users with a complete attack surface inventory. 

Clear NDR is able to capture a broad range of data points which are made available in the inventory, such as:

• Host role
• Which part of the network the host is in (assuming network definitions have been set up)
• Active services on the host
• Hostname and IP
• Last logged in users
• HTTP and TLS agent
• Last seen and first seen on the network

The information above is then displayed in a user friendly and easily readable way:

Clear NDR probes capture traffic in real time. As a result, they are capable of updating the attack surface inventory host data points in real time. This mechanism allows Clear NDR users to always have the most current information possible about the hosts in the network they are protecting. 

Benefits of Attack Surface Inventory

The Attack Surface Inventory feature is crucial for cybersecurity defenders as it allows them to have a complete view of the network, thus enabling them to:

• Reduce blind spots: Avoid the possibility of an attacker exploiting an unmonitored or unknown part of the network.
• Identify and control the list of assets in the network: Monitor for shadow IT and have a complete list of active assets on the network.
• Improve incident response: If an attack occurs, having the complete list of assets will allow incident responders to quickly identify compromised assets and contain them.
• Enable proactive threat prevention and response: By providing the list of active services, TLS, and HTTP agent information, Clear NDR enables defenders to quickly identify misconfigured and potentially compromised assets.

How to Get Started with Attack Surface Inventory

The Attack Surface Inventory is a native feature to Clear NDR u40. All new customers will automatically benefit from it and see the Inventory option in their sidebar. For existing customers, upgrading from your current release to u40 is the only way to benefit from the Attack Surface Inventory. After installing Clear NDR or upgrading from a previous version, you can navigate to the Inventory page to see the list of all actively communicating assets in your network: 

Conclusion

The more you can see, the more you will know. The more you know, the more you can do. The Attack Surface Inventory gives security teams a clear picture of the assets communicating on their network, in turn allowing them to have greater visibility, improved incident response, and proactively identify possible weaknesses. If you have not yet upgraded to Clear NDR U40, then we strongly encourage you to do so to get the most out of the new features. 

To stay updated with new blog posts from Stamus Networks, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.