Accenture forges own path to improve attack surface management

Accenture’s award-winning attack surface management program strengthens the company’s resiliency and security posture.

As a global consulting and technology company, Accenture understands how quickly an attack surface can grow and become vulnerable to cyber threats.

“We’ve always had a strong security posture, but as we’ve been growing, we noticed that we had weaknesses in our defenses,” says Kristian Burkhardt, Accenture CISO. 

To achieve complete visibility of its IP estate, Accenture merged various technologies into a custom ASM (attack surface management) program. Burkhardt describes the program as “integrating a set of tools into a process” that combines penetration testing, customized scans, and attack simulations with human creativity and teamwork.

The need for complete attack surface visibility

In order to build an attack surface management framework, says Burkhardt, an organization must first have:

• Tech hygiene — making sure your infrastructure, cloud objects, and workstations are configured, patched, and hardened against attacks. 
• Strong asset management — knowing all the assets you own, where they are located, and ensuring they are under proper governance.

“If your tech hygiene and asset management are not in a good place, it will get in the way of ASM,” says Burkhardt. “They were in a good place at Accenture, but that doesn’t always protect you against edge cases and unique attack scenarios.”

Like most organizations, Accenture has standard defenses to detect and prevent largely autonomous attacks: endpoint protection, firewalls, email filtering, multi-factor authentication, patching and configuration management, and URL blocking.

While Accenture successfully protected upwards of 99% of its assets from threats, with an expanding attack surface from acquisitions, 99% wasn’t good enough.

Burkhardt and his team first noticed gaps in their security posture when doing crowdsourced penetration testing. The tests flagged small incidents that exploited vulnerabilities that conventional tools do not scan for, such as default passwords in Apache or a weak configuration of GitLab or WordPress, Burkhardt explains.

“Penetration testing opened our eyes that there were ways into our network that commercial vulnerability scanners were never going to find,” he says. “We knew we needed to do better.”

A melting pot of ASM technologies and teamwork

In mid 2023 the company’s information security team began developing its own tools and performing custom activities as part of an initiative that became its attack surface management program.

The program combines in-house tools with third-party tools that Accenture purchased and customized to scan for specific vulnerabilities. 

“We created all the process, rigor, and discipline that goes into the ASM program to make sure the security team is remediating what it is supposed to remediate,” says Burkhardt.

Technologies and processes that make up Accenture’s ASM program include:

• Crowdsourced penetration testing for critical apps. Tests provide vulnerability specialists to find Accenture’s weaknesses before the bad actors do. The security team analyzes the tests’ findings, fixes them, and prevents new similar findings.
• Threat intelligence response. An emergency response capability that allows Accenture to quickly find new vulnerabilities in its environment so the team can target remediation.
• Custom-built advanced detection and complex hunt capabilities. These are created within software configurations that off-the-shelf products don’t find. For example, these tools spot third-party platforms using default passwords, creating a vulnerability.
• Monitoring Accenture’s internet footprint to make sure the company’s IP estate is identified and inventoried. This includes Accenture domains and IPs as well as the IP inventory of newly acquired companies.
• Management of Accenture’s external reputation. Third-party reputation vendors eliminate false positives and validate that Accenture’s security detection tools and processes are working as intended.
• Breach and attack simulation. This tool is designed to constantly detect, and protect against, known threats. If an attacker has a foothold on one of Accenture’s services, the tool will test how far attackers actually get and track them if they move around.

“We’ve definitely improved both of those areas,” he says. “We now have visibility of that last 1% of our IP space. The proof is that we haven’t been caught off guard by an attacker getting access to a system we didn’t know we had. That hasn’t happened in over a year.”

Burkhardt describes a real-life scenario where Accenture’s rapid response process discovered and blocked a vulnerability triggered by a newly acquired company.

“One of the controls companies must implement to finalize an acquisition is that all of their remote access must be two-factor authentication enabled,” he says. 

“This particular company complied and signed the deal, but when we scanned their IP address space with our tool, we found instances of a non-commercial remote access tool that was vulnerable to attacks. The company didn’t even know they were using this tool. We were able to shut it off before an attacker found it, saving us an attack down the road.” 

For its custom ASM program, Accenture earned a 2024 CSO Award, which honors security projects that demonstrate outstanding thought leadership and business value.

Looking ahead: Injecting AI into attack surface management

Between the threat intelligence feeds scouring for vulnerabilities and penetration testers simulating attacks against Accenture, the ASM program has created what Burkhardt refers to as a “virtuous circle” that continually hardens its attack surface and keeps the security team informed. 

Going forward, Burkhardt is working on how to integrate artificial intelligence into the ASM program.

“The AI could learn how to analyze our threat intelligence and penetration testing results to perform more advanced and faster attacks against us,” says Burkhardt.

Unfortunately, he adds, threat actors know this and are using AI, too. 

“There’s an AI arms race going on, and threat actors probably have the upper hand,” he says. “Defenders like us need to catch up.”