October 12, 2023 By Mark Stone 4 min read

As the threat landscape grows in sophistication and complexity, new roles in cybersecurity are emerging more frequently than ever before. One example is attack surface management.

These cybersecurity professionals are responsible for identifying, mapping and securing all external digital assets an organization owns or is connected to. This includes servers, domains, cloud assets and any other digital points that could be exploited by cyber criminals. Their role involves continuously monitoring these assets for vulnerabilities, misconfigurations or other potential security risks and implementing measures to mitigate these risks. They also work to reduce the organization’s overall attack surface by eliminating unnecessary access points and ensuring that all remaining ones are properly secured.

In this exclusive and informative Q&A, we spoke with Sara Lipala, lead technologist, attack surface management for Booz Allen Hamilton. Lipala is an accomplished cybersecurity professional with over five years of experience in the manufacturing and consulting industries, with a focus on vulnerability management, patch management and comprehensive attack surface management.

Did you go to college? What did you go to school for? If not, what certifications did you obtain?

I attended Montclair State University, where I completed a Bachelor of Science in Information Technology with a Computer Science minor. On top of my university education, I’ve obtained industry certifications, including the GIAC Enterprise Vulnerability Assessor Certification (GEVA), Harvard’s Managing Risk in the Information Age, ITILv3 Foundations Certificate and vendor-specific certifications including Qualys: VMDR, Scanning Strategies and Best Practices, Vulnerability Management, Web Application Scanning and Container Security.

What was your first role in IT? If it wasn’t in security, what pushed you to pursue security?

My first role in IT was at my university’s IT Service Desk, where I provided tech support to students and staff. My next role was an IT Operations Analyst Intern, where I primarily focused on change management activities. It was within this role that I had the opportunity to shadow and work directly with the cybersecurity team, which really sparked my interest in the field. I was excited by how rapidly things change and the prospect of building a strong defense for an organization, which then led to further excitement about how much information there was to learn!

A blue team defensive role requires a strong understanding of a variety of topics in order to ensure you’re approaching cybersecurity risks from a holistic view while being aware of where exactly the vulnerability lies and how to manage it. I found myself enjoying the challenge of staying ahead of attackers. I completed my internship and then transitioned to working on the cyber team full-time post-graduation.


What is the most valuable skill you learned in your role?

The most valuable skill I’ve learned in my role is risk prioritization. It’s easy to become overwhelmed by the attack surface of an organization — there’s data coming from a multitude of sources that all have “top priority” findings. Due to resource restraints, it’s often impossible to address all top-priority findings at once. Prioritizing vulnerabilities means that you focus on the most critical findings based on risk likelihood and the potential impact of exploitation.

For example, a high-severity internet-facing vulnerability carries a much greater remediation urgency than a high-severity vulnerability on a well-protected sandbox server on the internal network.

Risk prioritization also adds meaningful and impactful context to a vulnerability report. This allows the audience to understand what the vulnerability findings actually mean in terms of risk to the organization rather than a solely quantitative metrics report. Prioritizing security risk also provides visibility to leadership for the effective allocation of resources to mitigate and/or remediate the findings. Developing this skill helps create clarity out of chaos.
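The likelihood-times-impact prioritization described in this answer, as an added example (not code from the interview or from Booz Allen): severity stands in for impact, exposure and a known-exploited flag stand in for likelihood, and the weights, asset names and vulnerability identifiers are constructed placeholders rather than any vendor's scoring model.

```python
"""Risk-based prioritization of vulnerability findings.

Added example (not from the interview): scores each finding by the
likelihood of exploitation and the potential impact, so that an
internet-facing high-severity issue outranks the same severity on an
isolated internal sandbox. Weights and sample findings are constructed
for illustration, not taken from any vendor's scoring model.
"""
from dataclasses import dataclass

# Constructed weights: severity ~ potential impact, exposure ~ likelihood.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPOSURE_WEIGHT = {"internet": 3, "internal": 2, "isolated": 1}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str                    # placeholder identifier, not a real advisory
    severity: str                   # scanner rating: critical/high/medium/low
    exposure: str                   # internet-facing, internal, or isolated sandbox
    known_exploited: bool = False   # e.g. listed in CISA's KEV catalog
    asset_criticality: int = 1      # 1 (sandbox) .. 3 (business critical)


def risk_score(f: Finding) -> int:
    """Likelihood x impact, in the spirit of the OWASP Risk Rating method."""
    likelihood = EXPOSURE_WEIGHT[f.exposure] + (2 if f.known_exploited else 0)
    impact = SEVERITY_WEIGHT[f.severity] * f.asset_criticality
    return likelihood * impact


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; ties broken by asset name for stable reports."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset))


# Constructed sample findings: two "high" results that a raw scanner
# report would rank equally.
SAMPLE = [
    Finding("sandbox-01", "VULN-EXAMPLE-1", "high", "isolated", False, 1),
    Finding("www-portal", "VULN-EXAMPLE-2", "high", "internet", True, 3),
    Finding("hr-db", "VULN-EXAMPLE-3", "critical", "internal", False, 3),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):3d}  {f.asset:12s} {f.severity:8s} {f.exposure}")
```

The internet-facing, known-exploited portal lands at the top and the isolated sandbox at the bottom, even though a scanner labels both "high".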

What soft skills do you think make a person successful in cybersecurity, and specifically in attack surface management?

A few soft skills I believe are required for success in cybersecurity are determination, organization, levelheadedness, attention to detail and the ability to communicate clearly and confidently.

Cybersecurity, by nature, can present stressful situations in response to threats or attacks. In those circumstances, it’s important to be able to seek out and review a lot of information, summarize it and then deliver findings in a comprehensive, polished way.

Specific to attack surface management, I’d elaborate on the ability to effectively communicate to a variety of teams and levels within the organization. Vulnerability findings may point you to a less technical application owner within the business, and it’s imperative to convey the security risk and next steps in a digestible format. Other times, you’ll need to deliver metric reports to business leaders with a different focus and set of requirements.

Additionally, attack surface management requires working with various remediation teams to address specific findings. You’re also regularly working with different teams within cybersecurity, such as incident response, security architecture and GRC. It’s helpful to learn who’s responsible for specific areas of the business in order to effectively work with appropriate teams.

Any parting thoughts or final advice to someone interested in your type of role?

Attack surface management utilizes a lot of open-source intelligence data that is readily available online. I’d recommend checking out Zero Day Initiative, Internet Storm Center, CISA’s Known Exploited Vulnerabilities Catalog, the OWASP Risk Rating Methodology and the NIST Cybersecurity Framework to learn more about what goes into the role. There are also community editions available from tools like Qualys and Tenable, in addition to forums and online training certificate courses, all for free! It’s crucial to stay on top of industry innovations and cybersecurity news.

I’d also advise someone to not be overwhelmed by the breadth of topics related to attack surface management. Operational knowledge across multiple domains such as cloud computing, penetration testing, security architecture, security compliance, networking, operating system and application level patching and web application security is all very useful, but you don’t need to be an expert in every area when starting out.

I’ve learned a lot from mentors and coworkers on different teams, in addition to seeking out information on my own. Every time you come across something new, there’s an opportunity to learn even more. Don’t be afraid to ask questions or admit that you need additional information to gain a better understanding. We’ve all been there! I’d also advise women to not get discouraged by being the only female at the table, in the room or on the team. The gender disparity in cybersecurity is improving but still very much exists, and it’s important that we continue to challenge it together.
