What Is Attack Surface Management?

Attack Surface Management (ASM) is the process of continuously identifying, monitoring and managing all internal and external internet-connected assets for potential attack vectors and exposures.

What Is an Attack Surface?

An attack surface is the total number of entry points, vulnerabilities and weaknesses an adversary can exploit to gain unauthorized access to a system or network—the more entry points in a system or network, the larger its attack surface. The ultimate goal in attack surface management is to increase attack surface visibility and reduce risk.

Known Assets

Known digital assets are devices, systems and applications that an organization's security teams are aware of and have authorized to connect to its network. These assets are included in an organization's inventory and are subject to regular security assessments and monitoring.

Unknown Assets

Unknown digital assets are the opposite: Devices, systems and applications that an organization and its security teams are unaware of and have not authorized in the network. These can include shadow IT, unauthorized devices, ransomware or unmanaged applications. Unknown assets pose a significant risk to an organization's security as they can provide potential weaknesses in cybersecurity.

Rogue Assets

Like unknown digital assets, rogue digital assets are connected to a network without authorization. However, rogue assets refer to known assets that are unauthorized or pose a security risk.

In contrast, unknown assets are unidentified or undiscovered assets within a network or system that may have been authorized but forgotten. They are typically used to gain unauthorized access to an organization's network or data. Rogue assets can be challenging to detect and manage as they are not included in an organization's inventory or security controls.

Vendors

Vendors can pose a significant risk to an organization's security as they may introduce vulnerabilities or weaknesses into an organization's network or data. Organizations must carefully manage and monitor their relationships with vendors to minimize the risk of cyberattacks. Management can include regular security assessments, contractual requirements for security, and ongoing monitoring and risk management. In the case of attack surface management, vendors can consist of software vendors, cloud service providers and other third-party service providers.

Why Is Attack Surface Management (ASM) Important?

You can’t secure what you don’t know. Attack surface management helps organizations gain visibility into and reduce risks on their attack surface. Internal and external attack surface management are both necessary due to the dynamic nature of organizations pursuing a move to the cloud.

Organizations can reduce the risk of cyberattacks and data breaches by minimizing the number of entry points and vulnerabilities in their systems and networks. Minimization ensures your organization has a comprehensive and continuously updated inventory of all internet-facing assets and associated risks.

Creating a complete system of record like this requires a new line of thinking because network perimeters are a thing of the past, so the traditional view of an organization’s attack surface no longer applies. A modern attack surface comprises any internet-facing asset in the cloud, on-premises or colocated in multiple places.

Between multi-cloud, private cloud and public cloud environments, assets inherited via mergers and acquisitions (M&A), and access from supply chain partners and remote workers, it’s impossible for IT experts to keep track of all assets and the people responsible for them via manual methods.

Traditionally, asset inventories have been generated with slow, manual, and infrequent processes, including red team exercises or penetration tests. Unfortunately, modern infrastructure, especially in the cloud, can change instantly. All it takes for a new cloud instance to be created outside of security processes is an employee with a credit card. This is one of the most common ways an attack surface grows.

Additionally, the quality of data in an asset inventory directly impacts the efficacy of all security processes. Vulnerability scanners that only check known assets mean unknown assets cannot be secured. These unknown assets are a direct threat and let control slip from the hands of security teams.

An MIT Technology Review Insights survey found that 50% of organizations had experienced a cyberattack on an unknown or unmanaged asset, and another 19% expected an imminent incident.

The Speed and Scale of the Internet

Malicious actors will find and target unknown assets because they are simply looking for easy targets. Attackers have undergone their own digital transformation and can scan the entire internet for vulnerable systems in less than an hour. This means a defender’s mean time to inventory (MTTI) of all assets on their attack surface needs to be faster than an attacker can stumble on them.

According to research by Cortex Xpanse, threat actors scan to inventory vulnerable internet-facing internal assets once per hour and even more frequently—in 15 minutes or less—following CVE disclosures. Meanwhile, on average, global enterprises need 12 hours to find vulnerable systems, assuming the enterprise knows about all assets on its network.

Attack surface management considers all of this to provide a continuously updated and complete inventory of all assets—including IP addresses, domains, certificates, cloud infrastructure and physical systems—connected to an organization’s network, and maps who in the organization is responsible for each asset.

ASM must work at the speed and scale of the ever-growing IoT to continuously discover, identify, and mitigate risks across all public-facing assets, whether on-premises, in the cloud, or operated by subsidiaries and critical suppliers. It must also scan from the outside in and not rely on asset inventories or logs from other security products, because those may be incomplete. External scanning ensures all known and unknown assets are accounted for, and this data can inform security processes.

In its 2021 Hype Cycle for Security Operations, Gartner discussed how looking at exposure through the lens of external attack surface management can provide “better enrichment for organizations to decide what matters to them—without having to look at the threat landscape in a more general way and wonder if they are affected.”

How Does Attack Surface Management Protect from Cyberattacks?

Attack surface management protects against cyberattacks by providing organizations with comprehensive views of their internal and external attack surface, including all entry points, vulnerabilities and potential attack vectors. This allows organizations to identify and address security weaknesses before attackers can exploit them. Attack surface management includes several core functions, including asset discovery, vulnerability assessment, threat modeling and risk management:

  • Asset discovery involves identifying all the devices and systems connected to an organization's network.
  • Vulnerability assessment involves identifying known vulnerabilities or weaknesses in these devices and systems.
  • Threat prioritization involves identifying potentially exposed systems and devices and developing mitigation strategies.

Core Functions of Attack Surface Management (ASM)

An attack surface management solution should utilize five core functions to protect against vulnerabilities. By performing these core functions, organizations can gain a comprehensive view of their attack surface, identify vulnerabilities and weaknesses, prioritize their efforts, and reduce the risk of cyberattacks and data breaches.

Discovery

During discovery, the organization and its security teams conduct scans, review logs, and use other tools to discover both known and unknown assets. The goal is to identify all the assets, systems, applications and entry points within an organization's network.

Mapping

Once all of the assets have been identified, the next step is to ensure that assets are automatically mapped to individual business units and subsidiaries and integrated with existing SOC tools for faster owner identification and enrichment to resolve incidents.
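The discovery and mapping steps above can be pictured as a reconciliation between what an outside-in scan finds and what the inventory already records. The following is an added illustration, not code from this page or from any product it mentions; the networks, zones, business-unit names and scan results are all constructed, and the three status labels are assumptions made for the example.

```python
import ipaddress

# Constructed inventory: networks and DNS zones the security team knows about,
# each mapped to the business unit that owns it (all names hypothetical).
INVENTORY_NETS = {
    "203.0.113.0/24": "corp-it",
    "203.0.113.128/25": "payments",
    "198.51.100.0/28": "subsidiary-eu",
}
INVENTORY_ZONES = {"example.com": "corp-it", "pay.example.com": "payments"}

# Constructed output of an outside-in scan: (ip, hostname or cert name, service).
DISCOVERED = [
    ("203.0.113.10", "vpn.example.com", "https"),
    ("203.0.113.200", "api.pay.example.com", "https"),
    ("192.0.2.44", "staging.example.com", "rdp"),
    ("192.0.2.77", "demo.example.net", "ssh"),
]

def owner_by_ip(ip):
    """Longest-prefix match of ip against the inventoried networks."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, owner in INVENTORY_NETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, owner)
    return best[1] if best else None

def owner_by_name(hostname):
    """Owner of the most specific inventoried zone the hostname falls under."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in INVENTORY_ZONES:
            return INVENTORY_ZONES[zone]
    return None

def reconcile(discovered):
    """known: IP is inventoried; unknown: our name on an off-inventory IP;
    unattributed: nothing ties it to an owner, so it needs manual review."""
    report = []
    for ip, name, service in discovered:
        ip_owner, name_owner = owner_by_ip(ip), owner_by_name(name)
        status = "known" if ip_owner else "unknown" if name_owner else "unattributed"
        report.append({"ip": ip, "name": name, "service": service,
                       "status": status, "owner": ip_owner or name_owner})
    return report
```

Findings with status "unknown" are the ones that matter most here: they carry the organization's name but sit outside every inventoried network, so the owner derived from the DNS zone is the first contact for triage.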

Context

Contextualizing helps organizations prioritize and focus their resources on the greatest risk and impact areas. The discovered assets and vulnerabilities must have context for effective attack surface management. This involves analyzing the assets and vulnerabilities in the context of an organization's specific risk profile, compliance requirements and business objectives.

Prioritization

The vulnerabilities and assets must be prioritized in order of importance based on their risk and potential impact, including factors such as the likelihood of exploitation, the potential impact of an attack, and the difficulty of remediation. This helps organizations and security teams focus their resources on addressing the most critical vulnerabilities first.

Remediation

Once vulnerabilities or weaknesses in an organization's network, systems or applications have been identified, they must be fixed. The goal of remediation is to reduce or eliminate the risk of potential cyberattacks or data breaches that may exploit these vulnerabilities.

Depending on the nature and severity of the vulnerability, remediation can happen in a few different ways. It may involve patching or updating software, configuring firewalls or other security controls, restricting access to certain assets, or decommissioning obsolete systems or applications. Remediation must be ongoing to ensure the vulnerability doesn’t recur and isn’t reintroduced.

How to Mitigate Attack Surface Risks?

Organizations, and specifically CISOs, should utilize internal and external attack surface management solutions to mitigate risks. This includes taking steps to:

  • Reduce the number of entry points into their systems and networks.
  • Identify and patch vulnerabilities in their systems and applications.
  • Implement strong authentication and access controls to limit access to sensitive data and systems.
  • Monitor their systems and networks for unusual activity or suspicious behavior.
  • Regularly review and update their security policies and procedures to ensure they are up to date with the latest threats and best practices.

Attack Surface Management (ASM) FAQs

This depends on several factors, including the size of the organization, the complexity of the attack surface, and the level of risk. Ideally, attack surface management should be performed continuously rather than seasonally.

Prioritizing vulnerabilities for remediation depends on the organization's attack surface, the level of risk, and exploitability. Organizations should consider prioritizing according to severity rating, the chance of exploitability, impact on business, and which assets are most critical to the organization if compromised.

Organizations can do this in several ways:

  • Evaluate the percentage of vulnerabilities remediated over a given period to track the progress of the program.
  • Determine the time it takes to remediate vulnerabilities to identify areas for improvement in the remediation process.
  • Calculate the reduction in risk associated with the attack surface to demonstrate the program's impact on reducing the risk of cyberattacks.
  • Assess the organization's compliance with relevant industry standards and regulations to ensure that the program is meeting the required standards.

Organizations must take a proactive and continuous approach to asset discovery and management, as discussed above. By implementing a proactive approach, organizations can effectively manage the risks associated with unknown and unmanaged digital assets in their attack surface.