What is Attack Surface Management ?

5 min. read

Attack Surface Management (ASM) is the process of continuously identifying, monitoring and managing all internet-connected assets, both internal and external, for potential attack vectors, exposures and risks.

Attack Surface Management is based on the understanding that you cannot secure what you don’t know about. As such, the key is to ensure your organization has a comprehensive and continuously updated inventory of all internet-facing assets and the risks associated with them.

Being able to create a complete system of record like this requires a new line of thinking, because network perimeters are a thing of the past, so the traditional view of an organization’s attack surface no longer applies. A modern attack surface is made up of any internet-facing asset whether in the cloud, on premises, or co-located in multiple places.

Between multi-cloud, private and public clouds, inheriting assets via mergers and acquisitions (M&A), and access from supply chain partners and remote workers, it’s impossible for IT experts to keep track of all assets and the people responsible for them via manual methods.

Traditionally, asset inventories have been generated with slow, manual, and infrequent processes, including red team exercises or penetration tests. Unfortunately, modern infrastructure, especially that in the cloud, can change in an instant. All it takes for a new cloud instance to be created outside of security processes is an employee with a credit card.

Additionally, the quality of data in an asset inventory directly impacts the efficacy of all security processes. Vulnerability scanners that are only checking known assets means unknown assets cannot be secured. These unknown assets are a direct threat.

A recent MIT Technology Review Insights survey found that 50% of organizations had experienced a cyberattack on an unknown or unmanaged asset, and another 19% expected to.

The Speed and Scale of the Internet

Unknown assets will be found and targeted by malicious actors because they are simply looking for easy targets. Attackers have undergone their own digital transformation and can scan the entire internet for vulnerable systems in less than an hour. This means a defender’s mean time to inventory (MTTI) all assets on their attack surface needs to be fast.

According to research by Cortex Xpanse, threat actors scan to inventory vulnerable internet assets once per hour and even more frequently—in 15 minutes or less—following CVE disclosures. Meanwhile, global enterprises need 12 hours, on average, to find vulnerable systems, and that assumes the enterprise knows about all assets on its network.

Attack Surface Management takes all of this into account to provide a continuously updated and complete inventory of all assets—including IP addresses, domains, certificates, cloud infrastructure and physical systems—connected to an organization’s network and maps who in the organization is responsible for each asset.

ASM must work at the speed and scale of the internet to continuously discover, identify and mitigate risks across all public-facing assets, whether they are on-prem, in the cloud or operated by subsidiaries and critical suppliers. It must also scan from the outside-in and not rely on asset inventories or logs from other security products because those may also be incomplete. Externally scanning ensures all assets known and unknown are accounted for and this data can inform security processes.

In its 2021 Hype Cycle for Security Operations, Gartner discussed how looking at exposure through the lens of external Attack Surface Management can provide “better enrichment for organizations to decide what really matters to them -- without having to look at the threat landscape in a more general way and wonder if they are affected.”

Cortex Xpanse from Palo Alto Networks

Enterprises have no way to fully map their external attack surface--yet this is exactly where attackers explore to execute cyber attack campaigns. External attack surface vulnerabilities and exposures multiply due to the evolution of modern IT infrastructure with digital transformation, remote work, and increased cloud assets.

Xpanse is an automated Attack Surface Management platform that provides a complete and accurate inventory of an organization’s global internet-facing assets and misconfigurations to continuously discover, evaluate, and mitigate attack surface risks, flag risky communications, evaluate supplier risk, or assess the security of acquired companies.

Xpanse helps customers identify RDP, Telnet, shadow IT, asset sprawl, stale IP records, asset expiration, cryptographic weakness in certificates, dangling DNS, co-located cloud assets, vulnerable devices, and exposures in the consumer IT space due to remote/mobile employees.

This data can be used in conjunction with many other security products, including the wider Palo Alto Networks suite. With Cortex Xpanse and Prisma Cloud, all unmanaged cloud assets discovered by Xpanse can be brought under control with Prisma Cloud. Additionally, with Cortex Xpanse and XSOAR, all newly discovered assets or changes to assets can trigger automated processes vis XSOAR to ensure speedy remediation.