
What is Attack Surface Management?

Harold Bell

Key Takeaway

Attack surface management refers to the process of identifying, assessing, and managing the potential vulnerabilities in an organization’s technology infrastructure. It involves analyzing and understanding all possible entry points that attackers could exploit, such as network devices, applications, APIs, and user access points.

Attack Surface Management (ASM) is one of those concepts in IT and cybersecurity that most of us understand intuitively but might have trouble accurately explaining. ASM refers to an area of practice, realized by specialized toolsets, that focuses on identifying where an organization is vulnerable to cyber threats—its attack surfaces—and then working to minimize the resulting risk exposure. This article fleshes out this definition and offers insights into why ASM is an important practice to adopt.  

What is an attack surface?

Understanding ASM requires first being conversant with the idea of an attack surface. The general definition, “a place where you can get attacked,” is a helpful start, but a better way to understand attack surfaces is to see them as networks of digital assets that a hacker can leverage to mount a successful cyberattack. For example, an organization’s on-premises servers comprise an attack surface. A malicious actor can probe the servers until he finds a vulnerable spot, such as an unpatched operating system, and exploit it to breach the server—and anything connected to it. 

The attack surface is a metaphor, the physicalizing of a virtual space. It turns the server operating systems, which are disembodied bits of code, into the image of a physical surface that can be cracked open. Cloud-hosted digital assets, shared networks, software-as-a-service (SaaS) applications, and more should all be included in your survey of your attack surface. Endpoints should also be accounted for: if a hacker can take over an endpoint, he can usually jump from there into the network.

What is attack surface management (ASM)?

Attack surface management refers to a set of processes, typically enabled by a dedicated solution, whose goal is to reduce the vulnerabilities of an organization’s attack surfaces. Specifically, ASM involves continuous discovery of attack surface weaknesses, monitoring of threat vectors, evaluation of potential attack surface risks, and remediation of those risks. ASM builds on IT asset discovery solutions and “IT hygiene” practices, but differs from them in that it typically approaches the issue from the point of view of the attacker, not the defender.

How ASM works

There are typically four core ASM processes: discovery of assets, classification and prioritization of exposed assets, remediation, and monitoring. Attack surfaces are constantly changing, so it is a best practice to run these processes continuously. Doing that efficiently means automating as many of them as possible.

  • Discover assets—This process involves automated scanning of infrastructure and identification of the digital assets that can be part of an attack surface. This might mean internet-facing software or hardware, as well as cloud assets, any one of which could be the place where an attacker successfully breaches the organization’s defenses. The discovery process should span known and unknown assets. Indeed, some of the most serious attack surface risks emerge from assets that were not previously known, e.g., an old endpoint that no one realized was still connected to the network. The process should also be thorough, encompassing PCs and mobile devices, user directories, databases, and so forth. In addition, it is a good practice to scan third-party assets, such as vendor application programming interfaces (APIs) that allow access to users from outside the organization.
  • Classify, evaluate, and prioritize assets—ASM needs to classify digital assets and point out vulnerabilities that expose the organization to risk. This should then be followed by an evaluation of the risk and a prioritization of its remediation. For instance, if an application contains open-source code that’s been exploited for “supply chain” attacks elsewhere, that application should be given a high priority for remediation, especially if it’s connected to sensitive data. Successful evaluation and prioritization therefore depend on awareness of threats, which might come from integration with a threat intelligence resource, as well as knowledge of the connectivity between digital assets.
  • Remediate vulnerabilities—The process of remediation depends on the nature of the vulnerability. Some organizations plan on the assumption that a breach will occur, while others focus on reducing the possibility of one. For example, if data is vulnerable to breach, then encryption might be the remediation. In some cases, remediation might just involve retiring an asset that’s no longer needed, or applying security controls, such as endpoint hardening.
  • Monitor assets—ASM never stops, or at least it shouldn’t. As IT requirements shift, causing new assets to come online and others to become obsolete, and as new configurations take hold, it is essential to monitor attack surfaces on a continuous basis, always looking for new problems that can expose the organization to attack.
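The four steps above, reduced to a small working model: a scan is compared against the known inventory to surface unknown assets, each asset is scored using the page’s own prioritization signals (internet exposure, third-party access, unmanaged status, an exploited open-source component, connectivity to sensitive data), and two scans are diffed to monitor for change. This is an added illustration, not Noname Security’s code; the asset names, the `KNOWN_INVENTORY` set, the `EXPLOITED_COMPONENTS` feed and the scoring weights are all constructed assumptions.

```python
# Toy ASM pipeline: discover, classify/prioritise, monitor. Added example,
# not Noname Security's code; every asset, inventory entry and threat-intel
# value below is constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    third_party: bool = False     # e.g. a vendor API reachable from outside
    components: tuple = ()        # software found on the asset
    sensitive_data: bool = False  # connected to sensitive data

KNOWN_INVENTORY = {"web-01", "api-gw", "hr-db", "laptop-42"}  # constructed CMDB
EXPLOITED_COMPONENTS = {"log-lib-1.0"}  # constructed threat-intel feed

def discover(scan):
    """Discovery: scanned names absent from the inventory (unknown assets)."""
    return {a.name for a in scan if a.name not in KNOWN_INVENTORY}

def risk_score(asset, unknown_names):
    """Prioritisation: illustrative weights; higher means remediate sooner."""
    score = 3 if asset.internet_facing else 0
    score += 1 if asset.third_party else 0
    score += 2 if asset.name in unknown_names else 0  # unmanaged asset
    score += 4 if any(c in EXPLOITED_COMPONENTS for c in asset.components) else 0
    score += 2 if asset.sensitive_data else 0
    return score

def prioritize(scan):
    """Order the scan by risk, highest first (stable order for ties)."""
    unknown_names = discover(scan)
    return sorted(scan, key=lambda a: -risk_score(a, unknown_names))

def monitor(previous, current):
    """Monitoring: names that appeared or vanished between two scans."""
    before, after = {a.name for a in previous}, {a.name for a in current}
    return sorted(after - before), sorted(before - after)

# Constructed scans: the second one finds two assets nobody had inventoried.
SCAN_1 = (
    Asset("web-01", True, components=("log-lib-1.0",), sensitive_data=True),
    Asset("api-gw", True),
    Asset("hr-db", False, sensitive_data=True),
    Asset("laptop-42", False),
)
SCAN_2 = SCAN_1 + (
    Asset("vendor-api", True, third_party=True),
    Asset("old-printer", False),  # forgotten but still connected
)
```

Running `prioritize(SCAN_2)` puts the internet-facing server with the exploited component and sensitive data first, then the unknown third-party API, and `monitor(SCAN_1, SCAN_2)` reports the two newly discovered assets.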

Why is attack surface management important?

ASM deserves attention and investment because it helps build a stronger overall security posture. In contrast to point solutions, which may do well in a specific area but miss the bigger picture of vulnerability, ASM enables organizations to monitor their attack surfaces using fully up-to-date inventories of assets and then prioritize remediation to achieve the highest level of risk mitigation.

A 2022 industry analyst report, sponsored by the ASM vendor Randori, backs up this contention. According to the research, 70% of organizations suffered an attack on a surface that contained an unknown, unmanaged, or poorly managed asset in the previous year. Even so, the analysts found that the average organization takes more than 80 hours to get an accurate read on an attack surface. It was perhaps for these reasons that external attack surface management was the top investment priority for large enterprises last year, according to the report.

Benefits of attack surface management

Done right, ASM provides a range of benefits. The most compelling is an improvement in an organization’s level of cyber defense: fewer attacks, fewer breaches, fewer alerts to manage, and so on. Automated discovery, analysis, and remediation deliver the further benefit of streamlining the entire security process. Security managers and their partners in IT get prioritized lists of problems that need attention, rather than identifying issues for remediation on a piecemeal basis. The discovery process can also reveal previously undetected “shadow IT” efforts, which create risk exposure.

Conclusion

Every organization has attack surfaces. Some are bigger than others, but no matter how extensive the exposure, there is risk to be mitigated across all attack surfaces. ASM offers an automated, effective way to accomplish this goal. By automatically scanning and inventorying digital assets that comprise attack surfaces, and then analyzing and prioritizing vulnerabilities, ASM gives security managers an organized, coherent way to reduce attack surface risks. With automated remediation, followed up by continuous monitoring, ASM gives security managers a way to stay on top of risks in constantly changing attack surfaces. 

Harold Bell

Harold Bell was the Director of Content Marketing at Noname Security. He has over a decade of experience in the IT industry with leading organizations such as Cisco, Nutanix, and Rubrik, and has been featured as an executive ghostwriter in Forbes Technology Council and Hacker News.
