What is Attack Surface Management?
Attack surface management (ASM) is the continuous identification, assessment, and remediation of potential attack vectors that make up an organization’s attack surface.
Attack surface management is performed from the perspective of an attacker: asset risk is assessed by how likely an attacker is to reach an asset and how easily it could be exploited. ASM is often carried out by “ethical hackers,” who are familiar with adversary tactics and can evaluate the environment the way an attacker would.

Why Organizations are Turning to Attack Surface Management
Cloud adoption, digital transformation, and the expansion of remote work have made the average company’s digital footprint and attack surface larger, more distributed, and more dynamic, with new assets connecting to the network daily.
Traditional asset management, risk assessment, and vulnerability management processes, which were developed when corporate networks were more stable and centralized, can’t keep up with the speed at which new vulnerabilities and attack vectors arise in today’s networks.
Penetration testing, for example, can test for suspected vulnerabilities in known assets, but a point-in-time test can’t identify the new risks, assets, and vulnerabilities that appear between engagements.
ASM’s continuous workflow, built from an attacker’s perspective, enables security teams to establish a proactive security posture in the face of a constantly growing and changing attack surface. ASM solutions provide real-time visibility into vulnerabilities and attack vectors as they emerge, and they ingest information from traditional risk assessment and vulnerability management tools for greater context when analyzing and prioritizing vulnerabilities.
How Attack Surface Management Works
ASM consists of four core processes:
- Asset discovery
- Classification and prioritization
- Remediation
- Monitoring
Again, because the size and shape of the digital attack surface change constantly, the processes are carried out continuously, and cyber attack surface management solutions automate these processes whenever possible. The goal is to ensure that the security team always has complete and current visibility and inventory of exposed assets and to facilitate response to the vulnerabilities and threats that present the greatest risk to the organization.
We’ll explain the four core processes below.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
Asset Discovery
Cyber asset attack surface management tools continuously scan for and identify internet-facing hardware, software, and cloud assets that could act as entry points for a hacker or cybercriminal trying to attack an organization. These assets can include:
- Known Assets: All IT infrastructure and resources the organization is aware of and actively managing—routers, servers, company-issued or privately-owned devices, IoT devices, user directories, applications deployed on-premises and in the cloud, websites, and corporate databases.
- Unknown Assets: Assets using network resources without the IT or security team’s knowledge. Also known as Shadow IT, this category covers hardware or software deployed without official approval, from a free font installed on a user’s computer to personal websites or unsanctioned cloud applications, and it is unfortunately very common. An important subcategory is “Orphaned IT”: old software, websites, and devices that are no longer in use but were never properly decommissioned.
- Third-party or Vendor Assets: Assets that are part of the digital supply chain or owned by third-party partners, such as software-as-a-service (SaaS) applications, APIs, public cloud assets, and third-party services embedded in the organization’s website.
- Malicious or Rogue Assets: Infrastructure created or taken over by threat actors to attack the organization, such as typo-squatted domains, phishing websites, assets that impersonate the organization’s brand, and command-and-control servers.
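The categories above are the output of a reconciliation step: every host a discovery run turns up is compared with what the organization already knows it owns, sanctions, or has decommissioned. The block below is an added example of that triage in Python; it is not Centraleyes code or any product’s logic. The inventory, vendor list, owned domain, discovered hosts, the one-year staleness rule and the edit-distance threshold are constructed assumptions, and the “last two labels” domain extraction is a simplification (a real tool would use the Public Suffix List so that names under co.uk and similar suffixes are handled).

```python
"""Reconcile an external-scan snapshot against the asset inventory.

Added example, not code from Centraleyes or any ASM product. The inventory,
vendor list, owned domains and discovered hosts below are constructed sample
data; a real ASM pipeline would pull them from a CMDB, cloud provider APIs,
DNS / certificate-transparency feeds and internet-wide scans.
"""
from __future__ import annotations
from datetime import date

# Constructed inventory of assets the organization knows about. A missing
# owner or a stale CMDB record is treated as a sign of orphaned IT.
KNOWN_ASSETS = {
    "www.example.com": {"owner": "web-team", "cmdb_updated": date(2024, 5, 1)},
    "vpn.example.com": {"owner": "netops", "cmdb_updated": date(2024, 5, 1)},
    "legacy-portal.example.com": {"owner": None, "cmdb_updated": date(2021, 2, 1)},
}
# Constructed list of sanctioned third-party / SaaS hostnames.
VENDOR_HOSTS = {"example.zendesk.com", "cdn.vendor-cdn.net"}
# Registrable domains the organization actually owns (used to spot lookalikes).
OWNED_DOMAINS = {"example.com"}
STALE_AFTER_DAYS = 365       # assumption: a CMDB record older than a year is suspect
LOOKALIKE_MAX_DISTANCE = 1   # raise to 2 to catch transpositions (exampel.com), at the cost of false positives


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' extraction; use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> bool:
    """True for typo-squats (examp1e.com) and same-name/different-TLD domains (example.co)."""
    reg = registrable_domain(host)
    if reg in OWNED_DOMAINS or "." not in reg:
        return False
    sld, tld = reg.split(".", 1)
    for owned in OWNED_DOMAINS:
        own_sld, own_tld = owned.split(".", 1)
        if sld == own_sld and tld != own_tld:
            return True
        if levenshtein(sld, own_sld) <= LOOKALIKE_MAX_DISTANCE:
            return True
    return False


def classify(host: str, today: date = date(2024, 6, 1)) -> str:
    """Map a discovered host to one of the ASM asset categories."""
    host = host.lower()
    if host in KNOWN_ASSETS:
        rec = KNOWN_ASSETS[host]
        stale = (today - rec["cmdb_updated"]).days > STALE_AFTER_DAYS
        return "orphaned" if rec["owner"] is None or stale else "known"
    if host in VENDOR_HOSTS:
        return "third_party"
    if registrable_domain(host) in OWNED_DOMAINS:
        return "unknown"      # our domain, not in inventory: shadow IT
    if is_lookalike(host):
        return "rogue"
    return "unrelated"        # someone else's asset; out of scope


def triage(discovered: list[str]) -> dict[str, list[str]]:
    """Group a discovery run's hosts by category, ready for the prioritization step."""
    buckets: dict[str, list[str]] = {}
    for host in discovered:
        buckets.setdefault(classify(host), []).append(host)
    return {k: sorted(v) for k, v in sorted(buckets.items())}


# Constructed output of a discovery run (DNS brute force, CT logs, passive DNS).
DISCOVERED = [
    "www.example.com", "vpn.example.com", "legacy-portal.example.com",
    "dev-api.example.com", "example.zendesk.com", "examp1e.com",
    "login.example.co", "github.com",
]

if __name__ == "__main__":
    for category, hosts in triage(DISCOVERED).items():
        print(f"{category:12s} {', '.join(hosts)}")
```

The order of the checks matters: a sanctioned vendor host such as example.zendesk.com must be recognized before the lookalike test, and anything under an owned domain that is absent from the inventory is shadow IT rather than a rogue asset. The distance threshold is the main tuning knob; a threshold of 2 would also flag legitimate names such as sample.com, so in practice the rogue bucket is reviewed by a person before takedown requests go out.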
Classification, Analysis, and Prioritization
Once assets are identified, they are classified, analyzed for vulnerabilities, and prioritized by “attackability.” Attackability is a measure of how likely an attacker is to target a given asset and how easily it could be compromised.
Assets are analyzed for any exposures that may put them at risk, the technical makeup of those exposures (e.g., misconfigurations, coding errors, missing patches), and the types of attack the exposures would enable.
The next step is to prioritize which vulnerabilities should be remediated and in which order. Risk prioritization is essentially a risk assessment process, where each vulnerability is given a security rating or score based on input factors such as its severity, whether a working exploit is publicly known, how exposed the asset is, and how critical the asset is to the business.
Remediation
Vulnerabilities are remediated in order of priority. This can involve:
- Implementing appropriate security controls for vulnerable assets. This includes updating software or applying operating system patches, fixing insecure code, and implementing stronger data protection policies.
- Setting security standards for Shadow IT, terminating already unused orphaned IT assets, and getting rid of rogue assets.
Remediation can also involve broader measures that address overall security and bolster vulnerable assets across the organization’s infrastructure. Implementing least-privileged access or multi-factor authentication would be an example of this type of vulnerability remediation.
Monitoring
Continuous attack surface monitoring means ongoing observation of an organization’s IT infrastructure and all of its digital assets. Because the attack surface is in a constant state of change, continuous monitoring catches new assets and new exposures as they appear rather than at the next scheduled scan, giving the security team real-time visibility into the organization’s entire digital infrastructure. Timely alerts speed up remediation and shrink the window during which an exposure is attackable.
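As an added example that is not part of the original page or any Centraleyes product, the block below puts the prioritization and monitoring steps together in Python: each finding gets an attackability score from its severity, whether a public exploit exists, whether authentication is needed to reach it, and the business criticality of the asset, and two scan snapshots are then diffed so that only new, high-scoring exposures raise alerts. The weights, the criticality table, the alert threshold and both snapshots are constructed for illustration.

```python
"""Score findings by attackability and alert on what changed between two scans.

Added example, not Centraleyes code. The weighting scheme, the criticality
table, the threshold and both scan snapshots are constructed; real ASM tools
derive these from CVSS data, known-exploited-vulnerability feeds, business
context and their own scan history.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    issue: str            # short description of the exposure
    cvss: float           # base severity, 0-10
    exploit_public: bool  # exploit code or in-the-wild exploitation is known
    auth_required: bool   # attacker needs valid credentials to reach the flaw


# Constructed business criticality per asset, 1 (low) to 5 (crown jewel).
# Assets missing from the table (e.g. freshly discovered shadow IT) default to 3.
ASSET_CRITICALITY = {"vpn.example.com": 5, "www.example.com": 4, "dev-api.example.com": 2}


def attackability(f: Finding) -> float:
    """Severity adjusted by how easy and how attractive the finding is for an attacker."""
    score = f.cvss
    score += 2.0 if f.exploit_public else 0.0      # weaponised: attackers will go here first
    score += 1.0 if not f.auth_required else 0.0   # reachable by anyone on the internet
    score += ASSET_CRITICALITY.get(f.host, 3) - 3  # -2 .. +2 for business impact
    return round(max(0.0, min(score, 10.0)), 1)


def key(f: Finding) -> tuple[str, int, str]:
    """Identity of a finding across scans: same host, port and issue."""
    return (f.host, f.port, f.issue)


def diff_snapshots(previous: list[Finding], current: list[Finding]):
    """New findings (highest attackability first), resolved findings, newly seen hosts."""
    prev = {key(f): f for f in previous}
    cur = {key(f): f for f in current}
    new = sorted((cur[k] for k in cur.keys() - prev.keys()), key=attackability, reverse=True)
    resolved = [prev[k] for k in prev.keys() - cur.keys()]
    new_hosts = sorted({f.host for f in current} - {f.host for f in previous})
    return new, resolved, new_hosts


def alerts(previous: list[Finding], current: list[Finding], threshold: float = 7.0):
    """What the monitoring loop pages on: new findings at or above the threshold."""
    new, _, _ = diff_snapshots(previous, current)
    return [(attackability(f), f.host, f.port, f.issue) for f in new if attackability(f) >= threshold]


# Constructed scan snapshots: yesterday's and today's.
YESTERDAY = [
    Finding("www.example.com", 443, "TLS 1.0 still enabled", 5.3, False, False),
    Finding("vpn.example.com", 443, "admin interface on public IP", 6.5, False, True),
]
TODAY = [
    Finding("vpn.example.com", 443, "admin interface on public IP", 6.5, False, True),
    Finding("vpn.example.com", 443, "missing vendor patch for publicly exploited bug", 9.8, True, False),
    Finding("dev-api.example.com", 8080, "debug endpoint exposed without authentication", 7.5, False, False),
]

if __name__ == "__main__":
    for score, host, port, issue in alerts(YESTERDAY, TODAY):
        print(f"[{score:4.1f}] {host}:{port} {issue}")
```

Diffing on (host, port, issue) rather than re-alerting on every scan is what keeps a continuous process from drowning the team in repeats: the still-open VPN admin interface is not re-raised, the resolved TLS finding is reported as closed, and the newly appeared dev-api host shows up both as a new host and, because it needs no authentication, as an alert even though its owner and criticality are not yet known.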