Attack Surface Management

What is Attack Surface Management?

Attack surface management (ASM) is the continuous identification, assessment, and remediation of potential attack vectors that make up an organization’s attack surface.

Attack service management is performed from the perspective of a hacker. With attack surface management, asset risk is assessed based on the likelihood of attackability on the part of an attacker. ASM is often performed by “ethical hackers,” who are familiar with cyber tactics and can simulate an attack from the mindset of a hacker. 

Why Organizations are Turning to Attack Surface Management

Cloud adoption, digital transformation, and the expansion of remote work have made the average company’s digital footprint and attack surface larger, more distributed, and more dynamic, with new assets connecting to the network daily.

Traditional attack management, risk assessment, and vulnerability management processes, which were developed when corporate networks were more stable and centralized, can‘t keep up with the speed at which new vulnerabilities and attack vectors arise in today’s networks.

Penetration testing, for example, can test for suspected vulnerabilities in known assets, but it can’t help security teams identify new cyber risks and vulnerabilities that arise daily.

But ASM‘s continuous workflow, built from a hacker’s perspective, enables security teams to establish a proactive security posture in the face of a constantly growing and morphing attack surface. ASM solutions provide real-time visibility into vulnerabilities and attack vectors as they emerge. They process information from traditional risk assessment and vulnerability management tools for greater context when analyzing and prioritizing vulnerabilities. 

Gartner’s Insights on Attack Surface Management

Gartner’s 2022 and 2023 research on cybersecurity trends sheds light on shifting trends that underscore the importance of effective attack surface monitoring in today’s digital landscape for two consecutive years.

1. Gartner’s Cybersecurity Trends for 2022

Trend #1: Attack Surface Expansion 

Gartner’s analysis for 2022 puts “attack surface expansion” on the top of its list of cybersecurity threats. This shift in today’s work practices is marked by a 60% presence of remote knowledge workers. The trend also accompanies a significant surge in cloud adoption, interconnected supply chains, and the integration of cyber-physical systems. While these changes boost productivity, they expose organizations to novel and formidable attack management surfaces concurrently. Using various devices and increased dependence on public cloud services create many potential entry points for cyber threats. Hence the increased need for cyber attack surface management.

2. Gartner’s Top Cybersecurity Trends 2023

Trend 1: Threat Exposure Management

In a 2023 report on cyber security trends, Gartner acknowledged the growing complexity of the threat exposure on an ever-growing attack surface and the resulting fatigue among security professionals. As a result, managing attack surfaces and threat exposure is advocated as a necessary approach to security. The report emphasizes moving beyond traditional approaches like patching and vulnerability management and instead focusing on evaluating technology vulnerabilities and broader risk factors across the attack surface.

How Attack Surface Monitoring Works

ASM consists of four core processes:

• Asset discovery
• Classification and prioritization
• Remediation
• Monitoring

Again, because the size and shape of the digital attack surface change constantly, the processes are carried out continuously, and cyber attack surface management solutions automate these processes whenever possible. The goal is to ensure that the security team always has complete and current visibility and inventory of exposed assets and to facilitate response to the vulnerabilities and threats that present the greatest risk to the organization.

We’ll explain the four core processes below.

Asset Discovery

Cyber asset attack surface management tools continuously scan for and identify internet-facing hardware, software, and cloud assets that could act as entry points for a hacker or cybercriminal trying to attack an organization. These assets can include:

• Known Assets: All IT infrastructure and resources the organization is aware of and actively managing—routers, servers, company-issued or privately-owned devices, IoT devices, user directories, applications deployed on-premises and in the cloud, websites, and corporate databases.
  
• Unknown Assets: Unidentified assets using network resources without the IT or security team’s knowledge. Also known as Shadow IT, this category refers to hardware or software deployed on the network without official approval. This unfortunately very common asset category can take the form of a free font downloaded to a user‘s computer, personal websites, or cloud applications. Another important subcategory of this asset type is “Orphaned IT”. This refers to old software, websites, and devices no longer in use that has not been properly terminated. 

• Third-party or Vendor Assets: Assets that are part of the digital supply chain or that are owned by third-party partners. These include software-as-a-service (SaaS) applications, APIs, public cloud assets, or third-party services used within the organization’s web site.
  
• Malicious or Rogue Assets: Assets that are unlawfully controlled by threat actors to attack the organization. This is the malicious infrastructure that includes typo-squatted domains, phishing websites, impersonated assets, and command and control servers.  

Classification, Analysis, and Prioritization

Once assets are identified, they are classified, analyzed for vulnerabilities, and prioritized by “attackability.” Attackability refers to a measure of how likely hackers are to target a certain asset.

Assets are analyzed for any exposures that may put them at risk, the technical makeup of the exposures (e.g., misconfigurations, coding errors, missing patches), and the type of attacks hackers may be able to exploit by taking advantage of these exposures.

The next step is to prioritize which vulnerabilities should be remediated and in which order. Ris prioritization is essentially a risk assessment process, where each vulnerability is given a security rating or score based on various input factors. 

Remediation

Vulnerabilities are remediated in order of priority. This can involve:

• Implementing appropriate security controls for vulnerable assets. This includes processes like updating software or applying operating system patches, debugging dirty code, and implementing stronger data protection policies.
  
• Setting security standards for Shadow IT, terminating already unused orphaned IT assets, and getting rid of rogue assets.

Remediation can also involve broader measures that address overall security and bolster vulnerable assets across the organization’s infrastructure. Implementing least-privileged access or multi-factor authentication would be an example of this type of vulnerability remediation.

Monitoring

Continuous attack surface monitoring means ongoing monitoring of an organization’s IT infrastructure and all digital assets. Because the attack surface is in a constant state of change, continuous monitoring helps you maintain control over vulnerability scanning, providing real-time visibility and feedback about the organization’s entire digital infrastructure. Timely alerts to security teams speed up the remediation process and minimize the attackability of your overall systems.