Guide to Attack Surface Management
What is an attack surface?
Before we dive into attack surface management, let’s first talk about what an attack surface is. According to NIST SP 800-160 Vol. 2 Rev. 1, the attack surface is "the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from." Understanding and managing your attack surface is crucial because it allows you to prioritize assets for vulnerability remediation, patching, and additional security controls. Despite the word "boundary" in the NIST definition, the attack surface is not limited to your organization's network perimeter. It should encompass every asset an attacker could reach, including assets reachable only by an insider or through social engineering of a legitimate user.
What is attack surface management?
Forrester defines attack surface management (ASM) as “the process of continuously discovering, identifying, inventorying, and assessing the exposures of an entity’s IT asset estate.” ASM identifies and manages the entry points, and the attack vectors that lead to them, that an attacker could use to breach an organization's defenses. This includes internet-facing assets as well as internal assets.
ASM assesses your infrastructure for vulnerabilities and identifies points where your infrastructure is exposed across the entire attack surface, whether the cyberattack originates from inside or outside the organization. The goal is to reduce your overall attack surface by identifying and mitigating vulnerabilities, strengthening security controls, and minimizing potential avenues of attack. By doing so, ASM helps organizations proactively defend against cyber threats and enhance their overall cybersecurity posture.
I’ve also heard about external attack surface management. What is that?
According to Gartner, "external attack surface management (EASM) refers to the processes, technology, and managed services deployed to discover internet-facing enterprise assets and systems and associated exposures, which include misconfigured public cloud services and servers, exposed enterprise data such as credentials, and third-party partner software code vulnerabilities that could be exploited by adversaries." EASM provides valuable risk prioritization, context, and actionable information through regular or continuous monitoring and discovery of external-facing assets and systems.
EASM covers only the external-facing part of your organization's attack surface: the assets and vulnerabilities accessible from outside the network perimeter. It assesses and manages risks associated with external attack vectors, such as phishing, web application vulnerabilities, exposed sensitive data, misconfigured cloud services, and other externally visible security issues. The goal is to shrink your external attack surface by identifying and mitigating the vulnerabilities and points of exposure that external threat actors could exploit.
What is the difference between attack surface management and external attack surface management?
EASM and ASM might sound similar but they have distinct focuses and scopes. EASM explicitly focuses on the assets that comprise the outer layer of your organization’s attack surface, such as those exposed to the internet or otherwise externally accessible. EASM builds a map of an organization’s attack surface by scanning from the outside to identify which parts of the infrastructure are exposed.
In contrast, ASM takes a more holistic approach when assessing an organization’s attack surface. This includes not just external-facing assets, but the entirety of your organization’s infrastructure. ASM looks at possible attacks, identifies the assets those attacks would target, and incorporates them into the overall attack surface management strategy, thereby providing a more comprehensive view of the organization’s security posture.
For a deeper dive into the differences between ASM and EASM, refer to our article: The Difference Between Attack Surface Management and External Attack Surface Management.
What about cyber asset attack surface management? What’s that?
Gartner defines cyber asset attack surface management (CAASM) as “focused on enabling security teams to overcome asset visibility and exposure challenges. It enables organizations to see all assets (internal and external), primarily through API integrations with existing tools, query consolidated data, [and] identify the scope of vulnerabilities and gaps in security controls. These tools then continuously monitor and analyze detected vulnerabilities to drill down the most critical threats to the business and prioritize necessary remediation and mitigation actions for improved cyber security."
In short, CAASM tools build a consolidated asset inventory, primarily by pulling data from the tools you already run (vulnerability scanners, EDR, CMDB, cloud provider APIs) rather than by scanning on their own, and then let you query that inventory to find assets with missing or failing security controls. These tools aim to identify, monitor, and manage the points of vulnerability and exposure across an organization's infrastructure so those weaknesses can be reduced, mitigated, and tracked over time.
Is attack surface management the same as cyber asset attack surface management?
The difference between CAASM and ASM depends on whom you ask, as the definitions are very similar and have been used interchangeably by vendors and in the broader market. However, a recent Gartner report states that EASM and CAASM are both elements of ASM, along with a capability called digital risk protection services (DRPS). This categorization would explain the overlap of capabilities between ASM and CAASM. As the largest analyst firm in the cybersecurity space, Gartner’s definition of ASM (which it proposes to rename attack surface assessment, or ASA) will likely be adopted by the wider market eventually, though how quickly remains to be seen.
Which Solution Is Better: ASM, EASM, or CAASM?
In the end, the division between ASM, EASM, and CAASM is academic, and many vendors use the terms interchangeably, or in ways that don’t align with the ‘official’ definitions. Ultimately, you’ll need to decide which ASM-related capabilities you need and evaluate potential vendors against those criteria.
Advantages of attack surface management
Reduce risk
Knowing your attack surface lets you proactively reduce risk by prioritizing vulnerabilities and strengthening defenses in critical areas.
Compliance and regulatory alignment
Maintaining an accurate inventory of the attack surface helps you demonstrate effective risk management practices and security controls. This allows you to meet compliance requirements and align with cybersecurity regulations.
Detect and respond to changes
Attack surface management involves continuous monitoring of your environment, so that security teams detect and respond to changes promptly: a new host appearing on the internet, a service opening on an existing host, a certificate or DNS record changing, or a newly disclosed vulnerability affecting an inventoried asset.
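The core of continuous monitoring is a diff between discovery snapshots, followed by triage of whatever appeared. The following is an added example, not code from the original article or from any ASM vendor; the two snapshots are constructed sample data in a hypothetical record format (one record per host, port and service observed from the internet), and the SERVICE_RISK policy is an illustrative assumption rather than a standard.

```python
"""Detect attack-surface changes between two external discovery snapshots.

Added example, not from the original article or any ASM product. The
snapshot records and the risk policy below are constructed for illustration.
"""
from collections import defaultdict

# Constructed snapshot from last week's external scan.
SNAPSHOT_T0 = [
    {"host": "www.example.com", "ip": "203.0.113.10", "port": 443, "service": "https"},
    {"host": "www.example.com", "ip": "203.0.113.10", "port": 80, "service": "http"},
    {"host": "vpn.example.com", "ip": "203.0.113.20", "port": 443, "service": "https"},
    {"host": "mail.example.com", "ip": "203.0.113.30", "port": 25, "service": "smtp"},
    {"host": "mail.example.com", "ip": "203.0.113.30", "port": 993, "service": "imaps"},
]

# Constructed snapshot from today: a forgotten staging host appeared with RDP
# and a database listener, the web host gained an admin interface, and the
# mail host no longer answers on IMAPS.
SNAPSHOT_T1 = [
    {"host": "www.example.com", "ip": "203.0.113.10", "port": 443, "service": "https"},
    {"host": "www.example.com", "ip": "203.0.113.10", "port": 80, "service": "http"},
    {"host": "www.example.com", "ip": "203.0.113.10", "port": 8443, "service": "https-admin"},
    {"host": "vpn.example.com", "ip": "203.0.113.20", "port": 443, "service": "https"},
    {"host": "mail.example.com", "ip": "203.0.113.30", "port": 25, "service": "smtp"},
    {"host": "staging-db.example.com", "ip": "203.0.113.40", "port": 3389, "service": "rdp"},
    {"host": "staging-db.example.com", "ip": "203.0.113.40", "port": 5432, "service": "postgresql"},
]

# Illustrative policy (an assumption, not a standard): management and database
# ports should rarely face the internet; alternate web ports deserve a look.
SERVICE_RISK = {
    "high": {21, 22, 23, 445, 1433, 1521, 3306, 3389, 5432, 5900, 6379, 9200, 27017},
    "medium": {8000, 8080, 8443, 8888},
}


def index(snapshot):
    """Turn a list of records into {host: {port: service}} for set arithmetic."""
    idx = defaultdict(dict)
    for rec in snapshot:
        idx[rec["host"]][rec["port"]] = rec["service"]
    return idx


def risk_for(port):
    """Map a port to the policy's risk level; anything unlisted is 'low'."""
    for level, ports in SERVICE_RISK.items():
        if port in ports:
            return level
    return "low"


def diff_snapshots(before, after):
    """Return hosts and host:port exposures added or removed between snapshots."""
    b, a = index(before), index(after)
    added_hosts = sorted(set(a) - set(b))
    removed_hosts = sorted(set(b) - set(a))
    added, removed = [], []
    for host, services in a.items():
        for port, service in services.items():
            if port not in b.get(host, {}):
                added.append({"host": host, "port": port, "service": service,
                              "new_host": host in added_hosts, "risk": risk_for(port)})
    for host, services in b.items():
        for port, service in services.items():
            if port not in a.get(host, {}):
                removed.append({"host": host, "port": port, "service": service})
    return {"added_hosts": added_hosts, "removed_hosts": removed_hosts,
            "added": added, "removed": removed}


def triage(delta):
    """Order new exposures: highest risk first, previously unknown hosts before known ones."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(delta["added"],
                  key=lambda f: (order[f["risk"]], not f["new_host"], f["host"], f["port"]))


if __name__ == "__main__":
    delta = diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)
    for f in triage(delta):
        tag = " (new host)" if f["new_host"] else ""
        print(f'[{f["risk"].upper():6}] {f["host"]}:{f["port"]} {f["service"]}{tag}')
    for r in delta["removed"]:
        print(f'[GONE  ] {r["host"]}:{r["port"]} {r["service"]}')
```

Removed exposures are reported as well, not just additions: a listener that silently disappears may be an intentional decommission or an outage, and either way the inventory should record it. In a real pipeline the port-based policy would be replaced or supplemented by asset criticality, so that an unexpected listener on a host backing a revenue-critical function outranks the same port on a lab box.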
Incident response preparedness
Knowing your attack surface allows you to proactively create incident response plans. It provides security teams with actionable insights into potential attack vectors and critical assets that may be targeted during cyber incidents.
Business continuity and resilience
By proactively managing and reducing the attack surface, you can enhance your overall cybersecurity resilience and ensure continuity of operations, even in the face of cyber threats and attacks.
Disadvantages of attack surface management
Complex and resource-intensive
Implementing and managing attack surface management solutions can be complex, requiring specialized skills and resources to configure, maintain, and interpret the data effectively. It requires significant resources, including time, personnel, and financial investment, to conduct thorough scans, analyze results, and implement remediation measures. Scanning activities can also disrupt normal business operations.
Alert fatigue
Attack surface management tools generate large volumes of data, which can overwhelm security teams and make it difficult to prioritize and address vulnerabilities effectively, leading to analysis paralysis or decision-making delays. Like any security tool, attack surface management solutions may generate false positives or false negatives, leading to wasted time and effort investigating non-existent threats or overlooking critical vulnerabilities.
Limited visibility and scalability issues
Attack surface management tools may not provide complete coverage of an organization's entire infrastructure, particularly in complex or rapidly changing environments, leading to blind spots and gaps in security. As your organization grows and expands its digital footprint, scalability can become an issue, leading to performance degradation or further limitations in coverage.
Integration challenges
Integrating attack surface management platforms with existing security infrastructure and workflows can be challenging, requiring coordination with other security tools and processes to ensure seamless operation and effectiveness.
Privacy Concerns
Scanning and collecting data for attack surface management may raise privacy concerns: discovery data can include personal data, credentials found in exposed files, or traffic metadata about individual users. Define what is collected, who can see it, and how long it is retained before the program goes live.
How Redjack Improves Your ASM Solution
Using an ASM solution, your organization can proactively reduce exposure to potential threats, strengthen its security posture, and enhance overall resilience against cyberattacks. However, legacy ASM tools rely on API integrations with existing tools to build a map of your infrastructure, which can leave large parts of the environment unseen. They also have a broad, generic focus that leaves cybersecurity teams struggling to prioritize their efforts effectively.
The Redjack cyber resilience platform uses software-based network sensors to collect communications data and discover and inventory all connected assets within your organization's network. Unlike legacy asset inventory solutions that rely on ingesting asset data from disparate sources, the Redjack platform provides a comprehensive view of your entire network, including assets that are often overlooked by traditional ASM solutions.
The Redjack cyber resilience platform also maps the dependencies between assets and critical business functions—the core activities essential for smooth operations and revenue generation. Using this data, the platform assigns criticality scores to assets, ranking them according to the risk they pose to business continuity if compromised. This additional context from Redjack allows you to prioritize your efforts and resources where they will have the greatest impact on your organization, enhancing your ASM solution’s capabilities.
Contact us to learn how Redjack has been helping the CISOs of the world's largest corporations and government agencies improve their cyber resilience.