Attack Surface Management: A Guide
What is Attack Surface Management?
Attack Surface Management (ASM) is the continuous discovery, inventory, classification, prioritization, and security monitoring of the assets that make up an organization’s attack surface. The attack surface is the set of entry points through which an unauthorized user or attacker could get in or pull data out. External ASM covers the internet-facing digital assets (hardware, software, SaaS apps, and cloud resources) that sit outside the firewall and that attackers can and will discover as they scan the threat landscape for vulnerable organizations.
ASM may seem similar to asset discovery and asset management, but it also takes the attacker’s strategy into account: what can be found and reached from the outside. As far back as 2018, Gartner urged security leaders to start reducing, monitoring, and managing their attack surface as part of a holistic cybersecurity risk management program.
What are the key components of Attack Surface Management?
More specifically, attack surface management covers:
- Secure or insecure assets
- Known or unknown assets
- Shadow IT
- Active or inactive assets
- Managed and unmanaged devices
- Cloud assets and resources
- IoT devices
- Vendor-managed assets
Why do I need an Attack Surface Management strategy?
A strategy has become especially important for organizations of all sizes since the COVID-19 pandemic began, when working from home increased the number of external assets security teams need to protect.
The attack surface continues to grow, and attackers continue to up their game, using more sophisticated and automated tools to examine external attack surfaces. Automated reconnaissance, for example, maps an organization’s attack surface from the outside in, often giving attackers a clearer picture of the exposure than the organization itself has.
The most effective defense is an ASM approach that gives security teams the same continuous, outside-in visibility, so they can monitor their infrastructure constantly and find and close security gaps before attackers can strike.
With an effective ASM approach it becomes easier to detect misconfigurations in a firewall, operating system, or website settings. It also surfaces outdated or unsupported software and hardware, weak or default credentials on exposed logins, and the kinds of exposed services that ransomware operators and commodity malware routinely target.
Be forewarned that discovering, classifying, and managing an organization’s entire asset portfolio is not a simple task. For that reason, most organizations don’t do it. In fact, only 9% believe they actively monitor their entire attack surface. The highest percentage (29%) reported actively monitoring between 75% and 89% of the attack surface while many monitor even less. Disturbingly, most organizations have lots of internet-facing assets they aren’t even aware of.
Discovery of the attack surface takes more than 80 hours at 43% of organizations, and most organizations perform ASM discovery either once a week, twice per month, or monthly. This leaves gaps due to moves, adds, and changes happening to support cloud-native applications, remote workers, and third-party connections.
Even when discovery efforts are put in place to gather the data, security professionals must still put in the time to analyze it, prioritize vulnerabilities, and work with IT operations on risk mitigation. That’s when the nitty-gritty ASM work begins.
The tactical way to approach Attack Surface Management
Because attackers automate their reconnaissance, it is a good idea to limit your public-facing surface through asset management, defensive boundaries, and intelligent patching. A good way to stay on top of the most critical attack vectors is a five-step approach:
- Asset discovery. You can’t manage something if you don’t know it exists. Unlike legacy tools and processes, a more modern approach to attack surface management requires using the same reconnaissance techniques attackers use.
- Continuous testing. Testing the attack surface once is not enough, since organizations constantly add devices, users, workloads, and services. Each addition can introduce new risk, so the attack surface must be tested continuously for all possible attack vectors.
- Gain context. Information such as the IP address, device type, whether the asset is currently in use, its purpose, its owner, its connections to other assets, and the vulnerabilities it may contain are the ingredients of an effective attack surface management approach.
- Prioritize. Once all potential attack vectors have been identified, security teams can then figure out where to focus their efforts. To do this, they should consider how easily something can be discovered and exploited and how difficult it will be to remediate, as well as the business context. This will help rank and address the most urgent risks.
- Remediate. Once the attack surface has been fully mapped and prioritized, remediation teams can start using tools to help eliminate threats.
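The five steps above, run end to end on constructed data, as an added example in Python that is not part of the original article and not any vendor's product. It also exercises the asset categories listed earlier (known and unknown, active and inactive, managed, unmanaged and vendor-managed). It assumes crt.sh-shaped Certificate Transparency records as the discovery source, a small CMDB as the inventory, and hand-written DNS and port-scan observations in place of live lookups; the hostnames, IPs and scoring weights are illustrative assumptions, not a standard.

```python
"""Reconcile attacker-view discovery with an internal inventory, then rank.
Added example, not code from the original article. All data is constructed
(example.com, documentation IP ranges) and the weights are assumptions."""
from dataclasses import dataclass, field
from typing import Optional
ROOT = "example.com"
# Step 1 input: constructed CT log entries, crt.sh-shaped (name_value may hold several SANs).
CT_ENTRIES = [
    {"name_value": "example.com\nwww.example.com"},
    {"name_value": "*.example.com"},                   # wildcard: not a host
    {"name_value": "vpn.example.com"},
    {"name_value": "staging-old.example.com"},         # forgotten staging box
    {"name_value": "ci.example.com"},                  # CI server nobody registered
    {"name_value": "shop.example.com"},                # vendor-hosted storefront
    {"name_value": "Mail.Example.COM."},               # mixed case, trailing dot
    {"name_value": "example.com.evil-lookalike.net"},  # not under our root
]
# Constructed DNS results; None means the name no longer resolves (inactive).
DNS = {"example.com": "203.0.113.10", "www.example.com": "203.0.113.10",
       "vpn.example.com": "203.0.113.20", "staging-old.example.com": "203.0.113.30",
       "ci.example.com": "203.0.113.40", "shop.example.com": "198.51.100.5",
       "mail.example.com": None}
# Constructed scan observations per IP: what an external scan sees, not claims about CVEs.
SERVICES = {
    "203.0.113.10": [{"port": 443, "proto": "https", "admin_ui": False, "tls": True}],
    "203.0.113.20": [{"port": 443, "proto": "https", "admin_ui": True, "tls": True}],
    "203.0.113.30": [{"port": 80, "proto": "http", "admin_ui": True, "tls": False},
                     {"port": 22, "proto": "ssh", "admin_ui": False, "tls": False}],
    "203.0.113.40": [{"port": 8080, "proto": "http", "admin_ui": True, "tls": False}],
    "198.51.100.5": [{"port": 443, "proto": "https", "admin_ui": False, "tls": True}],
}
# Constructed CMDB: what the organization believes it owns (criticality 1-3).
INVENTORY = {
    "example.com": {"owner": "web-team", "criticality": 3, "managed": True},
    "www.example.com": {"owner": "web-team", "criticality": 3, "managed": True},
    "vpn.example.com": {"owner": "netops", "criticality": 3, "managed": True},
    "shop.example.com": {"owner": "ecom", "criticality": 3, "managed": False, "vendor": "ShopCo"},
}

@dataclass
class Asset:
    host: str
    ip: Optional[str]
    known: bool            # present in the CMDB?
    active: bool           # still resolves?
    management: str        # managed | unmanaged | vendor-managed | unknown
    owner: Optional[str]
    criticality: int
    services: list = field(default_factory=list)
    score: int = 0
    reasons: list = field(default_factory=list)

def hostnames_from_ct(entries, root):
    """Step 1 (discovery): CT SANs -> candidate hosts under root; wildcards skipped."""
    hosts = set()
    for entry in entries:
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower().rstrip(".")
            # A wildcard cert does not say which hosts exist, so it adds nothing.
            if not name.startswith("*.") and (name == root or name.endswith("." + root)):
                hosts.add(name)
    return hosts

def classify(host, inventory, dns, services):
    """Steps 1-3: join the attacker's view against the CMDB and attach context."""
    rec, ip = inventory.get(host), dns.get(host)
    if rec is None:  # shadow IT: no owner, so treat as critical until triaged
        management, owner, crit = "unknown", None, 3
    else:
        management = ("vendor-managed" if rec.get("vendor")
                      else "managed" if rec["managed"] else "unmanaged")
        owner, crit = rec["owner"], rec["criticality"]
    return Asset(host, ip, rec is not None, ip is not None, management, owner, crit,
                 services.get(ip, []) if ip else [])

def prioritize(asset):
    """Step 4: discoverability + exploitability signals + remediation friction + criticality."""
    if not asset.active:
        asset.reasons = ["does not resolve: candidate for inventory clean-up"]
        return asset  # score stays 0; nothing is reachable
    signals = [(True, 1, "resolves publicly")]
    for svc in asset.services:
        signals.append((svc["admin_ui"], 3, f"admin UI on {svc['port']}"))
        signals.append((svc["proto"] == "http" and not svc["tls"], 1, f"plaintext http on {svc['port']}"))
    signals.append((not asset.known, 2, "not in inventory: no owner to patch it"))
    signals.append((asset.management == "vendor-managed", 1, "vendor-managed: fix needs a third party"))
    hits = [(w, why) for ok, w, why in signals if ok]
    asset.score = sum(w for w, _ in hits) + asset.criticality
    asset.reasons = [why for _, why in hits]
    return asset

def build_report(entries=CT_ENTRIES, inventory=INVENTORY, dns=DNS, services=SERVICES, root=ROOT):
    """Steps 1-4 end to end; step 5 (remediate) starts at the top of this list."""
    assets = [prioritize(classify(h, inventory, dns, services))
              for h in sorted(hostnames_from_ct(entries, root))]
    return sorted(assets, key=lambda a: a.score, reverse=True)

if __name__ == "__main__":
    for a in build_report():
        print(f"{a.score:2d}  {a.host:26s} {a.management:15s} {'; '.join(a.reasons)}")
```

Run it and the two hosts nobody registered (the old staging box and the CI server) come out on top, ahead of the VPN concentrator the team already knows about, which is the point of joining attacker-view discovery against the inventory rather than scanning only what the CMDB lists. The name that no longer resolves drops to the bottom as an inventory clean-up item, and the vendor-hosted storefront carries a small penalty because remediation there depends on a third party. In practice the constructed dictionaries would be replaced by live CT queries, DNS resolution and a scanner's output, and the whole pipeline would run on a schedule rather than weekly or monthly.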
What type of tools assist with Attack Surface Management?
Often, security teams uncover pieces of information using a number of different tools, and this helps trigger the ASM process. ESG research indicates that 41% of organizations use threat intelligence sources, 40% rely on IT asset management systems, 33% leverage cloud security monitoring solutions, and 29% rely on vulnerability management. Someone still has to gather this data, correlate it, and make sense of it.
Some ASM systems search the dark web for credentials exposed in third-party data breaches and integrate with other security tools via APIs. Others evaluate how effective existing security controls are by combining threat ratings with business value and impact, which helps with prioritization. Many also track changes in the attack surface over time and show how remediating a single risk, or a group of related risks, improves the overall security posture.
A number of factors make a compelling case for why attack surface management needs to be a top investment priority in 2022: the rise in working from home and the increased usage of cloud applications, coupled with expanding attack surfaces and so many organizations experiencing compromises.
A solid ASM strategy also requires that security teams maintain fully updated asset inventories. Organizations need to fight back and that requires systems that provide visibility while automating, centralizing, and accurately monitoring external assets.