What is attack surface management and why is it necessary?
Attack surface management approaches security from the attacker's perspective. Learn how ASM can help better secure your organization's assets and resources.
Attack surface management (ASM) is the continuous discovery, inventory, classification and monitoring of an organization's IT infrastructure.
The term might sound similar to asset discovery and asset management, but ASM approaches these and other security tasks from an attacker's perspective. The aim is to cover every asset an attacker could reach: assets accessible from within the organization, assets exposed to the internet and assets hosted in suppliers' infrastructures.
ASM encompasses the following:
- Secure or insecure assets.
- Known or unknown assets.
- Shadow IT.
- Active or inactive assets.
- Managed and unmanaged devices.
- Hardware.
- Software.
- SaaS.
- Cloud assets and resources.
- IoT devices.
- Vendor-managed assets.
Why organizations need attack surface management
The attack surface is a sprawling landscape -- even for smaller organizations -- so ensuring its security is paramount. However, attack surfaces constantly change, especially as many assets today are distributed across the cloud. The COVID-19 pandemic and work-from-home wave also increased the number of external assets and targets security teams must protect. Attackers, meanwhile, automate their reconnaissance tools to probe and analyze external attack surfaces, an evaluation many security teams never fully complete themselves.
To counter these challenges, organizations must achieve complete visibility and continuous monitoring to remove or manage vulnerabilities and other cyber-risks before threat actors find them. Attack surface management can help organizations do this.
How ASM works
ASM works by identifying all the assets connected to an organization's IT infrastructure and analyzing how they are interconnected and whether those connections provide an entry point that could be exploited to gain access to key resources on the network. Mitigations are then deployed to protect vulnerable assets and connections. The four key processes are as follows:
- Asset discovery. Scans for and identifies internet-facing hardware, software and cloud assets that could act as entry points for cybercriminals wanting to attack an organization, creating an asset inventory for the security team.
- Asset prioritization. Assets are prioritized based on how likely hackers are to target them, the potential impact were they to be compromised and whether this could lead to the compromise of other assets. The results direct the next process: remediation.
- Remediation. This process not only includes applying missing security controls such as updates, patches or stronger encryption, but also removing rogue and orphaned assets, applying security policies to previously unknown assets, and ensuring subsidiary and third-party assets meet the organization's cybersecurity standards and policies.
- Monitoring. It's essential to detect and assess new security vulnerabilities and attack vectors in real time and know when assets change so security teams can be alerted if necessary.
Due to the constant changes that occur in modern IT environments, ASM offerings try to automate and visualize all these processes as much as possible so they can be run continuously to ensure security teams always have a complete and up-to-date inventory of exposed assets.
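To make the four processes concrete, here is an added Python example that is not code from the original article or from any ASM product. It runs discovery, prioritization and monitoring over constructed data: a hypothetical CMDB (what the organization believes it owns), a hypothetical external-scan result (what an attacker would see) and a hypothetical connectivity graph used to estimate how many other hosts an entry point can reach. The host names, scoring weights and graph edges are all assumptions chosen for illustration; remediation is left to the reader because it is an action on the real environment, not a computation.

```python
"""Toy ASM pipeline over constructed data: discovery (merge sources),
prioritization (exposure + blast radius) and monitoring (snapshot diff)."""
from collections import deque

# Constructed CMDB records: the assets the organization knows about.
CMDB = {
    "www.example.test": {"owner": "web-team", "internet_facing": True,
                         "services": {443: "nginx 1.24"}},
    "vpn.example.test": {"owner": "netops", "internet_facing": True,
                         "services": {443: "openvpn 2.6"}},
    "db01.internal":    {"owner": "dba", "internet_facing": False,
                         "services": {5432: "postgres 15"}},
}

# Constructed external-scan observations: what answered from the internet.
# staging.example.test is absent from the CMDB, i.e. shadow IT.
OBSERVED = {
    "www.example.test":     {"services": {443: "nginx 1.24", 22: "openssh 9.3"}},
    "vpn.example.test":     {"services": {443: "openvpn 2.6"}},
    "staging.example.test": {"services": {8080: "tomcat 8.5"}},
}

# Constructed connectivity graph (hypothetical firewall rules / flow logs):
# host -> hosts it can open connections to.
EDGES = {
    "www.example.test":     ["db01.internal"],
    "vpn.example.test":     ["db01.internal", "www.example.test"],
    "staging.example.test": ["db01.internal"],
    "db01.internal":        [],
}


def discover(cmdb, observed):
    """Merge known and observed assets; anything observed but not in the CMDB
    is marked known=False and has no owner."""
    inventory = {}
    for name, rec in cmdb.items():
        inventory[name] = {"owner": rec["owner"], "internet_facing": rec["internet_facing"],
                           "services": dict(rec["services"]), "known": True}
    for name, rec in observed.items():
        entry = inventory.setdefault(name, {"owner": None, "internet_facing": True,
                                            "services": {}, "known": False})
        entry["internet_facing"] = True          # it answered an external scan
        entry["services"].update(rec["services"])
    return inventory


def reachable(graph, start):
    """Set of hosts reachable from `start` (breadth-first), excluding start."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def prioritize(inventory, graph):
    """Rank assets by a simple additive score (weights are assumptions):
    exposure, unknown/orphaned status, blast radius and exposed admin ports."""
    scored = []
    for name, a in inventory.items():
        score = 0
        if a["internet_facing"]:
            score += 3
        if not a["known"]:
            score += 4                            # nobody is patching it
        if a["owner"] is None:
            score += 2                            # nobody to page about it
        score += len(reachable(graph, name))      # each downstream host adds risk
        if 22 in a["services"] and a["internet_facing"]:
            score += 2                            # SSH exposed to the internet
        scored.append((score, name))
    return sorted(scored, reverse=True)


def diff_snapshots(old, new):
    """Monitoring step: compare two scan snapshots and report what changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in set(old) & set(new)
                     if old[n]["services"] != new[n]["services"])
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    inv = discover(CMDB, OBSERVED)
    for score, name in prioritize(inv, EDGES):
        print(f"{score:2d}  {name}  known={inv[name]['known']}")
    # Constructed later snapshot: staging is gone, a new API host has appeared.
    later = {k: v for k, v in OBSERVED.items() if k != "staging.example.test"}
    later["api.example.test"] = {"services": {443: "envoy 1.28"}}
    print(diff_snapshots(OBSERVED, later))
```

With this data the unknown staging host ranks first even though it runs a single service, because it is internet-facing, has no owner and can reach the database; the internal database itself scores zero because nothing external reaches it directly. In a real deployment the CMDB, scan results and graph would come from your asset sources and the weights would be tuned to the business impact of each asset, but the shape of the pipeline is the same.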
How ASM defeats attackers
ASM realigns security thinking from that of a defender to that of an attacker. This puts security teams in a better position to prioritize areas of the attack surface.
Penetration testing and red teams provide insight into an attacker's viewpoint, but their reconnaissance and attacks are normally run in a controlled environment or against a specific aspect of the IT environment. Such exercises are still worthwhile, but because most environments change and expand constantly, vulnerabilities go unnoticed and assets remain untested between engagements.
Shadow IT, for example, has been viewed as a major security risk for more than five years. Eliminating these unknown assets is essential to mitigating threats.
Security teams must move faster than attackers when vulnerabilities and exploits are disclosed. This is only possible if the attack surface is mapped out on a continuous basis. With ASM, enterprises can quickly shut down shadow IT assets, unknown and orphaned apps, exposed databases and APIs, and other potential entry points to mitigate any vulnerabilities that arise.
Security strategies have always centered around the protection, classification and identification of digital assets. ASM automates these activities and covers assets outside the scope of traditional mapping, firewall and endpoint protection controls. ASM tools provide real-time attack surface analysis and vulnerability management to prevent security control failures and reduce the risk of data breaches. The objective is to find high-risk assets and check for possible attack vectors, including the following:
- Weak passwords.
- Outdated, unknown or unpatched software.
- Encryption issues.
- Misconfigurations.
The difference between ASM and vulnerability management
The goal of attack surface management is to discover all of an organization's digital assets and services and map how they are interconnected so their exposure to attack can be minimized, thus reducing the overall attack surface. Vulnerability management is far more limited in scope, using automated tools to identify, prioritize and remediate known vulnerabilities in a specific application or network service, such as a web app or a mission-critical business process. ASM is more infrastructure-based, covering both hardware and software; discovering known and unknown assets is a crucial step in reducing the ways in which a system can be attacked.
Understanding how assets connect can reveal unforeseen attack paths and entry points. Closing down these paths might require major changes to the design and configuration of various aspects of the IT environment, whereas the results of vulnerability scans and a vulnerability assessment will usually only necessitate a round of software updates or patches.
ASM and vulnerability management should be used together to improve the overall security posture of an organization's IT infrastructure: ASM to minimize and harden the attack surface, and vulnerability management to identify and mitigate the vulnerabilities within it.
Features of ASM tools
Attack surface management offerings are available as SaaS, cloud-based and managed services. These products and services automatically discover the external assets attackers can see and evaluate them against commercial, open source and proprietary threat intelligence feeds to generate security ratings and risk scoring for an organization's overall security posture. ASM reports are useful for nontechnical stakeholders, senior management, potential partners and clients.
The continuous monitoring features of ASM tools generate real-time information on the organization's overall risk profile, as well as individual risks within the infrastructure. Some ASM systems search the dark web for credentials exposed in third-party data breaches and enable other security tools to be integrated via APIs. Other ASM tools combine threat ratings with business value and impact to evaluate the effectiveness of existing security controls to help prioritize vulnerabilities and assets for remediation. ASM tools might offer additional useful features that let security teams monitor changes in the attack surface and see potential improvements in security from remediating a risk or set of risks.
Security teams today require constant funding to ensure they have the skills and resources to prevent and reduce risks. Enterprises have vast attack surfaces. As such, ASM is becoming popular with CIOs, CTOs, chief information security officers and security professionals as it lets them monitor and reduce their attack surface. No wonder Gartner has cited continuous attack surface management as a top strategic technology trend for 2024.
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry.