A critical part of an organization’s overall cybersecurity strategy, Attack Surface Management (ASM) helps organizations to:
- Proactively manage vulnerabilities of IT assets
- Reduce the risks of cyberattacks
This article describes what ASM is, including why it is needed and how it works. At the end, I’ll discuss how software solutions can automate attack surface management.
What is an attack surface?
An organization’s attack surface is the sum of all the digital, physical and external IT assets, shared networks and other entry points that are exposed to cyberattacks. This can include:
- Physical assets such as on-premises hardware: interconnected workstations, servers, network devices like routers and switches, and mobile devices. Physical assets include any exploitable device employees use to do their jobs.
- Digital assets, meaning assets in cloud environments such as cloud-hosted applications and databases, cloud servers and workloads, etc.
- External assets, including applications and services provided by an external vendor that collects and processes the organization’s data.
- Shared networks, meaning networks shared with other companies.
- Social media, which provides potential entry points exposed to social engineering attacks like phishing and scams.
An organization’s attack surface is dynamic, evolving with time. For example, your organization may keep adding new devices and networks according to business requirements, or you may switch to cloud services entirely. All these changes reshape your organization’s attack surface, often expanding the “surface” that is attackable and complicating it, too. You also have to pay attention to emerging technologies. Have you considered what ChatGPT means for the security of your organization?
Organizations must continuously monitor all IT assets and assess whether any vulnerabilities exist within them that allow cybercriminals to execute attacks.
(Explore threat hunting and threat detection, more cyber approaches.)
What is Attack Surface Management (ASM)?
Attack surface management (ASM) is the continuous monitoring and analysis of an organization's attack surface for potential vulnerabilities and attack vectors, combined with remedial measures to address them.
ASM is a distinctive approach to enhancing an organization's security posture because it involves seeing things from an attacker's perspective rather than your own. Therefore, it uses techniques, tools and technologies similar to those attackers use. Because of that, organizations may hire ethical hackers who understand attackers' behavior and have the skills to mimic it when designing and developing ASM tasks.
ASM includes regularly monitoring and evaluating an organization's IT assets to check for vulnerabilities that would let cyber attackers invade its networks and systems. Examples include:
- Traditional penetration testing by ethical hackers
- Regular vulnerability scans
- Ongoing monitoring of IT infrastructure
- Routine threat modeling to discover and analyze potential security threats or attacks to an application, network or system
ASM helps ensure that an organization's security measures remain effective in the face of developing cyber threats. So, we can say that ASM is a proactive approach to strengthening an organization's cyber resilience.
The 4-step lifecycle of Attack Surface Management
ASM includes four key steps: Asset Discovery, Analysis, Risk Prioritization, and Remediation. Let’s understand in detail what each step involves.
1. Asset discovery
Asset discovery is identifying all the IT assets an organization uses and operates. As described above, this includes mapping all digital, physical and external IT assets, shared networks, and social media entry points. It also includes unknown assets, or assets not in any inventory: software and hardware devices used in the organization without official approval, personal mobile devices used for business communication, and orphaned assets, meaning software and devices that are no longer in use but were never properly decommissioned.
This core step provides real-time visibility into an organization's devices, networks and systems. Modern ASM solutions automate the discovery of IT assets so that you can always maintain an up-to-date list.
(See how CMDBs support asset discovery.)
2. Vulnerability analysis
Once the relevant IT assets have been identified, the next step is creating an inventory of those assets, categorizing them and recording identifying information. Examples include:
- The owner information
- IP addresses
- The purpose of and where the asset is in use
- The connection with other devices
- Installed software
Collecting such data helps organizations assess the severity of the cyber risks these assets can introduce to the business. This data keeps changing; for example, the ownership of an asset can change frequently. Therefore, this phase typically involves continuously monitoring assets and testing the attack surface to keep the inventory updated.
The next step is analyzing the assets to discover their potential vulnerabilities or attack vectors. Examples are:
- Open network ports that are exposed to cyberattacks, such as RDP ports
- Misconfigurations that would allow malicious traffic to enter a network
- Missing software patches
- Exposed passwords like database credentials written in plaintext in configuration files
- Coding errors and incorrect input validation that can lead to cyberattacks
Finally, you can analyze these vulnerabilities to identify what kinds of attacks might be possible by exploiting them: random attacks, DDoS attacks, phishing attacks, etc.
(Read our vulnerability management explainer.)
3. Risk prioritization
The next task of ASM is prioritizing remediation efforts for those vulnerabilities. Not all security vulnerabilities have the same business priority — or can be fixed immediately. So, it’s vital to decide the most important risks the security team must address first and what can be addressed later.
In addition to traditional risk assessment methods like penetration testing, modern ASM solutions use several important factors to determine this priority order, such as:
- The ease or complexity of remediating a given vulnerability.
- The attacker’s priority. Attackers exploit vulnerabilities that help them gain the maximum benefit.
- How easy it is to exploit. Some vulnerabilities may need special and expensive tactics to exploit, which narrows the field of attackers able to do so.
- Whether the asset has been exploited previously. If it has been exploited in a previous incident, remediation measures can be figured out quickly.
Based on these factors, ASM calculates security and risk scores for the identified vulnerabilities to determine the priority order.
4. Remediation
Once the ASM solution has prioritized the risks posed to the organization, remedial measures are implemented to fix the issues. A complete ASM system has ways of handing this information over to security operations teams so that they can address the issues on time. With adequate and essential information in hand, the process becomes easier.
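As an added illustration (not code from this article or from any ASM product), here is a small Python model of steps 2 through 4: a constructed inventory holding the fields listed above, findings of the kinds listed above, a risk score built from the four prioritization factors plus network exposure, and a remediation tier to hand to the operations team. The weights, the tier thresholds, the host names and addresses, and the rule that a non-10.x address means internet-facing are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample inventory (hypothetical hosts on RFC 5737/1918 addresses) with the
# fields the article lists: owner, IP address, purpose, connections, installed software.
INVENTORY = {
    "app-01": {"owner": "web-team", "ip": "203.0.113.10", "purpose": "public web app",
               "connected_to": ["db-01"], "software": ["nginx 1.22"]},
    "db-01": {"owner": "data-platform", "ip": "10.0.2.15", "purpose": "customer database",
              "connected_to": ["app-01"], "software": ["postgresql 14.2"]},
    "kiosk-07": {"owner": "facilities", "ip": "10.0.9.40", "purpose": "lobby kiosk",
                 "connected_to": [], "software": ["windows 10"]},
}
@dataclass
class Finding:
    asset: str
    issue: str               # e.g. open RDP port, missing patch, plaintext credentials
    exploit_ease: int        # 1 = needs special, expensive tactics .. 5 = trivial
    attacker_value: int      # 1 .. 5: what an attacker gains by exploiting it
    remediation_effort: int  # 1 = quick fix .. 5 = complex change
    previously_exploited: bool = False
def is_public(asset: str) -> bool:
    """Constructed rule: anything outside 10.0.0.0/8 is treated as internet-facing."""
    return not INVENTORY[asset]["ip"].startswith("10.")
def exposure(asset: str) -> int:
    """3 for an internet-facing asset, 2 if it connects directly to one, else 1."""
    if is_public(asset):
        return 3
    return 2 if any(is_public(n) for n in INVENTORY[asset]["connected_to"]) else 1
def risk_score(f: Finding) -> int:
    """Weighted sum of the article's four factors plus exposure (weights are assumed)."""
    score = 3 * f.exploit_ease + 2 * f.attacker_value + 2 * exposure(f.asset)
    score += 5 - f.remediation_effort            # quick wins rank a little higher
    score += 2 if f.previously_exploited else 0  # known target; the fix is already understood
    return score
def prioritize(findings):
    """Return (asset, issue, score, tier) tuples, highest risk first."""
    rows = []
    for f in sorted(findings, key=risk_score, reverse=True):
        s = risk_score(f)
        tier = "immediate" if s >= 30 else "scheduled" if s >= 22 else "backlog"
        rows.append((f.asset, f.issue, s, tier))
    return rows

FINDINGS = [  # constructed findings, one per vulnerability type the article names
    Finding("app-01", "RDP port open to the internet", 5, 4, 1),
    Finding("db-01", "database credentials in plaintext config file", 3, 5, 2),
    Finding("kiosk-07", "missing OS security patch", 4, 2, 1, previously_exploited=True),
    Finding("app-01", "missing input validation in login form", 2, 3, 4),
]
if __name__ == "__main__":
    print(*prioritize(FINDINGS), sep="\n")
```

Note that the plaintext database credentials outrank the kiosk patch even though the kiosk is easier to exploit, because the database sits one hop from the internet-facing host and is worth more to an attacker.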
Benefits of Attack Surface Management
Now that we understand how ASM works, step by step, we can see the significance it offers organizations practicing it.
Reduce risks associated with rapidly expanding attack surfaces
With the expansion of remote working, organizations’ attack surfaces have widened considerably, introducing more devices, networks and connections: new opportunities for cyber attackers to design more sophisticated attacks.
IT researchers, including Gartner, have identified attack surface expansion as one of the top priorities in 2022, and we’re sure it isn’t going away just yet. Traditional cyber risk management approaches like periodic penetration testing are inadequate for the vulnerabilities of today’s continuously changing attack surfaces.
Help mitigate risks associated with cloud assets
Companies increasingly adopt cloud services, moving their infrastructure and data to cloud environments. Poor management of internet-facing assets and inadequate security mechanisms can introduce severe cybersecurity risks to organizations.
Proactively identify and eliminate new cyber threats
Since ASM harnesses the attacker’s perspective, organizations can discover even the most sophisticated threats that could go undetected by the most advanced security measures. This is a proactive approach rather than a reactive one that remediates security incidents only after they occur. This level of security helps companies build a good reputation and trust among their clients and employees.
Accelerate threat detection and response
Organizations use ASM tools that provide a complete overview and visibility of organizational IT assets with continuous monitoring. ASM software tools automate ASM tasks like asset discovery, vulnerability identification and remediation. These capabilities enable security teams to detect threats faster and act as fast as possible to remediate them.
Help reduce known vulnerabilities
ASM allows security teams to:
- Quickly identify outdated or unused devices.
- Discard them promptly before they become a reason for security incidents.
Automation also helps fix other known vulnerabilities like misconfigurations and unpatched software.
ASM software solutions
Speaking of automation, let’s now look at what makes for strong ASM software. Software for attack surface management is specifically designed to automate ASM tasks like asset monitoring, asset discovery and inventory formulation, vulnerability identification, risk scoring and security ratings, and remediation.
Today there are many ASM software solutions available. Knowing their capabilities helps you to evaluate and choose the right software that suits your organizational needs. Some key capabilities of modern ASM software solutions include the following:
- Providing a 360-degree view of the organizational attack surface. This also includes visibility across hybrid and multi-cloud environments like AWS, GCP and Microsoft Azure.
- Generating AI-driven reports and insights into organizations’ overall security posture.
- Tracking vulnerabilities in software purchased from third parties or vendors and providing insights into their security policies and practices.
- Automating asset discovery and monitoring, including vulnerable shadow IT assets.
- Monitoring compliance with applicable data privacy and security regulations by identifying compliance issues. Some software also provides alert configurations to send a notification whenever a breach occurs.
- Integrating with other security software to provide a comprehensive cybersecurity solution.
(See how Splunk offers end-to-end visibility & security solutions for attack surface management.)
No security without knowing the attack surface
With near-constant changes to organizations’ attack surfaces, ASM is a must-have cybersecurity strategy to identify known and unknown vulnerabilities of IT assets and promptly eliminate them. ASM identifies an organization's assets and maintains an inventory of them, including critical information. It then analyzes them to identify attack vectors and prioritizes those so that the most important cyber risks are addressed immediately.
ASM is important for organizations in many ways, such as to defend against threats in today's expanding attack surfaces, reduce risks of internet-facing cloud assets, identify sophisticated cyber threats and improve organizations’ overall security posture.