Attack surface management (ASM) is the discovery, assessment, and mitigation of threats to an organization’s IT ecosystem.
Attack surface management (ASM) is a cybersecurity approach that aims to help organizations become stronger in defending their data and systems by making threats more visible. It’s about knowing where risks exist, understanding their relative severity, and taking action to close security gaps related to people, processes, and technology.
ASM is a traditional cybersecurity approach that includes asset discovery and monitoring. It looks at potential threats the way an attacker would see them: as opportunities to breach an organization’s defenses and inflict financial, operational, or reputational harm.
The attack surface is the sum total of all ways an attacker might gain access to an organization’s network, data, or IT resources. It has three parts:
Attack surface management (ASM) is an essential element of cyber risk management, and together, they help organizations improve their cybersecurity situational awareness—proactively identifying, prioritizing, and mitigating threats.
Cyber risk management is an over-arching cybersecurity approach that goes beyond ASM, focusing on knowing and mitigating risks across the business. A good cyber risk management framework helps determine which risks are most relevant, supporting ‘risk-informed decision making’ to reduce overall threat exposure. That allows security teams to strengthen defenses, minimize vulnerabilities, and inform their organizations’ overall risk management and strategic planning processes.
External attack surface management (EASM) focuses specifically on the vulnerabilities and risks associated with outward-facing devices and systems including those connected to the internet. The internal attack surface, which may include on-premises equipment and partitioned resources, is not covered by EASM.
Why does ASM matter?
ASM has become extremely important because enterprise IT environments are more dynamic and interconnected than ever before, making the attack surface larger and more varied. Traditional asset discovery and monitoring approaches and single-purpose cybersecurity ‘point’ solutions can’t provide the full visibility, intelligence, or protection required. ASM, on the other hand, allows security teams to reduce the number of pathways into the enterprise IT ecosystem and gain a real-time view of emerging vulnerabilities and attack vectors.
What does ASM protect against?
ASM helps organizations defend against a wide range of threats, also known as ‘attack vectors’. These include but are not limited to:
How does ASM work?
ASM has three main phases: discovery, assessment, and mitigation. Because the attack surface is always changing, all three must be carried out continuously.
Discovery
The discovery phase defines the attack surface and all the assets that comprise it. The goal of discovery is to identify all known and unknown devices, software, systems, and access points that make up the attack surface—even including shadow IT apps, connected third-party technologies, and technologies that haven’t been part of previous inventories. While many solutions offer discovery as part of their ASM solution, you need to be discerning. Look for a solution that integrates compliance and cyber risk quantification, so that you get the complete risk picture beyond asset discovery and see true exposure. A continuous discovery process helps reveal how the attack surface may be changing over time.
Assessment
After discovery, security teams assess each asset for potential vulnerabilities—everything from misconfigurations and coding errors to social/human factors such as susceptibility to phishing schemes or business email compromise (BEC) attacks. Each risk is scored, allowing security teams to prioritize the ones that need to be addressed most urgently.
Risk scoring is generally based on level of risk, likelihood of attack, potential harms, and difficulty of remediation. It ideally will also account for global threat intelligence on which vulnerabilities are being exploited most often and most easily.
Example: If a piece of software gives access to sensitive data, is connected to the internet, and has a known vulnerability that’s already been exploited by real-world attackers, patching it will likely be a top priority.
Once all risks are scored, the total is tallied to provide an overall enterprise risk score. That allows the organization to benchmark and monitor its risk profile over time.
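The scoring, prioritization, and tally described above, as an added example that is not from the original page. The page names the factors but gives no formula, so the weights, field names, and sample findings below are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed likelihood points (sum to 100) and impact multiplier; not from the page.
BASE_POINTS = 10          # internal asset, no known exploitation
EXPOSED_POINTS = 60       # reachable from the internet
EXPLOITED_POINTS = 30     # threat intelligence reports real-world exploitation
SENSITIVE_MULTIPLIER = 1.5
MAX_IMPACT = 10 * SENSITIVE_MULTIPLIER

@dataclass(frozen=True)
class Finding:
    asset: str
    severity: float        # 0-10 technical severity of the weakness
    internet_exposed: bool
    sensitive_data: bool
    known_exploited: bool
    fix_effort: int        # 1 = patch available ... 3 = replace the system

def score(f: Finding) -> float:
    """Risk = likelihood x potential harm, scaled to 0-100."""
    likelihood = BASE_POINTS
    likelihood += EXPOSED_POINTS if f.internet_exposed else 0
    likelihood += EXPLOITED_POINTS if f.known_exploited else 0
    impact = f.severity * (SENSITIVE_MULTIPLIER if f.sensitive_data else 1.0)
    return round(likelihood * impact / MAX_IMPACT, 1)

def prioritize(findings):
    """Highest risk first; among equal scores, the easier fix goes first."""
    return sorted(findings, key=lambda f: (-score(f), f.fix_effort))

def enterprise_score(findings) -> float:
    """Tally of all finding scores, tracked over time as a benchmark."""
    return round(sum(score(f) for f in findings), 1)

# Constructed sample findings (hypothetical asset names).
FINDINGS = [
    Finding("hr-share", 4.0, False, True, False, 2),
    Finding("build-server", 9.0, False, False, True, 1),
    Finding("legacy-ftp", 6.0, True, False, False, 3),
    # Matches the page's example: sensitive data, internet-connected,
    # and a vulnerability already exploited by real-world attackers.
    Finding("crm-web", 9.0, True, True, True, 1),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{score(f):5.1f}  {f.asset}")
    print("enterprise risk score:", enterprise_score(FINDINGS))
```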
Mitigation
Mitigation is about taking action to deal with the vulnerabilities that have been discovered. That might mean running software updates or installing patches, setting up security controls and hardware, or implementing protective frameworks such as zero trust. It could also include getting rid of old systems and software. Either way, it is critical that you have the right solution to help you tackle mitigation in a scalable way.
Good attack surface management provides a wide range of benefits for organizations, starting with strengthening the overall security posture by bringing more visibility to the entire IT environment and attack surface. That in turn helps reduce risk, supported by ongoing monitoring and reassessment to keep risk levels down.
This gives peace of mind to the security team, all while offering significant benefits to the overall business. Having visibility of the attack surface allows for greater transparency and control over assets, reducing the risk of cyberattacks and increasing cost savings. When security teams are able to act faster and more effectively, organizations can be better positioned to ensure business continuity, because when attacks are identified and mitigated sooner, there’s less risk of significant disruption.
How can we implement ASM?
ASM requires a cyber risk exposure management solution that is integrated with a cybersecurity platform that takes a proactive approach to carry out the phases of discovery, assessment, and mitigation.
Choosing a platform with strong security operation capabilities such as security information and event management (SIEM), endpoint detection and response (EDR), and extended detection and response (XDR) is especially important. XDR in particular provides essential data and analytics on how current attack surface protections are performing. Those insights help make the risk assessment phase more accurate.
Where can I get help with attack surface management?
Attack surface management isn’t enough in today’s demanding risk landscape. Organizations require cyber risk exposure management capabilities to proactively predict, uncover, assess, and mitigate risks to significantly reduce their cyber risk footprint.
Trend Vision One™ offers a Cyber Risk Exposure Management (CREM) solution that takes a revolutionary approach by combining key capabilities, like External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM), Vulnerability Management, and Security Posture Management, across cloud, data, identity, APIs, AI, compliance, and SaaS applications into one powerful, easy-to-use solution.
Learn more about how Cyber Risk Exposure Management can help you with attack surface management and beyond.