What is ASM, sometimes called EASM? A simple definition of External Attack Surface Management (ASM or EASM) is the process of defining and securing your organization from the outside-in. Your organization’s attack surface is made up of all the assets belonging to your organization, all of your vendor-managed assets, Cloud and SaaS assets, and all of their external third-party, fourth-party, and Nth-party connections that are visible to an outsider. Attack surface management is the process of protecting this digital footprint end-to-end. Considering growth of every enterprise into cloud, proliferation of IT assets, and the addition of new vendors all the time, your choice of an ASM tool is critical. However, it’s difficult (at times) to understand the fine differences between ASM tools. In this article, we look at the key aspects of a great ASM tool. This will help you understand how ASM should be managed and enable you to pick the right vendor by looking for the most important attack surface management software features. 

What has changed in the ASM market? 

Organizations don’t operate on a digital island. Any organization that operates online has a vast and complex internet-facing attack surface and a tangled web of connections forming the digital supply chain. There are typically third, fourth, and fifth-party vendors and public infrastructure like email servers, cloud and NAS storage, network devices, domain names and SSL certificates and DNS that the organization’s operation relies on. With the many integrations, sprawling web of connections, and a vast digital footprint, organizations struggle to control their online exposure and the opportunities for attacks abound.  

Maximizing the opportunity for easy pickings, attackers use newer technologies like machine learning and AI to identify and exploit any risk possible. Particularly, the advent of ChatGPT has lowered the barrier to entry for cybercriminals. Anyone can become an attacker with ChatGPT by using it to build simple applications, analyze information, and power bots that automate hacking techniques. 

Given this backdrop, three trends have converged to create a perfect storm for cybersecurity. First, the attack surface has become complex, vast, ever-changing, and increasingly harder to cover. Second, attackers have more opportunities and tools at their disposal to capitalize on the expanding attack surface. Third, manual SecOps which is costly, slow, and ineffective is unable to keep pace. The result is an incomplete effort to secure the attack surface and eventual attacks that cost the organization dearly. 

What is REAL attack surface management? 

Traditionally, attack surface management vendors focused on discovery. The idea was that once you know all assets belonging to your own organization, you can secure them. Over time, the focus of ASM expanded as vendors and organizations understood that while discovering assets is critical, visibility is only the first step. 

The attack surface scope has also expanded. As we’ve discussed above, an organization’s exposure extends beyond what it owns to the external web of connections and dependencies. Given this, the best attack surface management solutions should broaden its asset discovery to include connected digital supply chain assets operated by third-party, fourth-party, and Nth-party vendors. Anything less leaves the organization unnecessarily exposed to risk. 

Beyond asset discovery, ASM platforms should also conduct risk assessments and provide a comprehensive framework for risk prioritization. As you can tell, this is all easier said than done. But read on and we’ll uncover a more comprehensive way to do ASM. 

Attack surface management is maturing 

As the attack surface becomes increasingly complicated and reliant on external vendors and cloud platforms, asset attribution becomes more complex. This requires attack surface discovery tools that are deeper but also smarter.  What’s needed is an integrated, evidence-based approach to asset discovery. This way, you can be sure to minimize false negative (blind spots) and false positive attribution mistakes. Furthermore, assets should be automatically attributed to the right organizational function, subsidiary, or business owner. This kind of analysis cannot be achieved manually and requires the power and scale of an attack surface management software. 

Discovery is just the start. In modern attack surface management tools, there’s a push for deeper contextual intelligence into ASM data. Organizations need to know who is responsible for an asset, how important it is to the organization, the technology stack, what risk is associated with it, and more. Richer context provides the groundwork for effective risk assessment, Risk prioritization, and response to emerging threats.  

In addition to asset context, a recent addition to the ASM toolbox is exposure validation – an approach that actively tests the exploitability of risks. Exposure validation simulates attacks on the target system to identify the real-world exposures that are most urgent for the organization to mitigate. 

Now, let’s look at the fundamentals of an attack surface management strategy. 

The 5 must-have pillars of ASM 

Any ASM strategy should include these five steps or pillars: 

1. Attack surface discovery: This step should employ multiple sources and methods to identify all of the organization’s internet-exposed assets and their connected digital supply chains. As the attack surface expands and becomes more complex, multi-factor asset attribution is needed to integrate the discovery evidence and correctly attribute assets to the organization and its subsidiaries.  

2. Cyber risk assessment: This step is about conducting granular, automated assessments of every asset in the attack surface and digital supply chain. All risks including vulnerabilities, misconfigurations, and security posture issues should be identified as part of a comprehensive risk assessment. 

3. Exposure validation: in this step, active exploitability tests are conducted on the target system in a non-intrusive way that doesn’t affect the system or its performance. The goal is to identify exposures so they can be prioritized and quickly remediated. 

4. Risk prioritization: Going beyond CVE scores, ASM requires a risk prioritization framework that takes into account exploitability, business impact, and threat intelligence information. 

5. Remediation: Effective remediation requires automated workflows that seamlessly integrate into core security systems including SIEM, SOAR, and ticketing platforms. In addition, security issues should be aggregated and translated into actionable remediation steps to reduce noise and improve collaboration with IT stakeholders. 

What differentiates a great ASM platform from a mediocre one? 

Here’s what you should be looking for when comparing attack surface management vendors:  

• Deep discovery of the attack surface:  

• Can the ASM platform discover and attribute all assets to the right entity?  
• Can it discover an organization’s assets including subsidiaries, brands, and sub-brands? 
• Can the tool prove with evidence if and why a particular asset belongs to an organization? 
• Does the ASM platform automatically map the digital supply chain? 
• Can it rank assets based on their value to the organization? 
• As the organization changes, can the ASM solution keep pace and automatically adapt coverage? 
• Does the ASM tool help you identify decommissioning targets to reduce attack surface size? 

• Assessment and Exposure validation: 

• Does the ASM platform identify all risks (vulnerabilities, misconfigurations and more) going well beyond CVEs? 
• Can it test risks to validate exploitability? 
• Does the ASM platform use risk scores or context to organize, classify, and prioritize risks according to the potential impact it can have on the organization? 
• Can the ASM tool use category-based assessment (DNS, Email, Web, cloud) to provide a granular assessment of risks?  
• Is the ASM solution security validation testing truly non-invasive so that it does not affect the performance of production systems in any way? (no database writes, no usage of unnecessary access) 

• Remediation and mitigation:  

• Does the ASM platform include external threat intelligence from the deep and dark web and correlate it with the organization’s attack surface? 
• Can the ASM solution automatically mitigate certain risks or only create alerts? 
• Does the ASM solution suppress false positives and surface only real threats that need attention? 
• Can the ASM tool integrate with all your existing security and operational tools such as ticketing systems, SOAR, SIEM, and APIs? 
• Can the ASM assign risks to appropriate stakeholders and notify them with instructions on how to respond? 
• Can the ASM tool adapt to the changing business tech landscape and protect against evolving threats such as zero-day vulnerabilities? 

The points here can serve as a checklist you can use to compare attack surface management platforms. They are what make all the difference when it comes to practicing ASM in the real world.  

Conclusion 

Times have changed, and the way organizations choose an ASM tool has also changed. The key aspects to look for in a modern ASM tool are deeper discovery of assets, exposure validation, and intelligent risk prioritization. In this article, we dove into the factors that can influence your choice of an ASM tool. Yet, this is only part 1, stay tuned for the next part where we go further to talk about what ASM looks like in practice. 

FAQs 

1. What are the top 3 characteristics of a good attack surface management tool? 

• The top 3 things to look for in an ASM solution are deep asset discovery, exposure validation, and automated remediation.  

2. How can ASM tools go beyond asset discovery? 

• ASM tools need to identify all risks to assets, validate these risks, prioritize them, and propose a set of remediation tasks. As you can tell, there is so much more to ASM than mere discovery of assets. 

3. How should an ASM tool prioritize risks? 

• ASM tools can prioritize risks based on the importance of the asset at risk, validated exploitability, and correlated threat intelligence information.