The Importance of Attack Surface Management
Attack Surface Management (ASM) helps organizations discover assets, assess and prioritize risks, and remediate faster across their digital environments. As organizations expand their digital footprint across cloud platforms, on-premises infrastructure, SaaS, managed platforms and third-party services, their attack surface becomes increasingly complex to manage. According to ESG, it can take more than 80 hours just to discover the attack surface. And that’s only the first step. Security teams still need to assess risks, prioritize actions, and remediate. To keep up with the evolving digital landscape and maintain their security posture, attack surface management is more important than ever.
What is an attack surface?
An attack surface is defined as the total number of all possible entry points for unauthorized access, or attack vectors, into an organization’s systems, networks, and digital assets. It is also the entire area of an organization that is exposed to attackers, which is why the attack surface is often described from the “attacker’s point of view”.
But an attacker set on penetrating your organization doesn’t care whether they’re attacking your internet-facing asset directly, or exploiting a vulnerability from a third-party digital service that provides a toehold into your environment (e.g., a takeover of a dangling Azure blob called by an app referenced in a script on your website).
That’s why the real attack surface is bigger.
The real attack surface of an organization comprises all the exposed digital assets and connections and extends to their digital supply chain connections, which are propagated via HTML links, scripts, and chains of DNS records.
The Attack Surface is also:
Increasingly vulnerable.
More than three-quarters (76%) of organizations have experienced one or more cyber-attacks due to an unknown, unmanaged, or poorly managed internet-facing asset.
Ever-expanding.
Nearly two-thirds (62%) of organizations claim their attack surface has expanded over the past two years.
Extending beyond the organization’s own assets.
The number one attack surface accelerant is increasing connections with third parties as we rely more and more on external vendors.
What is Attack Surface Management?
Attack surface management is the process of identifying, analyzing, and mitigating the potential vulnerabilities and attack vectors in a system or network. It involves understanding the scope and complexity of an organization’s attack surface and implementing controls to reduce the risk of successful attacks.
The Evolving Goals of Attack Surface Management
The attacker’s point of view: At the beginning, external attack surface management was all about seeing things from the “attacker’s point of view”. This was a game changer. For the first time, organizations started to realize just how exposed they were.
The growing need for attack surface visibility: The COVID-19 pandemic forced companies to take a digital leap to stay in business. Work-from-home policies became the norm, and with that, their crown jewels became increasingly exposed as their attack surface expanded dramatically.
The challenge of attack surface visibility: Full attack surface visibility can be overwhelming. As the level of alerts and noise kept rising, organizations realized that without “noise reduction” – that is, reducing false positives and non-critical alerts – effective risk reduction is impossible.
Prioritized risk focus: So, the evolution of attack surface management has been a journey from visibility to context-based prioritization: from seeing the attack surface from the attacker’s point of view to reducing the noise level, focusing on the most critical risks, and accelerating remediation.
The Key Functions of Attack Surface Management
- Continuous Attack Surface Monitoring: the ongoing process of actively tracking and analyzing changes to an organization’s attack surface in order to identify risks.
- Attack Surface Discovery: discover and map all known and unknown internet-facing assets an organization has, including web applications, servers, databases, cloud storage, SaaS platforms, and their digital supply chains.
- Risk Assessment: Scan and test each asset – based on its type – for vulnerabilities, misconfigurations and other security issues. Identify and assign a severity score to CVEs, outdated software, cloud misconfigurations, weak passwords, and more.
- Risk Prioritization: Prioritize using multiple factors including severity, exploitability, blast radius, and correlated threat intelligence data.
- Accelerate Remediation: Reduce the attack surface and the overall risk with clear remediation action items and integrated workflows with SIEM, SOAR, and ticketing systems.
Attack Surface Management Challenges
There are several challenges in Attack Surface Management that ASM platforms are struggling to address. These fall under two key categories: breadth or coverage, which is the need to eliminate blind spots; and focus, which is the need to reduce noise, prioritize what’s urgent, and evaluate the potential blast radius.
Limited scope
ASM often overlooks a massive – and growing – source of risk. An organization’s attack surface doesn’t just consist of its assets that are exposed to the internet. It also consists of the digital supply chain assets that it is connected to – via HTML inclusions, chaining of scripts, and, with the advent of CDNs and cloud computing, via chains of DNS records.
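The following Python script is an added example, not code from the original article or from any ASM vendor. It puts two of the points above into working form: it maps the digital supply chain the way the "Limited scope" section and the definition of the real attack surface describe it (third-party hosts pulled in through HTML script/link inclusions, then followed through chains of DNS CNAME records), and it ranks what it finds using the kind of factors listed under Risk Prioritization (a chain that ends at a name with no record, i.e. a dangling reference, first; then blast radius measured as the number of first-party pages that depend on the host; then chain depth). The sample HTML pages, the DNS table, the resolver and every host name are constructed stand-ins so it runs offline; a real tool would fetch the pages and query DNS.

```python
"""Map a site's digital supply chain from its HTML and DNS, then rank findings.

Added example (not from the original article or any vendor product). The
HTML pages, the DNS table and the resolver are constructed stand-ins so the
script runs offline; a real deployment would fetch pages and query DNS.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: two first-party pages pulling in third-party resources.
SAMPLE_PAGES = {
    "www.example.test": """
        <html><head>
          <script src="https://cdn.vendor-a.test/lib.js"></script>
          <link rel="stylesheet" href="//assets.vendor-b.test/site.css">
          <script src="/local/app.js"></script>
        </head><body>
          <img src="https://static.example.test/logo.png">
        </body></html>""",
    "shop.example.test": """
        <html><head>
          <script src="https://cdn.vendor-a.test/lib.js"></script>
          <script src="https://widget.vendor-c.test/w.js"></script>
        </head></html>""",
}

# Constructed DNS data: name -> (record type, target). A CNAME chain whose
# final name has no record at all is "dangling" (e.g. a deprovisioned host).
SAMPLE_DNS = {
    "cdn.vendor-a.test": ("CNAME", "edge.cdnprovider.test"),
    "edge.cdnprovider.test": ("A", "203.0.113.10"),
    "assets.vendor-b.test": ("CNAME", "storage.vendor-b.test"),
    "storage.vendor-b.test": ("CNAME", "oldaccount.blobhost.test"),
    # oldaccount.blobhost.test is intentionally absent -> dangling chain
    "widget.vendor-c.test": ("A", "198.51.100.7"),
    "static.example.test": ("A", "192.0.2.5"),
}

FIRST_PARTY_SUFFIX = "example.test"  # constructed: the organization's own domain


class ResourceExtractor(HTMLParser):
    """Collect the hosts referenced by <script src>, <link href> and <img src>."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = {"script": "src", "img": "src", "link": "href"}.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            # Same-origin paths like "/local/app.js" carry no host; skip them.
            if name == attr and value and "//" in value:
                host = urlparse(value, scheme="https").hostname
                if host:
                    self.hosts.add(host.lower())


def resolve_chain(name, dns, max_hops=10):
    """Follow CNAMEs from name. Returns (chain, dangling): dangling is True when
    the last name in the chain has no record (or the chain never terminates)."""
    chain = [name]
    for _ in range(max_hops):
        record = dns.get(chain[-1])
        if record is None:
            return chain, True
        rtype, target = record
        if rtype != "CNAME":
            return chain, False
        chain.append(target)
    return chain, True  # loop or excessively deep chain: treat as unresolved


def map_supply_chain(pages, dns, first_party_suffix):
    """Return {third_party_host: {"pages": set, "chain": list, "dangling": bool}}."""
    deps = defaultdict(lambda: {"pages": set(), "chain": [], "dangling": False})
    for page_host, html in pages.items():
        extractor = ResourceExtractor()
        extractor.feed(html)
        for host in extractor.hosts:
            if host == first_party_suffix or host.endswith("." + first_party_suffix):
                continue  # an owned asset, not part of the supply chain
            chain, dangling = resolve_chain(host, dns)
            deps[host]["pages"].add(page_host)
            deps[host]["chain"] = chain
            deps[host]["dangling"] = dangling
    return dict(deps)


def prioritize(deps):
    """Rank hosts: dangling chains first, then larger blast radius (more
    first-party pages loading the host), then longer CNAME chains."""
    return sorted(
        deps.items(),
        key=lambda kv: (not kv[1]["dangling"], -len(kv[1]["pages"]),
                        -len(kv[1]["chain"]), kv[0]),
    )


if __name__ == "__main__":
    ranked = prioritize(map_supply_chain(SAMPLE_PAGES, SAMPLE_DNS, FIRST_PARTY_SUFFIX))
    for host, info in ranked:
        flag = "DANGLING" if info["dangling"] else "ok"
        print(f"{flag:8} {host:22} pages={len(info['pages'])} "
              f"chain={' -> '.join(info['chain'])}")
```

On the constructed input the dangling vendor-b chain is ranked first even though only one page loads it, because an unresolvable tail in a chain the site depends on is the finding to act on before a healthy host with a larger blast radius; the ordering key is the place to plug in further factors such as CVE severity or exploitability data once those are attached to each host.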
False negatives
Many ASM platforms lack the technology depth needed to effectively discover internet-facing assets, leaving up to 50% of them in the dark.
False positives
ASM processes that rely on global internet indexing and public records struggle with attribution. Their customers pay for assets they don’t own and waste precious resources chasing false alerts.
Too many alerts
ASM providers often use a limited approach that relies only on vulnerability severity to prioritize risks. As a result, teams are dealing with a constant stream of noisy alerts.