Attack Surface Management 101
Benefits, best practices and solutions for managing a growing attack surface
With greater reliance on technology than ever before, attack surfaces continue to grow in both size and complexity. Inherently, more devices, applications, and data come with more opportunities for bad actors to exploit vulnerabilities. Enter: attack surface management 2.0, the next generation of managing complex environments.
Attack surface management (ASM) is the process by which organizations continuously detect, classify, and assess the security hygiene of all assets and entities within the cyber ecosystem.
While it’s virtually impossible for an organization to eliminate 100% of its vulnerabilities, ASM helps companies stay one step ahead of the attacker by thinking just as they do.
The ultimate goal of ASM is to help organizations understand how an attacker would perceive their attack surface, then prioritize areas by criticality, so they can transition to a proactive approach to cybersecurity and risk management.
Before security teams can effectively manage an attack surface, they must first understand what it encompasses and what they are responsible for. An attack surface consists of the potential infiltration points, or assets, that belong to a given organization.
The traditional IT management view of ‘assets’ has focused solely on compute devices and servers. Yet the applications, people, and processes associated with them provide just as much value to the organization and leave you just as much at risk.
The modern, security-centric approach is that anything an attacker can leverage to infiltrate your organization should be considered part of your attack surface. Therefore, anything with cyber context, from IoT devices and IP addresses to URLs and the users themselves, makes up your attack surface.
Managing a growing attack surface is an overwhelming concept for any organization, never mind those with tens of thousands of employees and hundreds of thousands of devices, applications, and programs. This increased risk has put more responsibility on security teams, who are being called upon to oversee and facilitate an evolution in ASM.
To effectively increase visibility and prioritize security workloads, attack surface management 2.0 should address the challenges that have come to light since its inception:
Organizations lack a mutual understanding of their attack surface
There are a handful of reasons why only 9% of organizations actively monitor 100% of their attack surface, starting with the fact that many security and risk teams lack a mutual understanding of what they are responsible for in the first place.
In turn, organizations tend to overlook much of their attack surface because they fail to assess everything with context.
Shadow IT is on the rise
Shadow IT is the collection of applications, programs, software, and/or hardware that is deployed or managed without proper surveillance from the appropriate security team.
The number of system endpoints has been on the rise since even before the pandemic began. Add in the remote work revolution, and you’ve got yourself an endpoint security nightmare. As a result, 68% of organizations have experienced an attack from an unknown, unmanaged, or poorly managed company asset.
In addition to the rising number of devices security organizations need to keep track of, shadow IT is further complicated by the ease with which SaaS applications and cloud instances can be spun up by line-of-business teams, without the knowledge or approval of an IT or security department. A recent study by Track Resources revealed that 80% of workers admit to using SaaS applications at work without getting approval from IT.
Asset environments are constantly evolving
Having thousands of assets is one thing. Having thousands of assets in active hybrid environments is another. Most enterprises have a multi-cloud (92%) or hybrid cloud (80%) strategy, further adding to the complexities associated with fast-growing and changing attack surfaces.
In the past, asset management has required a lot of time and manual resources. Yet, by the time teams are done completing an asset inventory, their cybersecurity posture is likely completely different than what it was at the start.
Attackers are more agile than ever
Regardless of how compliant an organization is, attackers know how to find and take advantage of its weak spots, and those weak spots may not even be within the organization itself. In fact, over 60% of system intrusion incidents are caused by a third party, and some of the most debilitating attacks stem from weak links within the supply chain, such as SolarWinds and Log4j.
Humans make mistakes, and those mistakes can be costly
According to a Verizon study, 82% of breaches last year included some level of human responsibility—emphasizing how important it is to monitor assets beyond those that fall under the traditional IT umbrella.
IT, security and DevOps tools and teams tend to work in silos
A refined ASM strategy requires a lot of cross-departmental collaboration, which can be a challenge for teams with conflicting priorities. Adding to that, data from different tools often paints a different picture, making it almost impossible for teams to stay on the same page despite having the same end goal.
Many tools promise to be the silver bullet when it comes to cybersecurity. Yet the average organization uses 10 systems just for IT asset inventory alone. It’s no wonder that 40% of security professionals agree conflicting data is a key challenge in understanding their inventory.
Individual Cloud systems, Configuration Management Databases (CMDB), vulnerability scanners and EDR tooling offer different perspectives, but not the whole picture.
Compliance does not always equal security
Compliance is not only the individual’s duty to the organization, but also the organizations’ obligation to its community. Relevant programs have become a large part of how companies manage their reputation or conduct business with each other.
However, because of this, teams have inherited a dangerous tendency to be so concerned over checking the boxes that they neglect to consider the reason these programs were designed to begin with: to keep the organization and its community secure.
Security and risk teams are already stretched thin
Among the ramifications of the well-documented cybersecurity skills gap, high burnout is a leading result. Given that an IT asset inventory takes teams an average of 90 hours to complete, organizations simply cannot afford to run them over and over.
Provides continuous visibility across your entire asset infrastructure
In maintaining a continuous view of their entire attack surface, an efficient attack surface management program can record new assets, keep tabs on “disappeared” assets, and map the complex cyber relationships between them so that organizations always know what it is they’re defending.
Expedites time to detect and respond to vulnerabilities
Success in threat detection is measured by the time it takes teams to identify, block and remediate threats. By tracking state changes as they arise, teams can significantly reduce mean time to detect (MTTD) and mean time to respond (MTTR) to vulnerabilities, while simultaneously reducing dwell time.
Fosters a cybersecurity-first culture
ASM encourages security and risk teams to go beyond the traditional scope of compliance frameworks and audits by putting them in the mind of a threat actor.
Reduces the impact and overall risk of a data breach
Not only does a mature ASM program reduce your attack surface to begin with, but it can also save you some serious cash in the event a breach does occur. According to IBM’s Cost of a Data Breach 2021, automation and security artificial intelligence offered the most cost savings when fully deployed, saving organizations up to $3.81 million in the event of an incident.
Increased threat volumes from more data sources are likely to create alert overload. ASM keeps teams focused on the most critical threats so that they don’t struggle and feel overwhelmed by a seemingly never-ending list of CVEs.
Keeps teams accountable and in-sync
ASM is designed to be a centralized program in which an organization’s cybersecurity decisions are made, and responsibility and accountability can be distributed amongst security, risk, DevOps and IT teams.
Drives operational efficacy
When combined, the benefits outlined above empower teams to break the cycle of burdensome legacy attack surface monitoring and incident response efforts. At the same time, ASM enables organizations to maximize the security investments they’ve already made by bringing them all together.
To reap the full benefits of attack surface management, you must ensure it is approached properly.
The overall objective of ASM is to transition to a “left-of-boom”, or proactive cybersecurity approach. For that to be possible, the following elements must be included in your ASM journey:
If you aren’t aware a potential access point is there in the first place, you can’t possibly defend against today’s threats. Gathering a consolidated view and understanding of everything that lies within the attack surface is the first step in managing it.
At a high level, an attack surface analysis includes:
When it comes to ASM, identifying the different ways in which an organization can be attacked by observing previous incidents is extremely helpful in developing a comprehensive plan to prevent them.
According to the 2022 Verizon Data Breach Investigations report, there were four prevalent gateways which led to the infiltration of organizations’ estates last year:
Not all assets are created equal—and threat actors are always looking to maximize their return on as minimal of an investment (or effort) as possible. Common vulnerability scoring system (CVSS) scores alone do not provide the context necessary to make strategic, timely decisions based on business criticality.
With that in mind, an attack surface management plan should always acknowledge the lateral relationships between machines, networks, users, vulnerabilities, etc. Once you understand how your attack surface is perceived by a threat actor, you can then prioritize your remediation efforts accordingly.
“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”
– John Lambert, Microsoft
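As an added illustration (not code from the original article), the following Python sketch contrasts list-thinking with graph-thinking on a small constructed inventory: each asset carries a CVSS score and a business criticality, directed edges record lateral relationships, and an assumed scoring heuristic discounts an asset by its distance from the internet and credits it with everything an attacker could reach beyond it. The scoring formula, asset names and edges are all assumptions for the example.

```python
from collections import deque

# Constructed inventory (not real data): cvss = worst open finding on the asset,
# criticality = business value 1 (low) .. 5 (crown jewel).
ASSETS = {
    "web-01":  {"cvss": 7.5, "criticality": 2, "internet_facing": True},
    "jump-01": {"cvss": 5.3, "criticality": 2, "internet_facing": False},
    "db-01":   {"cvss": 9.8, "criticality": 5, "internet_facing": False},
    "hr-app":  {"cvss": 9.1, "criticality": 4, "internet_facing": False},
    "kiosk":   {"cvss": 9.8, "criticality": 1, "internet_facing": False},
}
# Constructed lateral relationships (network path, trust, shared credential), src -> dst.
EDGES = [("web-01", "jump-01"), ("jump-01", "db-01"), ("jump-01", "hr-app")]

def reachable(start, adj):
    """Breadth-first search: {node: hops} for everything reachable from start."""
    hops, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, []):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops

def hops_from_internet(assets, adj):
    """Fewest lateral moves from outside to each asset (None = not reachable)."""
    adj = dict(adj, internet=[n for n, a in assets.items() if a["internet_facing"]])
    hops = reachable("internet", adj)
    return {n: hops[n] - 1 if n in hops else None for n in assets}

def graph_score(name, assets, adj, exposure):
    """Assumed heuristic (not a standard): CVSS, discounted by distance from the
    internet, times the criticality an attacker gains here and everywhere beyond."""
    hops = exposure[name]
    exposure_factor = 0.1 if hops is None else 0.5 ** hops
    downstream = sum(assets[n]["criticality"] for n in reachable(name, adj) if n != name)
    return assets[name]["cvss"] * exposure_factor * (assets[name]["criticality"] + downstream)

def prioritize(assets=ASSETS, edges=EDGES):
    """[(asset, score)] highest first: the order the relationship graph implies."""
    adj = {s: [d for x, d in edges if x == s] for s, _ in edges}
    exposure = hops_from_internet(assets, adj)
    scored = [(n, round(graph_score(n, assets, adj, exposure), 2)) for n in assets]
    return sorted(scored, key=lambda item: item[1], reverse=True)

def cvss_only(assets=ASSETS):
    """The list-thinking baseline: rank by CVSS alone."""
    return sorted(assets, key=lambda n: assets[n]["cvss"], reverse=True)
```

On this inventory the CVSS-only list puts the unreachable kiosk and the database at the top, while the graph-aware ranking surfaces the medium-severity internet-facing web server that leads to both crown jewels.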
Manual, time-intensive tasks are not only unscalable, they’ve become impossible for teams that are already struggling with limited resources. Automate wherever possible to take your attack surface management strategy to the next level.
Understandably, you may want to start small with automated discovery and assessments, and eventually move on to automatic remediation of coverage gaps.
Security, risk, DevOps and IT teams all have the same overarching goals: maximize performance and minimize disruption. Yet even with organizational alignment, teams still have a long way to go when it comes to understanding their attack surface because most (73%) of organizations are still forced to rely on spreadsheets to connect the dots.
Fortunately, a new-and-improved ASM strategy doesn’t necessarily require a rip-and-replace IT project. Attack surface assessment (ASA), the set of tools and services organizations leverage for success in ASM, can significantly expedite the process.
As with any cybersecurity initiative of this magnitude, it’s not enough to manage an attack surface without first implementing the proper tools and processes. Gartner has defined Attack surface assessment (ASA) as the tools and services specifically designed to help organizations achieve success in ASM.
There is no bulletproof attack surface management platform. Although cloud monitoring agents, configuration management databases, traditional IT asset management systems, vulnerability scanners, and other endpoint and security tools each offer a certain level of visibility—individually, they fail to provide a holistic view into your continuously changing environment.
According to the Gartner Innovation Insight for Attack Surface Management report, “New ways of visualizing and prioritizing management of an organization’s attack surface are required as enterprise IT becomes more dispersed, owing to the expansion of public-facing digital assets and increased use of cloud infrastructure and applications.”
ASAs can help organizations understand their overall attack surface and identify specific areas that need to be addressed. They can also help organizations prioritize their efforts and allocate their resources more efficiently, alleviating much of the burden associated with today’s complexities.
Gartner has defined three ASA pillars: cyber asset attack surface management (CAASM), external attack surface management (EASM) and digital risk protection surface (DRPS).
CAASM integrates with existing data sources to provide organizations with a unified view of their entire attack surface, enabling organizations to truly understand their cyber asset landscape and prioritize action according to their relationships with each other.
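As an added example (not the article’s or any vendor’s code), the following Python sketch performs the kind of reconciliation a CAASM tool does across the siloed sources named earlier: it normalizes asset names from four constructed tool exports (cloud, EDR, scanner, CMDB), merges them into one view, and flags the coverage gaps discussed above, namely assets no agent or scanner covers and records no live source can still confirm (the “disappeared” assets). The coverage policy and DNS suffix are assumptions.

```python
# Constructed exports from four tools (illustrative, not real data). Each tool
# names the same machine differently, so a naive join on raw names would miss matches.
RAW_INVENTORIES = {
    "cloud":   ["WEB-01.corp.example.com", "build-07.corp.example.com", "dev-sandbox"],
    "edr":     ["web-01", "db-01"],
    "scanner": ["web-01.corp.example.com", "db-01.corp.example.com", "old-vpn.corp.example.com"],
    "cmdb":    ["web-01", "DB-01", "old-vpn"],
}
# Assumed policy for the example: every asset needs an EDR agent, scan coverage and a
# CMDB record; only the cloud API and the EDR agent prove an asset currently exists.
REQUIRED = ("edr", "scanner", "cmdb")
LIVE = ("cloud", "edr")
DOMAIN_SUFFIX = ".corp.example.com"  # assumed corporate DNS zone

def normalize(name):
    """Canonical asset key: lower-case short hostname without the corporate suffix."""
    name = name.strip().lower()
    return name[:-len(DOMAIN_SUFFIX)] if name.endswith(DOMAIN_SUFFIX) else name

def unified_view(raw=RAW_INVENTORIES):
    """Merge every tool's export into one asset -> {sources that know it} map."""
    view = {}
    for source, names in raw.items():
        for name in names:
            view.setdefault(normalize(name), set()).add(source)
    return view

def coverage_gaps(raw=RAW_INVENTORIES):
    """asset -> list of gaps: unmanaged or unscanned assets and records nothing live confirms."""
    gaps = {}
    for asset, seen in sorted(unified_view(raw).items()):
        issues = [f"missing from {src}" for src in REQUIRED if src not in seen]
        if not any(src in seen for src in LIVE):
            issues.append("stale record: no live source has seen it")
        if issues:
            gaps[asset] = issues
    return gaps

if __name__ == "__main__":
    for asset, issues in coverage_gaps().items():
        print(f"{asset}: {'; '.join(issues)}")
```

Here the two cloud instances nobody else knows about are the shadow IT the earlier section describes, and old-vpn is a record the scanner and CMDB still carry even though no live source can find it.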
EASM identifies an organization’s external-facing assets and systems from an “outside-in” perspective, equipping teams with the insights necessary to close the unknown pathways to their organization.
DRPS is a practice that improves an organization’s ability to identify, prioritize and address threats across their digital footprint, in order of priority according to how they would be perceived by a potential attacker.
While each subset of ASA supports a niched set of use cases, asset management and vulnerability prioritization are essential components of all three.
The most fundamental concept of ASM is that you can’t defend what you can’t see. Therefore, while each technology supports unique use cases, organizations will be prioritizing CAASM over the next few years to truly gain visibility into their entire digital estate.
“By 2026, 20% of companies will have more than 95% visibility of all their assets, which will be prioritized by risk and control coverage by implementing cyber asset attack surface management functionality, up from less than 1% in 2022.” – Gartner®, Innovation Insight for Attack Surface Management 2022
The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework is a grid of common threat actor behaviors as observed from previous security incidents. Since history tends to repeat itself when it comes to cybercrime, MITRE ATT&CK Enterprise should play a significant role in your cyber defense plan.
Similarly, the Open Web Application Security Project (OWASP) Top 10 is an ongoing report designed to bring awareness to the most prevalent security concerns among web applications. Most recently updated in 2021, the OWASP Top 10 encourages organizations to incorporate the findings into their vulnerability prioritization efforts.
Unlike compliance audits or vendor assessments, ASM is not a once-per-year exercise—it’s continuous. The threat landscape is constantly changing—and ASM is shifting along with it.
Therefore, there’s no “one-size-fits-all” approach to measuring the success of a program. Instead, focus on the set of variables that instill confidence in your organization’s security posture: