
What is attack surface management?


Attack surface management (ASM) is an aspect of cybersecurity that helps organizations identify and mitigate potential vulnerabilities in their digital infrastructure. ASM proactively identifies and addresses security risks by continuously monitoring and assessing the attack surface, which refers to all the points of entry that hackers can exploit.

 

Why is attack surface management important?

Cybercriminals are constantly looking for vulnerabilities to exploit, and new technologies and applications are deployed regularly, expanding the attack surface. Attack surface management helps organizations maintain a strong security posture by giving them the visibility and control they need to protect their digital assets.

Related: What is an attack surface?

 

The core processes of attack surface management

ASM consists of several core processes: asset discovery, classification and prioritization, remediation, and monitoring. These processes are carried out continuously to adapt to the changing digital attack surface. ASM solutions automate these processes whenever possible to ensure that the security team always has a complete and current inventory of exposed assets and can respond swiftly to vulnerabilities and threats.

 

Asset discovery

Asset discovery is the first step in attack surface management. It automatically and continuously scans for and identifies internet-facing hardware, software, and cloud assets that could serve as potential entry points for hackers or cybercriminals.

 

Known assets

Known assets are the IT infrastructure and resources that the organization is aware of and actively managing. These can include routers, servers, company-issued or privately-owned devices (PCs, laptops, mobile devices), IoT devices, user directories, applications deployed on-premises and in the cloud, websites, and proprietary databases.

 

Unknown assets

Unknown assets are unidentified assets that are using network resources without the knowledge of the IT or security team. Shadow IT, which refers to hardware or software deployed on the network without official administrative approval or oversight, is a common unknown asset.

 

Third-party or vendor assets

Third-party or vendor assets are assets the organization doesn't own but are part of its IT infrastructure or digital supply chain. These can include software-as-a-service (SaaS) applications, APIs, public cloud assets, or third-party services used within the organization's website.

 

Subsidiary assets

Subsidiary assets refer to known, unknown, or third-party assets belonging to networks of an organization's subsidiary companies. After a merger or acquisition, these assets may not immediately come to the attention of the IT and security teams of the parent organization.

 

Malicious or rogue assets

Malicious or rogue assets are created or stolen by threat actors to target the company. Examples include phishing websites impersonating the company's brand and sensitive data stolen in a breach being shared on the dark web.

Read also: What is a phishing attack? 

 

Classification, analysis, and prioritization

Once identified, assets must be classified, analyzed for vulnerabilities, and prioritized based on their "attackability." Attackability is an objective measure of how likely hackers are to target specific assets.

Assets are inventoried based on their identity, IP address, ownership, and connections to other assets in the IT infrastructure. They are then analyzed for vulnerabilities, including misconfigurations, coding errors, and missing patches. The analysis also considers the potential attacks that hackers may carry out through these vulnerabilities, such as stealing sensitive data or spreading malware.

The next step is prioritizing the vulnerabilities for remediation. Prioritization is based on a risk assessment exercise, assigning a security rating or risk score to each vulnerability. This rating considers information gathered during classification and analysis, data from threat intelligence feeds, and the organization's own vulnerability management and security risk assessment activities. 
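As an added illustration, not part of the original article, of how a risk score can be assigned during prioritization, the Python below scores a constructed inventory using the factors the text lists (ownership, connections, asset category, finding severity, and a threat-intelligence signal). The weights, field names and sample assets are assumptions chosen for the example, not any vendor's actual algorithm.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Finding:
    kind: str                   # "misconfiguration", "coding error" or "missing patch"
    severity: float             # 0-10 base score, CVSS-style (assumed scale)
    exploited_in_wild: bool = False   # signal from a threat-intelligence feed

@dataclass
class Asset:
    name: str
    ip: str
    owner: str                  # responsible team; "unknown" for shadow IT
    category: str               # known, unknown, third-party, subsidiary, rogue
    internet_facing: bool
    connections: int            # internal assets reachable from this one
    findings: List[Finding] = field(default_factory=list)

# Assumed weights: less-governed asset classes are harder to patch quickly.
CATEGORY_WEIGHT = {"known": 1.0, "subsidiary": 1.2, "third-party": 1.3, "unknown": 1.5, "rogue": 2.0}

def attackability(asset: Asset) -> float:
    """Score an asset: its worst finding, scaled by exposure and governance gaps."""
    base = max((f.severity for f in asset.findings), default=0.0)
    score = base * CATEGORY_WEIGHT.get(asset.category, 1.0)
    if asset.internet_facing:                              # reachable by anyone
        score *= 1.5
    if any(f.exploited_in_wild for f in asset.findings):   # threat-intel boost
        score *= 1.5
    score += min(asset.connections, 10) * 0.25             # lateral-movement potential, capped
    if asset.owner == "unknown":                           # nobody is on the hook to fix it
        score += 1.0
    return score

def prioritize(assets: List[Asset]) -> List[Asset]:
    return sorted(assets, key=attackability, reverse=True)  # highest risk first

def sample_inventory() -> List[Asset]:
    """Constructed sample data, not a real environment."""
    return [
        Asset("web-portal", "203.0.113.10", "platform", "known", True, 5,
              [Finding("missing patch", 7.5, exploited_in_wild=True)]),
        Asset("legacy-db", "10.0.5.20", "unknown", "unknown", False, 12,
              [Finding("misconfiguration", 5.0)]),
        Asset("vendor-saas", "198.51.100.7", "marketing", "third-party", True, 0,
              [Finding("coding error", 4.0)]),
        Asset("clean-host", "10.0.1.3", "it", "known", False, 2),
    ]
```

Calling `prioritize(sample_inventory())` ranks the exposed, actively exploited portal first and the unowned shadow-IT database second, even though the latter has a lower-severity finding.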

 

Remediation

Vulnerabilities are typically remediated in order of priority. This involves applying appropriate security controls to the assets, such as software or operating system patches, debugging application code, or implementing stronger data encryption. Broader cross-asset measures, such as implementing least-privileged access or multi-factor authentication (MFA), can also be part of the remediation process.

Read more: What is MFA?

 

Monitoring

Continuous monitoring allows ASM to detect and assess new vulnerabilities and attack vectors in real time. It also lets security teams receive immediate alerts for vulnerabilities that require urgent attention.
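As an added example, not from the article, of what continuous monitoring produces, the Python below compares two constructed inventory snapshots (discovery plus analysis results at two points in time) and turns the changes into prioritized alerts: new assets, assets that became internet-facing, new findings, and remediated findings. The snapshot shape, finding labels and priority levels are assumptions for the example.

```python
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Tuple[bool, Set[str]]]   # asset -> (internet_facing, finding ids)
Alert = Tuple[str, str, str]                    # (priority, asset, message)

# Constructed snapshots (not real infrastructure).
BEFORE: Snapshot = {
    "web-portal": (True, {"missing-patch:tls-library"}),
    "hr-app": (False, set()),
    "build-server": (False, {"misconfig:default-credentials"}),
}
AFTER: Snapshot = {
    "web-portal": (True, set()),                                  # patched since last scan
    "hr-app": (True, {"misconfig:open-admin-panel"}),             # newly exposed, new finding
    "build-server": (False, {"misconfig:default-credentials"}),  # unchanged
    "test-bucket": (True, {"misconfig:public-read"}),             # unknown asset appeared
}

def monitor(before: Snapshot, after: Snapshot) -> List[Alert]:
    """Diff two snapshots and return alerts, most urgent first."""
    alerts: List[Alert] = []
    for name, (facing, findings) in after.items():
        prio = "high" if facing else "medium"        # exposure drives urgency
        if name not in before:
            alerts.append((prio, name, "new asset discovered; classify and assign an owner"))
            alerts += [(prio, name, f"new finding {f}") for f in sorted(findings)]
            continue
        was_facing, old = before[name]
        if facing and not was_facing:
            alerts.append(("high", name, "asset became internet-facing"))
        alerts += [(prio, name, f"new finding {f}") for f in sorted(findings - old)]
        alerts += [("info", name, f"finding remediated {f}") for f in sorted(old - findings)]
    for name in sorted(before.keys() - after.keys()):
        alerts.append(("info", name, "asset no longer observed; confirm decommissioning"))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(alerts, key=lambda a: order[a[0]])   # stable: keeps discovery order within a level
```

Running `monitor(BEFORE, AFTER)` yields four high-priority alerts (the HR app's new exposure and finding, the unknown bucket and its public-read misconfiguration) and one informational note that the portal's patch landed; the unchanged build server generates nothing.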
