Attack surface management (ASM) is the discovery, assessment, and mitigation of threats to an organisation’s IT ecosystem.
Table of Contents
Attack surface management (ASM) is a cyber-security approach that aims to help organisations become stronger in defending their data and systems by making threats more visible. It’s about knowing where risks exist, understanding their relative severity, and taking action to close security gaps related to people, processes, and technology.
ASM is a traditional cyber-security approach that includes asset discovery and monitoring. It looks at potential threats the way an attacker would see them: as opportunities to breach an organisation’s defences and inflict financial, operational, or reputational harm.
In order to understand Attack Surface Management (ASM), it is first necessary to know what is meant by the term attack surface.
What is the attack surface?
The attack surface is the sum total of all ways an attacker might gain access to an organisation’s network, data, or IT resources. It has three parts:
- The digital attack surface is all hardware, software, and data that can be accessed externally, even if it’s protected by encryption, authentication protocols, firewalls, or other measures.
- The physical attack surface consists of all physical equipment and devices that can be stolen or interacted with physically to cause a compromise or breach.
- The social or human attack surface refers to all the people in an organisation with access to systems and data who could be tricked, blackmailed, or otherwise manipulated (for example, by a social engineering scheme such as phishing to cause a compromise or breach.
What does ASM protect against?
ASM helps organisations defend against a wide range of threats, also known as ‘attack vectors’. These include but are not limited to:
Cyberattacks
Ransomware, viruses, and other malware can be injected into corporate systems, allowing attackers to access networks and resources, exfiltrate data, hijack devices, and damage assets and data.
Coding issues and misconfigurations
Misconfigurations of network and cloud technologies such as ports, access points, protocols, and the like leave ‘doors’ open for attackers and are a common cause of breaches.
Phishing schemes
These include scam emails, text messages, voice messages (and even, today, with AI-generated deepfakes, video calls) that deceive users and prompt them to take actions that compromise cyber-security. That may be sharing sensitive information, clicking on links that lead to malware, releasing funds that shouldn’t be paid out, and more. AI has helped make phishing harder to detect and more targeted.
Out-of-date technologies and applications
Easy-to-guess passwords—either because they’re obvious, too simple, or reused for multiple accounts—can give bad actors access to an organisation’s digital resources. Stolen credentials are also in high demand among cybercriminals for similar reasons. Encryption is meant to disguise information so that only authorized people can read it. If it’s not strong enough, hackers can extract data they can then use to launch larger-scale attacks.
Shadow IT
Tools used by an organisation’s employees that are not part of the known or sanctioned IT environment are considered ‘shadow IT’ and can create vulnerabilities precisely because the cyber-security team doesn’t know about them. These include apps, portable storage devices, personal phones and tablets, and the like.
How does ASM work?
ASM has three main phases: discovery, assessment, and mitigation. Because the attack surface is always changing, all three must be carried out continuously.
Discovery
The discovery phase defines the attack surface and all the assets that comprise it. The goal of discovery is to identify all known and unknown devices, software, systems, and access points that make up the attack surface—even including shadow IT apps, connected third-party technologies, and technologies that haven’t been part of previous inventories. While many solutions offer discovery as part of their ASM solution, you need to be discerning. Looking for a solution that integrates compliance and cyber risk quantification to ensure you are getting the complete risk picture beyond asset discovery to show true exposure. A continuous discovery process helps reveal how the attack surface may be changing over time.
Assessment
After discovery, security teams assess each asset for potential vulnerabilities—everything from misconfigurations and coding errors to social/human factors such as susceptibility to phishing schemes or business email compromise (BEC) attacks. Each risk is scored, allowing security teams to prioritise the ones that need to be addressed most urgently.
Risk scoring is generally based on level of risk, likelihood of attack, potential harms, and difficulty of remediation. It ideally will also account for global threat intelligence on which vulnerabilities are being exploited most often and most easily.
Example: If a piece of software gives access to sensitive data, is connected to the internet, and has a known vulnerability that’s already been exploited by real-world attackers, patching it will likely be a top priority.
Once all risks are scored, the total is tallied to provide an overall enterprise risk score. That allows the organisation to benchmark and monitor its risk profile over time.
Mitigation
Mitigation is about taking action to deal with the vulnerabilities that have been discovered. That might mean running software updates or installing patches, setting up security controls and hardware, or implementing protective frameworks such as zero trust. It could also include getting rid of old systems and software. Either way, it is critical that you have the right solution to help you tackle mitigation in a scalable way.
Attack surface management vs. external attack surface management (EASM)
External attack surface management (EASM) focuses specifically on the vulnerabilities and risks associated with outward-facing devices and systems including those connected to the internet. The internal attack surface, which may include on-premises equipment and partitioned resources, is not covered by EASM.
Why does ASM matter?
ASM has become extremely important because enterprise IT environments are more dynamic and interconnected than ever before, making the attack surface larger and more varied. Traditional asset discovery and monitoring approaches and single-purpose cybersecurity ‘point’ solutions can’t provide the full visibility, intelligence, or protection required. ASM, on the other hand, allows security teams to reduce the number of pathways into the enterprise IT ecosystem and gain a real-time view of emerging vulnerabilities and attack vectors.
What does ASM protect against?
ASM helps organisations defend against a wide range of threats, also known as ‘attack vectors’. These include but are not limited to:
- Cyberattacks: Ransomware, viruses, and other malware can be injected into corporate systems, allowing attackers to access networks and resources, exfiltrate data, hijack devices, and damage assets and data.
- Coding issues and misconfigurations: Misconfigurations of network and cloud technologies such as ports, access points, protocols, and the like leave ‘doors’ open for attackers and are a common cause of breaches.
- Phishing schemes: These include scam emails, text messages, voice messages (and even, today, with AI-generated deepfakes, video calls) that deceive users and prompt them to take actions that compromise cybersecurity. That may be sharing sensitive information, clicking on links that lead to malware, releasing funds that shouldn’t be paid out, and more. AI has helped make phishing harder to detect and more targeted.
- Out-of-date technologies and applications: Software, firmware, and device operating systems need to be coded correctly and patched against known vulnerabilities and threats, otherwise they can provide attackers with a way to breach an organisation. Old devices that are still part of the IT environment but aren’t maintained or actively used can also provide convenient access points for attackers, since they are often not monitored.
- Weak passwords and encryption: Easy-to-guess passwords—either because they’re obvious, too simple, or reused for multiple accounts—can give bad actors access to an organisation’s digital resources. Stolen credentials are also in high demand among cybercriminals for similar reasons. Encryption is meant to disguise information so that only authorised people can read it. If it’s not strong enough, hackers can extract data they can then use to launch larger-scale attacks.
- Shadow IT: Tools used by an organisation’s employees that are not part of the known or sanctioned IT environment are considered ‘shadow IT’ and can create vulnerabilities precisely because the cybersecurity team doesn’t know about them. These include apps, portable storage devices, personal phones and tablets, and the like.
Types of Attack Surface Management
Attack Surface Management (ASM) is categorized into distinct types that address different facets of an organisation’s digital environment. These include External ASM , Internal ASM, Cyber Asset ASM, and Open Source ASM. Each type plays a crucial role in monitoring and mitigating risks, providing organisations with a comprehensive approach to protecting their digital assets.
External Attack Surface Management
External ASM focuses on internal business assets that are exposed to the public internet, such as web applications, cloud-based resources, IP addresses and domain names that could be exploited by attackers. These public-internet facing services are often targeted by attackers looking to exploit vulnerabilities or misconfigurations.
Internal Attack Surface Management
Internal ASM addresses risks within an organisation’s private network, including devices, applications, and systems that are not publicly accessible but could be exploited if attackers gain access. It is particularly relevant for combating advanced persistent threats (APTs) and insider threats, which often involve lateral movement and privilege escalation within the network. Legacy systems or poorly secured internal servers may serve as vulnerabilities attackers exploit once inside the network.
Cyber Asset Attack Surface Management
Cyber Asset ASM focuses on managing and securing individual assets across an organisation, including endpoints, user accounts, cloud instances, and mobile devices. This is especially critical in today’s hybrid work environments, where assets are spread across on-premises and cloud-based infrastructures. Organisations operating in multi-cloud environments often have diverse assets, such as containers, virtual machines, and APIs.
Open Source Attack Surface Management
Open Source ASM focuses on managing risks associated with open-source technologies and publicly accessible information. While open-source software is widely used, it introduces vulnerabilities due to its transparency and reliance on community contributions. Additionally, attackers often exploit exposed data such as leaked credentials, API keys, or sensitive configuration files found in open repositories such as Github.
Attack Surface Management vs. Cyber Risk Management
Attack surface management (ASM) is an essential element of cyber risk management, and together, they help organisations improve their cyber-security situational awareness—proactively identifying, prioritizing, and mitigating threats.
Cyber risk management is an over-arching cyber-security approach that goes beyond ASM, focusing on knowing and mitigating risks across their business. A good cyber risk management framework helps determine which risks are most relevant, supporting ‘risk-informed decision making’ to reduce overall threat exposure. That allows security teams to strengthen defences, minimize vulnerabilities, and inform their organisations’ overall risk management and strategic planning processes.
What are the benefits of ASM?
Good attack surface management provides a wide range of benefits for organisations, starting with strengthening the overall security posture by bringing more visibility to the entire IT environment and attack surface. That in turn helps reduce risk, supported by ongoing monitoring and reassessment to keep risk levels down.
This is giving peace of mind to the security team, all well offering significant benefits to the overall business. Having visibility of the attack surface allows for greater transparency and control over assets, reducing the risk of cyberattacks and increasing cost savings. When security teams are able to act faster and more effectively, organisations can be better positioned to ensure business continuity. Because when attacks are identified and mitigated sooner, there’s less risk of significant disruption.
How can we implement ASM?
ASM requires a cyber risk exposure management solution that is integrated with a cyber-security platform that takes a proactive approach to carry out the phases of discovery, assessment, and mitigation.
Choosing a platform with strong security operation capabilities such as security information and event management (SIEM), endpoint detection and response (EDR), and extended detection and response (XDR) is especially important. XDR in particular provides essential data and analytics on how current attack surface protections are performing. Those insights help make the risk assessment phase more accurate.
ASM and Compliance
ASM plays an important role in meeting regulatory and compliance requirements eyond strengthening cyber-security defences. NIST Cyber-security Framework, ISO/IEC 27001, GDPR, HIPAA, and PCI DSS frameworks all emphasize the importance of asset visibility, vulnerability management, and continuous monitoring of core functions enabled by ASM. Identifying exposed assets and remediating potential vulnerabilities, ASM helps organisations to maintain compliance with key controls, reduce audit preparation time and avoid costly non-compliance penalties.
For businesses operating in regulated industries, ASM is not just a security enhancement; it’s a compliance enabler that supports both operational resilience and legal accountability.
Where can I get help with attack surface management?
Attack surface management isn’t enough in today’s demanding risk landscape. Organisations require cyber risk exposure management capabilities to proactively predict, uncover, assess, and mitigate risks to significantly reduce your cyber risk footprint.
Trend Vision One™ offers a Cyber Risk Exposure Management (CREM) solution that takes a revolutionary approach by combining key capabilities-like External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM), Vulnerability Management, and Security Posture Management-across cloud, data, identity, APIs, Al, compliance, and SaaS applications into one powerful, easy-to-use solution.
Trend Vision One™ Cyber Risk Exposure Management (CREM) can help you with attack surface management and beyond.