What is Attack Surface Management (ASM)?

Attack surface management (ASM) is the discovery, assessment, and mitigation of threats to an organization’s IT ecosystem.

Attack Surface Management Definition

Attack surface management (ASM) is a cybersecurity approach that helps organizations defend their data and systems by making threats visible. It is about knowing where risks exist, understanding their relative severity, and taking action to close security gaps related to people, processes, and technology.

ASM is a proactive cybersecurity approach built on asset discovery and continuous monitoring. It looks at potential threats the way an attacker would see them: as opportunities to breach an organization’s defenses and inflict financial, operational, or reputational harm.

To understand Attack Surface Management (ASM), it is first necessary to know what is meant by the term attack surface.

The attack surface is the sum total of all ways an attacker might gain access to an organization’s network, data, or IT resources. It has three parts:


The digital attack surface is all hardware, software, and data that can be accessed externally, even if it’s protected by encryption, authentication protocols, firewalls, or other measures.

The physical attack surface consists of all physical equipment and devices that can be stolen or interacted with physically to cause a compromise or breach.

The social or human attack surface refers to all the people in an organization with access to systems and data who could be tricked, blackmailed, or otherwise manipulated (for example, by a social engineering scheme such as phishing) to cause a compromise or breach.

What does ASM protect against?

ASM helps organizations defend against a wide range of threats and the attack vectors through which they arrive. These include but are not limited to:

Cyberattacks

Ransomware, viruses, and other malware can be injected into corporate systems, allowing attackers to access networks and resources, exfiltrate data, hijack devices, and damage assets and data.

Coding issues and misconfigurations

Software flaws such as injection bugs, together with misconfigurations of network and cloud technologies such as open ports, access points, and protocols, leave ‘doors’ open for attackers and are a common cause of breaches.

Phishing schemes

These include scam emails, text messages, voice messages (and even, today, with AI-generated deepfakes, video calls) that deceive users and prompt them to take actions that compromise cybersecurity. That may be sharing sensitive information, clicking on links that lead to malware, releasing funds that shouldn’t be paid out, and more. AI has helped make phishing harder to detect and more targeted.

Weak passwords, stolen credentials, and weak encryption

Easy-to-guess passwords—either because they’re obvious, too simple, or reused for multiple accounts—can give bad actors access to an organization’s digital resources. Stolen credentials are in high demand among cybercriminals for the same reason. Encryption is meant to disguise information so that only authorized people can read it. If it is weak or misconfigured, attackers can recover data they can then use to launch larger-scale attacks.

Shadow IT

Tools used by an organization’s employees that are not part of the known or sanctioned IT environment are considered ‘shadow IT’ and can create vulnerabilities precisely because the cybersecurity team doesn’t know about them. These include apps, portable storage devices, personal phones and tablets, and the like.

How does ASM work?

ASM has three main phases: discovery, assessment, and mitigation. Because the attack surface is always changing, all three must be carried out continuously.

Discovery

The discovery phase defines the attack surface and all the assets that comprise it. The goal of discovery is to identify all known and unknown devices, software, systems, and access points that make up the attack surface, including shadow IT apps, connected third-party technologies, and technologies that have not appeared in previous inventories. While many vendors offer discovery as part of their ASM solution, you need to be discerning. Look for a solution that integrates compliance and cyber risk quantification, so that you get the complete risk picture beyond asset discovery and can see true exposure. A continuous discovery process reveals how the attack surface changes over time.

Assessment

After discovery, security teams assess each asset for potential vulnerabilities—everything from misconfigurations and coding errors to social/human factors such as susceptibility to phishing schemes or business email compromise (BEC) attacks. Each risk is scored, allowing security teams to prioritize the ones that need to be addressed most urgently.

Risk scoring is generally based on the asset’s exposure, the likelihood of attack, the potential harm if it is compromised, and the difficulty of remediation. Ideally it also accounts for global threat intelligence on which vulnerabilities are being exploited most often and most easily.

Example: If a piece of software gives access to sensitive data, is connected to the internet, and has a known vulnerability that’s already been exploited by real-world attackers, patching it will likely be a top priority.

Once all risks are scored, the scores are combined into an overall enterprise risk score, normally normalized so that the figure is not driven simply by the number of assets. That allows the organization to benchmark and monitor its risk profile over time.

Mitigation

Mitigation is about taking action to deal with the vulnerabilities that have been discovered. That might mean running software updates or installing patches, setting up security controls and hardware, or implementing protective frameworks such as zero trust. It could also include getting rid of old systems and software. Either way, it is critical that you have the right solution to help you tackle mitigation in a scalable way.
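The three phases above fit together as one repeatable loop. The following is an added example (not Trend Micro’s code, and not a description of any product) that walks through a single pass of that loop over a constructed inventory: reconcile discovered assets against a sanctioned list to surface shadow IT, diff against the previous snapshot to show change over time, score each asset on exposure, data sensitivity and known exploitation, normalize the enterprise score, and order the remediation queue. All hostnames, attributes, weights and the remediation-effort table are assumptions chosen for illustration.

```python
"""Discovery -> assessment -> prioritization over a constructed inventory.

Added example, not Trend Micro's code. Hostnames, attributes, weights and
thresholds are assumptions chosen to show the mechanics of each phase.
"""

# Phase 1 input: what the organization believes it owns (constructed).
SANCTIONED = {"www.example.test", "vpn.example.test", "erp.example.test"}

# Previous discovery snapshot (constructed), to show how the surface changes.
PREVIOUS_HOSTS = {"www.example.test", "vpn.example.test", "erp.example.test",
                  "old-portal.example.test"}

# Current discovery results (constructed). A real pipeline would merge DNS,
# certificate-transparency, cloud-API and scan data into records like these.
OBSERVED = [
    {"host": "www.example.test", "exposed": True, "sensitive": False,
     "known_exploited": False, "remediation": "patch"},
    {"host": "vpn.example.test", "exposed": True, "sensitive": True,
     "known_exploited": True, "remediation": "patch"},
    {"host": "erp.example.test", "exposed": False, "sensitive": True,
     "known_exploited": True, "remediation": "upgrade"},
    {"host": "staging.example.test", "exposed": True, "sensitive": True,
     "known_exploited": False, "remediation": "decommission"},
]

# Assessment weights (assumptions). Internet exposure and exploitation in the
# wild weigh most, matching the article's own prioritization example.
WEIGHTS = {"exposed": 3, "sensitive": 2, "known_exploited": 4}
MAX_SCORE = sum(WEIGHTS.values())            # 9
REMEDIATION_EFFORT = {"patch": 1, "upgrade": 2, "decommission": 3}


def discover(observed, sanctioned):
    """Split findings into sanctioned assets and unknown (shadow IT) assets."""
    known = [a for a in observed if a["host"] in sanctioned]
    unknown = [a for a in observed if a["host"] not in sanctioned]
    return known, unknown


def diff_snapshots(previous_hosts, current_hosts):
    """Continuous discovery: hosts that appeared and disappeared since last run."""
    return sorted(current_hosts - previous_hosts), sorted(previous_hosts - current_hosts)


def assess(asset):
    """Score one asset from 0 to MAX_SCORE based on its risk attributes."""
    return sum(weight for attr, weight in WEIGHTS.items() if asset[attr])


def enterprise_score(assets):
    """Average normalized score (0-100). Averaging, rather than summing,
    keeps the figure comparable as the asset count changes over time."""
    if not assets:
        return 0.0
    total = sum(assess(a) for a in assets)
    return round(100 * total / (MAX_SCORE * len(assets)), 1)


def prioritize(assets):
    """Highest risk first; among equal scores, the cheapest fix first."""
    return sorted(assets, key=lambda a: (-assess(a), REMEDIATION_EFFORT[a["remediation"]]))


def run(observed=OBSERVED, sanctioned=SANCTIONED, previous_hosts=PREVIOUS_HOSTS):
    """One pass of the loop; a scheduler would run this continuously."""
    known, unknown = discover(observed, sanctioned)
    appeared, disappeared = diff_snapshots(previous_hosts, {a["host"] for a in observed})
    ranked = prioritize(known + unknown)
    return {
        "unknown_hosts": [a["host"] for a in unknown],
        "appeared": appeared,
        "disappeared": disappeared,
        "ranked_hosts": [a["host"] for a in ranked],
        "enterprise_score": enterprise_score(known + unknown),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

Two design choices are worth noting. The unknown staging host is scored and queued alongside sanctioned assets rather than only reported, because an attacker does not care whether an exposed system is on the inventory. And the enterprise score is an average rather than a sum, so that discovering more assets does not by itself make the number look worse; whether to average, take the maximum, or weight by business criticality is a policy decision the scoring model should make explicit.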

Why is ASM Important?

There are two main reasons why Attack Surface Management is needed:

Organizations’ IT environments need to be protected

The digitization of all kinds of work has progressed rapidly in recent years, driven by digital transformation initiatives and changes in the way we work, such as remote working. As a result, IT environments have become more complex than ever, with VPN appliances, cloud services, and IoT devices added alongside existing systems.

At the same time, many organizations are unable to keep up with the rapid change and growing complexity of their own IT environments and the risks they pose, and security measures are put on the back burner. From the perspective of cybercriminals, the number of viable targets keeps increasing.

The sophistication of cyber attack methods

The methods used in cyber attacks and other crimes are becoming more sophisticated in order to raise the success rate of attacks. In the past, the dominant type of attack was indiscriminate: malicious programs were sent to a large number of unspecified recipients via email or other means. Modern attacks are increasingly ‘targeted attacks’ that exploit vulnerabilities in VPN and RDP services, or use stolen credentials, to infiltrate the target organization’s network and then carry out internal activities such as privilege escalation, lateral movement, and information theft.

As a result, organizations need to consider not only their internet-facing digital assets, but also digital assets inside the organization, and implement security measures for both.

Types of Attack Surface Management

Attack Surface Management (ASM) is categorized into distinct types that address different facets of an organization’s digital environment. These include External ASM, Internal ASM, Cyber Asset ASM, and Open Source ASM. Each type plays a crucial role in monitoring and mitigating risks, providing organizations with a comprehensive approach to protecting their digital assets.

External Attack Surface Management

External ASM focuses on an organization’s assets that are exposed to the public internet, such as web applications, cloud-based resources, IP addresses, and domain names that could be exploited by attackers. These internet-facing services are the first thing attackers see and are routinely probed for vulnerabilities or misconfigurations.

Internal Attack Surface Management

Internal ASM addresses risks within an organization’s private network, including devices, applications, and systems that are not publicly accessible but could be exploited once attackers gain a foothold. It is particularly relevant for combating advanced persistent threats (APTs) and insider threats, which typically involve lateral movement and privilege escalation within the network. Legacy systems and poorly secured internal servers are common targets for attackers already inside the network.

Cyber Asset Attack Surface Management

Cyber Asset ASM focuses on managing and securing individual assets across an organization, including endpoints, user accounts, cloud instances, and mobile devices. This is especially critical in today’s hybrid work environments, where assets are spread across on-premises and cloud-based infrastructures. Organizations operating in multi-cloud environments often have diverse assets, such as containers, virtual machines, and APIs. 

Open Source Attack Surface Management

Open Source ASM focuses on managing risks associated with open-source technologies and publicly accessible information. Open-source software is widely used, and because its code and its vulnerabilities are public and patching depends on community maintainers, unpatched components are easy for attackers to find and exploit. Additionally, attackers often harvest exposed data such as leaked credentials, API keys, or sensitive configuration files from public repositories such as GitHub.
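Finding leaked credentials in public repositories before an attacker does is the core detection task of Open Source ASM. The following is an added example (not Trend Micro’s code, and not the detection logic of any product) of a minimal line-based secret scanner run over a constructed repository snapshot. It combines format-specific patterns for well-known key shapes with a generic “name = value” pattern that is only reported when the value’s Shannon entropy suggests randomness, which filters out placeholders. The file contents, the simplified patterns and the 4.0 bits/character threshold are assumptions; the AWS key shown is Amazon’s documented example key, not a live credential.

```python
"""Minimal secret scanner over a constructed repository snapshot.

Added example, not Trend Micro's code. Patterns are simplified and the
entropy threshold is an assumption; tune both against your own corpus.
"""
import math
import re

# Constructed repository snapshot: path -> contents. The AWS key is Amazon's
# documented example key; every other value here is made up.
REPO = {
    "config/prod.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        'API_KEY="x7Gq2mN9pL4vB8kR1tY6wZ3cF5hJ0dS2"\n'
    ),
    "README.md": 'Set API_KEY="placeholder_value_here" before running.\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed, body omitted)\n",
    ".github/workflows/ci.yml": "  token: ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
}

# Format-specific patterns (simplified versions of well-known key shapes).
SPECIFIC = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic "name = value" assignment; the captured value is checked for
# randomness so that documentation placeholders are not reported.
GENERIC = re.compile(
    r"(?i)(?:api[_-]?key|secret|password|token)\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-]{16,})"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption, not a standard value


def shannon_entropy(s):
    """Bits of entropy per character; ~3.4 for English text, ~5+ for random base64."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_line(path, lineno, line):
    """Return (path, line number, finding type) tuples for one line."""
    findings = [(path, lineno, kind) for kind, pat in SPECIFIC.items() if pat.search(line)]
    if findings:
        return findings  # a specific match already explains this line
    m = GENERIC.search(line)
    if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
        findings.append((path, lineno, "high_entropy_assignment"))
    return findings


def scan_repo(repo=REPO):
    """Scan every file line by line and collect findings in repository order."""
    findings = []
    for path, text in repo.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            findings.extend(scan_line(path, lineno, line))
    return findings


if __name__ == "__main__":
    for path, lineno, kind in scan_repo():
        print(f"{path}:{lineno}: {kind}")
```

Two limits matter in practice. Pattern-based scanning only catches shapes you have written patterns for, so the generic entropy check is what gives coverage for unknown vendors’ tokens, at the cost of false positives on things like hashes and UUIDs. And scanning only the current tree misses secrets that were committed and later removed; a production scanner walks the full history, because the attacker’s tooling does.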

Attack Surface Management vs. Cyber Risk Management

Attack surface management (ASM) is an essential element of cyber risk management, and together, they help organizations improve their cybersecurity situational awareness—proactively identifying, prioritizing, and mitigating threats.

Cyber risk management is an over-arching cybersecurity approach that goes beyond ASM, focusing on knowing and mitigating risks across the whole business. A good cyber risk management framework helps determine which risks are most relevant, supporting ‘risk-informed decision making’ to reduce overall threat exposure. That allows security teams to strengthen defenses, minimize vulnerabilities, and inform their organizations’ overall risk management and strategic planning processes.

What are the benefits of ASM?

Good attack surface management provides a wide range of benefits for organizations, starting with strengthening the overall security posture by bringing more visibility to the entire IT environment and attack surface. That in turn helps reduce risk, supported by ongoing monitoring and reassessment to keep risk levels down.

This gives peace of mind to the security team, as well as offering significant benefits to the overall business. Visibility of the attack surface allows for greater transparency and control over assets, reducing the risk of cyberattacks and lowering costs. When security teams are able to act faster and more effectively, organizations are better positioned to ensure business continuity, because when attacks are identified and mitigated sooner, there is less risk of significant disruption.

How can we implement ASM?

ASM requires a cyber risk exposure management solution that is integrated with a cybersecurity platform that takes a proactive approach to carry out the phases of discovery, assessment, and mitigation.

Choosing a platform with strong security operations capabilities such as security information and event management (SIEM), endpoint detection and response (EDR), and extended detection and response (XDR) is especially important. XDR in particular provides essential data and analytics on how current attack surface protections are performing. Those insights help make the risk assessment phase more accurate.

Where can I get help with attack surface management?

Attack surface management on its own isn’t enough in today’s demanding risk landscape. Organizations require cyber risk exposure management capabilities to proactively predict, uncover, assess, and mitigate risks and significantly reduce their cyber risk footprint.

Trend Vision One™ offers a Cyber Risk Exposure Management (CREM) solution that takes a revolutionary approach by combining key capabilities, including External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM), Vulnerability Management, and Security Posture Management, across cloud, data, identity, APIs, AI, compliance, and SaaS applications into one powerful, easy-to-use solution.

Trend Vision One™ Cyber Risk Exposure Management (CREM) can help you with attack surface management and beyond.