
What is attack surface management?

It’s 2023, and by now it’s clear that nearly everything can be the object of a cyber attack. But knowing that doesn’t mean organizations are strategically managing and controlling their risks. In fact, a survey of over 6200 security decision makers from Trend Micro and Sapio Research found 73% described their attack surface as “constantly evolving and messy” while 43% said it’s simply “out of control.”

Enter attack surface management, a systematic way for companies to find, track and manage all potential internal and external areas of vulnerability. Done right, attack surface management, or ASM, is a way organizations can thwart bad actors and drastically decrease the risk of security breaches. 

ASM is a key piece of a company’s security posture, but it can be difficult to implement and maintain without the right tools. Here’s everything you need to know about the role ASM plays in improving the response to threats to security as well as best practices teams should follow in order to get the most out of it.

What is an attack surface?

According to the National Institute of Standards and Technology (NIST), an attack surface is:

The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.

To put it another way, an organization’s attack surface can be any of the following things: 

  • All assets, secure, insecure, identified or not identified, active or not, managed or not

  • Anything created via “shadow” IT

  • All hardware and software

  • Anything generated through or used by software-as-a-service

  • Anything in the cloud

  • Anything on the edge (IoT, 5G, etc.)

  • Anything managed by a third party

  • Anything related to remote work

So an attack surface can be literally anything, which makes it *very* challenging to even know where to begin tracking it all, let alone how to systematically stay ahead.

If there’s one thing to remember about attack surfaces, it’s this: less is more.

How attack surface management works

To get to “less”, an organization first needs to know what’s there: it’s impossible to eliminate what isn’t known about, and that’s what ASM is all about. Attack surface management should bring three key elements to an organization’s security efforts: automation, a hacker’s mindset, and a focus on uncovering the unknown.

Automate discovery

Even a small company is likely to be surprised by the vast number of assets created simply by doing business as usual. No team of human beings will be able to easily identify and track all of these potential surfaces, which is why creating an automated (and thus continuous) process of discovery and monitoring is a critical step in ASM. The best ASM automation efforts will also simplify collaboration and communication because as assets are discovered, stakeholders will be automatically looped in, so decisions on criticality can be made. In the end, an automated ASM loop will constantly be looking at what’s there, what’s just been added, and keeping everyone up to date about the state of the attack surface.
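The discovery loop described above, as an added example that is not code from the original post or from ProjectDiscovery: successive discovery runs are diffed against each other, every newly seen asset is checked against the inventory the team actually owns, and anything without an owner is routed for triage. The hostnames, scan results and the `needs_owner` routing are constructed for illustration.

```python
from datetime import datetime

# Constructed sample: the assets the organization knows about, with an owner each.
KNOWN_ASSETS = {
    "www.example.com": "web-team",
    "api.example.com": "platform",
    "vpn.example.com": "it-ops",
}

# Constructed sample: three successive discovery runs (timestamp, hosts seen).
SCANS = [
    (datetime(2023, 3, 1), {"www.example.com", "api.example.com", "vpn.example.com"}),
    (datetime(2023, 3, 2), {"www.example.com", "api.example.com", "vpn.example.com",
                            "demo-2023.example.com"}),
    (datetime(2023, 3, 3), {"www.example.com", "api.example.com",
                            "demo-2023.example.com", "staging-db.example.com"}),
]


def diff_scans(previous, current):
    """Assets that appeared and assets that disappeared between two runs."""
    return sorted(current - previous), sorted(previous - current)


def classify(hosts, known=KNOWN_ASSETS):
    """Split discovered hosts into managed (has an owner) and unknown (shadow IT)."""
    managed = sorted(h for h in hosts if h in known)
    unknown = sorted(h for h in hosts if h not in known)
    return managed, unknown


def run_discovery_loop(scans, known=KNOWN_ASSETS):
    """Walk successive scans in order, recording when each asset was first seen,
    what changed on each run, and which new assets have no owner yet."""
    first_seen, events, previous = {}, [], set()
    for ts, hosts in scans:
        added, removed = diff_scans(previous, hosts)
        for host in added:
            first_seen.setdefault(host, ts)
        _, unknown = classify(added, known)
        # Hypothetical triage routing: unknown assets need an owner assigned
        # before anyone can decide how critical they are.
        events.append({"at": ts, "added": added, "removed": removed,
                       "needs_owner": unknown})
        previous = hosts
    return first_seen, events
```

Each run only reports the delta, so stakeholders see what just appeared or vanished rather than the full inventory every time.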

Think like an attacker

If automation is the engine of ASM, its guidance system is a hacker mentality. What distinguishes ASM from traditional threat detection and other security vulnerability efforts is the way hacker behaviors are literally codified into how a team approaches cyber security risks. 

To understand what that means in the real world, consider penetration testing, a key tool that periodically tests for known vulnerabilities. Pen testing might happen monthly or quarterly, while hackers are busy scanning a target’s surfaces routinely, if not daily, and with a level of detail and an open mind that pen testing simply can’t provide. Pen testing helps an organization understand potential risks, while hackers are looking everywhere for an opening. So ASM flips the script and makes it possible to see what the hacker sees. If you can see it, obviously it’s easier to defend against it.

Uncover the unknown

ASM’s third secret weapon centers on one central belief: you don’t know what you don’t know. That’s the problem with looking from the inside out - organizations are only going to see what they expect to see because no one hunts for something they don’t expect to find. But that’s exactly what bad actors do - every. single. day. They’re searching for the leaked password, or open door, or quickly created one-time use website that still contains sensitive data. So without the right tools - and a wide-open mindset - it will be impossible to actually map an attack surface in its entirety. 

This is definitely a case of what you don’t know will hurt you.

How ASM helps existing security efforts

At a time when security pros are in short supply, it’s tempting to think ASM is the answer to all of an organization’s security needs, but don’t make the mistake of thinking it can replace red teams, penetration testing, or other established security processes. Ideally ASM works *with* existing security efforts and, by providing a very detailed analysis of assets, should actually make it easier for other processes and teams to be more successful. Pen testing can be directed at identified and suspected vulnerabilities. Red teams, often stretched way too thin, can stop aimless hunts and focus their expertise on the issues that matter most to the organization.

How to sell ASM to the C-suite

For many organizations, security continues to be somewhat neglected: on average in 2022, an enterprise devoted only 9.9% of its tech budget to security, according to data published in VentureBeat. But cybersecurity attacks increased 38% from 2021 to 2022, according to Security Magazine, so clearly there’s a disconnect.

And the disconnect is even more worrying when looking at a typical organization’s attack surface. A survey from the Massachusetts Institute of Technology found fully half of respondents experienced a security breach from assets that weren’t known about, managed, or dealt with correctly. Data from ESG Research indicated about one-third of organizations found highly “sensitive” data in areas they didn’t even know existed, while almost 30% found mystery SaaS applications running. And finally, the attack surface problem isn’t going to go away on its own. Randori’s 2022 State of Attack Surface Management found 67% of organizations expect their attack surfaces to expand over the next year.

At a time when hackers have never been more tech savvy or persistent, organizations can’t simply carry on in the typical way. ASM promises a fresh, automated and systematic way to find, deal with, and control assets, giving an organization a clear look into what attackers are seeing. If it’s findable, it’s fixable, and, bonus, ASM also takes the burden off the rest of the security team, making them more able to focus on the tasks that matter most.

ASM best practices

To get the most out of an ASM effort, there are a number of key principles to keep in mind.

  1. The best ASM solutions don’t just behave like hackers, they’re actually *used* by hackers. That’s more than a nice distinction: it’s an organization’s best bet to keep up with increasingly sophisticated bad actors (and the cool factor may also pique the interest of the C-suite).

  2. Remember what matters most: the most important security metric is the time from disclosure to detection. ASM can help organizations drastically reduce this time by surfacing hidden assets.

  3. The most effective ASM is continuous, not weekly, monthly or quarterly.

  4. Automation is also a must-have, but it needs to easily integrate with existing systems. 

  5. Start with open source and avoid vendor lock-in.

  6. Decide, ahead of time, how to prioritize vulnerability remediation. Now that the team has a steady flow of attack surface data, don’t waste time making up rules on the fly. Go into the process completely prepared.

  7. Don’t forget the culture piece. There’s a lot of security lip service out there - and we get it. But ASM isn’t old school, top-down security. Attack surface management brings security data to everyone, enabling better communication and collaboration and actually helping existing security pros and processes to function more efficiently and effectively. So make clear everyone understands this is a fundamentally new and fresh approach to security that’s going to help and not hinder.

  8. Bring the auditors in. As an added bonus, ASM can help with compliance because it’s tracking all of the things. Be sure the compliance team is fully briefed, and remind the C-suite that more documented data is always a good thing.

  9. Build onto ASM success. Now that a company knows what’s out there, reach out for tools that can automatically scan, remediate, communicate and even double-check, then leverage all this new information to truly achieve better security.

Tired of being hacked? ASM is the answer

In most organizations, security needs a fresh start. Attack surface management is exactly that - a wholly different way to discover the unknown, automate the process, and outhack the attackers by behaving like they do. ASM not only can help level the playing field but it can make existing security efforts more successful. ASM is a key step in the process of democratizing security, something ProjectDiscovery is passionate about.

Intrigued? Take a deeper dive into a brave new (and democratic) world of security.

Ready to get started?

ProjectDiscovery Cloud Platform

Use automation, integration, and continuous scanning to help defend the modern tech stack.

Free trial

Join our Community

Our diverse community spans members from full-time bug bounty hunters to Fortune 500 security engineers.