

Attack surface management (ASM) refers to processes and technologies that take a hacker’s view and approach to an organization’s attack surface—discovering and continuously monitoring the assets and vulnerabilities that hackers see and attempt to exploit when targeting the organization. ASM typically involves:
Continuous discovery, inventory, and monitoring of potentially vulnerable assets. Any ASM initiative begins with a complete and continuously updated inventory of an organization’s internet-facing IT assets, including on-premises and cloud assets. Taking a hacker’s approach ensures discovery not only of known assets but also of shadow IT applications or devices, of applications or devices that were abandoned but never deleted or deactivated (orphaned IT), of assets planted by hackers or malware (rogue IT), and more: essentially any asset that a hacker or cyberthreat can exploit.
Once discovered, assets are monitored continuously, in real time, for changes that raise their risk as a potential attack vector.
Attack surface analysis, risk assessment and prioritization. ASM technologies score assets according to their vulnerabilities and the security risks they pose, and prioritize them for threat response or remediation.
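The discovery, change monitoring and prioritization steps above can be illustrated with a small inventory monitor. This is an added example, not code from the original page or from any ASM product: it diffs two constructed discovery snapshots, flags reachable hosts that are absent from the approved inventory (shadow IT candidates) and services that were not exposed in the previous scan, scores each finding with illustrative exposure weights (an assumption, not a standard), and ranks the findings so the riskiest land on top.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from any real scan). Exposure weights are an
# illustrative assumption used only for ranking, not an industry standard.
PORT_RISK = {23: 5, 445: 5, 3389: 5, 3306: 4, 9200: 4, 22: 3, 80: 1, 443: 1}
UNKNOWN_ASSET_RISK = 4   # host is reachable but absent from the approved inventory
UNKNOWN_ASSET_BONUS = 2  # extra weight for exposures on such a host

# Approved inventory maintained by the security team (constructed).
KNOWN_ASSETS = {"www.example.com", "api.example.com"}

# Snapshots from two consecutive discovery runs: host -> set of (port, service).
PREVIOUS = {
    "www.example.com": {(443, "https")},
    "api.example.com": {(443, "https")},
}
CURRENT = {
    "www.example.com": {(443, "https"), (22, "ssh")},       # ssh newly exposed
    "api.example.com": {(443, "https")},
    "dev-db.example.com": {(22, "ssh"), (3306, "mysql")},  # never inventoried: shadow IT candidate
}

@dataclass(order=True)
class Finding:
    score: int
    asset: str = field(compare=False)
    reason: str = field(compare=False)

def diff_snapshots(previous, current, known=KNOWN_ASSETS):
    """Compare two discovery snapshots and return findings ranked by risk, highest first."""
    findings = []
    for asset, services in current.items():
        unknown = asset not in known
        if unknown:
            findings.append(Finding(UNKNOWN_ASSET_RISK, asset, "asset not in approved inventory"))
        # Only exposures absent from the last scan raise the asset's risk as an attack vector.
        for port, service in sorted(services - previous.get(asset, set())):
            score = PORT_RISK.get(port, 2) + (UNKNOWN_ASSET_BONUS if unknown else 0)
            findings.append(Finding(score, asset, f"new exposure {service}/{port}"))
    for asset in sorted(previous.keys() - current.keys()):
        findings.append(Finding(0, asset, "no longer observed; confirm it was decommissioned"))
    return sorted(findings, reverse=True)

def report(findings):
    """Render the ranked findings one per line, ready for a ticket or an alert."""
    return "\n".join(f"[{f.score}] {f.asset}: {f.reason}" for f in findings)

if __name__ == "__main__":
    print(report(diff_snapshots(PREVIOUS, CURRENT)))
```

Hosts that disappear between scans are reported with score 0 rather than dropped, so the team can confirm the removal was a deliberate decommissioning rather than a monitoring gap.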
Attack surface reduction and remediation. Security teams can apply their findings from attack surface analysis and red teaming to take various short-term actions to reduce the attack surface. These might include enforcing stronger passwords, deactivating applications and endpoint devices no longer in use, applying application and OS patches, training users to recognize phishing scams, instituting biometric access controls for office entry, or revising security controls and policies around software downloads and removable media.
Organizations might also take more structural or longer-term security measures to reduce their attack surface, either as part of or independent of an attack surface management initiative. For example, implementing two-factor authentication (2FA) or multifactor authentication can reduce or eliminate potential vulnerabilities that are associated with weak passwords or poor password hygiene.
On a broader scale, a zero trust security approach can significantly reduce an organization’s attack surface. A zero trust approach requires that all users, whether outside or already inside the network, be authenticated, authorized, and continuously validated to gain and maintain access to applications and data. Zero trust principles and technologies—continuous validation, least-privileged access, continuous monitoring, network microsegmentation—can reduce or eliminate many attack vectors and provide valuable data for ongoing attack surface analysis.