What is attack surface management?

Sumeetha M

~ 6 mins read | October 19, 2021

In March 2021, Gartner recognized External Attack Surface Management (EASM) as an emerging technology that can help organizations identify the risks their digital assets face and chart their threat landscape. Following this, security leaders were urged to start managing their attack surfaces in order to stay ahead of emerging threats.

In this blog, Securin examines the various facets of Attack Surface Management (ASM) and highlights why it should be a top priority for CISOs, CTOs, CIOs and security teams.

What is an attack surface?

An attack surface is the sum of all digital assets owned by an organization, together with the operating systems, applications, databases, and data they hold.

Attack Surface Management (ASM) is the continuous discovery, classification, exposure prioritization and security monitoring of the digital assets an organization uses. The process helps security teams manage the exposures in their digital assets and prioritize remediation based on the threat context and asset criticality unique to the organization.

Why is Attack Surface Management important?

Attack Surface Management helps organizations act against threats proactively and prevent risks arising from known, unknown, unpatched, legacy, and Shadow IT devices and applications. As businesses become more agile, their reliance on SaaS and cloud services grows rapidly, and the attack surface has become highly dynamic and complex. It comprises exposures within assets that are either unknown or overlooked, and these act as gateways into an organization that can lead to a breach.

Organizations can reduce their cyber exposure significantly if they know their attack surface and manage their unpatched assets, outdated legacy systems, public repositories, vendor-managed assets, and lax access control measures. Shadow IT is another avenue of risk: hardware or software purchased and used by employees without the knowledge of the IT department, resulting in serious security gaps.

Components of ASM

There are four essential components in a successful ASM program:

  1. Continuous Discovery

    To manage an attack surface effectively, assets need to be continuously discovered and mapped. By identifying and mapping organizational assets, security teams gain visibility into their attack surface, including Shadow IT, which is unarguably the most dangerous menace to an organization's security posture.

    Insight Global, a vendor that provided COVID-19 contact tracing services for the Pennsylvania Department of Health (DOH), suffered a data breach that exposed the health records of 70,000 residents. The exposure was caused by employees using several unauthorized Google accounts to share information. The debacle ended with the vendor losing its multi-million dollar contract with the Pennsylvania DOH.

  2. Asset Categorization and Analysis

    Fingerprinting an asset for its attributes (type and position in the organization's network) is essential to gain a contextual view of the attack surface. This is followed by connecting and correlating individual assets with their exposures (vulnerabilities, misconfigurations, expired certificates, hard-coded secrets, and more). At the end of this stage, each asset's exposure profile is complete, and the organization can see its attack surface from an attacker's perspective.

  3. Contextual Prioritization

    Not all assets and exposures are created equal. Each asset's criticality to the organization, and the severity of the business impact should it be breached, need to be evaluated. Parts of this complex asset discovery and exposure prioritization process are still done manually today, which is why organizations struggle to secure their attack surface. ASM automates the process so that exposures are prioritized continuously from a vast volume of asset data. Contextual prioritization helps security teams fix the vulnerabilities that are critical for the organization before an attacker can exploit them.

  4. Remediate

    Security teams can use the insights derived from exposure prioritization to remediate the high-impact exposures and strengthen the enterprise network by implementing security best practices. The outcome of such remediation can take one of these forms:

    • Reducing the attack surface - Removing vulnerable assets entirely or paring down extraneous assets.
    • Configuring assets correctly - Fixing misconfigurations.
    • Improved patching cadence - Bringing down Mean Time To Remediate by keeping patches up to date.
    • Shadow IT reduction - Identifying and removing Shadow IT traces from the network.

In addition, latency metrics such as Mean Time To Detect (MTTD), Mean Time To Remediate (MTTR) and Mean Time of Exposure (MToE) allow for continuous monitoring, empowering enterprise security teams to track and improve their exposure mitigation response. Such metrics also enable C-suite executives to make strategic, data-driven decisions that lead to a robust cybersecurity strategy.
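The four components and the latency metrics above can be made concrete with a small inventory model. The Python below is an added example written for this page, not Securin's code or any vendor's formula: the assets, exposures, timestamps and scoring weights are constructed sample data, and the weighting scheme (technical severity times asset criticality, adjusted for internet exposure, known exploitation and Shadow IT status) is an illustrative choice, not a standard.

```python
"""Toy ASM inventory: Shadow IT discovery, contextual prioritization and
latency metrics (MTTD, MTTR, MToE). Added example, not Securin code; every
asset, exposure, timestamp and weight below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional


@dataclass
class Exposure:
    kind: str                        # vulnerability, misconfiguration, expired_cert, hardcoded_secret
    severity: float                  # 0.0 - 10.0, CVSS-like technical severity
    first_seen: datetime             # when the exposure became reachable (constructed)
    detected: datetime               # when continuous discovery found it
    remediated: Optional[datetime] = None
    exploited_in_wild: bool = False  # threat context: active exploitation is known


@dataclass
class Asset:
    name: str
    criticality: int                 # 1 (low) .. 5 (crown jewel), set by the business owner
    internet_facing: bool
    sanctioned: bool = True          # False = Shadow IT: no owner, no patch process
    exposures: List[Exposure] = field(default_factory=list)


def shadow_it(assets: List[Asset]) -> List[str]:
    """Component 1: discovered assets that nobody in IT sanctioned."""
    return [a.name for a in assets if not a.sanctioned]


def priority_score(asset: Asset, exp: Exposure) -> float:
    """Component 3: technical severity weighted by business and threat context.
    The weights are an assumption of this example, not a standard."""
    score = exp.severity * asset.criticality   # 0 .. 50
    if asset.internet_facing:
        score *= 1.5                           # reachable by anyone on the internet
    if exp.exploited_in_wild:
        score *= 2.0                           # attackers already have a working path
    if not asset.sanctioned:
        score *= 1.2                           # Shadow IT: nobody is patching it
    return round(score, 1)


def prioritized(assets: List[Asset]):
    """Open exposures as (score, asset, kind) tuples, highest priority first."""
    rows = [(priority_score(a, e), a.name, e.kind)
            for a in assets for e in a.exposures if e.remediated is None]
    return sorted(rows, reverse=True)


def latency_metrics(assets: List[Asset]):
    """MTTD, MTTR and MToE in hours over remediated exposures (None if none closed)."""
    closed = [e for a in assets for e in a.exposures if e.remediated is not None]
    if not closed:
        return None

    def hours(td: timedelta) -> float:
        return td.total_seconds() / 3600

    return {
        "MTTD_h": mean(hours(e.detected - e.first_seen) for e in closed),
        "MTTR_h": mean(hours(e.remediated - e.detected) for e in closed),
        "MToE_h": mean(hours(e.remediated - e.first_seen) for e in closed),
    }


def sample_inventory() -> List[Asset]:
    """Constructed inventory: three assets, five exposures, two already fixed."""
    t0 = datetime(2021, 10, 1)

    def h(n: int) -> datetime:
        return t0 + timedelta(hours=n)

    return [
        Asset("payments-api", criticality=5, internet_facing=True, exposures=[
            Exposure("vulnerability", 9.8, t0, h(6), exploited_in_wild=True),
            Exposure("expired_cert", 5.0, t0, h(6), remediated=h(30)),
        ]),
        Asset("hr-portal-test", criticality=2, internet_facing=True, sanctioned=False, exposures=[
            Exposure("misconfiguration", 7.5, t0, h(72)),
        ]),
        Asset("wiki", criticality=3, internet_facing=False, exposures=[
            Exposure("hardcoded_secret", 8.0, t0, h(1)),
            Exposure("vulnerability", 6.5, t0, h(2), remediated=h(50)),
        ]),
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    print("Shadow IT:", shadow_it(inv))
    for score, asset, kind in prioritized(inv):
        print(f"{score:6.1f}  {asset:15s} {kind}")
    print(latency_metrics(inv))
```

Two things the sample data is built to show: the 7.5-severity misconfiguration on the unsanctioned, internet-facing test portal outranks the 8.0-severity hard-coded secret on the internal wiki, which is what "contextual" prioritization means in practice, and because MToE measures first-seen to fixed, it equals MTTD plus MTTR for each exposure, so a team that only shortens detection without shortening remediation leaves its exposure window largely unchanged.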

How can Securin help you?

Securin is a solution that provides comprehensive attack surface discovery and in-depth threat context for a wide range of assets - cloud, active and passive, APIs, containers, and external and internal assets. It takes organizational context into account and prioritizes the right exposures to fix, enabling faster remediation.

The added threat context and organizational asset context, along with the insights obtained by automating validation and exposure triage, are what make this solution unique for each organization.