Attack surface management (ASM) is the continuous discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization’s attack surface.
Unlike other cybersecurity disciplines, ASM is conducted entirely from a hacker’s perspective, rather than the perspective of the defender. It identifies targets and assesses risks based on the opportunities they present to a malicious attacker. ASM relies on many of the same methods and resources that hackers use, and many ASM tasks and technologies are devised and performed by ‘ethical hackers’ familiar with cybercriminals’ behaviors and skilled at duplicating their actions.
External attack surface management (EASM), a relatively new ASM technology, is sometimes used interchangeably with ASM. But EASM focuses specifically on the vulnerabilities and risks presented by an organization’s external or internet-facing IT assets (sometimes referred to as an organization’s digital attack surface). ASM also addresses vulnerabilities in an organization’s physical and social engineering attack surfaces, such as malicious insiders or inadequate end-user training against phishing scams.
Cloud adoption, digital transformation and the expansion of remote work--all accelerated by the COVID-19 pandemic--have made the average company’s digital footprint and attack surface larger, more distributed and more dynamic, with new assets connecting to the company network daily.
According to Randori’s State of Attack Surface Management 2022 (link resides outside ibm.com) report, 67 percent of organizations have seen their attack surfaces expand in the past 12 months, and 69 percent have been compromised by an unknown or poorly managed internet-facing asset in the past year. (Randori is a subsidiary of IBM Corp.) Industry analysts at Gartner (link resides outside ibm.com) named attack surface expansion a top security and risk management priority for CISOs in 2022.
Traditional asset discovery, risk assessment and vulnerability management processes, which were developed when corporate networks were more stable and centralized, can‘t keep up with the speed at which new vulnerabilities and attack vectors arise in today's networks. Penetration testing, for example, can test for suspected vulnerabilities in known assets, but it can’t help security teams identify new cyber risks and vulnerabilities that arise daily.
But ASM‘s continuous workflow and hacker’s perspective enable security teams and security operations centers (SOCs) to establish a proactive security posture in the face of a constantly growing and morphing attack surface. ASM solutions provide real-time visibility into vulnerabilities and attack vectors as they emerge. They can draw on information from traditional risk assessment and vulnerability management tools and processes for greater context when analyzing and prioritizing vulnerabilities. And they can integrate with threat detection and response technologies—including security information and event management (SIEM), endpoint detection and response (EDR) or extended detection and response (XDR)—to improve threat mitigation and accelerate threat response enterprise-wide.
ASM consists of four core processes: Asset discovery, classification and prioritization, remediation, and monitoring. Again, because the size and shape of the digital attack surface changes constantly, the processes are carried out continuously, and ASM solutions automate these processes whenever possible. The goal is to ensure that the security team always has complete and current inventory of exposed assets, and to accelerate response to the vulnerabilities and threats that present the greatest risk to the organization.
Asset discovery automatically and continuously scans for and identifies internet-facing hardware, software, and cloud assets that could act as entry points for a hacker or cybercriminal trying to attack an organization. These assets can include
Classification, analysis and prioritization
Once assets are identified, they are classified, analyzed for vulnerabilities, and prioritized by ‘attackability‘—essentially an objective measure of how likely hackers are to target them.
Assets are inventoried by identity, IP address, ownership, and connections to the other assets in the IT infrastructure. They’re analyzed for the exposures they might have, the causes of those exposures (e.g., misconfigurations, coding errors, missing patches), and the kinds of attacks hackers may carry out through these exposures (e.g., stealing sensitive data, spreading ransomware or other malware).
Next, the vulnerabilities are prioritized for remediation. Prioritization is a risk assessment exercise: Typically, each vulnerability is given security rating or risk score based on
Typically, vulnerabilities are remediated in order of priority. This can involve:
Remediation can also involve broader, cross-asset measures for addressing vulnerabilities, such as implementing least-privileged access or multi-factor authentication (MFA).
Because security risks in the organization's attack surface change any time new assets are deployed or existing assets are deployed in new ways, both the inventoried assets of the network and the network itself are continuously monitored and scanned for vulnerabilities. Continuous monitoring enables ASM to detect and assess new vulnerabilities and attack vectors in real time, and alert security teams to any new vulnerabilities that need immediate attention.
Manage the expansion of your digital footprint and get on target with fewer false positives to improve your organization's cyber resilience quickly.
Connect your tools, automate your security operations center (SOC), and free up time for what matters most.
Adopt a vulnerability management program that identifies, prioritizes and manages the remediation of flaws that could expose your most-critical assets
An organization’s attack surface is the sum of its cybersecurity vulnerabilities.
Insider threats occur when users with authorized access to a company's assets compromise those assets deliberately or accidentally.
A zero trust approach requires that all users, whether outside or already inside the network, be authenticated, authorized and continuously validated in order to gain and maintain access to applications and data
Malware is software code written to damage or destroy computers or networks, or to provide unauthorized access to computers, networks or data.
A guide to securing your cloud computing environment and workloads.
Data security is the practice of protecting digital information from theft, corruption. or unauthorized access throughout its lifecycle.
Organizations have done a good job of finding and fixing known vulnerabilities on managed organizational assets. But the rapid adoption of hybrid cloud models and the permanent support of a remote workforce have made it much more difficult for security teams to manage the expansion of the enterprise attack surface. IBM Security Randori Recon uses a continuous, accurate discovery process to uncover shadow IT, and gets you on target quickly with correlated, factual findings that are based on adversarial temptation. The streamlined workflows improve your overall resiliency through integrations with your existing security ecosystem.