The attack surface and importance of attack surface management

The rapid and continuous expansion of organizations’ attack surface and digital footprint has led to (external) attack surface management being one of the most important cybersecurity trends in 2022. 

Attack surface management (ASM) is hot. In fact, several factors are not only contributing to the expansion of organizations’ attack surfaces but simultaneously ensuring that attack surface monitoring and management will continue to grow strongly for several more years.

The increased complexity of environments and expansion beyond what used to be a defined perimeter has many searching for solutions that help security teams understand and manage their entire attack surface (Michelle Abraham, research director, Security and Trust at IDC)

Some of these factors have been in place for several years. Think, among others, of digital transformation, the changing IT vision and approach, digital ecosystems, decentralization, shadow IT, cloud, remote work and the future of work evolution, and the Internet of Things. This small list is far from exhaustive.


Other factors driving the growth of organizations’ digital footprint and attack surface, and, as a result, the need to manage it all, are directly related to developments during the COVID-19 pandemic and/or to developments in cyberattacks and cybercrime, the increase in supply chain attacks being one of them.

The attack surface and what managing it means

We begin with a brief overview of the attack surface and why monitoring and managing it matters.

Next, we take a quick look at how ‘new’ cybersecurity technologies and terms such as External Attack Surface Management (EASM) and Cyber Asset Attack Surface Management (CAASM) fit in. We also very briefly explore their relationship with other security domains.

In terms of terminology, usage differs between cybersecurity vendors and between the analyst firms specialized in IT and security. For instance, only a few of the analysts use the term external attack surface management, while others use attack surface management. You will also see synonyms employed, and not everyone is equally consistent, both for attack surface and for attack surface management.

The term attack surface initially referred to the total of all vulnerabilities and access points of a system, application, or network accessible and usable by hackers. NIST defines the attack surface as follows: “The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.”

An attack surface is the total number of points/vectors through which an attacker could try to enter your IT environment (Brad LaPorte)

We often see that which classes or categories of IT assets are included in the ‘notion’ or definition of the attack surface depends heavily on the individual IT and security practitioner.

The IT assets considered part of the attack surface expanded over time as we started using “new” types of connected assets, code, systems, and so forth. The IT world is very dynamic, so it is not only who defines the term but also when the definition you stumble upon was written that matters. The concept of the attack surface itself, where people initially focused on measuring it and keeping it as small as possible, is not that new.

One example of assets that some today include under attack surface management is IoT devices. For the time being, however, these are less widely used and thus less top of mind as part of the enterprise attack surface than, for example, assets and workloads in the cloud. But once you have an IoT (Internet of Things) project in production, it becomes harder to overlook those devices as part of your overall attack surface. So the term evolves, and not everyone understands it the same way.

We also see that everything related to third and even fourth parties (think of third-party risk management, supplier risk management, vendor risk management, and software supply chains) is increasingly included in the attack surface.

To summarize, the definitions and descriptions vary depending on the period in which they were drafted, as the underlying reality is constantly evolving. Reality is dynamic, and digital business reality is even more so. Whatever the case may be, the enterprise attack surface is getting larger. That, of course, matters for the management aspect, and it is certainly not just a matter of a wider palette of asset types and an increase in internet-facing assets.

Research firm Gartner placed attack surface expansion at the forefront of its Top Security and Risk Management Trends list for 2022, which it announced in March 2022.

In this context of the expanding attack surface and the increasing importance of attack surface management, the company, among others, also pointed to the risks associated with more factors that have pushed organizations’ exposed surfaces beyond a set of controllable assets. Gartner, for instance, cites the use of cyber-physical systems (e.g., Industry 4.0) and IoT, open-source code, cloud applications, complex digital supply chains, and social media.

So many security and IT teams struggle to maintain much-needed visibility into an increasingly complex and distributed IT environment because so much of an organization’s estate is unknown or undiscovered due to shadow IT, M&A, and third party/partner activity (Jess Burn, Senior Analyst, Forrester)

EASM and CAASM

Gartner has introduced two new terms in attack surface management in recent years: the previously mentioned External Attack Surface Management (EASM) and Cyber Asset Attack Surface Management (CAASM), referring to new categories of products/solutions per Gartner. They also appear in the Gartner Hype Cycle for Security Operations at the beginning of the ‘innovation trigger’ stage.

Gartner calls EASM an essential new technology (category) in cybersecurity in its Hype Cycle for Security Operations 2021 report, which is offered for download by the EASM vendors mentioned in the report.

Gartner defines EASM as “an emerging product set that supports organizations in identifying risks coming from internet-facing assets and systems that they may be unaware of.”

External Attack Surface Management and Cyber Asset Attack Surface Management are in the innovation trigger stage of the Gartner Hype Cycle for Security Operations 2021 - source Picus Security and Gartner

Former Gartner research analyst Brad LaPorte describes in a blog post how attack surface management (without the ‘external’) was initially defined as “the processes, technology and professional services deployed to discover external-facing enterprise assets and systems that may present vulnerabilities. Examples include servers, credentials, public cloud service misconfigurations, and third-party partner software code vulnerabilities that malicious actors could exploit”.

External Attack Surface Management overlaps with other security domains, such as the already mentioned third-party risk management (TPRM), vulnerability assessment, and digital risk protection services.

In addition to overlapping markets, there are complementary ones such as pentesting (penetration testing), cloud security posture management (CSPM), and more.

Other analysts, such as Forrester and ESG, talk about attack surface management (ASM) when they mean external attack surface management as well.

The external view in trying to manage the total attack surface

Forrester defines attack surface management as follows: “The process of continuously discovering, identifying, inventorying, and assessing the exposures of an entity’s IT asset estate.”

This is also the definition most often used by vendors. Some of them also use terms like digital footprint monitoring, digital risk monitoring, and external attack surface monitoring. In addition, ‘monitoring’ and ‘management’ are often used interchangeably in the context of ASM and similar terms.

ASM is an approach to the security of your digital footprint from the perspective of threat actors.

By focusing on the ‘external’ aspect in EXTERNAL attack surface management, Gartner draws attention to the increase in external cyber threats across an ever-broadening landscape of ecosystems and technology layers with complex supply chains. It should therefore not be surprising that a holistic cybersecurity approach more often takes an outside-in perspective, as is the case with (E)ASM.

Or, perhaps better, an external view. And one of the most often mentioned aspects regarding attack surface management is that it helps organizations see the entire attack surface thanks to this external view. And that typically includes assets companies didn’t even know they had in this increasingly complex digital world. It’s what nearly all vendors and their clients will tell you.

As IDC puts it, “attack surface management, with its external view of the organization, can surface vulnerabilities in systems the organization did not know existed.”

To quote Michelle Abraham, research director, Security and Trust at IDC: “The increased complexity of environments and expansion beyond what used to be a defined perimeter has many searching for solutions that help security teams understand and manage their entire attack surface.”
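The Forrester definition above (continuously discovering, identifying, inventorying, and assessing exposures) and the point that the external view surfaces assets the organization did not know it had can be made concrete in a few lines. The following Python is an added illustration, not code from the article, Forrester, Gartner, IDC, or any vendor: it takes a constructed outside-in discovery result, reconciles it against a constructed internal inventory to separate known from unknown assets, and applies a simple, assumed exposure-scoring policy to rank what a team should look at first. The host names (all under the reserved `.test` domain), owners, service lists, and scoring weights are all assumptions chosen for the example.

```python
# Added example: reconciling an outside-in discovery with the internal inventory.
# Not code from the article or any vendor; every host, owner, service and
# weight below is constructed for illustration.
from dataclasses import dataclass

# Internal inventory: what the organization believes it owns (constructed).
KNOWN_INVENTORY = {
    "www.example.test": {"owner": "web-team", "type": "website"},
    "vpn.example.test": {"owner": "network-team", "type": "vpn"},
    "mail.example.test": {"owner": "it-ops", "type": "mail"},
}


@dataclass(frozen=True)
class Observation:
    """One internet-facing asset as seen from the outside (constructed)."""
    host: str
    services: tuple          # service names observed, e.g. ("https", "ssh")
    cert_expired: bool = False
    source: str = "dns-enumeration"   # which discovery technique reported it


# What an external discovery pass reported (constructed sample data).
DISCOVERED = [
    Observation("www.example.test", ("https",)),
    Observation("vpn.example.test", ("https", "ssh")),
    Observation("old-staging.example.test", ("http", "rdp"),
                source="certificate-transparency"),
    Observation("files.example-cloud.test", ("https",), cert_expired=True,
                source="cloud-storage-enumeration"),
]

# Assumed policy: which services count as exposures when reachable from the internet.
HIGH_RISK_SERVICES = {"rdp", "smb", "telnet", "mysql", "postgres"}
MEDIUM_RISK_SERVICES = {"ssh", "http"}


def reconcile(discovered, inventory):
    """Split discovered assets into known and unknown, and list inventoried
    hosts that the external view no longer sees (stale inventory or decommissioned)."""
    seen = {obs.host for obs in discovered}
    known = [obs for obs in discovered if obs.host in inventory]
    unknown = [obs for obs in discovered if obs.host not in inventory]
    missing = sorted(host for host in inventory if host not in seen)
    return known, unknown, missing


def score(obs, inventory):
    """Crude exposure score: missing ownership, risky services and an expired
    certificate each add weight. Returns (score, list of findings)."""
    total = 0
    findings = []
    if obs.host not in inventory:
        total += 3
        findings.append("no owner in inventory")
    for svc in obs.services:
        if svc in HIGH_RISK_SERVICES:
            total += 3
            findings.append(f"high-risk service {svc} exposed")
        elif svc in MEDIUM_RISK_SERVICES:
            total += 1
            findings.append(f"{svc} exposed")
    if obs.cert_expired:
        total += 2
        findings.append("expired TLS certificate")
    return total, findings


def prioritize(discovered, inventory):
    """Return (score, host, findings) rows, highest risk first; assets with
    no findings are left out so the list is actionable."""
    rows = []
    for obs in discovered:
        total, findings = score(obs, inventory)
        if total:
            rows.append((total, obs.host, findings))
    return sorted(rows, key=lambda row: (-row[0], row[1]))


if __name__ == "__main__":
    known, unknown, missing = reconcile(DISCOVERED, KNOWN_INVENTORY)
    print("unknown to inventory:", [o.host for o in unknown])
    print("in inventory but not seen externally:", missing)
    for total, host, findings in prioritize(DISCOVERED, KNOWN_INVENTORY):
        print(f"{total:2d}  {host:30s} {'; '.join(findings)}")
```

Running it ranks the forgotten staging host (unowned, with an internet-exposed RDP service) above the orphaned cloud storage endpoint and the known VPN gateway, and flags that the inventoried mail host was not seen from outside at all. The "continuously" in the Forrester definition is the part no snippet shows: in practice both inputs are refreshed on a schedule and the deltas, newly unknown hosts and newly missing ones, are what the team reviews.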

Attack surface assets

That is what attack surface management is about: improving security and risk posture and thus, as Michelle Abraham reminds us, improving trust.

One challenge is to have that full attack surface view (and the insights to improve it) by using the right tools. In that context, remember that the attack surface can encompass many elements but isn’t the same for everyone, which goes for the offering of vendors as well. Yet perhaps you don’t need everything; it all depends on choices, risks, and what is most important here and now first.