July 26, 2023 By Jonathan Reed 4 min read

Cloud adoption, digital transformation and the remote work explosion have widened nearly every company’s digital footprint and attack surface. Today’s enterprise is more distributed and more dynamic than ever — and new assets connect to a company’s network daily. According to one report, 67% of organizations have seen their attack surfaces expand in the preceding two years. To make things worse, 69% have been compromised by an unknown or poorly managed internet-facing asset in the past year.

For these reasons, Gartner named attack surface expansion a top security and risk management trend. More recently, GigaOm released an extensive report on attack surface management and leading vendors in the space.

What is attack surface management?

Attack surface management (ASM) is the continuous discovery, analysis, remediation and monitoring of security vulnerabilities and potential attack vectors that make up an organization’s attack surface. The attack surface is the sum of vulnerabilities, pathways or methods that adversaries can use to launch an attack, breach a network or access sensitive data.

Unlike other security methods, ASM is conducted entirely from a hacker’s perspective. This means ASM identifies targets and assesses risks based on the opportunities they present to a malicious actor. ASM works by mimicking methods and resources that hackers use. The techniques are executed by ‘ethical hackers’ who understand cyber criminal behaviors and are adept at copying malicious activity.

Given the vast number and variety of services, APIs, applications, IPs, infrastructure and host types (on-premises or cloud), an organization’s attack surface is in constant flux. Therefore, automated tracking of changes is a central part of any ASM solution. But simply defining all the components of the attack surface isn’t enough. Determining asset type and the level of risk involved is another key characteristic of ASM.

Explore IBM Security Randori solutions

ASM evaluation categories

ASM is relatively new as a cyber defensive tool, which means it continues to evolve. As more vendors enter this space, they must innovate to differentiate from one another. Security decision-makers should be aware that the full potential of ASM has yet to be realized.

The GigaOm report divided ASM solutions into two market segments:

  • Small enterprise: This category included solutions that meet the needs of organizations, from small businesses to medium-sized companies. Solutions in this category were evaluated for simplified cost structures which makes ASM achievable for small security budgets.
  • Mid-market and large enterprise: Here, offerings were assessed based on how they fit large and business-critical projects. The best solutions in this category focus on flexibility, performance, data services and features that improve security and data protection. The ability to deploy the same service in different environments (scalability) was also considered.

Furthermore, two deployment models were evaluated in the GigaOm report:

  • Software as a Service (SaaS): These are cloud-only solutions designed, deployed and managed by the service provider. SaaS ASM solutions are available only from a specific provider.
  • Hybrid: These solutions are cloud-based, similar to cloud-only solutions. But hybrid solutions also leverage a sensor, collector or agent as an additional telemetry source. This leads to a better understanding of the composition of a company’s technical environment.

The key criteria measured by the GigaOm report included:

  • Flexibility in asset discovery
  • Active assessment
  • Converged protections
  • Internal ASM
  • Risk scoring
  • Asset categorization.

Rounding out the analysis, evaluation metrics included:

  • Extensibility
  • Frequency of discovery
  • Licensing
  • User experience.

Top ASM performers

The GigaOm analysis can be summarized with its “Radar Report,” which is represented in graphic form below. The Radar consists of a series of concentric rings, with those set closer to the center judged to be of higher overall value.

Each vendor is represented by two axes — balancing Maturity versus Innovation and Feature Play versus Platform Play. Meanwhile, an arrow projects each solution’s evolution over the coming 12 to 18 months. The solution closest to the center was IBM Security Randori. It was also predicted to improve even more over the next year or so.

What makes a formidable ASM solution?

ASM consists of four core processes: asset discovery, classification and prioritization, remediation and monitoring. Again, since the contours of the digital attack surface change constantly, ASM processes must be continuous. The goal of ASM is to ensure that the security teams have a complete and current inventory of exposed assets. Also, ASM provides an accelerated response to vulnerabilities and threats that pose the greatest risk to the organization.

As an illustration, Randori Recon has robust passive and active scanning capabilities. For passive scanning, numerous public repositories (ARIN, Clearbit, Crunchbase, Zetalycis and WHOIS) are queried to build an organization’s profile. Active assessment executes interactive information gathering on assets, using techniques like running DirBuster on identified directories, attempting telnet and secure shell (SSH) to common ports and scraping when detections occur.

Another notable feature of Recon is its risk scoring called the “target temptation score.” This score uses common vulnerability information like CVE data and also considers other factors such as an asset’s unique characteristics and business value. A final score is then assessed to help security teams prioritize their limited remediation cycles. This capability is ultimately what all ASM tools strive to achieve, but many fall short.

Finally, Recon integrates well with other security tools. It includes native bi-directional integrations with many popular tools as well as an open API that can help develop bespoke integrations.

The times call for ASM

Traditional asset discovery, risk assessment and vulnerability management processes were developed when networks were more static, defined and centralized. Those solutions can’t keep up with today’s reality. With an ever-changing attack surface, new vulnerabilities and attack vectors arise continuously. Penetration testing works for suspected vulnerabilities in known assets but can’t help identify new cyber risks and vulnerabilities that arise daily.

ASM’s continuous workflow and hacker perspective enable security teams and security operations centers (SOCs) to establish a proactive security posture. In the face of a constantly expanding and variable attack surface, ASM solutions provide real-time visibility into vulnerabilities and attack vectors as they emerge.

Read the full GigaOm Radar for Attack Surface Management report here.

More from News

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today