Cloud adoption, digital transformation and the remote work explosion have widened nearly every company’s digital footprint and attack surface. Today’s enterprise is more distributed and more dynamic than ever — and new assets connect to a company’s network daily. According to one report, 67% of organizations have seen their attack surfaces expand in the preceding two years. To make things worse, 69% have been compromised by an unknown or poorly managed internet-facing asset in the past year.

For these reasons, Gartner named attack surface expansion a top security and risk management trend. More recently, GigaOm released an extensive report on attack surface management and leading vendors in the space.

What is attack surface management?

Attack surface management (ASM) is the continuous discovery, analysis, remediation and monitoring of security vulnerabilities and potential attack vectors that make up an organization’s attack surface. The attack surface is the sum of vulnerabilities, pathways or methods that adversaries can use to launch an attack, breach a network or access sensitive data.

Unlike other security methods, ASM is conducted entirely from a hacker’s perspective. This means ASM identifies targets and assesses risks based on the opportunities they present to a malicious actor. ASM works by mimicking methods and resources that hackers use. The techniques are executed by ‘ethical hackers’ who understand cyber criminal behaviors and are adept at copying malicious activity.

Given the vast number and variety of services, APIs, applications, IPs, infrastructure and host types (on-premises or cloud), an organization’s attack surface is in constant flux. Therefore, automated tracking of changes is a central part of any ASM solution. But simply defining all the components of the attack surface isn’t enough. Determining asset type and the level of risk involved is another key characteristic of ASM.

ASM evaluation categories

ASM is relatively new as a cyber defensive tool, which means it continues to evolve. As more vendors enter this space, they must innovate to differentiate from one another. Security decision-makers should be aware that the full potential of ASM has yet to be realized.

The GigaOm report divided ASM solutions into two market segments:

• Small enterprise: This category included solutions that meet the needs of organizations, from small businesses to medium-sized companies. Solutions in this category were evaluated for simplified cost structures which makes ASM achievable for small security budgets.
• Mid-market and large enterprise: Here, offerings were assessed based on how they fit large and business-critical projects. The best solutions in this category focus on flexibility, performance, data services and features that improve security and data protection. The ability to deploy the same service in different environments (scalability) was also considered.

Furthermore, two deployment models were evaluated in the GigaOm report:

• Software as a Service (SaaS): These are cloud-only solutions designed, deployed and managed by the service provider. SaaS ASM solutions are available only from a specific provider.
• Hybrid: These solutions are cloud-based, similar to cloud-only solutions. But hybrid solutions also leverage a sensor, collector or agent as an additional telemetry source. This leads to a better understanding of the composition of a company’s technical environment.

The key criteria measured by the GigaOm report included:

• Flexibility in asset discovery
• Active assessment
• Converged protections
• Internal ASM
• Risk scoring
• Asset categorization.

Rounding out the analysis, evaluation metrics included:

• Extensibility
• Frequency of discovery
• Licensing
• User experience.

Top ASM performers

The GigaOm analysis can be summarized with its “Radar Report,” which is represented in graphic form below. The Radar consists of a series of concentric rings, with those set closer to the center judged to be of higher overall value.

Each vendor is represented by two axes — balancing Maturity versus Innovation and Feature Play versus Platform Play. Meanwhile, an arrow projects each solution’s evolution over the coming 12 to 18 months. The solution closest to the center was IBM Security Randori. It was also predicted to improve even more over the next year or so.

What makes a formidable ASM solution?

ASM consists of four core processes: asset discovery, classification and prioritization, remediation and monitoring. Again, since the contours of the digital attack surface change constantly, ASM processes must be continuous. The goal of ASM is to ensure that the security teams have a complete and current inventory of exposed assets. Also, ASM provides an accelerated response to vulnerabilities and threats that pose the greatest risk to the organization.

As an illustration, Randori Recon has robust passive and active scanning capabilities. For passive scanning, numerous public repositories (ARIN, Clearbit, Crunchbase, Zetalycis and WHOIS) are queried to build an organization’s profile. Active assessment executes interactive information gathering on assets, using techniques like running DirBuster on identified directories, attempting telnet and secure shell (SSH) to common ports and scraping when detections occur.

Another notable feature of Recon is its risk scoring called the “target temptation score.” This score uses common vulnerability information like CVE data and also considers other factors such as an asset’s unique characteristics and business value. A final score is then assessed to help security teams prioritize their limited remediation cycles. This capability is ultimately what all ASM tools strive to achieve, but many fall short.

Finally, Recon integrates well with other security tools. It includes native bi-directional integrations with many popular tools as well as an open API that can help develop bespoke integrations.

The times call for ASM

Traditional asset discovery, risk assessment and vulnerability management processes were developed when networks were more static, defined and centralized. Those solutions can’t keep up with today’s reality. With an ever-changing attack surface, new vulnerabilities and attack vectors arise continuously. Penetration testing works for suspected vulnerabilities in known assets but can’t help identify new cyber risks and vulnerabilities that arise daily.

ASM’s continuous workflow and hacker perspective enable security teams and security operations centers (SOCs) to establish a proactive security posture. In the face of a constantly expanding and variable attack surface, ASM solutions provide real-time visibility into vulnerabilities and attack vectors as they emerge.

Read the full GigaOm Radar for Attack Surface Management report here.