July 26, 2023 By Jonathan Reed 4 min read

Cloud adoption, digital transformation and the remote work explosion have widened nearly every company’s digital footprint and attack surface. Today’s enterprise is more distributed and more dynamic than ever — and new assets connect to a company’s network daily. According to one report, 67% of organizations have seen their attack surfaces expand in the preceding two years. To make things worse, 69% have been compromised by an unknown or poorly managed internet-facing asset in the past year.

For these reasons, Gartner named attack surface expansion a top security and risk management trend. More recently, GigaOm released an extensive report on attack surface management and leading vendors in the space.

What is attack surface management?

Attack surface management (ASM) is the continuous discovery, analysis, remediation and monitoring of security vulnerabilities and potential attack vectors that make up an organization’s attack surface. The attack surface is the sum of vulnerabilities, pathways or methods that adversaries can use to launch an attack, breach a network or access sensitive data.

Unlike other security methods, ASM is conducted entirely from a hacker’s perspective. This means ASM identifies targets and assesses risks based on the opportunities they present to a malicious actor. ASM works by mimicking methods and resources that hackers use. The techniques are executed by ‘ethical hackers’ who understand cyber criminal behaviors and are adept at copying malicious activity.

Given the vast number and variety of services, APIs, applications, IPs, infrastructure and host types (on-premises or cloud), an organization’s attack surface is in constant flux. Therefore, automated tracking of changes is a central part of any ASM solution. But simply defining all the components of the attack surface isn’t enough. Determining asset type and the level of risk involved is another key characteristic of ASM.


ASM evaluation categories

ASM is relatively new as a cyber defensive tool, which means it continues to evolve. As more vendors enter this space, they must innovate to differentiate from one another. Security decision-makers should be aware that the full potential of ASM has yet to be realized.

The GigaOm report divided ASM solutions into two market segments:

  • Small enterprise: This category included solutions that meet the needs of organizations ranging from small businesses to medium-sized companies. Solutions in this category were evaluated for simplified cost structures, which make ASM achievable on small security budgets.
  • Mid-market and large enterprise: Here, offerings were assessed based on how they fit large and business-critical projects. The best solutions in this category focus on flexibility, performance, data services and features that improve security and data protection. The ability to deploy the same service in different environments (scalability) was also considered.

Furthermore, two deployment models were evaluated in the GigaOm report:

  • Software as a Service (SaaS): These are cloud-only solutions designed, deployed and managed by the service provider. SaaS ASM solutions are available only from a specific provider.
  • Hybrid: These solutions are cloud-based, similar to cloud-only solutions. But hybrid solutions also leverage a sensor, collector or agent as an additional telemetry source. This leads to a better understanding of the composition of a company’s technical environment.

The key criteria measured by the GigaOm report included:

  • Flexibility in asset discovery
  • Active assessment
  • Converged protections
  • Internal ASM
  • Risk scoring
  • Asset categorization.

Rounding out the analysis, evaluation metrics included:

  • Extensibility
  • Frequency of discovery
  • Licensing
  • User experience.

Top ASM performers

The GigaOm analysis can be summarized with its “Radar Report,” which is represented in graphic form below. The Radar consists of a series of concentric rings, with those set closer to the center judged to be of higher overall value.

Each vendor is represented by two axes — balancing Maturity versus Innovation and Feature Play versus Platform Play. Meanwhile, an arrow projects each solution’s evolution over the coming 12 to 18 months. The solution closest to the center was IBM Security Randori. It was also predicted to improve even more over the next year or so.

What makes a formidable ASM solution?

ASM consists of four core processes: asset discovery, classification and prioritization, remediation and monitoring. Again, since the contours of the digital attack surface change constantly, ASM processes must be continuous. The goal of ASM is to ensure that the security teams have a complete and current inventory of exposed assets. Also, ASM provides an accelerated response to vulnerabilities and threats that pose the greatest risk to the organization.

As an illustration, Randori Recon has robust passive and active scanning capabilities. For passive scanning, numerous public repositories (ARIN, Clearbit, Crunchbase, Zetalytics and WHOIS) are queried to build an organization’s profile. Active assessment executes interactive information gathering on assets, using techniques like running DirBuster on identified directories, attempting telnet and secure shell (SSH) to common ports and scraping when detections occur.

Another notable feature of Recon is its risk scoring called the “target temptation score.” This score uses common vulnerability information like CVE data and also considers other factors such as an asset’s unique characteristics and business value. A final score is then assessed to help security teams prioritize their limited remediation cycles. This capability is ultimately what all ASM tools strive to achieve, but many fall short.
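To make the four core processes and the risk-scoring idea concrete, the following Python model runs discovery, classification and prioritization, remediation tracking and change monitoring over a small inventory. It is an added example written for this page, not Randori or GigaOm code: the assets, the service-to-category table and the score weights (severity from CVE data, exposure, business value, and an "unowned" penalty) are all assumptions chosen to mirror the article's description of a temptation-style score.

```python
"""Toy implementation of the four ASM processes the article names (asset discovery,
classification and prioritization, remediation tracking, continuous monitoring),
run over a constructed inventory. This is an added example, not Randori or GigaOm
code; the assets, the category table and the scoring weights are all assumptions."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    service: str
    port: int
    internet_facing: bool
    business_value: int          # assumed 1 (low) .. 5 (crown jewel) scale
    max_cvss: float              # highest CVSS base score among its known CVEs, 0.0 if none
    owner: Optional[str] = None  # None models an asset nobody has claimed


# Constructed snapshots standing in for two successive discovery runs
SNAPSHOT_T0: List[Asset] = [
    Asset("www.example.test", "203.0.113.10", "https", 443, True, 4, 5.3, "web-team"),
    Asset("vpn.example.test", "203.0.113.20", "ssl-vpn", 443, True, 5, 9.8, "netops"),
    Asset("intranet.example.test", "10.0.0.5", "http", 80, False, 2, 7.5, "it"),
]
SNAPSHOT_T1: List[Asset] = [
    replace(SNAPSHOT_T0[0], max_cvss=0.0),          # www patched since the last run
    SNAPSHOT_T0[1],                                 # VPN unchanged, still critical
    Asset("dev-db.example.test", "203.0.113.30", "postgresql", 5432, True, 3, 0.0, None),
]

# Classification: service name -> coarse asset category (assumed table)
CATEGORY = {"https": "web", "http": "web", "ssl-vpn": "remote-access",
            "ssh": "remote-access", "postgresql": "database", "mysql": "database"}


def classify(asset: Asset) -> str:
    """Bucket an asset by what it exposes; unknown services fall into 'other'."""
    return CATEGORY.get(asset.service, "other")


def temptation_score(asset: Asset) -> float:
    """Risk score in 0..100 modelled on the article's description: vulnerability
    severity (CVE data) plus exposure, business value and an ownership gap.
    Weights are assumptions: 50 severity + 25 exposure + 20 value + 5 unowned."""
    severity = asset.max_cvss * 5.0                  # CVSS 0..10 -> 0..50
    exposure = 25.0 if asset.internet_facing else 5.0
    value = asset.business_value * 4.0               # 1..5 -> 4..20
    unowned = 5.0 if asset.owner is None else 0.0
    return round(severity + exposure + value + unowned, 1)


def prioritize(assets: List[Asset]) -> List[Tuple[str, str, float]]:
    """Classification-and-prioritization step: highest score first."""
    ranked = sorted(assets, key=temptation_score, reverse=True)
    return [(a.host, classify(a), temptation_score(a)) for a in ranked]


def _key(asset: Asset) -> Tuple[str, str, int]:
    return (asset.host, asset.ip, asset.port)


def diff_inventory(old: List[Asset], new: List[Asset]) -> Dict[str, List[str]]:
    """Monitoring step: what appeared, vanished or changed between two discovery runs.
    'remediated' is the subset of changes where the worst known CVSS went down."""
    before = {_key(a): a for a in old}
    after = {_key(a): a for a in new}
    added = [after[k].host for k in after.keys() - before.keys()]
    removed = [before[k].host for k in before.keys() - after.keys()]
    changed, remediated = [], []
    for k in before.keys() & after.keys():
        if before[k] != after[k]:
            changed.append(after[k].host)
            if after[k].max_cvss < before[k].max_cvss:
                remediated.append(after[k].host)
    return {"added": sorted(added), "removed": sorted(removed),
            "changed": sorted(changed), "remediated": sorted(remediated)}


def unowned_exposed(assets: List[Asset]) -> List[str]:
    """The 'unknown or poorly managed internet-facing asset' the article warns about."""
    return [a.host for a in assets if a.internet_facing and a.owner is None]


if __name__ == "__main__":
    for host, category, score in prioritize(SNAPSHOT_T1):
        print(f"{score:5.1f}  {category:14s} {host}")
    print("inventory delta:", diff_inventory(SNAPSHOT_T0, SNAPSHOT_T1))
    print("unowned, internet-facing:", unowned_exposed(SNAPSHOT_T1))
```

Running it ranks the unpatched VPN first, then the newly discovered, unowned database host ahead of the now-patched web server, and the inventory delta reports the database as added, the intranet host as gone, and the web server as remediated. The point of the design is that the score is recomputed on every run over the current snapshot, so the queue a team works from reflects both new exposures and remediation progress rather than a one-off assessment.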

Finally, Recon integrates well with other security tools. It includes native bi-directional integrations with many popular tools as well as an open API that can help develop bespoke integrations.

The times call for ASM

Traditional asset discovery, risk assessment and vulnerability management processes were developed when networks were more static, defined and centralized. Those solutions can’t keep up with today’s reality. With an ever-changing attack surface, new vulnerabilities and attack vectors arise continuously. Penetration testing works for suspected vulnerabilities in known assets but can’t help identify new cyber risks and vulnerabilities that arise daily.

ASM’s continuous workflow and hacker perspective enable security teams and security operations centers (SOCs) to establish a proactive security posture. In the face of a constantly expanding and variable attack surface, ASM solutions provide real-time visibility into vulnerabilities and attack vectors as they emerge.

Read the full GigaOm Radar for Attack Surface Management report here.
