Cloud adoption, digital transformation and the remote work explosion have widened nearly every company’s digital footprint and attack surface. Today’s enterprise is more distributed and more dynamic than ever — and new assets connect to a company’s network daily. According to one report, 67% of organizations have seen their attack surfaces expand in the preceding two years. To make things worse, 69% have been compromised by an unknown or poorly managed internet-facing asset in the past year.

For these reasons, Gartner named attack surface expansion a top security and risk management trend. More recently, GigaOm released an extensive report on attack surface management and leading vendors in the space.

What is attack surface management?

Attack surface management (ASM) is the continuous discovery, analysis, remediation and monitoring of security vulnerabilities and potential attack vectors that make up an organization’s attack surface. The attack surface is the sum of vulnerabilities, pathways or methods that adversaries can use to launch an attack, breach a network or access sensitive data.

Unlike other security methods, ASM is conducted entirely from a hacker’s perspective. This means ASM identifies targets and assesses risks based on the opportunities they present to a malicious actor. ASM works by mimicking methods and resources that hackers use. The techniques are executed by ‘ethical hackers’ who understand cyber criminal behaviors and are adept at copying malicious activity.

Given the vast number and variety of services, APIs, applications, IPs, infrastructure and host types (on-premises or cloud), an organization’s attack surface is in constant flux. Therefore, automated tracking of changes is a central part of any ASM solution. But simply defining all the components of the attack surface isn’t enough. Determining asset type and the level of risk involved is another key characteristic of ASM.

Explore IBM Security Randori solutions

ASM evaluation categories

ASM is relatively new as a cyber defensive tool, which means it continues to evolve. As more vendors enter this space, they must innovate to differentiate from one another. Security decision-makers should be aware that the full potential of ASM has yet to be realized.

The GigaOm report divided ASM solutions into two market segments:

  • Small enterprise: This category included solutions that meet the needs of organizations, from small businesses to medium-sized companies. Solutions in this category were evaluated for simplified cost structures which makes ASM achievable for small security budgets.
  • Mid-market and large enterprise: Here, offerings were assessed based on how they fit large and business-critical projects. The best solutions in this category focus on flexibility, performance, data services and features that improve security and data protection. The ability to deploy the same service in different environments (scalability) was also considered.

Furthermore, two deployment models were evaluated in the GigaOm report:

  • Software as a Service (SaaS): These are cloud-only solutions designed, deployed and managed by the service provider. SaaS ASM solutions are available only from a specific provider.
  • Hybrid: These solutions are cloud-based, similar to cloud-only solutions. But hybrid solutions also leverage a sensor, collector or agent as an additional telemetry source. This leads to a better understanding of the composition of a company’s technical environment.

The key criteria measured by the GigaOm report included:

  • Flexibility in asset discovery
  • Active assessment
  • Converged protections
  • Internal ASM
  • Risk scoring
  • Asset categorization.

Rounding out the analysis, evaluation metrics included:

  • Extensibility
  • Frequency of discovery
  • Licensing
  • User experience.

Top ASM performers

The GigaOm analysis can be summarized with its “Radar Report,” which is represented in graphic form below. The Radar consists of a series of concentric rings, with those set closer to the center judged to be of higher overall value.

Each vendor is represented by two axes — balancing Maturity versus Innovation and Feature Play versus Platform Play. Meanwhile, an arrow projects each solution’s evolution over the coming 12 to 18 months. The solution closest to the center was IBM Security Randori. It was also predicted to improve even more over the next year or so.

What makes a formidable ASM solution?

ASM consists of four core processes: asset discovery, classification and prioritization, remediation and monitoring. Again, since the contours of the digital attack surface change constantly, ASM processes must be continuous. The goal of ASM is to ensure that the security teams have a complete and current inventory of exposed assets. Also, ASM provides an accelerated response to vulnerabilities and threats that pose the greatest risk to the organization.

As an illustration, Randori Recon has robust passive and active scanning capabilities. For passive scanning, numerous public repositories (ARIN, Clearbit, Crunchbase, Zetalycis and WHOIS) are queried to build an organization’s profile. Active assessment executes interactive information gathering on assets, using techniques like running DirBuster on identified directories, attempting telnet and secure shell (SSH) to common ports and scraping when detections occur.

Another notable feature of Recon is its risk scoring called the “target temptation score.” This score uses common vulnerability information like CVE data and also considers other factors such as an asset’s unique characteristics and business value. A final score is then assessed to help security teams prioritize their limited remediation cycles. This capability is ultimately what all ASM tools strive to achieve, but many fall short.

Finally, Recon integrates well with other security tools. It includes native bi-directional integrations with many popular tools as well as an open API that can help develop bespoke integrations.

The times call for ASM

Traditional asset discovery, risk assessment and vulnerability management processes were developed when networks were more static, defined and centralized. Those solutions can’t keep up with today’s reality. With an ever-changing attack surface, new vulnerabilities and attack vectors arise continuously. Penetration testing works for suspected vulnerabilities in known assets but can’t help identify new cyber risks and vulnerabilities that arise daily.

ASM’s continuous workflow and hacker perspective enable security teams and security operations centers (SOCs) to establish a proactive security posture. In the face of a constantly expanding and variable attack surface, ASM solutions provide real-time visibility into vulnerabilities and attack vectors as they emerge.

Read the full GigaOm Radar for Attack Surface Management report here.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…