July 26, 2023 By Jonathan Reed 4 min read

Cloud adoption, digital transformation and the remote work explosion have widened nearly every company’s digital footprint and attack surface. Today’s enterprise is more distributed and more dynamic than ever — and new assets connect to a company’s network daily. According to one report, 67% of organizations have seen their attack surfaces expand in the preceding two years. To make things worse, 69% have been compromised by an unknown or poorly managed internet-facing asset in the past year.

For these reasons, Gartner named attack surface expansion a top security and risk management trend. More recently, GigaOm released an extensive report on attack surface management and leading vendors in the space.

What is attack surface management?

Attack surface management (ASM) is the continuous discovery, analysis, remediation and monitoring of security vulnerabilities and potential attack vectors that make up an organization’s attack surface. The attack surface is the sum of vulnerabilities, pathways or methods that adversaries can use to launch an attack, breach a network or access sensitive data.

Unlike other security methods, ASM is conducted entirely from a hacker’s perspective. This means ASM identifies targets and assesses risks based on the opportunities they present to a malicious actor. ASM works by mimicking methods and resources that hackers use. The techniques are executed by ‘ethical hackers’ who understand cyber criminal behaviors and are adept at copying malicious activity.

Given the vast number and variety of services, APIs, applications, IPs, infrastructure and host types (on-premises or cloud), an organization’s attack surface is in constant flux. Therefore, automated tracking of changes is a central part of any ASM solution. But simply defining all the components of the attack surface isn’t enough. Determining asset type and the level of risk involved is another key characteristic of ASM.

Explore IBM Security Randori solutions

ASM evaluation categories

ASM is relatively new as a cyber defensive tool, which means it continues to evolve. As more vendors enter this space, they must innovate to differentiate from one another. Security decision-makers should be aware that the full potential of ASM has yet to be realized.

The GigaOm report divided ASM solutions into two market segments:

  • Small enterprise: This category included solutions that meet the needs of organizations, from small businesses to medium-sized companies. Solutions in this category were evaluated for simplified cost structures which makes ASM achievable for small security budgets.
  • Mid-market and large enterprise: Here, offerings were assessed based on how they fit large and business-critical projects. The best solutions in this category focus on flexibility, performance, data services and features that improve security and data protection. The ability to deploy the same service in different environments (scalability) was also considered.

Furthermore, two deployment models were evaluated in the GigaOm report:

  • Software as a Service (SaaS): These are cloud-only solutions designed, deployed and managed by the service provider. SaaS ASM solutions are available only from a specific provider.
  • Hybrid: These solutions are cloud-based, similar to cloud-only solutions. But hybrid solutions also leverage a sensor, collector or agent as an additional telemetry source. This leads to a better understanding of the composition of a company’s technical environment.

The key criteria measured by the GigaOm report included:

  • Flexibility in asset discovery
  • Active assessment
  • Converged protections
  • Internal ASM
  • Risk scoring
  • Asset categorization.

Rounding out the analysis, evaluation metrics included:

  • Extensibility
  • Frequency of discovery
  • Licensing
  • User experience.

Top ASM performers

The GigaOm analysis can be summarized with its “Radar Report,” which is represented in graphic form below. The Radar consists of a series of concentric rings, with those set closer to the center judged to be of higher overall value.

Each vendor is represented by two axes — balancing Maturity versus Innovation and Feature Play versus Platform Play. Meanwhile, an arrow projects each solution’s evolution over the coming 12 to 18 months. The solution closest to the center was IBM Security Randori. It was also predicted to improve even more over the next year or so.

What makes a formidable ASM solution?

ASM consists of four core processes: asset discovery, classification and prioritization, remediation and monitoring. Again, since the contours of the digital attack surface change constantly, ASM processes must be continuous. The goal of ASM is to ensure that the security teams have a complete and current inventory of exposed assets. Also, ASM provides an accelerated response to vulnerabilities and threats that pose the greatest risk to the organization.

As an illustration, Randori Recon has robust passive and active scanning capabilities. For passive scanning, numerous public repositories (ARIN, Clearbit, Crunchbase, Zetalycis and WHOIS) are queried to build an organization’s profile. Active assessment executes interactive information gathering on assets, using techniques like running DirBuster on identified directories, attempting telnet and secure shell (SSH) to common ports and scraping when detections occur.

Another notable feature of Recon is its risk scoring called the “target temptation score.” This score uses common vulnerability information like CVE data and also considers other factors such as an asset’s unique characteristics and business value. A final score is then assessed to help security teams prioritize their limited remediation cycles. This capability is ultimately what all ASM tools strive to achieve, but many fall short.

Finally, Recon integrates well with other security tools. It includes native bi-directional integrations with many popular tools as well as an open API that can help develop bespoke integrations.

The times call for ASM

Traditional asset discovery, risk assessment and vulnerability management processes were developed when networks were more static, defined and centralized. Those solutions can’t keep up with today’s reality. With an ever-changing attack surface, new vulnerabilities and attack vectors arise continuously. Penetration testing works for suspected vulnerabilities in known assets but can’t help identify new cyber risks and vulnerabilities that arise daily.

ASM’s continuous workflow and hacker perspective enable security teams and security operations centers (SOCs) to establish a proactive security posture. In the face of a constantly expanding and variable attack surface, ASM solutions provide real-time visibility into vulnerabilities and attack vectors as they emerge.

Read the full GigaOm Radar for Attack Surface Management report here.

More from News

CISA launches portal to simplify cyber incident reporting

2 min read - Information sharing just got more efficient. In August, the Cybersecurity and Infrastructure Security Agency (CISA) launched the CISA Services Portal. “The new CISA Services Portal improves the reporting process and offers more features for our voluntary reporters. We ask organizations reporting an incident to provide information on the impacted entity, contact information, description of the incident, technical indications and steps taken,” a CISA spokesperson said in an email statement. “Reported incidents enable CISA and our partners to help victims mitigate…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Are new gen AI tools putting your business at additional risk?

3 min read - If you're wondering whether new generative artificial intelligence (gen AI) tools are putting your business at risk, the answer is: Probably. Even more so with the increased use of AI tools in the workplace. A recent Deloitte study found more than 60% of knowledge workers use AI tools at work. While the tools bring many benefits, especially improved productivity, experts agree they add more risk. According to the NSA Cybersecurity Director Dave Luber, AI brings unprecedented opportunities while also presenting…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today