Attack surface management (ASM) has rightly become a major priority for business leaders and digital defenders alike. The number of connected things is growing, and that means attackers have far more entryways into your networks and systems. With ASM, you can respond proactively to threats to stop them before they start.

What is ASM?

So, what is attack surface management, exactly? And what is the attack surface, for that matter? An attack surface is simply the sum of potential digital doorways through which attacks may occur — all possible risks.

These could include email servers, Internet of Things (IoT) devices, network devices, partners, hidden code planted by threat actors and many other online ‘things.’ A proactive cyber attack surface management program starts with knowing your specific case. What is contained in the full inventory of your attack surface? Within that assessment you’ll need to formally estimate your risk and note the potential exposure of each asset.

How to Get Proactive With ASM

External attack surface management often involves cutting down on entry points, access and privilege, running code, internet-facing apps and services, and more. But you can’t reduce until you know what’s there. First, you’ll need to thoroughly discover, inventory, classify and assign a risk score to all knowable assets.

That also includes assets owned by third parties like contractors, suppliers, partners, cloud providers and others. The rise in remote work can complicate both IT asset inventory and the reduction of the attack surface. But the rise in attacks that exploit remote work also shows the need for a renewed focus on ASM.

One of the great benefits of documenting and estimating the attack surface is that it enables a clearer, more realistic cost-benefit analysis of each asset. With unlimited staff, time and money, you could expand the attack surface forever and still stay safe. In the real world, none of those are infinite. Instead, you can improve defense by shrinking your attack surface, then applying your resources to the remaining surface.

And, it’s more than just shrinking the surface. It’s also about streamlining and optimizing.

1. Simplify and segment your network, and maintain control over endpoints.
2. Combine tools.
3. Remove needless access.
4. Place deadlines on access where possible.
5. Follow up with employee changes and exits to remove or change access as needed.
6. Focus on privileged accounts.

And, all this action must be prioritized with strong analytics. No part of this is a one-time event. Because assets are always in flux, ASM is ongoing — including discovery, inventory, risk analysis and all the rest. Real-time attack surface insight is everything, and ASM can help.
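As an added illustration (not code from the article), here is a small Python inventory-and-scoring model that ties together the discovery, classification, risk-scoring and access-deadline steps above; the asset records, weights and dates are constructed assumptions, not a standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed example, not from the article: one record per asset, carrying the
# attributes the ASM steps above ask for (exposure, privilege, ownership, deadlines).
@dataclass
class Asset:
    name: str
    kind: str                                 # e.g. "email-server", "iot", "saas-app"
    internet_facing: bool
    privileged_access: bool
    third_party_owned: bool                   # contractor, supplier, cloud provider ...
    access_expires: Optional[date] = None     # None means open-ended access (step 4)
    last_reviewed: Optional[date] = None      # None means never inventoried

# Weights are an assumption for illustration, not a standard; tune them to your risk model.
WEIGHTS = {"internet_facing": 4, "privileged_access": 3, "third_party_owned": 2,
           "no_deadline": 2, "access_expired": 2, "stale_review": 1}

def findings(asset: Asset, today: date, review_days: int = 90) -> list:
    """List why an asset adds to the attack surface; each entry is a weighted finding."""
    notes = [f for f in ("internet_facing", "privileged_access", "third_party_owned")
             if getattr(asset, f)]
    if asset.access_expires is None:
        notes.append("no_deadline")        # no deadline on access: set one (step 4)
    elif asset.access_expires < today:
        notes.append("access_expired")     # access outlived its deadline: remove it (step 3)
    if asset.last_reviewed is None or today - asset.last_reviewed > timedelta(days=review_days):
        notes.append("stale_review")       # inventory is ongoing, not a one-time event
    return notes

def risk_score(asset: Asset, today: date) -> int:
    """Sum the weights of the asset's findings."""
    return sum(WEIGHTS[f] for f in findings(asset, today))

def prioritize(assets: list, today: date) -> list:
    """Rank the inventory so the highest-scoring assets are reviewed first."""
    ranked = [(a.name, risk_score(a, today), findings(a, today)) for a in assets]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

# Constructed inventory to run the ranking on (names and dates are made up).
TODAY = date(2024, 1, 15)
INVENTORY = [
    Asset("mail-gw", "email-server", True, True, False, None, date(2023, 12, 20)),
    Asset("lobby-cam", "iot", True, False, True, date(2023, 6, 30), None),
    Asset("hr-saas", "saas-app", True, False, True, date(2024, 6, 30), date(2024, 1, 2)),
    Asset("build-box", "server", False, True, False, date(2024, 3, 1), date(2023, 9, 1)),
]
```

Running `prioritize(INVENTORY, TODAY)` puts the expired third-party camera and the open-ended privileged mail gateway at the top, which is the kind of ranked list the analytics in the paragraph above should feed.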

Working Within Best Practices

It’s worth noting that some of ASM is really just best practices in security — here, you’ll see familiar threat modeling, hunting and closing doors. The most exotic part is shrinking the attack surface. This involves some new thinking and exploring what can be removed, combined or changed. And the process by nature calls for working with outside managers, leaders and teams.

It also calls for being able to talk about ASM persuasively. It may not be easy to understand for every stakeholder. But they need to understand it, since they will be called upon to do things differently as the result of attack surface reduction.

How to Get Buy-In for Attack Surface Management

As part of this communication process, it helps that ASM is not just about security — a field that can seem abstract and remote to leaders in other departments — but also about global and national standards. With people focused on their own urgent deadlines, the idea of changing how everyone works just in case an attack happens can present an uphill battle. However, more and more businesses need to remain compliant with regulations, and the lion’s share of that compliance work requires ongoing ASM.

The craft of ASM calls for people skills — getting buy-in from leaders and help from management. And, everyone involved must be organized. The constant inventory taking and analysis of thousands, hundreds of thousands or millions of assets calls for advanced tools and strong organizational systems.

The Attack Surface Management Mindset

Above all, ASM is a mindset, a part of workplace culture. And so attack surface management — so central to security experts but so abstract to others — needs to be part of training and everyday work. This is even more true in the remote work era, where employees are largely managing their own networks and tools and making decisions every day, all day, that affect the attack surface shared with their coworkers.

The growth in the tech world has transformed and enhanced business through the development of faster networks, hybrid cloud computing, the IoT and letting more employees work from home. But growth has also massively increased the attack surface. So, we need proactive management for this attack surface to keep pace.
