Attack surface management (ASM) is the continuous process of identifying, monitoring, and managing all potential entry points within an organization’s digital environment that could be exploited by cyberthreat actors. It encompasses all internet-facing assets, including IoT devices and APIs, and ensures that vulnerabilities, such as misconfigurations, are detected and remediated in real time to minimize risk.
What Is Attack Surface Management?
Attack surface management refers to the process of identifying, assessing, and managing the potential vulnerabilities in an organization’s technology infrastructure. It involves analyzing and understanding all possible entry points that attackers could exploit, such as network devices, web applications, APIs, and user access points.
Attack surface management (ASM) is one of those concepts in IT and cybersecurity that most of us understand intuitively but might have trouble accurately explaining. ASM refers to an area of practice, realized by specialized toolsets, that focuses on identifying where an organization is vulnerable to cyberthreats — its attack surfaces — and then working to minimize the resulting risk exposure. This page fleshes out this definition and offers insights into why ASM is an important practice to adopt.
What is an attack surface?
Understanding ASM requires first being conversant with the idea of an attack surface. The general definition, “a place where you can get attacked,” is a helpful start, but a better way to understand attack surfaces is to see them as networks of digital assets that a hacker can leverage to mount a successful cyberattack. For example, an organization’s on-premises servers comprise an attack surface. A malicious actor can probe the servers until they find a vulnerable spot, such as an unpatched operating system, and exploit it to breach the server — and anything connected to it.
The term “attack surface” is a metaphor: it physicalizes a virtual space, turning server operating systems, which are disembodied bits of code, into the image of a physical surface that can be cracked open. Cloud-hosted digital assets, shared networks, software as a service (SaaS) applications, and more should all be included in your survey of your attack surface. Endpoints should also be accounted for: if a hacker can take over an endpoint, they can usually move from there into the network.
What is attack surface management (ASM)?
Attack surface management refers to a set of processes, typically enabled by a dedicated solution, whose goal is to reduce the vulnerabilities of an organization’s attack surfaces. Specifically, ASM involves continuous discovery of attack surface weaknesses, monitoring of threat vectors, evaluation of potential attack surface risks, and remediation of those risks. ASM builds on IT asset discovery solutions and “IT hygiene” practices, but differs from them in that it typically approaches the issue from the point of view of the attacker rather than the defender.
How ASM works
There are typically four core ASM processes: asset discovery, classification and prioritization of exposed assets, remediation, and monitoring. Attack surfaces are constantly changing, so it’s best practice to run these processes continuously. To achieve this efficiently, automate as many of them as possible.
- Discover assets. This process involves automated scanning of infrastructure to identify digital assets that can be part of an attack surface: internet-facing software or hardware, as well as cloud assets, any one of which could be the place where an attacker successfully breaches the organization’s defenses. The discovery process should span known and unknown assets. Indeed, some of the most serious attack surface risks emerge from assets that weren’t previously known, e.g., an old endpoint that no one realized was still connected to the network. The process should also be thorough, encompassing PCs and mobile devices, user directories, databases, and so forth. It’s also good practice to scan third-party assets, such as vendor application programming interfaces (APIs) that allow access to users from outside the organization.
- Classify, evaluate, and prioritize assets. ASM needs to classify digital assets and point out vulnerabilities that expose the organization to risk. This should be followed by an evaluation of the risk and a prioritization of its remediation. For instance, if an application contains an open source component that has been exploited in “supply chain” attacks elsewhere, that application should be given a high priority for remediation, especially if it’s connected to sensitive data. Successful evaluation and prioritization therefore depend on awareness of threats, which might come from integration with a threat intelligence resource, as well as on knowledge of the connectivity between digital assets.
- Remediate vulnerabilities. The appropriate remediation depends on the vulnerability. Some organizations plan on the assumption that a breach will occur, while others concentrate on addressing the possibility of a breach. For example, if data is vulnerable to a breach, then encryption might be the remediation. In other cases, remediation might simply involve retiring an asset that’s no longer needed, or applying security controls such as endpoint hardening.
- Monitor assets. ASM never stops, or at least it shouldn’t. As IT requirements shift, causing new assets to come online and others to become obsolete, and new configurations take hold, it’s essential to monitor attack surfaces on a continuous basis — always looking for new problems that can expose the organization to attack.
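The four processes above, discover, classify and prioritize, remediate, and monitor, can be illustrated with a small inventory loop. The following is an added example, not code from Akamai or from any ASM product. The scan results, the “known” inventory, the exploited-component feed, and the scoring weights are all constructed for illustration; a real deployment would feed these from discovery scanners, a CMDB, and a threat intelligence source.

```python
"""Minimal attack surface management loop over a constructed asset inventory.

Added example, not Akamai's code. All data below is made up for illustration.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    kind: str                      # "server", "endpoint", "api", "saas", ...
    internet_facing: bool
    owner: Optional[str]           # None means nobody has claimed this asset
    components: List[str] = field(default_factory=list)
    handles_sensitive_data: bool = False


# Constructed "known" inventory: what the asset register says exists.
KNOWN_INVENTORY = {"web-01", "db-01", "vendor-api-gw"}

# Constructed discovery results: what an automated scan actually found.
DISCOVERED = [
    Asset("web-01", "server", True, "web-team", ["nginx", "openssl"]),
    Asset("db-01", "server", False, "data-team", ["postgres"], handles_sensitive_data=True),
    Asset("vendor-api-gw", "api", True, "integrations", ["acme-sdk"]),
    # An old endpoint nobody realized was still connected: unknown and unowned.
    Asset("legacy-jump-03", "endpoint", True, None, ["old-ssh-daemon"]),
]

# Constructed threat-intel feed: components reported as exploited elsewhere
# (stand-in for a real threat intelligence integration).
EXPLOITED_COMPONENTS = {"acme-sdk", "old-ssh-daemon"}


def discover_unknown(discovered: List[Asset], known: set) -> List[Asset]:
    """Step 1: assets the scan found that the inventory does not know about."""
    return [a for a in discovered if a.name not in known]


def risk_score(asset: Asset, exploited: set) -> int:
    """Step 2: additive risk score. Weights are assumptions for illustration."""
    score = 0
    if asset.internet_facing:
        score += 3                                   # reachable from outside
    if any(c in exploited for c in asset.components):
        score += 4                                   # known-exploited component
    if asset.handles_sensitive_data:
        score += 2                                   # connected to sensitive data
    if asset.owner is None:
        score += 2                                   # unmanaged, so likely unpatched
    return score


def prioritize(discovered: List[Asset], exploited: set) -> List[Asset]:
    """Step 2: order assets so the highest-risk ones are remediated first."""
    return sorted(discovered, key=lambda a: risk_score(a, exploited), reverse=True)


def plan_remediation(asset: Asset, exploited: set) -> str:
    """Step 3: pick a remediation action that matches the finding."""
    if asset.owner is None:
        return "retire or assign owner"              # unneeded assets are retired
    if any(c in exploited for c in asset.components):
        return "patch or replace exploited component"
    if asset.handles_sensitive_data:
        return "encrypt sensitive data at rest"
    return "apply baseline hardening"


def monitor_changes(previous: List[Asset], current: List[Asset]) -> Tuple[list, list, list]:
    """Step 4: diff two discovery snapshots; anything new or changed is re-evaluated."""
    prev = {a.name: a for a in previous}
    cur = {a.name: a for a in current}
    added = sorted(set(cur) - set(prev))
    removed = sorted(set(prev) - set(cur))
    changed = sorted(n for n in set(cur) & set(prev) if cur[n] != prev[n])
    return added, removed, changed


def next_scan() -> List[Asset]:
    """Constructed second snapshot: legacy host retired, db-01 now exposed
    (a misconfiguration), and a new unowned test API has appeared."""
    web, db, gw, _legacy = DISCOVERED
    return [web, replace(db, internet_facing=True), gw,
            Asset("test-api-07", "api", True, None, ["flask"])]


if __name__ == "__main__":
    for a in discover_unknown(DISCOVERED, KNOWN_INVENTORY):
        print("unknown asset:", a.name)
    for a in prioritize(DISCOVERED, EXPLOITED_COMPONENTS):
        print(f"{a.name:15} score={risk_score(a, EXPLOITED_COMPONENTS)} "
              f"action={plan_remediation(a, EXPLOITED_COMPONENTS)}")
    print("snapshot diff (added, removed, changed):",
          monitor_changes(DISCOVERED, next_scan()))
```

Running the block ranks the unowned, internet-facing endpoint with a known-exploited component first, ahead of the vendor API gateway, and the snapshot diff flags the newly exposed database and the new test API for re-evaluation, which is the point of running discovery continuously rather than once.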
Why is attack surface management important?
ASM deserves attention and investment because it helps build a stronger overall security posture. In contrast to point solutions, which may do well in a specific area but miss the bigger picture of vulnerability, ASM enables organizations to monitor their attack surfaces using fully up-to-date inventories of assets and then prioritize remediation to achieve the highest level of risk mitigation.
A 2022 industry analyst report, sponsored by the ASM vendor Randori (now part of IBM), backs up this contention. According to the research, 70% of organizations suffered an attack on a surface that contained an unknown, unmanaged, or poorly managed asset in the previous year. Even so, the analysts discovered that the average organization takes more than 80 hours to get an accurate read on an attack surface. It was for these reasons that external attack surface management was the top investment priority for large enterprises last year, according to the report.
Benefits of attack surface management
Done right, ASM provides a range of benefits. The most compelling is an improvement in an organization’s level of cyber defense: fewer attacks, fewer breaches, fewer alerts to manage, and so on. Automated discovery, analysis, and remediation deliver the further benefit of streamlining the entire security process. Security managers and their partners in IT get prioritized lists of problems that need attention, versus identifying issues for remediation on a piecemeal basis. The discovery process can also reveal previously undetected “shadow IT” efforts, which create risk exposure.
Real-time monitoring for effective attack surface management
Real-time monitoring is essential in attack surface management, as it allows security teams to track potential vulnerabilities across all internet-facing assets and IoT devices. Since the attack surface is constantly shifting, real-time insights enable organizations to detect misconfigurations or new threat vectors promptly. By utilizing automated tools, security teams can maintain continuous visibility over both internal and external assets. These solutions not only help identify risks but also prioritize remediation based on the severity of cyber risk, making it easier to manage the overall security posture.
With IoT becoming more prevalent, connected devices are often a prime target for threat actors. Integrating real-time monitoring solutions enables better asset inventory management and ensures that every endpoint, no matter how small, is properly accounted for and secured.
Enhancing cyber risk management with attack surface solutions
A comprehensive attack surface management solution plays a key role in cyber risk management by addressing potential vulnerabilities before threat actors can exploit them. Security teams benefit from using these solutions to scan, detect, and analyze the entire digital environment — ranging from cloud environments to on-premises systems. By leveraging tools that offer asset inventory and identify external and internal risks, organizations are better equipped to respond to potential threats efficiently.
These solutions are particularly valuable in detecting misconfigurations, which are among the most common causes of successful cyberattacks. Identifying and remediating misconfigured assets, whether they are cloud-based services or legacy systems, significantly reduces the potential attack surface and strengthens the organization’s defense.
Continuous improvement in security posture management
Maintaining an organization’s security posture requires continuous improvement and adaptation to evolving threats. Attack surface management is a critical part of this process. Security teams can deploy advanced automation and machine learning tools to dynamically assess and adjust security controls across internet-facing assets and APIs. This includes real-time tracking of new endpoints, analyzing potential threats, and conducting continuous asset inventory audits to ensure no vulnerable points are left exposed.
Security teams also benefit from collaborating closely with cloud security posture management (CSPM) frameworks, ensuring compliance and protection against cloud-based threats. A robust security posture management strategy will align these activities with broader organizational risk management frameworks to provide a holistic view of potential cyber risks.
Conclusion
Every organization has attack surfaces. Some are bigger than others, but no matter how extensive the exposure, there’s risk to be mitigated across all attack surfaces. ASM offers an automated, effective way to accomplish this goal. By automatically scanning and inventorying digital assets that comprise attack surfaces, and then analyzing and prioritizing vulnerabilities, ASM gives security managers an organized, coherent way to reduce attack surface risks. With automated remediation, followed up by continuous monitoring, ASM gives security managers a way to stay on top of risks in constantly changing attack surfaces.
Frequently Asked Questions
Reducing your attack surface is crucial for enhancing your security posture. Implement strategies like regular software updates, minimizing unnecessary services, and enforcing strict access controls to limit potential vulnerabilities. Continuous monitoring ensures timely detection and mitigation of emerging threats.
Attack surface management focuses on identifying and securing all possible entry points into your organization’s systems and networks. It encompasses hardware and software elements, and analyzes the entire infrastructure for potential vulnerabilities and threats.
In contrast, vulnerability management primarily deals with software-based vulnerabilities, aiming to identify and remediate specific weaknesses in applications and systems. While vulnerability management targets individual vulnerabilities, attack surface management considers the broader attack vector, encompassing a wider scope of potential entry points and risks across hardware and software assets.
Employee training is integral to effective attack surface management as it addresses the human element of security risks. Regular training on cybersecurity best practices empowers your employees to identify and respond to social engineering and phishing attacks, which often exploit human vulnerabilities. By enhancing employee awareness and knowledge, your organization can reduce the likelihood of successful attacks on your attack surface.
Additionally, incorporating security testing into training programs allows your employees to practice identifying and mitigating potential threats, further strengthening your organization’s defense against evolving cyberthreats.
Eliminating an attack surface is impractical due to the essential need to maintain operational functionality. Organizations rely on various systems and assets to conduct business, each representing a potential entry point for attacks. Instead of aiming for total elimination, the focus should be reducing the attack surface and effectively managing the remaining risks.
By implementing robust attack surface management practices and leveraging APIs to enhance security measures, your organization can minimize vulnerabilities while ensuring business continuity. The goal isn’t elimination but a prudent reduction and proactive management of the attack surface to mitigate potential threats effectively.
IoT devices represent a significant part of the attack surface due to their often vulnerable security configurations. Managing IoT devices within ASM frameworks helps security teams monitor these endpoints, detect misconfigurations, and reduce the risk of IoT-related cyberattacks, ensuring they don’t become weak points in the overall security posture.
While certain aspects of attack surface management can be automated — such as asset discovery, threat detection, and vulnerability prioritization — human oversight is still required to evaluate the context and severity of risks. Combining automation with expert analysis ensures a more comprehensive and adaptive approach to managing cyber risks.
Why customers choose Akamai
Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.