Attack surface management (ASM) is not limited to the surface
Another year of high-profile cyberattacks, another year of beating the cybersecurity drums. Clearly, we’re missing a few notes. Attack surface management (ASM) is a make or break for organizations, but before we get to the usual list of best practices, we need to accept that attack surface management is not limited to the surface. Only then can we identify and secure vulnerable assets against cyber risk.
The term “surface” is worth considering here. Given its literal definition, it’s only natural that organizations focus on the external elements of their business. But, in fact, attack surface refers to every asset that could be potentially exposed to and exploited in a cyberattack. This does include externally facing assets such as public clouds, desktop machines, but also everything else within the organization.
Defining the fundamentals of ASM
ASM falls under the larger umbrella of exposure management (EM), along with vulnerability management and validation management. With so many similar but distinct terms and acronyms crowding together, it’s no surprise there can be confusion about what’s what.
ASM is also commonly misrepresented as a specific solution or process, often by overenthusiastic vendor marketing. Rather than being any particular tool, ASM is an approach that should encompass several different solutions and activities.
There are three main components to an ASM strategy:
External attack surface management (EASM) – The area is often confused with ASM in general. This aspect of ASM focuses solely on public-facing assets like public clouds.
Digital risk protection services (DRPS) – Focused on visibility into threat intelligence from sources such as the deep web, social networks, and open data containers. This more advanced capability requires a high level of cyber maturity.
Cyber asset attack surface management (CAASM) – Considered the cornerstone of the ASM practice, CAASM is all about collating data relating to the organization’s vulnerabilities and managing it effectively.
Why is ASM critical today?
A solid ASM approach is essential for gaining a coherent view of the threats facing the organization and properly prioritizing remediation. Without this unified view, it’s hard to break out of responsive, knee-jerk security and think beyond tactics to the bigger strategic picture. It’s also difficult for CISOs to tie the value of their work to non-technical business leaders in this case. The board doesn’t want to hear about CVE 12345. They want to know its potential business impact and why fixing it is important.
Firms that have yet to adopt an ASM approach are still largely fixed on individual vulnerabilities rather than business risk. This makes it infinitely harder to effectively understand and prioritize security efforts without the wider business context.
Then there are the companies attempting to carry out ASM activities but without the right tools and processes. We encounter many firms still using Excel spreadsheets to track their internal and external risk management. This creates an unnecessarily manual workload for all involved, is highly inefficient, and makes it far more likely that critical risks go overlooked.
Finally, there are enterprises that have realized the need for a more organized approach to ASM and are in a position to start investing in tools and processes to achieve it.
What are the main challenges in getting started with ASM?
The first challenge is understanding the organization’s security needs around ASM and how it slots into place with similar but distinct practices like EM. Next up is communicating these differences to the board and securing their buy-in for the necessary investments. Again, simplicity is the goal, with an emphasis on the fact that ASM must identify and mitigate business risks and improve the enterprise’s overall security standing.
The next task is to overcome the IT siloes that divide the business. External and internal security and IT teams aren’t often even in the same book, much less on the same page. (Not to mention other IT security-adjacent departments such as the DevOps, cloud, and web teams.)
Each group has its own agenda, with its own distinct tools and processes. Even within the same team, there will likely be multiple, disconnected solutions – from vulnerability scanners to code configurations.
To build an effective, unified ASM approach, we need to replace these silo walls and establish a normalized view across all relevant business areas. All risk data should be flowing to the same point, visible at the same time, in the same format so the CISO has clear visibility of everything.
The larger and older the organization, the more untangling is required to align departments that have grown and evolved independently over the years. Smaller firms working with just a handful of people in IT and security meanwhile will have a much easier time uniting everything.
Unifying security under ASM
The right set of tools can go a long way in aggregating various threat and vulnerability data feeds and establishing a single pane of glass view for cyber risk.
The first step is aligning everyone and every team. (Easier said than done.) There must be a unified vision of risk and universal KPIs for mitigating vulnerabilities. This will allow risks to be prioritized across the entire organization from a single reference point.
With the siloes gone, it’s also possible to identify where processes, tools, and tasks are unnecessarily duplicated. Redundancies can be eliminated, and greater automation can be adopted to boost productivity across teams. As the internal ASM strategy matures, the firm can then broaden its scope to start implementing CAASM and take on more threat intelligence.
By moving beyond surface-level ASM, the organization will not only have a more unified and efficient approach to its security activity, but it will also be able to proactively identify potential threats from any source, and move quickly to shut them down.