What is External Attack Surface Management?

Attack surface management (ASM) is a security management process that seeks to identify, assess, and mitigate security risks posed by an organization’s attack surface. ASM focuses on identifying and reducing an organization’s exposure to attacks by identifying and prioritizing potential attack vectors and determining the vulnerabilities that they exploit. ASM also includes developing and implementing mitigation strategies to reduce an organization’s risk.

What is Attack Surface?

Several variables are not only increasing the attack surface of businesses, but also guaranteeing that this area of monitoring and management will see sustained growth for the foreseeable future.

Some of these conditions have persisted for a long time. Consider the following: the Internet of Things; decentralized IT; shadow IT; cloud computing; remote and hybrid work; the growth of the workplace in the future; and digital transformation, which refers to the shifts in IT’s vision and strategy. While perhaps helpful, this short list is by no means comprehensive.

As an example, the rise in software supply chain attacks is closely tied to advances during the COVID-19 pandemic and/or to advancements in cyberattacks and cybercrime.


What is External Attack Surface Management?

First, we provide a high-level explanation of the attack surface and its significance in terms of both monitoring and management.

The next step is a brief discussion of the role of “new” cybersecurity technologies and concepts like External Attack Surface Management (EASM) and Cyber Asset Attack Surface Management (CAASM). Additionally, we briefly discuss how they connect to other areas of security.

Different cybersecurity companies and analysts with expertise in IT and security use distinct vocabularies. For instance, whereas many of the former use the term attack surface management, only a few of the latter use the phrase external attack surface management. The terms “attack surface” and “attack surface management” are sometimes used interchangeably without uniformity.

In its original context, “attack surface” was the sum of a system’s, app’s, or network’s known vulnerabilities and points of entry. As defined by the National Institute of Standards and Technology (NIST), an attack surface is “the collection of places on the boundary of a system, a system element, or an environment where an attacker can try to access, create an impact on, or extract data from that system, system element, or environment.”

Our experience shows that the ‘notion’ or definition of the attack surface typically depends greatly on the individual IT and security practitioners who are tasked with creating and maintaining it.

As time went on and “new” sorts of linked assets, code, systems, and the like were used, the number of IT assets that are considered part of the attack surface grew. The field of information technology is one of the most rapidly evolving in modern society. Therefore, it matters not only who defines the phrase, but also when the definition was published. It’s not a new idea that people should try to minimize their attack surface by measuring and minimizing the areas where they might potentially be exploited.

Some organizations now classify Internet of Things (IoT) devices as ASM assets, despite the fact that these are currently less used and, therefore, less front-of-mind as part of the corporate attack surface than, say, cloud-based assets and workloads. Once an Internet of Things (IoT) project has entered production, it becomes more difficult to ignore the connected devices as potential entry points for attackers. This means that the meaning of the phrase changes with time and is not universally agreed upon.

We also notice that the attack surface is expanding to encompass anything having to do with third and even fourth parties (such as third-party risk management, supplier risk management, vendor risk management, and software supply chains).

In sum, the underlying reality is always changing, hence the definitions and descriptions change with time. Since the world is always evolving, so too must the realities of conducting business online. Whatever the situation may be, the attack surface against enterprises is growing. Not only does this mean a greater variety of assets and an uptick in internet-connected devices, but it also has significant implications for management.

When Gartner revealed its Top Security and Risk Management Trends for 2022 in March of that year, it ranked an increase in the attack surface as the most important of those trends.

Gartner, along with others, highlighted the hazards associated with additional elements that have pushed companies’ exposed surfaces beyond a set of controlled assets in this context of the expanding attack surface and the rising need for attack surface management. Cyber-physical systems (such as Industry 4.0) and IoT, open-source code, cloud applications, complicated digital supply chains, and social media are all examples of technologies that have been cited by Gartner.

Since much of an organization’s estate is unknown or undiscovered owing to shadow IT, M&A, and third party/partner activities, many security and IT teams struggle to retain much-needed visibility into an increasingly complex and dispersed IT environment (Jess Burn, Senior Analyst, Forrester).


There are two new words in attack surface management that have been coined by Gartner in recent years: external attack surface management (EASM) and cyber asset attack surface management (CAASM). In addition, they debut in the Gartner Hype Cycle for Security Operations at the ‘innovation trigger’ phase.

The Hype Cycle for Security Operations 2021 study from Gartner, which can be downloaded from the websites of the aforementioned EASM providers, identifies EASM as a key new technology (category) in cybersecurity.

Gartner defines EASM as “an emerging product set that aids businesses in recognizing threats emanating from internet-facing assets and systems that they may be unaware of.”

According to the Gartner Hype Cycle for Security Operations 2021, both EASM (External Attack Surface Management) and CAASM (Cyber Asset Attack Surface Management) are in the early adoption phase of their respective innovation cycles. In the Gartner Hype Cycle for Security Operations 2021, both Picus Security and Gartner’s External Attack Surface Management and Cyber Asset Attack Surface Management may be found in the Innovation Trigger phase.

Comparison between Picus Security and Gartner

Historically, attack surface management (without the ‘external’) was defined as “the processes, technology, and professional services deployed to discover external-facing enterprise assets and systems that may present vulnerabilities,” as described by former Gartner research analyst Brad LaPorte in a blog post. Servers, passwords, public cloud service misconfigurations, and software code vulnerabilities in third-party partners are just a few examples that might be exploited by bad actors.

Third-party risk management (TPRM), vulnerability assessment, and digital risk protection services are only some of the numerous security disciplines that interact with external attack surface management.

Complementary markets exist, such as pentesting (penetration testing), cloud security posture management (CSPM), and others.

While the security vendor community has a rapid understanding of the idea of External Attack Surface Management, end-user companies have a delayed adoption rate (Gartner).

One of the key findings of Gartner’s report is that external attack surface management (EASM) capabilities cross over into other existing security markets, such as digital risk protection services (DRPS), as stated by the people of Sweepatic, who posted the graphic here. Gartner named Sweepatic on its 2021 Emerging Vendors list in the security category of external attack surface management.

Gaining that comprehensive view of the attack surface (and the insights to improve it) by employing the appropriate tools is a challenge. It’s important to keep in mind that the attack surface, which includes the pieces that may be attacked, might vary from one vendor to the next. But maybe you don’t need anything at all; it all depends on your priorities, risks, and the here and now.

https://madhurendra.com

Madhurendra is a passionate cybersecurity enthusiast with a strong interest in protecting the digital world from cyber threats. He has always been fascinated by technology and how it can be leveraged to improve our lives, but he also recognizes the potential dangers that come with increased connectivity and dependence on technology.

