
What is attack surface management and how it makes the enterprise more secure

November 21, 2023 by Drew Robb

Attack surfaces used to be simple: you had an insider who could physically access the system, or you had to infiltrate via a modem over a 28k or 56k line. Watch WarGames, the old movie starring Matthew Broderick, for an example. If you were an outsider, you had one route in. Even so, hacks happened, largely because cybersecurity was in its infancy.

Since those simpler times, attack surfaces have expanded and become far more complex. There are so many avenues into IT systems — the cloud, the network, endless numbers of devices and endpoints, phishing, exploited vulnerabilities, misconfiguration, and more — that defense is far from easy.


What is attack surface management?

This is where attack surface management (ASM) comes in. It combines functions such as asset discovery and management, inventorying, vulnerability scanning and patch management.

"The basic concept of ASM is that it encompasses the process of identifying your assets, understanding what they are, scanning them, and then doing something with what you find," said David Monnier, chief evangelist at Team Cymru, whose career spans the U.S. Marine Corps, Indiana University, where he helped build powerful computational systems, and Team Cymru, where he leads efforts to standardize and secure threat intelligence infrastructure.

He considers ASM to be more of an intelligence tool than a security tool. It is all about what you know about your assets: applying intelligence to security.

Older versions of ASM tended to be reactive: discover a vulnerability, create patches, issue them and deploy. But by that time, the vulnerability may already have been exploited. A better approach is to watch command-and-control sources: where they originate, who is downloading malware, and the "victimology" of botnets and other threats. This approach lets you discover new assets automatically, know their vulnerabilities and spot any signs of compromise.

"The question we asked was: if IT managers have a hard time identifying their own assets, how is it that bad guys always seem to find the unpatched or the unlocked down device?" said Monnier on the Cyber Work Podcast. "That enabled us to make a product of our own known as Pure Signal Orbit using the same type of methodologies to look and find stuff as the bad guys."

Vulnerability management failings

Vulnerability management tools tend to be limited by what is already known about assets. Asset discovery tools, too, tend to go by how many assets you have, usually determined by IP addresses. You may be able to scan all 256 of your IP addresses, but these tools will not find things like AWS instances spun up temporarily by developers. These elements of shadow IT are going to be missed — yet they are an element of a great many breaches.

That's one of the reasons for dissatisfaction with vulnerability management tools. They tend to focus on what you know (or should know) and aren't so good at pointing out shadow IT and other elements that fall outside the usual scanning horizon. What is needed is a way to extend beyond existing endpoints and network nodes. Open-source intelligence (OSINT) services such as Shodan, VirusTotal and others can be used to find out where instances or mentions of your domain show up outside of its normal address space.

"Sometimes you might find a 300% increase in the number of assets you thought you had," said Monnier. "That kind of insight helps you better understand what the real threats you're facing look like."
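The gap described above, between what an IP-range scanner sees and what external sources reveal, is easy to show as a reconciliation step. The following is an added example written for this article; it is not code from the article, Team Cymru or any product it mentions. The /24, the hostnames and the observation records are constructed sample data (documentation prefixes and example.com), standing in for what you would pull from certificate transparency logs, passive DNS or search engines.

```python
"""Reconcile a known asset inventory against external observations.

Added example (not from the article or Team Cymru's product): a minimal
version of the "extend beyond the address space you scan" idea. All hosts,
ranges and observation records below are constructed sample data using
documentation prefixes (203.0.113.0/24, 198.51.100.0/24, example.com).
"""
import ipaddress
from dataclasses import dataclass, field

# The scanner's view of the estate: one /24, i.e. the "all 256 IP addresses"
# the article talks about, plus the hostnames IT knows about.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_HOSTS = {"www.example.com", "mail.example.com", "vpn.example.com"}

# Constructed external observations, the kind of thing you would assemble
# from OSINT services (certificate transparency, passive DNS, search engines).
OBSERVATIONS = [
    {"host": "www.example.com",     "ip": "203.0.113.10", "source": "passive-dns"},
    {"host": "mail.example.com",    "ip": "203.0.113.25", "source": "passive-dns"},
    {"host": "legacy.example.com",  "ip": "203.0.113.77", "source": "cert-transparency"},
    {"host": "dev-api.example.com", "ip": "198.51.100.4", "source": "cert-transparency"},
    {"host": "staging.example.com", "ip": "198.51.100.9", "source": "search-engine"},
    {"host": "vpn.example.com",     "ip": "203.0.113.30", "source": "passive-dns"},
]


@dataclass
class Reconciliation:
    managed: set = field(default_factory=set)    # known name, inside a scanned range
    unmanaged: set = field(default_factory=set)  # unknown name, inside a scanned range
    shadow: set = field(default_factory=set)     # any name outside every scanned range

    def growth_percent(self, known_count):
        """How much larger the real estate is than the inventory, in percent."""
        total = len(self.managed | self.unmanaged | self.shadow)
        return round((total - known_count) / known_count * 100)


def in_known_ranges(ip):
    """True if the address falls inside a range the scanner already covers."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def reconcile(observations, known_hosts=KNOWN_HOSTS):
    """Bucket each observed host by whether inventory and scan range know it."""
    result = Reconciliation()
    for obs in observations:
        host = obs["host"].lower()
        if not in_known_ranges(obs["ip"]):
            # Lives where the scanner never looks: a temporary cloud instance,
            # an old hosting provider, a partner-run service using your domain.
            result.shadow.add(host)
        elif host in known_hosts:
            result.managed.add(host)
        else:
            # In range but not in the inventory: a forgotten box, for example.
            result.unmanaged.add(host)
    return result


if __name__ == "__main__":
    r = reconcile(OBSERVATIONS)
    print("managed  :", sorted(r.managed))
    print("unmanaged:", sorted(r.unmanaged))
    print("shadow   :", sorted(r.shadow))
    print(f"estate is {r.growth_percent(len(KNOWN_HOSTS))}% larger than the inventory")
```

The two hosts on 198.51.100.0/24 are exactly what a scan of the known /24 can never report; feeding the `shadow` and `unmanaged` buckets back into the scanner's scope is the "doing something with what you find" step of ASM.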

Risk rather than security

He advises organizations to favor a risk-based approach rather than focusing on "being secure," which is a nebulous concept. "Not every asset you have in your infrastructure is created equal," said Monnier. "Your primary Active Directory servers contain your authentication components, so they are probably 10 times more valuable than your website — yet most people think their website is more important as it represents the brand."

Someone defacing your website is certainly not a pleasant experience. But it doesn't compare, in terms of damage, to someone pretending to be your CFO and emptying your bank accounts. ASM tools, therefore, should be able to assess risk. For example, if you have a production instance of an AD server and a Dev instance that doesn't have any accounts on it, they might look the same to a traditional vulnerability scanner. Your tools should be able to differentiate their importance based on the risk each one carries.

"But if your tool can't do that, it will alert you about problems on a system that are not important to you," said Monnier.
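To make the risk-versus-severity point concrete, here is an added example (not code from the article or from any Team Cymru product) that ranks the same findings two ways: by scanner severity alone, and by severity weighted with asset criticality and exposure. The assets, their criticality values, the account counts and the vulnerability ids are constructed, and the weighting formula is a deliberately simple illustration, not a standard.

```python
"""Rank findings by business risk instead of raw vulnerability severity.

Added example, not code from the article or Team Cymru. Assets, scores and
the severity x criticality x exposure formula are constructed to show why a
scanner that only knows severity cannot tell a production Active Directory
server from an empty dev copy, or from a brochure website.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    role: str
    criticality: int      # 1 (disposable) .. 10 (business-critical), set by the owner
    accounts: int         # real identities hosted; zero for an empty dev instance
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str          # constructed placeholder ids, not real CVE numbers
    severity: float       # 0.0 .. 10.0, as a scanner would report it


def scanner_order(findings):
    """What a traditional scanner shows: severity only, ties broken by name."""
    ranked = sorted(findings, key=lambda f: (-f.severity, f.asset.name))
    return [f.asset.name for f in ranked]


def risk_score(f):
    """Severity weighted by what the asset is worth and how reachable it is.

    An AD instance with no accounts holds nothing to steal, so its weight is
    floored at 1 regardless of the role. Internal-only assets are halved
    because an attacker needs a foothold before reaching them (constructed
    factor, chosen for illustration).
    """
    weight = f.asset.criticality if f.asset.accounts > 0 else 1
    exposure = 1.0 if f.asset.internet_facing else 0.5
    return f.severity * weight * exposure


def risk_order(findings):
    """What a risk-aware ASM tool would show instead."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.asset.name))
    return [f.asset.name for f in ranked]


# Constructed sample assets mirroring the article's comparison.
PROD_AD = Asset("dc01", "active-directory", criticality=10, accounts=4200, internet_facing=False)
DEV_AD = Asset("dc-dev", "active-directory", criticality=10, accounts=0, internet_facing=False)
WEBSITE = Asset("www", "public-website", criticality=1, accounts=0, internet_facing=True)

# Both AD boxes carry the same finding, so a scanner sees them as identical.
FINDINGS = [
    Finding(PROD_AD, "VULN-0001", severity=9.8),
    Finding(DEV_AD, "VULN-0001", severity=9.8),
    Finding(WEBSITE, "VULN-0002", severity=7.5),
]

if __name__ == "__main__":
    print("scanner view:", scanner_order(FINDINGS))
    print("risk view   :", risk_order(FINDINGS))
    for f in FINDINGS:
        print(f"  {f.asset.name:7} severity={f.severity:4} risk={risk_score(f):5.1f}")
```

In the scanner view the empty dev controller and the production controller tie at the top and the website comes last; in the risk view the production controller is first by a wide margin, the website second, and the empty dev instance drops to the bottom, which is the differentiation Monnier is asking the tooling to make.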

Cybersecurity career advice

Monnier recommends that those working in cybersecurity build both broad and specialized knowledge. He believes that a wide base of experience and expertise is invaluable when delving into the details of solving problems in a more narrowly defined area.


"I benefited from not becoming an expert in anything in particular until I got way down my career path," said Monnier. "So don't spend all your time just being a programmer. Learn how systems work, why they work that way and become interested in other areas of IT and security."

For more, watch the Cyber Work Podcast episode, Attack surface managers and the state of attack surfaces.


Drew Robb has been writing about IT, engineering and cybersecurity for more than 25 years. He's been published in numerous outlets and resides in Florida.