It’s 2024, and by now it’s clear that nearly everything can be the object of a cyber attack. But knowing that doesn’t mean organizations are strategically managing and controlling their risks. In fact, a survey of over 6200 security decision makers from Trend Micro and Sapio Research found 73% described their attack surface as “constantly evolving and messy” while 43% said it’s simply “out of control.”
Enter attack surface management (ASM), a systematic way for companies to find, track, and manage all potential internal and external areas of vulnerability. Done right, attack surface management is a way organizations can thwart bad actors and drastically decrease the risk of security breaches.
ASM is a key piece of a company’s security posture, but it can be difficult to implement and maintain without the right tools. Here’s everything you need to know about the role ASM plays in improving the response to threats to security as well as best practices teams should follow in order to get the most out of it.
According to the National Institute of Standards and Technology (NIST), an attack surface is:
The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.
To put it another way, an organization’s attack surface can be any of the following things:
An attack surface can be made up of so many things that it is *very* challenging even to know where to begin tracking it all, let alone how to stay ahead of it systematically.
If there’s one thing to remember about attack surfaces, it’s this: less is more.
To get to “less” attack surface, an organization first needs to know what’s there - it’s impossible to eliminate what isn’t known about, and that’s what ASM is all about. Attack surface management should bring three key elements to an organization’s security efforts: automation, a hacker’s mindset that thinks like an attacker, and a focus on uncovering the unknown.
Even a small company is likely to be surprised by the vast number of assets created simply by doing business. No team of human beings will be able to easily identify and track all of these potential surfaces, which is why creating an automated (and continuous) process of discovery and monitoring is a critical step in ASM. The best ASM automation efforts will also simplify collaboration and communication because as assets are discovered, stakeholders will be automatically looped in, so decisions on criticality can be made. In the end, an automated ASM loop will constantly be looking at what’s there, what’s been added, and keeping everyone up to date about the state of the attack surface.
If automation is the engine of ASM, its guidance system is a hacker mentality. What distinguishes ASM from traditional threat detection and other vulnerability-management efforts is that attacker behaviors are codified directly into how a team approaches cybersecurity risk.
To understand what that means in the real world, consider penetration testing, a key tool that periodically tests for known vulnerabilities. Pen testing might happen monthly or quarterly, while hackers scan a target’s surfaces routinely, if not daily. Hackers also scan targets with a greater level of detail and an open-ended approach that pen testing simply can’t provide. Pen testing helps an organization understand potential risks, while hackers are looking everywhere for an opening. ASM helps flip the script and makes it possible to see what the hacker sees. If you can see it, it’s obviously easier to defend.
ASM’s third secret weapon centers on one central belief: you don’t know what you don’t know. That’s the problem with looking from the inside out - organizations are only going to see what they expect to see because no one hunts for something they don’t expect to find. But that’s exactly what bad actors do - every. single. day. They’re searching for the leaked password, open door, unsecured assets, or quickly created one-time use website that still contains sensitive data. So without the right tools - and a wide-open mindset - it will be impossible to actually map an attack surface in its entirety.
This is definitely a case of what you don’t know will hurt you.
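The continuous discovery loop described above (look at what’s there, flag what’s been added, loop stakeholders in) and the “unknown unknowns” problem can be shown in code. This is an added illustration, not ProjectDiscovery code; the inventory schema, the host names and the discovery output are all constructed sample data standing in for what a real scanner would return.

```python
from dataclasses import dataclass, field

# Known inventory: what the organization *thinks* its attack surface is.
# Constructed sample data; "owner" and "criticality" are assumed fields.
KNOWN_INVENTORY = {
    "www.example.com": {"owner": "web-team", "criticality": "high"},
    "api.example.com": {"owner": "platform", "criticality": "high"},
    "old-promo.example.com": {"owner": "marketing", "criticality": "low"},
}

# Constructed output of one discovery run: host -> set of exposed services.
DISCOVERED = {
    "www.example.com": {"443/https"},
    "api.example.com": {"443/https"},
    "staging-db.example.com": {"5432/postgres"},       # nobody in inventory owns this
    "dev-upload.example.com": {"80/http", "22/ssh"},   # one-off site still live
}

# Services that warrant immediate escalation when found on an unowned asset.
RISKY_SERVICES = {"22/ssh", "3389/rdp", "5432/postgres", "3306/mysql"}

@dataclass
class ReconcileReport:
    unknown: dict = field(default_factory=dict)   # discovered, not in inventory
    missing: list = field(default_factory=list)   # in inventory, not reachable now
    escalate: list = field(default_factory=list)  # unknown hosts exposing risky services

def reconcile(known: dict, discovered: dict) -> ReconcileReport:
    """Diff one discovery snapshot against the inventory and flag what needs a decision."""
    report = ReconcileReport()
    for host, services in discovered.items():
        if host not in known:
            report.unknown[host] = sorted(services)
            if services & RISKY_SERVICES:
                report.escalate.append(host)
    report.missing = sorted(h for h in known if h not in discovered)
    return report

def stakeholder_summary(report: ReconcileReport) -> list:
    """One line per finding, ready to route to asset owners and the security team."""
    lines = [f"UNKNOWN  {h}: {', '.join(s)} (needs owner + criticality)"
             for h, s in sorted(report.unknown.items())]
    lines += [f"ESCALATE {h}: risky service on unowned asset" for h in sorted(report.escalate)]
    lines += [f"MISSING  {h}: in inventory, not found this run" for h in report.missing]
    return lines

if __name__ == "__main__":
    for line in stakeholder_summary(reconcile(KNOWN_INVENTORY, DISCOVERED)):
        print(line)
```

Run on a schedule with a real scanner feeding DISCOVERED, the UNKNOWN lines are exactly the assets a survey respondent “didn’t know existed”; the MISSING lines catch inventory drift in the other direction.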
At a time when security pros are in short supply, it’s tempting to think ASM is the answer to all of an organization’s security needs, but don’t make the mistake of thinking it can replace red teams, penetration testing, or other established security processes. Ideally, ASM works *with* existing security efforts and, by providing a very detailed analysis of assets, should actually make it easier for other processes and teams to succeed. Pen testing can be directed at identified and suspected vulnerabilities. Red teams - often stretched far too thin - can stop aimless hunts and focus their expertise on the issues that matter most to the organization.
For many organizations, security continues to be somewhat neglected: on average in 2022, an enterprise devoted only 9.9% of its tech budget to security, according to data published in Venture Beat. Yet cybersecurity attacks increased 38% from 2021 to 2022, according to Security Magazine, so clearly there’s a disconnect.
And the disconnect is even more worrying when looking at a typical organization’s attack surface. A survey from the Massachusetts Institute of Technology found fully half of respondents experienced a security breach from assets that weren’t known about, managed, or dealt with correctly. Data from ESG Research indicated about one-third of organizations found highly “sensitive” data in areas they didn’t even know existed, while almost 30% found mystery SaaS applications running. And finally, the attack surface problem isn’t going to go away on its own. Randori’s 2022 State of Attack Surface Management found 67% of organizations expect their attack surfaces to expand over the next year.
At a time when hackers have never been more tech savvy or persistent, organizations can’t simply carry on in the typical way. ASM promises a fresh, automated, and systematic way to find, deal with, and control assets, giving an organization a clear look into what attackers are seeing. If it’s findable, it’s fixable, and, bonus, ASM also takes the burden off the rest of the security team, making them more able to focus on the tasks that matter most.
To get the most out of an ASM effort, there are a number of key principles to keep in mind.
In most organizations, security needs a fresh start. Attack surface management is exactly that - a wholly different way to discover the unknown, automate the process, and outhack the attackers by behaving like they do. ASM not only can help level the playing field but it can make existing security efforts more successful. ASM is a key step in the process of democratizing security, something ProjectDiscovery is passionate about.
Intrigued? Take a deeper dive into a brave new (and democratic) world of security.