It’s often said that nothing is more powerful than an idea whose time has come. That time might be here for attack surface management (ASM), the subject of the 2022 Gartner® Innovation Insight for Attack Surface Management report.

ASM as a concept has a lengthy history in cybersecurity, but the solution class itself is relatively new. The first entrants into the market appeared within the last decade, and even today the market is still working to contextualize where attack surface management fits in the cybersecurity ecosystem.

The Time for Attack Surface Management is Here

In the report, Gartner places Attack Surface Management (ASM) within the larger context of a practice called “Exposure Management.” The report notes three pillars in this space: ASM, Vulnerability Management, and Validation.  Each pillar has distinct objectives and answers specific questions. For example, ASM focuses on surfacing the attacker’s perspective of your systems, while Vulnerability Management emphasizes understanding how your configuration might be susceptible to attack. Validation, meanwhile, involves knowing what would happen if an attacker breached your systems.

Understanding these pillars is key for placing ASM within its proper context of exposure management. The idea here being that managing the attack surface is a key component of limiting your vulnerability to a cyberattack. This is absolutely the case, as blue teams who know their own systems well, can’t always approach their architecture from an external perspective. ASM tools empower defenders to look at their systems from the outside in to get a better picture of the most likely points of entry.

The Technologies of Attack Surface Management

Effective attack surface management is as much about process as it is about technology. From a process perspective, security teams need to understand how to address attack surface risks once they’re uncovered. One component of this is adopting a risk-based approach to patching software vulnerabilities.

That isn’t the only methodology required to mitigate attack surface risks, however. Another option is implementing a zero-trust strategy or airgapping specific machines from the rest of the network. Airgapping could be particularly powerful for machines in energy companies and pharmaceuticals. Operational technology that runs on outdated operating systems can have their risk limited if they’re on segmented networks.

From a technology perspective, there are three classes of solutions that typically get included in Attack Surface Management, which Gartner outlines:

  • Cyber Asset Attack Surface Management (CAASM) focuses on enabling security teams to solve persistent asset visibility and vulnerability challenges. It enables organizations to see all assets (internal and external) through API integrations with existing tools, query against the consolidated data, identify the scope of vulnerabilities and gaps in security controls, and remediate issues.
  • External Attack Surface Management (EASM) uses processes, technologies and managed services deployed to discover internet-facing enterprise assets, systems and associated vulnerabilities, such as servers, credentials, public cloud service misconfigurations and third-party partner software code vulnerabilities that could be exploited by adversaries.
  • Digital Risk Protection Services (DRPS) are delivered via a combination of technology and services in order to protect critical digital assets and data from external threats. These solutions provide visibility into the open (surface) web, social media, the dark web and deep web sources to identify potential threats to critical assets and provide contextual information on threat actors, their tactics and processes for conducting malicious activity.”

The report further mentions that “There is, however, some confusion about these three, owing to the overlap in some of the use cases they support. EASM has a more technical and operational focus supporting security operations professionals engaged in activities such as VA, penetration testing and threat hunting. DRPS, by contrast, primarily supports more business-centric activities, such as enterprise digital risk assessment, compliance and brand protection. Another important distinction between EASM and DRPS is that the latter typically provides the service overlay, like takedowns. EASM focuses on external assets primarily (and scanning, actively), whereas CAASM focuses on internal assets. In addition, with CAASM, the discovery function works primarily through API integrations with existing tools (passively), whereas EASM uses a range of sources and methods to scan the internet. EASM also focuses on discovering externally facing assets — many of which may be unknown to the organization — whereas CAASM relies on other, already deployed technologies for context and enriches the data being pulled in from those technologies to provide a holistic view of an organization’s asset inventory. Moreover, CAASM can reconcile duplicates or inconsistent data, and automate remediation steps to update data, such as data from a configuration management database (CMDB). CAASM is never a source of record, but rather an aggregator of data from other sources. EASM is a source of record and feeds into CAASM for added visibility.” The report also mentions, “A good way to navigate the market is to understand that each technology was built to target certain core use cases primarily. Therefore, those core use cases are what each technology is best suited to support.”

We’ve talked about this before too. Earlier this year LookingGlass Cyber Chief Product Officer Cody Pierce spoke to CyberScoop about ASM. “I think that organizations are just starting to understand that when we talk about attack surface management for an organization, it’s not just the assets you may have, it also includes your assets both internally in the cloud, and externally connected to the internet, so that’s step 1. Step 2 is taking the threat component to your risk calculation which includes the industry that you’re in, the current threat landscape, and that then becomes information that you can overlay onto your specific digital footprint or attack surface.”

The Future of Attack Surface Management

Attack surface management is very clearly an idea whose time has come. Companies both large and small are starting to understand that they need to try something else; the world of EDRs and detection-based security hasn’t managed to reduce the risk of a breach. ASM and its inherent focus on building resilience to attack is an important step in any organization’s cyber hygiene.

Gartner recognizes this as well, and in the recent Innovation Insight for Attack Surface Management, they wrote that: “Organizations have to manage a growing attack surface as their technological environments become increasingly complex and dispersed, both on-premises and in the cloud, and involve containers, the Internet of Things (IoT), and cyber-physical systems. SaaS applications and supply chain touchpoints also present new attack surfaces.

For every organization, it is essential that any deficiencies of security hygiene are internally visible, so that a strong security posture can be established and maintained. Most organizations lack the capabilities required to validate control coverage and quantify digital and cyber risks effectively.

New ways of visualizing and prioritizing management of an organization’s attack surface are required as enterprise IT becomes more dispersed, owing to the expansion of public-facing digital assets and increased use of cloud infrastructure and applications. Security and risk management leaders can start by aggregating asset and risk context into a platform for visualization of their attack surface.”

Attack surface management shouldn’t replace your asset management tools, but it can be helpful to get the external view and see how well it matches your internal inventory. According to the report, “Gartner estimates that less than 10% of organizations have adopted one or more ASA technologies to address their attack surface. Many rely on partial or manual ASM processes to assess their assets and any associated exposure.”

To read the Gartner recommendations on how organizations can manage their growing attack surface, download a complimentary copy of “Innovation Insight for Attack Surface Management”, a report by Gartner®.

Gartner, Innovation Insight for Attack Surface Management, Mitchell Schneider, John Watts, Pete Shoard, 24 March 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About LookingGlass Cyber

Earlier this year, LookingGlass launched the LookingGlass Suite, which is comprised of best-in-class cyber threat intelligence and attack surface management solutions: scoutPRIME®, scoutINSPECT™, and scoutTHREAT™. Grounded in intelligence about an organization’s internet-facing infrastructure, third-party suppliers’ vulnerabilities and exposures, and active malicious threats, LookingGlass Suite enables organizations to identify relevant cybersecurity issues quickly and reduce the time to act. Learn more about the LookingGlass Suite >

Download the report