Attack surface management (ASM) is a somewhat confusing topic that starts with a fundamental question: What exactly is the attack surface? In reality, it’s everything—internal assets, external corporate assets, third-party assets, people, everything. That said, the emerging attack surface management category focuses on internet-facing assets alone. Hmm, just another day in the perplexing cybersecurity realm.
Now, just because attack surface management tools track only internet-facing assets doesn’t make ASM easy. Large organizations often have thousands, tens of thousands, or more internet-facing assets, including websites, sensitive data, employee credentials, cloud workloads, S3 buckets, source code fragments, SSL certificates, and so on.
Yes, discovering, classifying, and managing all these assets is no day at the beach, as evidenced by recent ESG research. For example:
- Only 9% of organizations believe they actively monitor 100% of their attack surface. The highest percentage (29%) say they actively monitor between 75% and 89% of the attack surface while many monitor even less. Aside from the obvious ‘blind spot’ problem here, most organizations have lots of internet-facing assets they don’t even know about. According to vendors in this space, organizations often discover somewhere in the range of 40% more assets when they use an automated scanner, meaning that even those that think they have things under control probably don’t.
- Attack surface discovery takes more than 80 hours at 43% of organizations, and most organizations perform ASM discovery periodically—once a week, twice per month, or monthly. This is completely out of sync with the moves, adds, and changes happening to support cloud-native applications, remote workers, third-party connections, etc. Now, these discovery efforts are simply in place to gather the data. Once organizations have the data, they still must put in the work to analyze it, prioritize vulnerabilities, and work with IT operations on risk mitigation—the ‘real’ work of ASM.
- When organizations do perform ASM discovery, they continually find a potpourri of exposed assets. For example, 31% of organizations found sensitive data in a previously unknown location, 30% spied websites with a direct or indirect path to their networks, 29% uncovered misconfigured employee credentials, 28% observed unknown SaaS applications, 27% discovered applications/systems with 0 users, and 27% exposed misconfigured SSL certificates. It takes time and resources to proceed through change management processes with this diverse group of assets.
- Like other areas of cybersecurity, many organizations back into ASM by gathering snippets of information from a plethora of different existing tools. The research indicates that 41% of organizations use threat intelligence sources, 40% lean on IT asset management systems, 33% leverage cloud security monitoring solutions, and 29% rely on vulnerability management. Of course, someone must gather this data, correlate it, and try to make sense of it. Often, this is (still) done with spreadsheets.
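The correlation work described above, done by hand in spreadsheets, is easy to show in code. This is an added example, not from the post or from any vendor named in it: the four inventories (ITAM, scanner, cloud monitoring, vulnerability management) and every hostname and IP in them are constructed, and the ITAM list is treated as the "known" baseline so that the discovery delta and the monitored-coverage percentage fall out of a simple merge.

```python
"""Reconcile internet-facing asset lists from several sources.

Added example with constructed data; the source names and assets are
hypothetical and stand in for exports from real tools.
"""
import ipaddress

# Constructed sample inventories. "itam" is the baseline the organization
# believes it tracks; the other three mimic what a scanner, cloud monitoring
# and vulnerability management report about the same estate.
SOURCES = {
    "itam": ["www.example.com", "Mail.Example.com", "203.0.113.10"],
    "scanner": ["www.example.com", "mail.example.com.", "203.0.113.10",
                "dev-old.example.com", "203.0.113.77"],
    "cloud": ["assets-bucket.example.com", "203.0.113.77"],
    "vuln_mgmt": ["www.example.com", "dev-old.example.com"],
}


def normalize(asset: str) -> str:
    """Lower-case hostnames, drop trailing dots and canonicalise IPs so the
    same asset reported slightly differently by two tools collapses to one key."""
    asset = asset.strip().rstrip(".").lower()
    try:
        return str(ipaddress.ip_address(asset))
    except ValueError:
        return asset


def reconcile(sources: dict, baseline: str = "itam") -> dict:
    """Merge every source into one inventory: asset -> sorted list of sources
    that reported it, plus whether the baseline inventory already knew it."""
    seen = {}
    for name, assets in sources.items():
        for asset in assets:
            seen.setdefault(normalize(asset), set()).add(name)
    return {a: {"sources": sorted(s), "known": baseline in s} for a, s in seen.items()}


def coverage(inventory: dict) -> float:
    """Percentage of all discovered assets the baseline inventory tracked."""
    known = sum(1 for v in inventory.values() if v["known"])
    return round(100 * known / len(inventory), 1) if inventory else 0.0


def unknown_assets(inventory: dict) -> list:
    """The discovery delta: assets nobody in the baseline knew about."""
    return sorted(a for a, v in inventory.items() if not v["known"])


if __name__ == "__main__":
    inv = reconcile(SOURCES)
    print(f"baseline coverage: {coverage(inv)}%")  # 50.0% on the sample data
    print("unknown assets:", unknown_assets(inv))
```

Feeding the real exports in place of `SOURCES` turns the same merge into a recurring job, which is the cadence the survey numbers above say most organizations lack.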
Okay, so organizations are a bit behind here. What’s the danger? Well, while cyber-defenders muddle their way through ASM, attackers are using automated tools to discover assets, identify vulnerabilities, and launch attacks. Many of these attacks are successful too. The research reveals that 69% of organizations have experienced some type of cyberattack in which the attack itself started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset. These cyberattacks can be big—think about the 2017 Equifax breach or last year’s Log4j fiasco.
We simply can’t protect our IT assets when we are playing checkers (poorly) while adversaries excel as chess masters. That’s one reason I believe that 2022 will be a big year for attack surface management technology that discovers internet-facing assets, classifies them, gives them a risk score, and may even provide some remediation recommendations.
Yup, I’m feeling like ASM will be hotter than the 4th of July this year, and I’m not alone in my belief. To bolster their security offerings, Mandiant acquired ASM specialist Intrigue last year, Microsoft grabbed RiskIQ, and Palo Alto Networks purchased Expanse Networks. These acquisitions turned a lot of enterprise security heads. Meanwhile, a bunch of innovative startups are gaining ASM momentum including Coalfire, CyCognito, and BAS vendors like AttackIQ, Cymulate, Randori, and SafeBreach.
ASM is too important, and the kludgy way it is done today can’t keep up with enterprise requirements. That’s why I look for organizations to dedicate budgets, put out RFIs/RFPs, test/pilot products, and deploy ASM in 2022.