
ASM tools and strategies for threat management
Choose Your Armor
Identifying and exploiting vulnerabilities has been part of the attackers' trade for thousands of years. Just think of Hagen von Tronje, for example, who snuck up behind Siegfried, took aim with his spear, and murdered the purportedly invulnerable hero. He knew about the weak point in Siegfried's protective armor. Literary historians talk about Siegfried's death as an intrigue or honor killing, but as security professionals know, it was yet another case of inadequate attack surface management. In this article, I shed light on what is important in terms of IT security when reducing the attack surface.
ASM
Security analysts and providers use the term "attack surface management" (ASM) to describe tools and software-as-a-service (SaaS) offerings that are intended to enable enterprises – large corporations in particular – to identify their attack surfaces more precisely and respond more quickly to changes in their risk situation (see the "Prevention and NIS2" box). In their Leadership Compass publications on ASM [1], analysts at KuppingerCole state that ASM has "emerged as a crucial discipline that enables proactive cybersecurity strategies, mitigating risks by reducing an organization's exposure to potential attacks."
Prevention and NIS2
Dennis-Kenji Kipker, Professor of IT Security Law at the Bremen University of Applied Sciences, points out that NIS2 [the successor to the 2016 European Network and Information Systems Directive] is based on the principle of prevention; therefore, you look at what the attack vectors are so that if you do get compromised, you have an emergency management system in place, which ultimately also includes all risk management measures. From this point of view, he says, ASM can be interesting for some companies, although it is not a legal requirement.
KuppingerCole defines the attack surface as the "totality of all possible entry points within an organization, as well as the digital infrastructure of its subsidiaries and partners." In addition to hardware, software, storage devices, and networks on-site and in the cloud, the analysts also include identities (of users, accounts, and devices) that an attacker could exploit to block services, gain unauthorized access, carry out attacks, or compromise sensitive data. The problem is that the attack surface is constantly changing, if only because the components of an IT environment are constantly changing. According to KuppingerCole, due diligence therefore requires these attack surfaces to be monitored and evaluated 24/7.
Similarly, analysts at Forrester Research in 2022 described ASM as "the process of continuously discovering, identifying, inventorying, and assessing the exposures of an entity's IT asset estate" [2] and reported on success stories with ASM users praising the superior overview, the time savings, and the ability to prioritize risks.
Two ASM Variants
Market observers such as Gartner, Forrester, and KuppingerCole distinguish between two types of ASM: external (EASM) and cyber asset (CAASM). CAASM is designed to empower organizations to record all internal and external assets, primarily through API integration with existing tools such as inventory systems. The data collected and consolidated by CAASM is used to determine the type and extent of vulnerabilities, so that they can be analyzed and continuously monitored. Gartner [3] includes Armis, Axonius, Balbix, JupiterOne, Lansweeper, OctoXLabs, runZero, and ThreatAware in its list of CAASM providers.
In times of ransomware and other cyberattacks, resources exposed to the Internet are particularly at risk, and IT teams nowadays sometimes only have hours instead of days to patch vulnerabilities. The second ASM variant, EASM, focuses on this particularly explosive defense case.
According to Gartner, the scope of EASM includes misconfigured public cloud services and servers, as well as exposed company data such as login credentials and vulnerabilities in third-party software code that an attacker could exploit – think of the SolarWinds compromise in 2020 or the recent attack on the open source XZ Utils toolbox, which Andres Freund discovered by chance.
The EASM market segment is home to various major players such as IBM (with the acquisition of Randori in 2022), Google Cloud (with the acquisition of Mandiant, also in 2022), and Microsoft. They are likely to be more concerned about getting their own attack surfaces under control. These major players are joined by numerous security specialists, including CrowdStrike, Group-IB, Palo Alto Networks, and Trend Micro.
KuppingerCole assumes that the two types of ASM will sooner or later merge into a holistic ASM. In the meantime, user companies will certainly not want to maintain and pay for separate tools, processes, or cloud services to monitor both ends of the same asset.
X Marks the Spot
King Gunther and his henchman Hagen trick Siegfried's wife Kriemhild into believing that war with the Saxons is imminent. In this way, Hagen is able to coax Siegfried's secret out of her: Under the pretext that he can then protect Siegfried all the better, he persuades Kriemhild to sew a cross onto Siegfried's robe at the critical point. Social engineering has always been one of the most effective weapons in the attacker's arsenal. Villains today have many different ways to dupe a victim, and loopholes can often be detected easily from a distance, because many companies expose vulnerabilities online with almost Kriemhild-like recklessness.
How does ASM prevent malicious actors from finding so many digital crosses that they can shamelessly exploit? First, you need to distinguish ASM from legacy vulnerability management, which relies on network-wide scans of the in-house IT inventory and rates the findings against the Common Vulnerability Scoring System (CVSS). Compared with the traditional approach, ASM tools and services enable faster and, above all, more precise prioritization. According to KuppingerCole, ASM allows organizations to take a risk-based approach and strategically focus their resources on the areas that are potentially most at risk.
This promise sounds pretty familiar. One suspicion involuntarily rears its head like an annoyed dragon. Could it be that resourceful marketeers have poured old vulnerability management wine into new ASM wineskins? Stefan Strobel [4], head of the security consultancy cirosec, pointed out that the basis of ASM is a vulnerability scanner (i.e., established technology). According to Strobel, though, ASM also covers companies with a decentralized organization that increasingly rely on cloud services and quickly lose track of their IP addresses in the process. You must first find out what you need to scan before scanning by asking questions such as: Which domains are in use? Who registered them? With which provider? On what subnet?
What might sound simple, at first, can quickly prove to be treacherous ground in large IT environments. By way of an example, when Forrester surveyed ASM users for its report, the security expert at a used car marketplace said that the ASM tool had found 50 percent more assets than they thought they had. Whereas dragonslayers of old only had to worry about a single weak spot, protecting attack surfaces in companies today is initially like looking for a needle in a haystack.
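As an added example (not from the article or any ASM vendor's tooling), the following Python script reconciles a constructed discovery result against a constructed asset inventory: it lists the hosts the inventory does not know about, answers the four questions above (domain, registrant, provider, subnet) for each of them, and computes the kind of "more assets than we thought" delta the Forrester interviewee reported. The host names, field names, registrant labels and the /24 subnet mask are all assumptions.

```python
"""Reconcile an external discovery run against the in-house asset inventory."""
import ipaddress
from collections import defaultdict

# Constructed sample data, not from the article or any vendor tool.
# What the internal inventory (CMDB) says the company owns:
KNOWN_ASSETS = {"www.example.test", "mail.example.test",
                "vpn.example.test", "crm.example.test"}

# Constructed records from a hypothetical external discovery run. Each record
# answers the questions from the text: which domain is in use, who registered
# it, with which provider, and (via the IP) on what subnet.
DISCOVERED = [
    {"host": "www.example.test",      "ip": "203.0.113.10", "registrant": "corp-it",    "provider": "datacenter"},
    {"host": "mail.example.test",     "ip": "203.0.113.25", "registrant": "corp-it",    "provider": "datacenter"},
    {"host": "vpn.example.test",      "ip": "203.0.113.40", "registrant": "corp-it",    "provider": "datacenter"},
    {"host": "crm.example.test",      "ip": "198.51.100.7", "registrant": "sales-dept", "provider": "cloud-a"},
    {"host": "demo.example.test",     "ip": "198.51.100.9", "registrant": "sales-dept", "provider": "cloud-a"},
    {"host": "old-shop.example.test", "ip": "192.0.2.33",   "registrant": "agency-x",   "provider": "cloud-b"},
]

# Registrants the company itself controls; anything else is a third party.
CORPORATE_REGISTRANTS = {"corp-it", "sales-dept"}

def reconcile(known, discovered):
    """Hosts that discovery found but the inventory lacks, and how much
    larger (in percent) the real estate is than the inventory claims."""
    found = {r["host"] for r in discovered}
    unknown = sorted(found - known)
    growth_pct = round((len(found) - len(known)) / len(known) * 100)
    return unknown, growth_pct

def group_unknown(discovered, unknown):
    """Group unlisted hosts by provider and /24 subnet (assumed mask) so each
    group can be handed to whoever owns that provider account."""
    groups = defaultdict(list)
    for r in discovered:
        if r["host"] in unknown:
            net = ipaddress.ip_network(f'{r["ip"]}/24', strict=False)
            groups[(r["provider"], str(net))].append(r["host"])
    return dict(groups)

def third_party_registered(discovered, unknown):
    """Unlisted hosts registered outside the company: nobody internally is
    patching these, so they go to the top of the remediation list."""
    return sorted(r["host"] for r in discovered if r["host"] in unknown
                  and r["registrant"] not in CORPORATE_REGISTRANTS)
```

With the constructed data, six discovered hosts against four inventoried ones reproduces the "50 percent more assets" finding, and the agency-registered shop is flagged first.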
