ASM, or Attack Surface Management,
is a relatively new entrant in the cybersecurity defensive arsenal,
which has leapt up the list of priorities for security teams.
But what is it, and why should you be considering it?
I'm Sam Hector from IBM Security,
and before we talk about ASM, let's first define what an attack surface is.
An organization's attack surface is the sum total of all potential routes an attacker
could attempt to use as a point of initial entry.
For example, an attack surface could comprise a log-in web form an attacker could attempt to brute force,
a misconfigured cloud bucket that's open to public access,
an unpatched Java application running on a dusty server you thought was decommissioned years ago,
and even systems in your partner supply chain, like an invoicing and accounting system that has access to your network.
These, plus every other potential point of entry exposed to an attacker,
go into forming the total Attack Surface of an organization
and in simplistic terms, shrinking the size of that attack surface reduces an organization's vulnerability to attack,
and the smaller the target, the easier it is to protect.
Organizations' attack surfaces vary massively,
from brick and mortar small businesses that have very little digital infrastructure,
all the way to global energy and telecommunications companies
with thousands, if not millions, of IoT devices and sensors monitoring every aspect of their supply chain.
So now we understand what an attack surface is, let's look at what Attack Surface Management does.
For now, let's switch sides to the red team and look at how an attacker would understand an organization's attack surface.
Typically, they'd use an open source tool like Kali Linux to go away and crawl a company's online presence.
Or, in other words, use a computer to try the handle on every possible door,
one by one, until they find all of them.
Once that attack surface has been mapped,
typically they would then attempt to understand more about what software is running
that may be out of date and vulnerable to known attacks
that they could then use to try and force the door open and gain entry to your organization.
So now we're back on the blue team.
How can we use this knowledge to better defend ourselves?
Well, many businesses are deploying Attack Surface Management solutions
to help them take an outside-in view on their security posture.
Because ASM Solutions scan your digital presence much like an attacker would,
often exposing those shadow IT resources we spoke about earlier -
like cloud services without an owner, and old servers running unpatched software.
This Venn diagram is all about awareness.
There will always be vulnerabilities and zero-day attacks that a business needs to address,
but they're only able to do that on the subsection of the IT estate that they're actively tracking and aware of.
Through robust vulnerability management practices,
businesses should always seek to minimize the number of systems they know about which are exposed to attack -
this "known and exposed" section in the middle.
By giving businesses an outside-in view on their attack surface,
ASM helps move items from the most risky, "unknown and exposed" category
over to the "known and exposed" category,
and then prioritize in what order to move those over to the "known and unexposed" category.
Or, in other words, it helps them take the fastest path to reduce their risk
by discovering unknown assets, then patching the systems which are at most risk first.
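As an added illustration (not part of the original talk), the Venn categories above written out as a small triage routine: it reconciles a tracked asset inventory with outside-in scan findings, labels each host with its quadrant, and orders remediation so "unknown and exposed" items are dealt with first. The hostnames, inventory and scan flags are constructed sample data, not output from any real tool.

```python
from dataclasses import dataclass

# Constructed inventory of assets the security team actively tracks ("known").
KNOWN_ASSETS = {"www.example.com", "mail.example.com", "intranet.example.com"}

# Constructed outside-in scan findings, in the shape an ASM tool might report.
# reachable: accepted connections from the internet; outdated: fixes are available.
SCAN_FINDINGS = [
    {"host": "www.example.com", "service": "https", "reachable": True, "outdated": False},
    {"host": "mail.example.com", "service": "smtp", "reachable": True, "outdated": True},
    {"host": "intranet.example.com", "service": "https", "reachable": False, "outdated": True},
    {"host": "old-java.example.com", "service": "http", "reachable": True, "outdated": True},
    {"host": "backup-bucket.example.com", "service": "s3", "reachable": True, "outdated": False},
]

@dataclass
class Triaged:
    host: str
    category: str   # one of the four Venn regions from the talk
    priority: int   # 1 = act on this first
    action: str

def categorize(finding, known_assets):
    """Name the Venn region a finding falls into."""
    known = finding["host"] in known_assets
    exposed = finding["reachable"]
    return f"{'known' if known else 'unknown'} and {'exposed' if exposed else 'unexposed'}"

def triage(findings, known_assets):
    """Order findings so the riskiest region is handled first:
    unknown+exposed -> known+exposed (outdated before current) -> unexposed."""
    result = []
    for f in findings:
        category = categorize(f, known_assets)
        if category == "unknown and exposed":
            priority, action = 1, "add to inventory, assign an owner, then assess"
        elif category == "known and exposed" and f["outdated"]:
            priority, action = 2, "patch or remove the exposed service"
        elif category == "known and exposed":
            priority, action = 3, "review whether the exposure is required"
        else:
            priority, action = 4, "add to inventory if unknown; patch on the normal cycle"
        result.append(Triaged(f["host"], category, priority, action))
    return sorted(result, key=lambda t: (t.priority, t.host))

if __name__ == "__main__":
    for t in triage(SCAN_FINDINGS, KNOWN_ASSETS):
        print(t.priority, t.host, "|", t.category, "|", t.action)
```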
The best ASM systems, like IBM's acquisition Randori,
will be able to deliver this entirely from the cloud without any software to deploy,
and build an ethos of cyclical and ongoing improvement into the workflow,
much like sparring with an attacker, to improve and validate defenses on an iterative basis.
This is typically a four step process:
Firstly, discovering unknown attack surfaces.
Secondly, gaining insight and a deep understanding of them, finding out what that tool is actually doing.
Then prioritizing which of these targets are most tempting to attackers and iteratively improving the risk posture.
And finally, testing to validate the effectiveness of your actions.
Throughout this, Randori is continuously providing our clients an attacker's point of view,
with our dedicated team of white hat hackers that help our clients understand which are their most tempting targets.
To show a report for your company, all we need is your email address and your permission.