Attack surface management (ASM) is a continuous process of identifying, analyzing, and reducing vulnerabilities within an organizations digital assets and networks. It is conducted entirely from a hackers perspective, identifying targets and assessing risks based on the opportunities they present to a malicious attacker. ASM relies on many of the same methods and resources that hackers use, and many ASM tasks and technologies are devised and performed by ethical hackers familiar with cybercriminals behaviors and skilled at duplicating their actions.
The ultimate goal of ASM is to increase attack surface visibility and reduce risk. It considers all assets, including IP addresses, domains, certificates, cloud infrastructure, and physical systems, connected to an organizations network and maps, which in the organization is responsible for each asset. ASM protects against cyberattacks by providing organizations with comprehensive views of their internal and external attack surface, including all entry points, vulnerabilities, and potential attack vectors.
ASM includes several core functions, including asset discovery, vulnerability assessment, threat modeling, and risk management. An attack surface management solution should utilize these five core functions to protect against vulnerabilities:
- Asset discovery
- Vulnerability assessment
- Threat modeling
- Risk management
- Prioritization
External attack surface management (EASM) is a relatively new ASM technology that focuses specifically on the vulnerabilities and risks presented by an organizations external or internet-facing IT assets. EASM performs assets and exposure discovery on internet-facing assets, continuously assesses them for vulnerabilities, and generates and prioritizes issues for the security team to remediate.
ASM is important because it provides the visibility, context, and prioritization needed to address vulnerabilities before they can be exploited by attackers. It is critical for teams who want a deeper understanding of their key risk areas and aids in making IT, security personnel, and leadership aware of what areas are vulnerable to attack, so the organization can find ways of minimizing the risk.
