Operational resilience | Risk Management & Reporting

September 27, 2022

Sometimes a new term enters the lexicon that represents a genuinely new technique or approach to a problem; other times a similar-sounding term turns out to describe a technique that solves a different problem altogether. This linguistic dance of marketers and analysts ends up simply creating confusion in the mind of the prospective buyer.

This brings us to the topic of this blog, Attack Surface Management. It's something we're all hearing more about, and even executives are talking about it; but why is it so important? Basically, it's about maintaining an effective cyber posture in a changing IT risk environment. It's intended to give organisations greater visibility of their IT assets, of the points at which those assets could be attacked (the attack surface) and of the deployed security controls that protect them.


Cyber posture is an assessment of the effectiveness of your cyber security controls or your overall security status. It’s always been an important consideration for security teams. It can change over time and so clear visibility of all your IT assets and the ability to identify and re-prioritise any emerging risks is an important and ongoing task, hence the need to actively manage your attack surface.

The transformation of digital architectures and a changing threat landscape mean organisations are constantly exposed to a shifting attack surface: new points of potential unauthorised access. The increasing number and scale of ransomware and other attacks, the devastating stories from victims and the growing demands by insurers for companies to raise the level of their security controls have heightened awareness of the importance of cyber posture for both operations and senior executive teams.

The better managed the attack surface, the lower the level of unmanaged risk and so the better the organisation's cyber posture. These ongoing shifts in cyber risk mean that security and risk teams need better information about their attack surface, or vulnerability to attack. Hence a new source of risk information: Attack Surface Management (ASM).

Some helpful Attack Surface Management definitions

A number of different ASM technologies are emerging (see below) that provide varying degrees of helpful risk information about changes to the vulnerability of your IT assets. What is so powerful about ASM is that it looks at your enterprise and its posture from the perspective of an attacker looking for security gaps to exploit. Some of those gaps will be in inadequately protected Internet-facing assets. But your internal IT assets have attack surfaces too, and are also at risk: vulnerable APIs, phishing and malware are just some of the vectors by which they are reached.

To get the best information about your particular IT assets, their potential vulnerability and how ASM can help, it's important to understand that not all of these technologies are the same, nor do they provide the same information. It's easier to consider ASM as a class of technologies comprising three different techniques:

  • Cyber Asset Attack Surface Management (CAASM): A technology that provides an accurate view of both internal and external IT assets in order to measure and manage the effectiveness of security controls and to prioritise any risk or vulnerability gaps requiring mitigation across the enterprise.
  • External Attack Surface Management (EASM): Technology and processes that provide an “outside-in” scan of the Internet to identify external internet-facing enterprise assets and systems that might be at risk from emerging Internet threats.
  • Digital Risk Protection Services (DRPS): Technology or services that offer visibility to external threat intelligence from the Internet, social media and even the dark web to contextualise potential threat actors and their tactics, techniques and procedures.

The difference between these techniques lies in where their information comes from, and therefore in the fidelity and utility of what they collect.

Depending on the technology chosen, ASM can provide the information organisations need to identify rogue or shadow IT assets and improve the management of their cyber posture. The type of technology and the source of the information it provides will determine the timeliness and utility of that information.

Visibility and Measurement

The demand for improved visibility of assets and their associated risks ("observability" in some circles) has been driven by the ongoing increase in cyber attacks discussed above, and by the emergence of cyber security risk as a corporate and regulatory agenda item. Visibility of the ongoing risks affecting your attack surface is of growing importance for all stakeholders.

So too is the need to measure the relative adequacy of your controls, for prioritisation and risk management purposes. If a vulnerability is critical, or affects a high priority asset, it's important to be able to identify that fact and act on it quickly. As you might expect, how the risk is measured is key to identifying its true priority. The more accurate the measurement, the more reliable the ASM process and, ultimately, your security risk decision making.
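To make the three definitions above and this measurement point concrete, here is an added Python sketch (not code from the original post, and not Huntsman Security's product logic) of the kind of reconciliation a CAASM-style process performs: a constructed internal asset inventory is compared with a constructed outside-in (EASM-style) scan to surface shadow IT and unexpected exposure, per-control coverage is measured, and gaps are ranked by asset criticality rather than by raw count. The control names, the 1 to 5 criticality scale and the weighting rule are all assumptions chosen for illustration.

```python
"""CAASM-style asset reconciliation and control-coverage measurement (illustrative)."""
from dataclasses import dataclass

# Assumed set of security controls tracked per asset (an assumption for this example).
CONTROLS = ("edr", "mfa", "patched", "backup")


@dataclass
class Asset:
    name: str
    criticality: int          # assumed scale: 1 (low) .. 5 (crown jewel)
    internet_facing: bool     # what the inventory *believes* about exposure
    controls: dict            # control name -> True if deployed and healthy


# Constructed internal inventory: the "inside-out" view an organisation holds.
INVENTORY = [
    Asset("web-01", 4, True,  {"edr": True,  "mfa": True,  "patched": False, "backup": True}),
    Asset("db-01",  5, False, {"edr": True,  "mfa": False, "patched": True,  "backup": True}),
    Asset("hr-app", 3, True,  {"edr": False, "mfa": True,  "patched": True,  "backup": True}),
    Asset("dev-vm", 1, False, {"edr": False, "mfa": False, "patched": False, "backup": False}),
]

# Constructed outside-in scan result: hostnames an EASM-style scan found reachable from the Internet.
EXTERNAL_SCAN = {"web-01", "hr-app", "legacy-ftp", "db-01"}


def shadow_assets(inventory, external_scan):
    """Externally visible assets that the inventory does not know about (candidate shadow IT)."""
    known = {a.name for a in inventory}
    return sorted(external_scan - known)


def unexpected_exposure(inventory, external_scan):
    """Inventory assets seen from outside although recorded as not internet-facing."""
    return sorted(a.name for a in inventory
                  if a.name in external_scan and not a.internet_facing)


def control_coverage(inventory):
    """Percentage of inventory assets on which each control is deployed."""
    total = len(inventory)
    return {c: round(100 * sum(a.controls.get(c, False) for a in inventory) / total)
            for c in CONTROLS}


def gap_score(asset):
    """Criticality-weighted gap score; internet-facing assets weigh double (assumed rule).

    Returns (score, missing_controls).
    """
    missing = [c for c in CONTROLS if not asset.controls.get(c, False)]
    weight = asset.criticality * (2 if asset.internet_facing else 1)
    return weight * len(missing), missing


def prioritised_gaps(inventory):
    """Assets ranked by gap score, highest first, each with the controls it is missing."""
    scored = [(a.name, *gap_score(a)) for a in inventory]
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    print("shadow IT      :", shadow_assets(INVENTORY, EXTERNAL_SCAN))
    print("unexpected exp.:", unexpected_exposure(INVENTORY, EXTERNAL_SCAN))
    print("coverage %     :", control_coverage(INVENTORY))
    for name, score, missing in prioritised_gaps(INVENTORY):
        print(f"{name:8} score={score:2} missing={missing}")
```

Note what the ranking does with the constructed data: dev-vm is missing every control yet lands last, because it is a low-criticality internal box, while web-01 tops the list with a single missing control because it is a critical, Internet-facing asset. That is the difference between counting vulnerabilities and measuring risk that the paragraph above is describing; the externally visible "legacy-ftp" host and the database that the inventory thought was internal are the findings only the outside-in comparison can produce.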

Gartner estimates that fewer than 10% of organisations have adopted an ASM technology with most still relying on less reliable manual processes. The demand for increasing rigour in risk management activities by regulators and directors will undoubtedly lead to broader adoption in the near future.

ASM is becoming an important element of effective cyber security posture management – better visibility and accurate assessment of your changing security controls are critical to the active management of your cyber posture.

CAASM or Cyber Security Posture

Directors, senior executives, and security and risk teams, each now with a degree of accountability for cyber security management, are seeking better answers to the question: "What is the risk?". Evidence-based ASM information is increasingly required to support the growing needs of risk management and oversight. Cyber insurers, for example, found that relying only on externally sourced risk information did not give them an adequate risk picture. As you may be aware, they now demand that organisations seeking to renew their cover maintain much higher levels of security control.

Enter CAASM, an ASM technique that identifies and measures cyber security attack surfaces to provide an actionable ASM report. It systematically measures the quality and coverage of the cyber security controls across an organisation. Whether delivered as a service or, increasingly, as a stand-alone technology, CAASM solutions are predominantly used for rapid empirical IT risk auditing, accurate security control reporting and the prioritised management of vulnerability gaps. They inform both operations and senior executive teams of the health of the cyber safeguards protecting your data and IT systems.

With their speed, visibility and quantitative measurement, CAASM systems reduce the reliance on subjective risk assessments that sometimes limits other ASM techniques. By replacing that anecdotal information with evidence-based metrics, they provide reliable ASM information for both the operational and senior executive teams responsible for cyber security risk decision making.

Positive outcomes from ASM

Huntsman Security's CAASM solutions use a systematic approach to group the risks associated with each security control and align them with the detection, containment and recovery phases of ransomware or malware attacks (in line with UK, Australian and US guidance) for ease of risk management.

Each solution provides a different level of attack surface intelligence. CAASMs show the state of the organisation’s attack surfaces for compliance monitoring or malware attack readiness reporting and provide a clear view of the overall security control effectiveness. They highlight what assets are protected and which remain exposed and need attention.

The upshot of all of this is that rising cyber threats, shifting vulnerabilities and their greater potential to impact business operations have hastened the need for ASM solutions (like Huntsman Security's SmartCheck for Ransomware and Essential 8 Auditor) that provide timely, data-driven IT risk information and objective attack surface insights to all the stakeholders responsible for the management of cyber security risk. These newer CAASM technologies enable more informed management of any change in the attack surface and so enhance active posture management.

