Operational resilience | Risk Management & Reporting

June 19, 2023

Attack Surface Management (ASM) characterises a business’s security risk as a constantly changing and vulnerable “risk surface” that must be continuously monitored and mitigated. Importantly, this attack surface extends to both internal and external assets and services. Some ASM solutions deliver clear visibility across both Internet-facing and internal assets. Others do not. Instead, they assess external-facing services and assets only, mistakenly assuming that internal servers and endpoints are safe from compromise and attack.

Read this field guide to understand how to gain clear visibility of the security of both your internal and external assets and services.

The cyber security industry has a seemingly insatiable appetite for jargon and acronyms. It’s almost as if any security document can quickly descend into sets of clever three- or four-letter acronyms that really don’t add much to anyone’s understanding.

Some of these elaborate descriptors might be fine for security specialists but, for the layperson, the security and business benefits of these documents and terms can be limited. At a time when everyone is looking to maximise the value of their cyber security spend, matching technical requirements to solution functionality is critical. Organisations can’t afford to waste their resources on duplicate or redundant technologies. So, getting to the bottom of some of these cyber security terms is important for all security stakeholders.

Audit and Controls Assurance

One of the areas where this practice has become unhelpful is in the field of cyber security audit or assessment. Maybe this is because it sits at the dynamic interface of the business and technology disciplines, or maybe it’s just an unchecked explosion of IT analysts’ creativity. Whatever the reason, the names and capabilities of some of these technologies seem almost designed to confuse rather than explain their function.

By now most organisations have at least some security controls in place to mitigate security risks, but business stakeholders are seeking assurance, and in some cases evidence, that their assets are protected. Verifiable information is increasingly being sought to give confidence to customers, to inform insurers, to comply with the law and even to satisfy their own fiduciary responsibilities as company officers.

Understanding the effectiveness or ROI of these controls requires a degree of objective measurement:

  • What coverage those controls have over systems and data;
  • How they are configured (and is this correct or optimal);
  • How effective they are;
  • What evidence of operation, or warnings about failures, they generate; and
  • How measurable and reportable this operation is.

Measurement techniques vary from more frequent audit and oversight (which can be expensive, intrusive and invariably imprecise) through to more technical solutions that add quantitative assessment to the risk management process – one such solution is “Attack Surface Management”.

Attack Surface Management (ASM)

Attack Surface Management, a relatively new term, is the genus of a number of different species; each with different capabilities, which can make selecting the best solution for your needs a bit tricky. A note of caution: not all ASMs are the same.

The full extent of an enterprise “surface” that is vulnerable to attack includes both internal and Internet-facing (external) IT assets and services. Without mitigation efforts, these surfaces present security risks to the business and must be managed. Adding to the confusion, some vendors use ASM to describe external-facing services and assets only, mistakenly assuming that internal servers and endpoints cannot become an attack vector. They can, of course.

In short, systematically monitoring an attack surface to identify and mitigate any vulnerabilities will improve the level of cyber resilience and reduce the risk of attack for an organisation. ASM solutions that include both internal and external assets can obviously provide greater confidence about the risk assessment result. They also provide better visibility of the security of both your internal and external assets and services.

Asset management is something that companies often struggle with – accounting for all the IT assets and systems in place and how they are configured. In recent years this has become even harder, for the reasons below; but identifying every asset and service on your network is an important risk mitigation activity:

  • Many assets are not on a single corporate network;
  • Home working/hybrid working is now the norm;
  • Third parties often hold data and process information on organisations’ behalf;
  • The Internet of Things has resulted in a proliferation of devices everywhere;
  • Cloud systems that are known about & cloud systems that aren’t; and
  • Infrastructure AND applications can both contain vulnerabilities – and be delivered by various service providers.

Your choice of ASM solution will determine which assets and services you can discover, analyse, remediate and monitor, and therefore which of the cybersecurity vulnerabilities and potential attack vectors that make up the organisation’s attack surface you can actually see.

Here’s a handy field guide to help you with ASM taxonomy in the wild. The species of the ASM genus are as follows:

  • EASM – External Attack Surface Management
  • SRS – Security Ratings Services
  • DRPS – Digital Risk Protection Services
  • AASM – Application / API Attack Surface Management
  • CAASM – Cyber Asset Attack Surface Management

External ASM (EASM)

This species is closely related to the types of external scanning of systems and networks sometimes undertaken by adversaries. It’s low cost, can be surreptitious and, as a result, is not particularly reliable. It identifies IP address ranges, accessible systems, gateways/VPNs, websites, cloud platforms and applications. It then assesses security/asset exposure in user accounts/emails, gateway access points, web vulnerabilities/SSL certificates, cloud misconfigurations and other vulnerabilities.

EASM provides an easy way to discover the accessible external-facing assets and systems – and this is also its shortcoming: it only sees what is accessible from outside. Systems are not always accessible for a number of reasons – they might be quite adequately protected by other controls (for example a web server behind a gateway), or they might just be disconnected (as in the case of a laptop).

Security Ratings Services (SRS)

These services are broad in their adoption but, again, purely external in nature. Like credit ratings services, they emerged as a business service to provide quick cyber assessments by gathering publicly available information:

  • Scanning or finger-printing OS/software versions;
  • Configuration checking of systems (e.g. SSL certs);
  • Inferring data from other sources (e.g. workstation browser versions based on information from advertisement providers);
  • Publicly revealed information on user-generated platforms (forum posts/email addresses/documents); and
  • Threat intelligence (dark web discussions, compromised accounts)

They remain totally external to the enterprise and unobtrusively gather information from the public domain to profile the security rating of organisations. The scan is a low-cost operation, and SRSs have been known to scan an unsuspecting target and make a report available to them, with an offer to correct any erroneous or inaccurate information for a fee.

The poor reliability and lack of evidential rigour mean that the quality of these reports remains contentious. So much so that early adopters of the service now place greater reliance on other risk assessment methods. For example, organisations seeking reinsurance often now have to certify that they have a mandatory set of controls in place.

Digital Risk Protection Services (DRPS)

This is really just a new name for familiar external threat intelligence services. These are companies that gather and collate threat intelligence about an organisation – more than just general indicators of compromise such as rogue IP addresses and file hashes.

This “threat intelligence” about an organisation can be derived from external information, from its employees, or from data on the Internet, web forums or social media. Elements of tradecraft are sometimes associated with the aggregation of this sort of material. The difficulty is that conclusions can often be very subjective, and the digital artefacts quite tangential to the risk level faced by the target organisation.

In this already confusing market, some EASM and SRS vendors also claim to offer some of these risk protection services – to help manage potential reputational risks.

Application / API ASM (AASM)

As businesses deploy more applications – whether SaaS, cloud-hosted or self-managed on premises – it is important to understand how attackers might choose to subvert them, and the underlying IT assets and systems.

An example might be a server application that provides an API. An end customer may choose not to use the API, and so pays little attention to its security or settings. They forget it is there; yet it remains active, and vulnerable to attack.

AASM applies ASM concepts specifically to discover these applications and APIs, as well as any vulnerabilities that an organisation might have unwittingly adopted.

This identification and vulnerability/threat understanding can be applied to:

  • Cloud applications;
  • APIs;
  • Websites;
  • SaaS services that are in use – both approved and “shadow IT”; and
  • Rogue APIs in software that have been deployed but not used.

Cyber Asset ASM (CAASM)

Finally, arguably the broadest and most interesting species of attack surface management is Cyber Asset Attack Surface Management. At a stretch, it encompasses almost all other ASM types (although, as with any rule, there are exceptions).

CAASM (sometimes referred to as “inside-out”) is viewed from the perspective of an organisation protecting itself against a dynamic threat environment – it is focussed on the vulnerability of all enterprise assets and services. That is, the IT assets and services that comprise the organisation – internal and external facing – across the enterprise network, the cloud providers and user workstations.

CAASM sets out to deliver unified visibility across all assets by identifying any vulnerabilities, subsequent mitigations and any ineffective security controls.

The combination of an asset management inventory and clarity around security vulnerabilities and misconfigurations provides the business with a clear ledger-like overview. Cyber security coverage, maturity and control effectiveness are listed on the one hand, and the resultant cyber exposure and security posture of the organisation on the other. Importantly, CAASMs can highlight the maturity of the security controls to report the status of risk management activities for security and business stakeholders.
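As an added illustration (not the page’s or any vendor’s code), the following toy reconciliation merges three constructed asset feeds into the kind of ledger described above, with control coverage on one side and exposure on the other, and shows which vulnerable internal assets an external-only view would miss. Feed names, hostnames and finding labels are placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample feeds: an EDR agent list, a cloud inventory with
# exposure class, and a vulnerability scanner's findings. Hostnames and
# finding labels are placeholders, not real data.
EDR_AGENTS = {"web-01", "db-01", "laptop-7"}
CLOUD_INVENTORY = {"web-01": "public", "db-01": "private", "api-02": "public"}
SCANNER_FINDINGS = {
    "web-01": ["expired-tls-certificate"],
    "db-01": ["unpatched-database-service"],
    "api-02": ["unauthenticated-api-endpoint"],
    "laptop-7": [],
}

@dataclass
class AssetRecord:
    name: str
    exposure: str          # "public", "private" or "unknown" (not in cloud feed)
    has_edr: bool          # control coverage: endpoint agent present
    findings: list = field(default_factory=list)

def build_ledger(edr, cloud, scanner):
    """Take the union of assets seen by any feed, so nothing is dropped
    just because one source does not know about it."""
    names = set(edr) | set(cloud) | set(scanner)
    return {n: AssetRecord(n, cloud.get(n, "unknown"), n in edr, scanner.get(n, []))
            for n in sorted(names)}

def control_gaps(ledger):
    """Coverage side of the ledger: assets with no endpoint agent."""
    return sorted(a.name for a in ledger.values() if not a.has_edr)

def exposure_summary(ledger):
    """Exposure side of the ledger: open findings per exposure class."""
    totals = {"public": 0, "private": 0, "unknown": 0}
    for a in ledger.values():
        totals[a.exposure] += len(a.findings)
    return totals

def external_view_blind_spots(ledger):
    """Vulnerable assets an external-only (EASM) scan would never reach."""
    return sorted(a.name for a in ledger.values()
                  if a.exposure != "public" and a.findings)

if __name__ == "__main__":
    ledger = build_ledger(EDR_AGENTS, CLOUD_INVENTORY, SCANNER_FINDINGS)
    print("no EDR agent:", control_gaps(ledger))
    print("findings by exposure:", exposure_summary(ledger))
    print("missed by external-only view:", external_view_blind_spots(ledger))
```

In the sample data the public API host has no endpoint agent, and the private database server carries a finding that only an inside-out view surfaces.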

This multi-dimensional view of the systems and platforms, their configuration and controls, and the protection they provide against hackers, APTs and ransomware enables the measurable, timely and accurate view of cyber security that all parts of the business need.
