Cyber innovation and digital transformation are moving at increasing speeds.
With the shift to cloud-based software and assets, SaaS (software-as-a-service) applications, and the need for remote working, businesses are changing the way they approach risk management and the security of their digital assets.
These newer technologies have broadened most organizations’ attack surfaces, making it more complex and difficult for companies to manage IT security processes and prepare for increasing cyber attacks.
In order to strengthen their cybersecurity framework, businesses and organizations must rely on reliable IT asset management methods like attack surface management (ASM), including vulnerability management.
Any asset, cloud-based or otherwise, is a potential entry point for a cyber attack. It’s critical to fully understand how attack surface management and vulnerability management work to ensure they’re implemented effectively in your organization.
This article assesses the difference between attack surface management and vulnerability management.
The Difference Between Attack Surface Management and Vulnerability Management
The main difference between attack surface management (ASM) and vulnerability management is the overall security scope they cover within an organization’s structure. ASM has a broader focus when compared to vulnerability management, which has a narrower scope and focuses only on an immediate impact of a vulnerable asset.
Vulnerability management is a subset of attack surface management. It’s more limited, dealing with code-based scans, and has a more narrow approach in its cybersecurity methods. Vulnerability management tries to identify, classify, prioritize, and remediate vulnerabilities in a network or system that can be potentially exploited.
Attack surface management is more infrastructure based, providing IT teams a holistic view of their external assets and the cybersecurity threats affecting them. ASM accounts for how the devices, networks, and apps are connected between each other, and it deals with covering other potential entry points across an organization’s infrastructure, applications, IoT devices, data, etc.
Separately, they’re efficient in their own field of procedure. Combined, they represent a well-organized cybersecurity framework, offering granular visibility into the security posture of an organization’s overall IT infrastructure.
What is Attack Surface Management?
Attack surface management is a cybersecurity practice in which software tools are used for continuous asset discovery, testing, detection, identification, monitoring, classification, evaluation, prioritization, and finally, remediation of potential attack vectors and vulnerabilities within an organization’s IT infrastructure.
ASM provides greater visibility into an organization's attack surface by identifying how your cyber assets are connected and their potential affect on internal systems during a breach. ASM prioritizes identified threats to improve a company’s security posture, reduce the attack surface, and mitigate security risks within certain assets. These functions work together to help prevent cyber attacks and unauthorized access to sensitive data.
In attack surface management, security teams can identify attack paths and patterns to mitigate or resolve cybersecurity risks in accordance with your risk management framework. To do this, the IT staff uses ASM software and tools that identify vulnerabilities and misconfigurations that could be potential attack vectors for cybercriminals.
Effective ASM tools help organizations perform the following critical cybersecurity tasks:
- Identify and evaluate security risks within known or unknown assets;
- Map out and monitor all assets over time;
- Automate asset discovery, asset review, and asset remediation;
- Identify leaked credentials, outdated software, misconfigurations, and other common vulnerabilities;
- Identify shadow IT assets and unknown assets.
What is an Attack Surface?
In cybersecurity, the term “attack surface” (also known as “external attack surface” or “digital attack surface”) is the sum of all attack vectors which could be exploited as entry points in a cyber attack.
The attack surface includes digital (software), physical (hardware), and cloud-based assets in which data is processed or stored.
Categorizing Attack Surface Assets
There are several categories of external assets within the attack surface. Common types of assets include:
- Known assets include corporate websites, current servers, IoT devices, on-site hardware assets, and all the dependencies running on them.
- Unknown assets, such as Shadow IT or orphaned IT infrastructure that has been shelved for development or forgotten by your security team.
- Cloud assets like cloud servers, SaaS applications, and cloud-hosted databases.
- Rogue assets are mostly malicious infrastructure made and implemented by threat actors. Common examples include malware and typosquatted domains (URL hijacking), the latter of which relies on typographical mistakes and takes advantage of human error by mimicking trusted websites to trick users into sharing sensitive data. Typosquatting often also occurs via phishing scams or malicious mobile applications.
- Third-party vendors are external assets or online services that are usually purchased and can be integrated within your network, commonly to store and process data. In turn. their vendors introduce fourth-party risk to your organization.
The use of even the smallest third-party vendor can lead to massive data breaches. For example, the 2020 SolarWinds cyber attack, in which a US information technology company got attacked via malicious code that spread to its staff, customers, and clients through a software update. The malware went undetected for months, and a reported 18,000 customers were compromised by the breach.
Since these assets can be accessed via the Internet, they’re outside the protection of a firewall and other endpoint protection methods.
Identifying your assets is a primary objective of any security program, so security teams need to have a hacker’s point of view when managing the attack surface.
Reducing The Attack Surface
Many organizations in include attack surface reduction strategies in their information security policies. Below are common ways organizations reduce their attack surfaces.
- Decreasing the amount of code running;
- Eliminating entry points for untrusted users via access control, RBAC, or the principle of least privilege;
- Reducing web applications, mobile apps, or services running.
Removing these excessive internet-facing assets serves as an important component of driving operational efficiency and maintaining asset visibility.
However, this alone is not enough to prevent security controls failures. Cybercriminals can still find vulnerabilities in remaining assets and threaten your organization’s security with malware, ransomware attacks, and other security incidents that cause data breaches.
Identifying, classifying, and constantly monitoring your existing assets with a robust attack surface management program offers greater control and visibility over your active ecosystem.
How Does Attack Surface Management Work?
Effective attack surface management strategies follow five phases.
1. Asset Discovery
As is evident by the name, the first phase comprises the identification and mapping out of all internet-facing digital assets.
The assets may belong to an organization or their third parties, including business partners, IaaS and SaaS cloud providers, and other service providers.
Below is a list of digital assets that an attack surface management program must identify and map:
- Web applications, services, and APIs
- Mobile applications and their backends
- Cloud storage and network devices
- Domain names, SSL certificates, and IP addresses
- IoT and connected devices
- Public code repositories such as GitHub, BitBucket, and Gitlab
- Email servers
Outdated attack surface solutions perform asset discovery through the much slower process of manually inputting domains and IP addresses. They also aren’t capable of mapping out unknown, rogue, or external assets.
Modern attack surface management solution providers automate the discovery process, allowing instant threat identification.
External attack surface visibility allows organizations to map out all potential assets that can be used as an attack vector, such as data leaks.
2. Inventory and Classification
Following asset discovery, the attack surface management solution then proceeds with the asset inventory and classification process.
All digital assets (IT assets) must be properly labeled depending on:
- Technical specifications and properties;
- Business importance;
- Prerequisites of compliance and regulations.
3. Risk Scoring and Security Ratings
The third phase of attack surface management consists of risk scoring and security rating. These methods are used to swiftly identify the asset’s security problems which may turn into potential cyber attacks, data breaches, data leaks, or other security issues.
Security ratings are an objective measurement of an organization’s security posture, derived from precise, relevant, and verifiable data, in contrast to other risk assessment concepts, such as security questionnaires or pen testing. They provide the necessary context required to assess the security issues each of asset, including whether they are exposing critical information that could result in data leaks, data breaches, or other cyber attacks.
Advanced ASM solutions offer in-built security ratings to provide greater context around the the level of security risk affecting an asset.
Paired with real-time asset discovery, organizations can leverage instant security ratings to prioritze threat and vulnerability remediation.
4. Continuous Security Monitoring
One of the most important aspects of ASM is continuous security monitoring. Attack surfaces grow each time a new user or device is added and new cyber threats emerge daily. Organizations must monitor their attack surfaces continously to ensure they maintain visibility over the dynamic attack surface.
Today’s innovative attack surface management software solutions can review and analyze assets at all times to better manage vulnerabilities, identify security gaps and weak points, and eliminatemisconfigurations.
5. Malicious Asset and Incident Monitoring
While phase one and two are effective at detecting known and unknown IT assets, newer and more sophisticated rogue assets can be deployed by bad actors in the modern threat landscape. Examples of these malicious assets include:
These types of cyber attacks can be used to exploit vulnerabilities and uncover sensitive data that can remain visible on the internet for other attackers to exploit in future attacks.
Robust attack surface solutions scan the web’s surface, as well as the dark web and deep web to find any exposures of an organization’s sensitive information, such as employee credentials, before a bad actor exploits them in a data breach.
The Benefits of Attack Surface Management
Manually managing your attack surface can be tedious. Automated ASM uses a variety of software tools and processes for real-time monitoring of a network’s vulnerable infrastructure.
Attack surface management approaches vulnerability management from a cyber attacker’s point of view, practicing a very holistic approach to cybersecurity.
This grants an organization better strategic visibility, or “a big picture,” of their surfaces’ potential vulnerabilities, attack vectors, and cybersecurity risks. Additionally, ASM also watches over the “human attack surface,” for example, the presence of phishing scams.
Most importantly, ASM helps with better risk prioritization, reducing exposure that can be exploited by threat actors and exposing and mitigating any cybersecurity risks of a company’s digital assets, known or unknown.
According to Gartner, the benefits of ASM are:
- Increasing asset visibility and removing blind spots.
- Identifying potential attack paths to prioritize security measures.
- Faster reporting and collecting audit evidence.
- Increased IT visibility and apps in multiple departments.
- Actionable threat intelligence and metrics on a continuous basis.
What is Vulnerability Management?
Vulnerability management, or vulnerability scanning, is a security and asset management method that cybersecurity experts use to identify and categorize vulnerabilities, points of entry, and exploit points in an organization’s network devices, computers, and apps.
With vulnerability management, an organization can rate a specific vulnerability within its security so that members can see the severity of the issue.
As an ongoing process that identifies, classifies, prioritizes, and remediates vulnerabilities, VM focuses more on the internal, software-based IT landscape, as well as assets that may be a target for potential threat actors.
Compared to attack surface management, vulnerability management software is more subjective and only focuses on a separate part of a network as a singular asset.
It doesn’t consider how it connects to the rest of the IT environment, be it people, software, or other connections. VM only targets the immediate impact of a vulnerable asset while ignoring how the threats and assets are connected, which is not the case in ASM.
Simply put, it cannot aid in communicating across business functions to emphasize the importance of solving the problem to the extent that ASM does.
What is Vulnerability?
In cybersecurity, the term “vulnerability” means a weak spot in a network’s surface that can be exploited, or more specifically, a particular asset with an IP address.
Here are some examples of vulnerabilities:
- Misconfigurations in systems and clouds;
- Unencrypted data;
- Leaked username and password credentials;
- Out-of-date or unpatched software and apps.
How Does Vulnerability Management Work?
Using a database of known vulnerabilities and cybersecurity gaps, vulnerability management uses vulnerability scanning, and its resulting scans are compared. They’re fed into risk management or patch management lists, and then it’s up to the IT expert to decide how the issue can be fixed, patched, and remediated.
Vulnerability scanning works best in combination with ASM and vulnerability management tools.
Vulnerability scanning can discover crucial security gaps in an IT environment. This significantly helps with patching efforts and improving an organization’s cyber security. It’s easy to perform, less expensive than penetration testing, and can be run on a regular, automated basis.
However, an overlooked downside of vulnerability scanning is that it can give a false sense of security if used in isolation.
Although ASM encompasses vulnerability management, the main difference between ASM and vulnerability management is that ASM considers all interconnected assets.
In contrast to ASM, VM concentrates on a specific section of your network and works on individual, software-based assets that may be potential targets for threat actors. It does not concern itself with understanding a system’s interconnectivity and only figures that out if action is needed.
Because it ignores the way how a system is interconnected, VM doesn’t help in calculating immediate solutions on the spot.
How Attack Surface Management and Vulnerability Management Work Together
The main purpose of ASM and vulnerability management is building a well-prepared cybersecurity posture that is capable of managing and mitigating any IT security risks.
ASM provides greater coverage, offering a holistic view of an organization's Internet-facing assets to help drive comprehensive cyber risk management.
Vulnerability scanning doesn't detect third-party vulnerabilities, but it offers a more laser-precise approach in detecting and resolving cybersecurity vulnerabilities. While vulnerability management is often a compliance requirement and necessary for identifying internal IT issues, organizations also need to consider external threats that can facilitate unauthorized access.
Before deciding on what your organization needs, a good starting point is to check if your organization is subject to regulatory requirements. ASM and vulnerability management, and sometimes even penetration testing on its own, can be mandatory and required by law.
While organizations can decide to use either one of these security management concepts, it’s best practice to use them in unison to form a complete and robust cybersecurity program.
Ultimately, you’ll want to leave no stone unturned when it comes to cybersecurity. Complete ASM solutions, like UpGuard, can instantly detect vulnerabilities affecting your organization and its vendors, with real-time security ratings to provide greater visibility over the supply chain attack surface.