Security performance management (SPM) and attack surface management (ASM) are two excellent approaches for managing cyber risk considering the current cyber threat landscape and the context of the world’s ongoing and accelerating digital transformation. Although the two processes are sometimes referred to interchangeably, there are some differences in their execution.
The rapid progress of digital transformation and the use of new technologies is making IT infrastructure far more complex than it has ever been. At the same time, protecting IT assets from cyber threats has never been more important.
The latest factors making IT infrastructure more complex include the following:
- 5G — Increased speeds and connectivity are changing the way the world does business but also opening up vulnerabilities to cyber criminals.
- Artificial Intelligence (AI) — While delivering efficiencies and innovations across industries, AI and machine learning are also leveraged by cybercriminals to crack access credentials and perform cyber attacks.
- Internet of Things (IoT) devices — IoT devices mean increasing connected endpoints, virtually all of which are potential ways for cybercriminals to access a system.
- Remote working — Unvetted devices, SaaS applications, poor security from third-party cloud-based service providers, and configuration-related vulnerabilities make a move toward remote working challenging from a cybersecurity perspective.
With obstacles such as these, combined with the increased pressure of cybersecurity regulations, such as GDPR and HIPAA, IT infrastructures need robust cybersecurity controls but also systems to manage them and ensure regulatory compliance.
What is Security Performance Management?
Security performance management (SPM) is a process that evaluates an organization's cybersecurity maturity and overall security performance. SPM assesses a company’s biggest risks and its current security posture and combines this with data regarding how much work is necessary to ensure the business meets its cybersecurity goals and complies with cybersecurity regulations.
SPM helps with cyber risk governance by providing data for cybersecurity metrics. It increases visibility and helps describe security posture and information security needs to security teams and other stakeholders, ensuring cybersecurity projects are measurable and outcome-driven.
Measuring security performance is vital to ensure organizations comply with these regulations and prepare for the current cyber threat landscape.
Nonetheless, fewer than half of organizations measure cybersecurity performance, which means they don’t know how effective their security is nor the direction in which their cybersecurity capabilities are going.
SPM Strategic Insights
One of the benefits of SPM is that it helps Chief Information Security Officers (CISOs) set metrics and achieve unique goals according to their individual business needs.
SPM helps businesses know where it is succeeding and failing and why, which is crucial for replicating success and remediating vulnerabilities. It also improves the visibility of the impact of external issues and emerging threats.
Furthermore, SPM assists the prioritization process, showing a business its top attack vectors and how they compare to peers’ systems. Unlike traditional cyber risk management, it does not rely on a lone cybersecurity risk assessment, threat intelligence report, audit reports, or one-off penetration testing. On the contrary, over time, SPM does all these things regularly, doing away with static data and providing up-to-date, continuous information regarding cybersecurity performance.
So, rather than providing a snapshot, SPM offers data on performance over time, making it easier for CISOs to know if their initiatives are making IT infrastructure more secure.
Key Components of Security Performance Management
One of the keys to security performance management is data analytics. The more accurate and useful the data, the better the basis for business decisions.
Data needs to be objective. Excellent data helps to measure risk, make decisions, and show stakeholders the organization’s performance. The data must also be specific enough for CISOs to set their own agenda and metrics.
The excellent analytics capability provided by an excellent SPM solution also allows stakeholders to compare an organization’s performance to similar organizations facing similar challenges, which can help put cybersecurity performance into context.
Clean, accurate data helps a business build cyber resilience by keeping stakeholders up to date on the firm’s security posture. It also fosters proactivity. With the increasing potential for damage from cyber attacks, it’s more important than ever for cybersecurity teams to be proactive.
Security Ratings for Security Performance Management
SPM offers stakeholders a company-wide view of security performance. It’s not just about isolated departments or systems, which are outdated in an increasingly connected world. SPM provides a necessarily holistic approach to improving an organization’s cybersecurity posture.
Ongoing SPM can help board members understand an organization's security ability and needs because it can provide a clear, understandable comparison to other firms, gives stakeholders context, and provides real-time information about the organization’s security posture.
With SPM, CISOs can use peer comparisons and security ratings to set goals and report on the organization’s cybersecurity maturity. Thanks to SPM, these security ratings can be objective, data-driven, and continuous, changing in real-time.
The higher the security rating, the better the organization’s security posture. An organization with a strong security posture is less likely to face a data leak, data breach, or cyber attack and is more prepared to deal with these incidents should they occur.
Security ratings can be more effective than traditional cyber risk management activities, including using security questionnaires. On the contrary, security ratings are developed from inherently more useful and verifiable data.
Internal and External Monitoring
Cyber threats are constantly developing, so organizations need to implement continuous monitoring and assessment of their organizations and their supply chains. Measurement combined with continuous monitoring helps businesses achieve goals according to their key performance indicators (KPIs).
By analyzing the security ratings of businesses in the supply chain, an organization can identify its high-risk vendors, evaluate its ecosystem better, get a more accurate view of its security posture, and manage cyber risk more effectively.
Monitoring and managing supply chains can be challenging, so look for SPM systems that automate workflows, including vendor questionnaires, and ensure data is mapped to cybersecurity best practices, such as the security controls of the NIST Cybersecurity Framework.
What is Attack Surface Management (ASM)?
Attack surface management (ASM) is a set of processes that discovers and monitors an organization’s internet-facing digital assets (attack surface) to discover potential vulnerabilities, risks, and attack vectors and remediate them. An attack surface is a sum of the pathways, vulnerabilities, and methods — attack vectors — through which a cybercriminal could launch a cyber attack on a system or extract data.
Any digital, cloud-based, or otherwise asset can be considered an entry point. These endpoints are potential targets for cyber attacks. ASM helps an organization reduce cyber risk dramatically by limiting and hardening endpoints and other ways threat actors can access the organization’s information systems.
A business’s attack surface could be described as comprising three main kinds of assets:
- On-site assets — These include the organization’s servers and hardware.
- Cloud assets — This category includes cloud servers and SaaS applications.
- External assets — This refers to online services from third-party vendors connected to the company network that store and process company data.
A subsidiary network — i.e., a parent or holding company network — would also comprise part of a company’s attack surface.
One of the main ways ASM is different from other cybersecurity solutions is that it approaches IT infrastructure from the perspective of attackers. A modern ASM solution will predict the activities of a cybercriminal with wide-ranging and thorough techniques for revealing vulnerabilities. It aims to find and fix vulnerabilities before cybercriminals can exploit them.
ASM helps stakeholders understand a business’s attack surface by providing the number of endpoints and explaining the connections between devices and how they might affect information security during a data breach.
Effective Attack Surface Management
An effective attack surface management solution should include the following:
- Asset discovery
- Detection of threats
- Evaluation of cyber risks related to both known and unknown assets
- Identification of shadow IT assets, unknown assets, and cybersecurity risks, including software requiring updates, misconfigurations, and leaked access credentials
- Mapping to create a digital asset inventory
- Prioritization of vulnerabilities
- Remediation of vulnerabilities and potential attack vectors
Continuous monitoring is also integral to ASM because attack surfaces are constantly changing. Every device added to or removed from a network — and every user accessing the network — changes the company’s attack surface, making around-the-clock monitoring and testing of the attack surface critical.
Implementing ASM is essential for growing businesses or those ready to expand. It’s critical for these businesses to scale safely, so keeping a close eye on their digital attack surfaces is integral to successful scaling.
ASM tools and solutions help business leaders see which areas are most at risk so they can prioritize risk and vulnerability remediation. An excellent ASM system provides deep and specific detail, so stakeholders can effectively remediate cyber issues and reduce the attack surface.
Some ASM solutions include vulnerability management. Whereas ASM focuses on the entirety of an organization’s attack surface, vulnerability management focuses on remediating exploitable vulnerabilities.
Approaches to vulnerability remediation are more narrow than for ASM. They work well within a wider ASM strategy.
Fixing attack surface issues typically involves one of two broad approaches:
- Mitigating risk associated with specific assets
- Reducing the attack surface to limit exposure
ASM helps CISOs prioritize vulnerabilities, appreciating that not all assets are equally important to an organization or pose the same risk to the network or business function.
By providing visibility regarding the context of the asset, how it is used, and the potential damage of the vulnerability, ASM helps CISOs decide where to focus remediation efforts.
CISOs can also benefit from the aforementioned security ratings to decide on prioritization of remediating the most severe risks based on objective, agreed-upon criteria.
Having identified, evaluated, and prioritized cyber risks, reducing and hardening attack surfaces is an ongoing process that can be achieved to a large extent with the following steps of an ASM process:
- Removal of unnecessary apps and devices
- Verification and minimization of the configurations of all internet-facing assets
- Patching for all remaining servers, endpoints, and other assets
- Implementation of endpoint security
- Implementation of strong access control
- Implementation of web-application firewalls and other security controls to protect assets
Protection of Internal and External Assets
Modern businesses operate with attack surfaces, including third and fourth-party providers. Evaluating and remediating the risk of the entire supply chain with internal and external attack surface management helps organizations avoid security issues such as compromised access credentials, data leaks, and cyber attacks.
ASM begins with mapping and identifying all assets across the organization’s internal and external attack surface. Web application firewalls are a key component of a business’ defense against cybercrime, but the enhanced visibility ASM provides on both sides of firewalls is invaluable in an increasingly complex cyber threat landscape.
Cloud systems are a risk because they don’t always have sufficient security operations. However, they are a target for cybercriminals because they potentially provide access to large amounts of sensitive data. External ASM is also excellent for other use cases, including automating vulnerability management or asset inventory.
Common Attack Vectors
The importance of attack surface management can become even more evident when looking at common attack vectors. The most common attack vectors include:
While cybersecurity awareness training and developing a cybersecurity culture can reduce such risks, they take time. Furthermore, they work best alongside digital solutions and strategies, including ASM.
Cybercriminals are constantly looking for new vulnerabilities listed on the Common Vulnerabilities and Exposures (CVE) site and the dark web. Furthermore, they continually develop ways to exploit existing vulnerabilities.
Cyber attacks are varied and increasingly sophisticated, so defending information systems from unauthorized access, data breaches, and cyberattacks requires a robust suite of security controls, digital solutions, and techniques.
What’s the Difference Between? Security Performance Management (SPM) and Attack Surface Management (ASM)?
So what are the differences between SPM and ASM?
Security Performance Management’s main objective is to understand how well the organization's security posture is performing in light of the established policies and procedures. This also includes tracking compliance with relevant security standards and regulations, using security ratings to understand security postures, and understanding where an organization’s biggest risks are. Regular auditing and reporting are also key components of security performance management.
On the other hand, Attack Surface Management is a more nuanced, proactive security practice aimed at identifying, mapping, and securing all potential points of vulnerability that an attacker could exploit in a network, application, or system. The goal of attack surface management is to minimize the impact of exploitable risks and vulnerabilities as much as possible, making it more difficult for an attacker to penetrate the system.
SPM processes are a more surface-level assessment and management of a company’s overarching security controls, while ASM processes are more directed toward discovering, mitigating, and remediating risks and vulnerabilities. However, many SPM and ASM solutions today have overlapping goals and similar features that make them both great for businesses looking for security solutions.