According to Forrester, External Attack Surface Management (EASM) emerged as a market category in 2021 and gained popularity in 2022. In a different report, Gartner concluded that vulnerability management vendors are expanding their offerings to include Attack Surface Management (ASM) for a suite of comprehensive offensive security solutions.
Recognition from global analysts has officially put ASM on the map, evolving the way security leaders approach their cybersecurity.
Why Now is the Right Time for Attack Surface Management
Businesses today rely more on digital assets than ever before. Shifts over time include more use of the cloud, an increase in remote workforces, and greater expansion of digital assets in part because of mergers and acquisitions.
This resulted in an expansion of both known and unknown attack surfaces that businesses manage, presenting a greater number of pathways for malicious actors to gain entry to an environment.
Consider this analogy for example: If your house only has one entrance, you can put 100 locks on it to enhance security. But if you have 100 doors to your house, each door can only get one lock. In this case, reducing the number of doors on a house, or the assets for attackers to gain entry, creates a more secure environment. This is where Attack Surface Management comes in.
The Role of EASM in Continuous Threat Exposure Management (CTEM)
EASM is distinct from similar market categories, such as cyber attack surface management (CAASM) or security risk rating services, but the differences are nuanced. In a recent Gartner® report, the authors recommended more education on the role ASM plays within continuous threat exposure management (CTEM) to help security leaders advance their programs.
Gartner defines CTEM as, "a set of processes and capabilities that allows enterprises to continually and consistently evaluate the accessibility, exposure and exploitability of an enterprise's digital and physical assets."
5 Phases of Continuous Threat Exposure Management
Attack Surface Management assists in the first three phases of CTEM: scoping, discovery, and prioritization by supporting businesses through the inventory of known digital assets, continuous discovery of unknown assets, and human intelligence to prioritize severe exposures for timely remediation. In some cases, offensive security providers take this a step further by also performing penetration testing on the identified vulnerabilities to validate they are vulnerable and to prove exploitation. This is a sign of a true ASM partner.
"By 2026, organizations prioritizing their security investments based on a continuous exposure management program will be three times less likely to suffer from a breach."
Attack Surface Management Supports Scoping, Discovery, and Prioritization
Let's look deeper at the first three phases in CTEM:
- Scoping: Identifies known and unknown exposures by mapping an organization's attack surface.
- Discovery: Uncovers misconfigurations or vulnerabilities within the attack surface.
- Prioritization: Evaluates the likelihood of an exposure being exploited. The best attack surface management platforms combine technology innovation with human ingenuity to verify alerts and add context to help prioritize remediation efforts.
Keep Up with Expanding Attack Surfaces
Clarifying where ASM fits into an existing security strategy helps leaders select the right mix of technologies for their offensive security program.
Note: This expertly contributed article is written by Jake Reynolds. Jake is a computer science graduate from the University of Minnesota, Twin Cities. He specializes in enterprise web development and currently leading the Research and Development for emerging penetration testing technology at NetSPI.
NetSPI is a leading offensive security company providing comprehensive penetration testing, attack surface management, and breach and attack simulation solutions. With 20 years of experience, their cybersecurity experts secure prominent organizations worldwide, including top banks, cloud providers, healthcare companies, and Fortune 500 firms. Headquartered in Minneapolis, they have offices in the U.S., Canada, the UK, and India.