Cyber asset attack surface management (CAASM) combines discovery, classification, and monitoring to give an organization visibility into its attack surface: all external-facing IT infrastructure and internal assets (routers, servers, IoT devices, code repositories, and so on) and the connections between them.
This contrasts with vulnerability management, which often focuses on individual assets without examining how they connect to one another, which limits how well it can assess risk.
Classification
The first step in cyber asset attack surface management is to identify and classify the digital assets a business has, whether on-premises, in the cloud, in subsidiary networks, or in third-party data centers. The business must then map those assets and analyze the risk each one poses to the organization's security posture.
This involves identifying, prioritizing, and remediating vulnerabilities in those assets. But it also means evaluating the risk of the broader attack surface by looking at weaknesses beyond code-level vulnerabilities, such as those in infrastructure, applications, IoT devices, and data.
To accomplish this, CAASM solutions use a query engine that joins findings, assets, owners, and relationships from multiple tools (asset inventories, cloud consoles, endpoint agents, vulnerability scanners) into one continuously updated view of an evolving attack surface. This contrasts with the single-point vulnerability discovery and assessment typical of most vulnerability management programs.
This is a critical distinction between CAASM and vulnerability management because it allows security teams to continuously evaluate a business’s ever-changing attack surface from a hacker’s perspective.
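The following is an added example, not code from the original page or from any CAASM vendor, showing the kind of cross-tool join a CAASM query engine performs. Three small inventories (a cloud instance export, an EDR agent list, and a vulnerability scanner export) are constructed sample data; the hostnames, owners, finding IDs, the 2-day staleness threshold, and the function names are all hypothetical. Hostname is assumed to be the join key; a real product would also join on IP addresses, MAC addresses, and cloud resource IDs.

```python
"""Added example: correlating asset records from several tools into one
queryable asset graph, the way a CAASM query engine does. All data below
is constructed sample data, not output from any real product."""
from collections import defaultdict

# Constructed cloud instance export; the owner comes from resource tags.
CLOUD_INVENTORY = [
    {"hostname": "web-01", "ip": "203.0.113.10", "public": True, "owner": "platform-team"},
    {"hostname": "db-01", "ip": "10.0.0.5", "public": False, "owner": "data-team"},
    {"hostname": "batch-07", "ip": "10.0.0.9", "public": False, "owner": "analytics"},
]

# Constructed EDR console export: hosts with a security agent checking in.
EDR_AGENTS = [
    {"hostname": "web-01", "last_seen_days": 0},
    {"hostname": "db-01", "last_seen_days": 1},
    {"hostname": "jump-01", "last_seen_days": 3},  # not in the cloud inventory at all
]

# Constructed vulnerability scanner export; finding IDs are hypothetical.
SCANNER_FINDINGS = [
    {"hostname": "web-01", "id": "FINDING-1", "severity": "critical"},
    {"hostname": "web-01", "id": "FINDING-2", "severity": "low"},
    {"hostname": "batch-07", "id": "FINDING-3", "severity": "high"},
    {"hostname": "legacy-ftp", "id": "FINDING-4", "severity": "critical"},  # scanner only
]


def build_asset_graph(cloud, edr, scanner):
    """Merge per-tool records into one asset record per hostname, remembering
    which tools know about each asset (the 'sources' set)."""
    assets = defaultdict(lambda: {"sources": set(), "ip": None, "public": None,
                                  "owner": None, "edr_last_seen_days": None,
                                  "findings": []})
    for rec in cloud:
        a = assets[rec["hostname"]]
        a["sources"].add("cloud")
        a.update(ip=rec["ip"], public=rec["public"], owner=rec["owner"])
    for rec in edr:
        a = assets[rec["hostname"]]
        a["sources"].add("edr")
        a["edr_last_seen_days"] = rec["last_seen_days"]
    for rec in scanner:
        a = assets[rec["hostname"]]
        a["sources"].add("scanner")
        a["findings"].append({"id": rec["id"], "severity": rec["severity"]})
    return dict(assets)


def unmanaged_hosts(assets):
    """Assets some tool knows about but that have no EDR agent: coverage gaps."""
    return sorted(h for h, a in assets.items() if "edr" not in a["sources"])


def unknown_hosts(assets):
    """Assets seen by EDR or the scanner but absent from the authoritative cloud
    inventory: candidates for shadow IT or stale records."""
    return sorted(h for h, a in assets.items() if "cloud" not in a["sources"])


def stale_agents(assets, max_days=2):
    """Hosts whose agent has not reported within max_days (hypothetical threshold)."""
    return sorted(h for h, a in assets.items()
                  if a["edr_last_seen_days"] is not None and a["edr_last_seen_days"] > max_days)


def exposed_critical(assets):
    """Internet-facing assets carrying a critical finding, paired with the owner
    the remediation ticket should be routed to."""
    return sorted((h, a["owner"]) for h, a in assets.items()
                  if a["public"] and any(f["severity"] == "critical" for f in a["findings"]))


if __name__ == "__main__":
    graph = build_asset_graph(CLOUD_INVENTORY, EDR_AGENTS, SCANNER_FINDINGS)
    print("no EDR agent:        ", unmanaged_hosts(graph))
    print("not in cloud CMDB:   ", unknown_hosts(graph))
    print("stale EDR agent:     ", stale_agents(graph))
    print("public + critical:   ", exposed_critical(graph))
```

Each query answers a question no single tool can: the scanner alone cannot say which of its hosts lack an agent, and the EDR console alone cannot say which agents belong to hosts nobody provisioned. Re-running the join on every export keeps the answers current as the attack surface changes.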
Assessment
Corporate networks used to be stable and centralized; today new assets and new cyber risks surface daily. Penetration testing, for example, focuses on known assets and cannot assess the new vulnerabilities and attack vectors introduced by cloud adoption, digital transformation, and remote work.
A vulnerability management solution performs an in-depth assessment of each asset on your business network, looking for critical weaknesses such as device misconfigurations, encryption issues, and sensitive data exposures. It then prioritizes them by attackability—meaning how likely hackers would be to exploit them to steal or otherwise compromise your business-critical assets.
A vital component of a vulnerability management solution is the ability to share contextual information about each threat with teams responsible for remediation. This helps them better understand the threats and how to eliminate them, increasing the efficiency and effectiveness of their efforts.
Remediation
Once vulnerabilities are identified, they must be fixed to reduce or eliminate the risk of cyberattacks and data breaches. Remediation is an ongoing process that includes patching, hardening, and compensating controls. Mitigation strategies can also be implemented to reduce the impact of a vulnerability until remediation is complete.
In today's highly interconnected systems, traditional asset discovery, threat assessment, and vulnerability management methods struggle to keep up with the rapid emergence of new vulnerabilities and attack vectors. This is why it is essential to implement continuous, automated, risk-based vulnerability scanning.
Vulnerability management solutions use several discovery methods (network scanning, endpoint agents, and cloud and SaaS API integrations) to identify the organization's assets, whether on-premises or in the cloud, including remote systems, IoT devices, and third-party software components. They then continuously track, monitor, and inspect these assets, identifying potential threats and vulnerabilities. This information can be used to build a proactive, layered security stack that significantly reduces risk and speeds up response.
Monitoring
Point-in-time techniques such as penetration testing can confirm suspected vulnerabilities in known assets, but they cannot help security teams identify unknown risks that arise between tests from configuration drift or shadow IT.
When vulnerabilities are discovered, they must be analyzed to determine their severity and type. This allows IT and security teams to prioritize remediation and focus on the most critical ones first.
Continual monitoring ensures that all assets are scanned on an ongoing basis, detecting changes to the attack surface and alerting security teams to new risks that must be addressed. This reduces the work required to identify and mitigate new vulnerabilities before attackers can exploit them.
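The following is an added example, not code from the original page or any vendor, illustrating both the attackability-based prioritization described under Assessment and the change detection described here: two discovery snapshots are diffed, and each change is scored by whether it adds exposure, whether the host is internet-facing, and whether the service is a management surface. The snapshots, hostnames, port list, scoring weights, and severity thresholds are all constructed and illustrative, and the function names are hypothetical.

```python
"""Added example: continuous attack-surface monitoring as a diff between two
discovery snapshots, with the changes ranked by a simple attackability score.
Both snapshots and the scoring weights are constructed sample data."""

# Constructed snapshots: hostname -> {"public": internet-facing?, "ports": {port: service}}
SNAPSHOT_T0 = {
    "web-01": {"public": True, "ports": {443: "https"}},
    "db-01": {"public": False, "ports": {5432: "postgres"}},
    "old-app": {"public": False, "ports": {8443: "https"}},
}
SNAPSHOT_T1 = {
    "web-01": {"public": True, "ports": {443: "https", 22: "ssh"}},    # ssh newly exposed
    "db-01": {"public": False, "ports": {5432: "postgres", 9090: "metrics"}},
    "dev-03": {"public": True, "ports": {3389: "rdp", 8080: "http"}},  # previously unknown host
}

# Services that expose an interactive or management surface; their exposure
# is treated as more attackable than an ordinary application port.
ADMIN_SERVICES = {"ssh", "rdp", "telnet", "vnc", "winrm"}


def diff_snapshots(old, new):
    """Return the attack-surface changes between two snapshots as a list of dicts:
    new/removed assets and, for assets present in both, new/removed ports."""
    changes = []
    for host in sorted(new.keys() - old.keys()):
        changes.append({"host": host, "change": "new_asset", "public": new[host]["public"],
                        "services": set(new[host]["ports"].values())})
    for host in sorted(old.keys() - new.keys()):
        changes.append({"host": host, "change": "removed_asset", "public": old[host]["public"],
                        "services": set()})
    for host in sorted(old.keys() & new.keys()):
        before, after = old[host]["ports"], new[host]["ports"]
        for port in sorted(after.keys() - before.keys()):
            changes.append({"host": host, "change": "new_port", "public": new[host]["public"],
                            "services": {after[port]}, "port": port})
        for port in sorted(before.keys() - after.keys()):
            changes.append({"host": host, "change": "removed_port", "public": new[host]["public"],
                            "services": set(), "port": port})
    return changes


def attackability(change):
    """Score a change: added exposure counts, internet-facing counts more, and an
    admin/management service counts more still. Weights are illustrative."""
    score = 0
    if change["change"] in ("new_asset", "new_port"):
        score += 2
    if change["public"]:
        score += 3
    if change["services"] & ADMIN_SERVICES:
        score += 3
    return score


def severity(score):
    """Bucket a score into an alert severity (thresholds are illustrative)."""
    return "high" if score >= 7 else "medium" if score >= 4 else "low"


def prioritize(changes):
    """Attach score and severity to each change and order the most attackable first."""
    ranked = []
    for c in changes:
        s = attackability(c)
        ranked.append({**c, "score": s, "severity": severity(s)})
    ranked.sort(key=lambda c: (-c["score"], c["host"]))
    return ranked


if __name__ == "__main__":
    for c in prioritize(diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)):
        print(f'{c["severity"]:6} {c["score"]:2} {c["host"]:8} {c["change"]:13} '
              f'{c.get("port", "-")} {sorted(c["services"])}')
```

Removed assets and ports score low but are still reported, because an asset that vanished from discovery is a reason to reconcile the inventory, not to forget it. Running the diff after every scan cycle turns a pile of raw scan output into a short, ordered list of what actually changed.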