Attack surface management: Advantage or waste of time?
By John Bruggeman, virtual Chief Information Security Officer, CBTS
You will likely hear the term “attack surface management” or ASM in the weeks ahead and beyond. Great, but what is it?
Attack surface management is a product several vendors are selling that can help customers gain visibility into what the bad guys know about their business.
Think about company assets that are exposed to the Internet, ones that are not protected by a firewall. Those computers are the attack surface that bad actors attack to get access to private or sensitive company data.
Every computer or cloud asset that is exposed on the Internet—intentionally or not—is a target of the criminal community. Think of a company website, remote access server, a VPN connection, AWS and Azure servers, and even cloud storage. All those external facing devices are targeted by criminals to see if they can be compromised in order to steal data or gain access.
For a small company with five or ten computers that are exposed, it’s pretty easy to monitor them and make sure they are patched and protected.
But what about a company that has grown through acquisitions and mergers? Does the new CIO or IT director know what assets are exposed to the Internet? Maybe they do, maybe they don't. All those exposed devices are the attack surface.
What to do?
For a large company with hundreds or thousands of external devices, they need to keep an accurate and up-to-date inventory of their attack surface.
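The inventory problem described above, as an added example that is not part of the original post: the IT team's own asset list is reconciled against what an external scan or ASM feed reports as reachable from the Internet, surfacing assets nobody knew were exposed (for instance, ones inherited through an acquisition), assets the inventory wrongly marks as internal-only, and exposed assets whose patching has lapsed. All host names, dates and ports are constructed sample data.

```python
from datetime import date

# Constructed sample: what the IT team believes it owns and how it is classified.
KNOWN_INVENTORY = {
    "www.example.com": {"owner": "web team", "last_patched": date(2024, 5, 1), "internet_facing": True},
    "vpn.example.com": {"owner": "network", "last_patched": date(2024, 1, 15), "internet_facing": True},
    "hr-db.internal":  {"owner": "hr apps",  "last_patched": date(2024, 4, 20), "internet_facing": False},
}

# Constructed sample: what an external scan / ASM feed reports as reachable from the Internet.
EXTERNAL_VIEW = {
    "www.example.com":       {"ports": [443]},
    "vpn.example.com":       {"ports": [443, 22]},
    "hr-db.internal":        {"ports": [1433]},      # inventory says internal-only, yet it answers externally
    "legacy.acquiredco.com": {"ports": [80, 3389]},  # inherited through an acquisition, not in the inventory
}

SNAPSHOT_DATE = date(2024, 5, 10)  # the day the external view was taken (constructed)


def reconcile(inventory, external, today, max_patch_age_days=30):
    """Compare the external view against the inventory and return (host, issue, ports) findings."""
    findings = []
    for host, observed in external.items():
        record = inventory.get(host)
        if record is None:
            # Nobody owns this: the classic post-merger blind spot.
            findings.append((host, "unknown asset exposed to the Internet", observed["ports"]))
            continue
        if not record["internet_facing"]:
            # The inventory is wrong about exposure, so the asset is likely unmonitored.
            findings.append((host, "inventory says internal-only but it is reachable", observed["ports"]))
        patch_age = (today - record["last_patched"]).days
        if patch_age > max_patch_age_days:
            findings.append((host, f"exposed and not patched for {patch_age} days", observed["ports"]))
    return findings


def report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(KNOWN_INVENTORY, EXTERNAL_VIEW, SNAPSHOT_DATE)


if __name__ == "__main__":
    for host, issue, ports in report():
        print(f"{host:24} {issue:50} ports={ports}")
```

Hosts in the inventory that never appear in the external view are simply not part of the attack surface on that day; the interesting output is everything the inventory did not predict.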
There are a number of vendors who sell that kind of data for a subscription fee. Vendors like Palo Alto, BitSight, and SecurityScorecard maintain a database of devices on the Internet and assign a security rating to those devices. Those services provide management tools for companies that need to protect their devices.
CBTS provides managed security services for companies that need to protect their devices at the edge.
For a longer overview of ASM, you can read this post.
About the author
John Bruggeman is a veteran technologist, CTO, and CISO with nearly 30 years of experience building and running enterprise IT and shepherding information security programs toward maturity. He helps companies, boards, and C-level committees improve and develop their cybersecurity programs, create risk registers, and implement compliance controls using industry-standard frameworks like CIS, NIST, and ISO.