Does the concept of Attack Surface Management vs. Attack Surface Analysis make sense to you?

1.5k views · 5 Upvotes · 18 Comments

Director of IT in Software, 201 - 500 employees
Speaking from a security standpoint the two terms mean different things and they should be distinguished.

Attack Surface Analysis is an analysis of the number of exploitable vulnerabilities. It can be used by both sides to discover weaknesses in a system. You start by scanning the target for vulnerabilities and then checking which ones have exploits available, and you choose the attack vector. OWASP has an attack surface analysis cheat sheet.

Attack Surface Management is the process of discovering/reconnaissance, inventorying, classification and monitoring of the systems. This is more on the offensive (attacker) side point of view. You are looking at what IT assets are exposed inside the organization and to the internet.
5 3 Replies
Director of Information Security in Manufacturing, 1,001 - 5,000 employees

Agree with Ajet, but with an addition. The result of an analysis is some kind of report, which may or may not be acted upon. The result of management has to be a specific action. Neither one is better, you need both ;-)

CTO in Software, 11 - 50 employees

I'll agree with you that the reports generated by most tools aren't looked at or validated, but I'm sure you would agree that if the technology "shows" rather than "tells" me where the issue is, relative to the sensitivity of the network, I'm more likely as an operator / owner to engage with the vulnerability.

Director of Information Security in Manufacturing, 1,001 - 5,000 employees

Thanks Joe. 100% agree

Technology Compliance Director, Information Security in Travel and Hospitality, 51 - 200 employees
Ajet's comments are correct, but as a SecOps leader, here is how I view it:
My goal is to keep the attack surface as tiny as possible. This is the driving force behind a great many defensive policies.
 - Every port on every IP is scanned at least once a week.
 - Any changes are investigated as though it were a breach. We find the offender and 'meet' with them and their supervisor.
 - Cloud services have a nice report of every single port and IP. This is reviewed automatically every day.
 - For the known and accepted open ports, a full vuln scan is performed once a week. Any change in banners or detected version is escalated as a breach. Another 'meeting'.
Keep the attack surface tiny, make every effort to secure those services that must be exposed.
2 2 Replies
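The weekly port inventory and "any change is a breach" rule described in the post above can be expressed as a drift check between two scan snapshots. The script below is an added illustration written for this thread, not code from any poster or product. It assumes scanner output has already been reduced to one line per open port in the form `host port banner` (the addresses and banners are constructed placeholders from the 203.0.113.0/24 documentation range), and an `ACCEPTED` allow-list of known exposures stands in for the "known and accepted open ports" the post refers to.

```python
"""Attack-surface drift check: diff two port-scan snapshots and flag changes.

Added example for this discussion; hosts, ports and banners are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Dict[int, str]]  # host -> {port: banner/version string}

# Constructed sample scanner output: "<host> <port> <banner>" per open port.
BASELINE_TXT = """\
203.0.113.10 22 OpenSSH_8.9
203.0.113.10 443 nginx/1.24.0
203.0.113.11 443 Apache/2.4.57
"""
CURRENT_TXT = """\
203.0.113.10 22 OpenSSH_8.9
203.0.113.10 443 nginx/1.25.3
203.0.113.10 8080 Jetty(9.4.51)
203.0.113.12 3389 ms-wbt-server
"""

# Known-and-accepted exposures (host, port). Assumed allow-list for the example.
ACCEPTED: Set[Tuple[str, int]] = {
    ("203.0.113.10", 22),
    ("203.0.113.10", 443),
    ("203.0.113.11", 443),
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    kind: str      # new_port | closed_port | banner_change
    severity: str  # escalate | info
    detail: str


def parse_snapshot(text: str) -> Snapshot:
    """Parse 'host port banner' lines into a nested dict; blank/# lines are skipped."""
    snap: Snapshot = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port, banner = line.split(maxsplit=2)
        snap.setdefault(host, {})[int(port)] = banner
    return snap


def diff_surface(baseline: Snapshot, current: Snapshot,
                 accepted: Set[Tuple[str, int]]) -> List[Finding]:
    """Compare two snapshots. New ports outside the allow-list and any banner
    or version change on an existing port are escalated; closed ports are
    recorded as informational so the inventory stays accurate."""
    findings: List[Finding] = []
    for host in sorted(set(baseline) | set(current)):
        old = baseline.get(host, {})
        new = current.get(host, {})
        for port in sorted(set(old) | set(new)):
            if port not in old:
                sev = "info" if (host, port) in accepted else "escalate"
                findings.append(Finding(host, port, "new_port", sev, new[port]))
            elif port not in new:
                findings.append(Finding(host, port, "closed_port", "info", old[port]))
            elif old[port] != new[port]:
                findings.append(Finding(host, port, "banner_change", "escalate",
                                        f"{old[port]} -> {new[port]}"))
    return findings


def unaccepted_exposures(current: Snapshot,
                         accepted: Set[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Every open (host, port) in the current scan that is not on the allow-list,
    regardless of whether it was also open last week."""
    return sorted((h, p) for h, ports in current.items() for p in ports
                  if (h, p) not in accepted)


if __name__ == "__main__":
    base = parse_snapshot(BASELINE_TXT)
    cur = parse_snapshot(CURRENT_TXT)
    for f in diff_surface(base, cur, ACCEPTED):
        print(f"[{f.severity:8}] {f.host}:{f.port} {f.kind} {f.detail}")
    print("not on allow-list:", unaccepted_exposures(cur, ACCEPTED))
```

Running it on the constructed data reports the nginx version change and the new 8080 listener on the first host, the closed 443 on the second, and the entirely new host exposing 3389, with three of the four findings marked for escalation. In practice the baseline would be the previous week's snapshot and the allow-list the reviewed inventory, so a clean week produces an empty findings list.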
CISO in Software, 201 - 500 employees

This is a good perspective! Let me add my 2 cents:

I totally understand what you meant by "keeping the surface tiny", but let's face it – the surface is growing and will keep growing, as companies expand their usage of cloud technologies, build their own cloud apps and adopt and interconnect SaaS systems. Yes, we still need to be persistent when it comes to minimization, but the scale keeps growing exponentially and this should lead to changes in paradigms.

Great insights about the need to scan / do a compliance review often, isolate and investigate the exceptions. Automation is the key, and configuration as a code a critical success factor to drive this at scale. 

Ajet got it right. You need to continually assess your surface ("Analysis") and have a risk-based response strategy ("Management"). Of course this is interconnected, without a proper analysis, you will be managing wrong risks, but these are two separate disciplines.

CTO in Software, 11 - 50 employees

While I agree with Ajet’s positioning statement, I would have to nudge Tom Currie’s point around their reliance on tools providing a minimized attack surface. From my experience, it is the alignment of those tools concentrated into a single lens that reduces perceived / known attack surface, and not the other way around. Far too often I have seen the emphasis on “tell” tools and not enough on “show” tools, that provide an incomplete view of the ground truth. I trust that explanation makes sense.
WRT - Tomas Honzak’s point around shadow IT, I would agree that automation plays a role, however it also helps to enable teams to “drill down” into the sources in that same analysis platform to explore the key indicators that are present. While ASA and ASM have connective tissues, in my experience the two (when done properly) provide a greater value.
Great responses everyone! Thanks for that - Let’s keep the momentum going!

CEO, MSSP - High Assurance Cybersecurity SOC in Services (non-Government), 1,001 - 5,000 employees
Seconding all that has been said by my esteemed peers, I will add a few cents. There's nothing to "manage" without accurate and continuous "analysis" first. In the case of this topic what may be noteworthy to state is internal and external attack surface analysis and subsequent management go hand in glove - think DiD (defense in depth). Internal you may have some say and control over, externally you have far less control or visibility. Gartner coined the term EASM (external attack surface management) and now you have a plethora of products available. And, EASM is so important owing to burgeoning remote work?
3 2 Replies
CTO in Software, 11 - 50 employees

Any suggestions Neal regarding the internal attack surface? Defence in depth is great, but if I can "see" it, how am I going to fight it? I assume that makes sense.

CEO, MSSP - High Assurance Cybersecurity SOC in Services (non-Government), 1,001 - 5,000 employees

Great point Joe - and that is where we shine with managed XDR. If you can't identify gaps in your cyber hygiene then as you said so well, there's no fighting it. Security operation's job 1 is engineering, implementing, caring, and nurturing cyber hygiene. The only way to "see it" is to continuously assess cyber hygiene via a wide body of internal and external assessments. The data from assessments is the enrichment for your 24x7 monitoring service for correlation with threat intelligence, mapping to ATT&CK, threat hunting, gaps identification, and configuration and compliance drifts, and wait for it ---- automated response! And hence I say, SIEM is dead, long live XDR. 

CTO in Software, 11 - 50 employees
I'd say that 'Analysis' is a component of 'Management' and as others have correctly said, this needs to be a *continuous* process/activity, not a periodic "audit", as attack vectors shift rapidly in today's world.
CISO in Software, 10,001+ employees
I agree with the others. They are different processes and some could describe them as different layers of the problem space. You need to perform an attack surface analysis to understand risks, gaps and issues, but then once they are known, you need to have a process to monitor and manage these.
2 1 Reply
CTO in Software, 11 - 50 employees

1000% - sounds like we're reading the same content. 

Senior Director, Defense Programs in Software, 5,001 - 10,000 employees
I’m wondering where folks don’t think this makes sense conceptually, even if their program isn’t robust enough in either area?
2 1 Reply
CTO in Software, 11 - 50 employees

From my experience, you'd be surprised.
A reliance on a management dashboard has been pointed to as an example of a clear understanding of the attack posture of the enterprise.

VP of Information Security in Software, 11 - 50 employees
With the explosion of IoT, 5G and APIs to connect everything, the attack surface is only going to grow. Management of the attack surface is ensuring that you understand the surface, ensure it is no larger than essential and is relevant to the business focus. The management aspect also addresses the vulnerabilities identified in:

Attack Surface Analysis. This looks at the attack surface for vulnerabilities and, in helpful analysis, suggests options for addressing any vulnerabilities found. A good ASA will take a risk-based and realistic approach in reporting the vulnerabilities identified.
1 Reply
CTO in Software, 11 - 50 employees

Thanks Andrew, I've yet to witness in my research a management product that clearly represents / synthesizes an all-encompassing view of the environment.
I do wholeheartedly agree that solid Attack Surface Analysis platforms, on the other hand, can clearly define the blurred lines. Granted I do have some bias in this domain.

CEO in Services (non-Government), Self-employed
Yes, because they are two different things. Attack surface analysis looks at the number of vulnerabilities and goes on to prioritize them (e.g. risk level) and document them. Attack surface management is discovery and mitigation and prevention. It is the actions taken to remove threats.
