Does the concept of Attack Surface Management vs. Attack Surface Analysis make sense to you?

Threat Intelligence & Incident ResponseThreat & Vulnerability Management
1.6k viewscircle icon4 Upvotescircle icon18 Comments
Sort by:
CEO in Services (non-Government)3 years ago

Yes because they are two different things. Attack surface analysis  looks at the number of vulnerabilities and goes on to prioritize them (e.g. risk level) and document them. Attack surface management is discovery and mitigation and prevention. It is the actions taken to remove threats.

VP of Information Security in Software3 years ago

With the explosion if IoT, 5G and APIs to connect everything, the attack surface is only going to grow.  Management of the attack surface is ensuring that you understand the surface, ensure it is no larger than essential and is relevant to the business focus.  The management aspect also addresses the vulnerabilities identified in;

Attack Surface Analysis.  This looks at the attack surface for vulnerabilities and in helpful analysis, suggests options for addressing any vulnerabilities found.  A good ASA, will take a risk based and realistic approach in reporting the vulnerabilities identified.

1 Reply
no title3 years ago

Thanks Andrew, I&#39;ve yet to witness in my research a managment product that clearly represents/ synthesizes an all encompassing view of the environment. <br>I do wholeheartedly agree that a solid Attack Surface Analysis platforms on the other hand, can clearly define the blurred lines. Granted I do have some bias in this domain. 

Senior Director, Defense Programs in Software3 years ago

I’m wondering where folks don’t think this makes sense conceptually, even if their program isn’t robust enough in either area?

Lightbulb on2 circle icon1 Reply
no title3 years ago

From my experience, you&#39;d be surprised. <br>A reliance on a managment dashboard has been pointed to as an example of a clear understanding of the attack posture of the enterprise. 

CISO in Software3 years ago

I agree with the others.  They are different processes and some could describe as different layers of the problem space.  You need to perform an attack surface analysis to understand risks, gaps and issues, but then once they are known, you need to have a process to monitor and manage these.  

Lightbulb on2 circle icon1 Reply
no title3 years ago

1000% - sounds like we&#39;re reading the same content. 

CTO in Software3 years ago

I'd say that 'Analysis' is a component of 'Management' and as others have correctly said, this needs to be a *continuous* process/activity, not a periodic "audit", as attack vectors shift rapidly in today's world

Lightbulb on2

Content you might like

Do you feel confident that most third-party vendors are following your data security policies?

Yes, I’m completely confident27%

I’m mostly confident64%

Not quite confident - I have some doubts…5%

No, I highly doubt it3%

View Results

What tools/services do you use for CTEM (continuous threat exposure management)?

Read More Comments

How are you making sure the security team has visibility into social engineering attempts on helpdesk staff, especially with attacks using voice impersonation or other deepfake techniques?

Disesdi Susanna Cox outlines 3 critical threats:
1. Non-deterministic decisions – same prompt, different actions (e.g., unintended transfers).
2. Cascading failures – multi-step tasks = more attack surface.
3. Emergent behavior – guardrails can’t cover infinite edge cases; focus on blast radius and recovery.

3 Controls to Implement Now: 
• Map agent workflows to attack tactics (MITRE ATLAS)
• Weekly prompt-injection tests (OWASP + CSA)
• Least-privilege, expiring agent tokens (NIST AI RMF + CSA MAESTRO)

Which control or framework gives you the biggest headache, and how are you tackling it?

Full analysis: https://disesdi.substack.com/p/openai-just-dropped-their-agentic

Has your organization experienced model denial of service attacks on its LLM?

Yes43%

Not to my knowledge55%

Not sure

View Results