Does the concept of Attack Surface Management vs. Attack Surface Analysis make sense to you?

Anonymous Author
Speaking from a security standpoint, the two terms mean different things and they should be distinguished. Attack Surface Analysis is an analysis of the number of exploitable vulnerabilities. It can be used by both sides to discover weaknesses in a system. You start by scanning the target for vulnerabilities, then check which ones have exploits available, and you choose the attack vector. OWASP has an attack surface analysis cheat sheet. Attack Surface Management is the process of discovering/reconnaissance, inventorying, classifying and monitoring the systems. This is more on the offensive (attacker) side point of view. You are looking at what IT assets are exposed inside the organization and to the internet.
5 upvotes
Anonymous Author
Seconding all that has been said by my esteemed peers, I will add a few cents. There's nothing to "manage" without accurate and continuous "analysis" first. In the case of this topic, what may be noteworthy to state is that internal and external attack surface analysis and subsequent management go hand in glove - think DiD (defense in depth). Internally you may have some say and control; externally you have far less control or visibility. Gartner coined the term EASM (external attack surface management) and now you have a plethora of products available. And, EASM is so important owing to burgeoning remote work?
3 upvotes
Anonymous Author
Ajet's comments are correct, but as a SecOps leader, here is how I view it: My goal is to keep the attack surface as tiny as possible. This is the driving force behind a great many defensive policies.
- Every port on every IP is scanned at least once a week.
- Any changes are investigated as though they were a breach. We find the offender and 'meet' with them and their supervisor.
- Cloud services have a nice report of every single port and IP. This is reviewed automatically every day.
- For the known and accepted open ports, a full vuln scan is performed once a week. Any change in banners or detected version is escalated as a breach. Another 'meeting'.
Keep the attack surface tiny, and make every effort to secure those services that must be exposed.
2 upvotes
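One way to implement the weekly scan-diff-and-escalate loop described in the post above, as an added example that is not part of the original thread: it compares a new (ip, port, banner) inventory against the accepted baseline and flags new listeners and banner/version changes for escalation, while a port that closed only shrinks the surface. The scan records and addresses are constructed; a real deployment would feed it parsed scanner output.

```python
"""Attack-surface drift check: diff a fresh port/banner inventory against an
accepted baseline. Records are (ip, port, banner) tuples; the sample data
below is constructed (RFC 5737 documentation addresses), not a real scan."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str       # "new_port", "closed_port" or "banner_changed"
    ip: str
    port: int
    detail: str     # banner, or "old -> new" for a banner change


def to_index(records):
    """Map (ip, port) -> banner so membership checks are set operations."""
    return {(ip, port): banner for ip, port, banner in records}


def diff_surface(baseline, current):
    """Return all differences, ordered: new ports, closed ports, banner changes."""
    base, cur = to_index(baseline), to_index(current)
    findings = []
    for ip, port in sorted(cur.keys() - base.keys()):
        findings.append(Finding("new_port", ip, port, cur[(ip, port)]))
    for ip, port in sorted(base.keys() - cur.keys()):
        findings.append(Finding("closed_port", ip, port, base[(ip, port)]))
    for key in sorted(base.keys() & cur.keys()):
        if base[key] != cur[key]:
            findings.append(Finding("banner_changed", key[0], key[1],
                                    f"{base[key]} -> {cur[key]}"))
    return findings


def needs_escalation(findings):
    """A closed port shrinks the surface; every other change is treated as a breach."""
    return [f for f in findings if f.kind != "closed_port"]


# Constructed sample inventories (accepted baseline vs. this week's scan).
BASELINE = [
    ("192.0.2.10", 443, "nginx/1.24.0"),
    ("192.0.2.10", 22, "OpenSSH_9.6"),
    ("192.0.2.11", 443, "nginx/1.24.0"),
]
CURRENT = [
    ("192.0.2.10", 443, "nginx/1.24.0"),
    ("192.0.2.10", 22, "OpenSSH_8.9"),      # version changed: investigate
    ("192.0.2.10", 8080, "Jetty(9.4.z)"),   # new listener: investigate
]                                           # 192.0.2.11:443 went away: log only

if __name__ == "__main__":
    for f in needs_escalation(diff_surface(BASELINE, CURRENT)):
        print(f"ESCALATE {f.kind} {f.ip}:{f.port} {f.detail}")
```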
Anonymous Author
I'd say that 'Analysis' is a component of 'Management' and, as others have correctly said, this needs to be a *continuous* process/activity, not a periodic "audit", as attack vectors shift rapidly in today's world.
2 upvotes
Anonymous Author
I agree with the others. They are different processes, and some could describe them as different layers of the problem space. You need to perform an attack surface analysis to understand risks, gaps and issues, but then once they are known, you need to have a process to monitor and manage these.
2 upvotes
Anonymous Author
I’m wondering where folks don’t think this makes sense conceptually, even if their program isn’t robust enough in either area?
2 upvotes
Anonymous Author
With the explosion of IoT, 5G and APIs to connect everything, the attack surface is only going to grow. Management of the attack surface is ensuring that you understand the surface, ensure it is no larger than essential and is relevant to the business focus. The management aspect also addresses the vulnerabilities identified in Attack Surface Analysis. This looks at the attack surface for vulnerabilities and, in helpful analysis, suggests options for addressing any vulnerabilities found. A good ASA will take a risk-based and realistic approach in reporting the vulnerabilities identified.
0 upvotes