Here is the process followed by most ASM tools: discover assets, add business context, prioritize risks, test continuously, and remediate what is found.
1. Discover Assets
You cannot manage an asset without knowing it exists. In modern environments many assets fall outside the official inventory: forgotten IP ranges and stale credentials, shadow IT, cloud resources spun up outside central control, and IoT devices. Legacy inventory tools and processes easily miss these assets, yet they are exactly the ones attackers look for. Modern attack surface management solutions find them by running the same reconnaissance techniques an attacker would (DNS and certificate enumeration, port and service scanning, cloud account inventory) against the organization from the outside.
Related content: Read our guide to external attack surface management (coming soon)
2. Add Context
Business context and ownership are a critical part of attack surface management. Existing asset discovery tools often do not provide context in a consistent way, making it difficult to prioritize remediation.
Effective attack surface management practices make sure that assets are enriched with information such as IP address, device type, current use, purpose, owner, connections to other assets, and potential vulnerabilities. This allows security teams to prioritize cyber risks and determine whether an asset should be removed, patched, or monitored.
3. Prioritize Risks
In almost all cases, it will not be possible to verify and fix every potential attack vector against every asset. Therefore, it is important to use the contextual information gathered in the previous step to decide where to focus. Security teams can add criteria such as exploitability, detectability, attacker priority (how attractive the asset is to an adversary), and remediation effort to rank the most pressing tasks.
4. Test Continuously
Testing the attack surface once has limited value, because attack surfaces grow and change every time a new device, user account, workload, or service is added. Every new account or device creates a risk of misconfiguration, known vulnerabilities, zero-day vulnerabilities, and sensitive data exposure.
It is important to continuously test all possible attack vectors against all attack surfaces, and always refer to the most current version of the organization’s attack surface.
Related content: Read our guide to attack surface monitoring
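The four steps above, as an added example that is not part of the original page or of any ASM product: a small Python script that turns constructed reconnaissance output into an asset inventory (discover), joins it against a constructed CMDB to attach owner and criticality (add context), ranks assets by a simple exploitability-times-criticality score with shadow IT treated as critical (prioritize), and diffs two scan passes so that continuous testing reports what actually changed. All hosts, addresses (RFC 5737 documentation ranges), the CMDB, the risky-port list and the scoring weights are assumptions chosen for illustration.

```python
"""Toy attack-surface inventory: discover, enrich, prioritize, diff two scans.

All data below is constructed for illustration (RFC 5737 documentation
addresses, made-up hostnames); it stands in for real recon output and a CMDB.
"""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

# Constructed recon output from two successive external scan passes.
RECON_SCAN_1 = [
    {"host": "www.example.test", "ip": "203.0.113.10", "ports": [443], "tls_expired": False, "software": "nginx/1.24"},
    {"host": "old-vpn.example.test", "ip": "203.0.113.55", "ports": [443, 22], "tls_expired": True, "software": "OpenSSH_7.4"},
    {"host": "dev-api.example.test", "ip": "198.51.100.7", "ports": [8080], "tls_expired": False, "software": "Tomcat/9"},
]
RECON_SCAN_2 = [
    RECON_SCAN_1[0],
    RECON_SCAN_1[1],
    # Same staging API, but SSH has since been exposed (drift between passes).
    {"host": "dev-api.example.test", "ip": "198.51.100.7", "ports": [8080, 22], "tls_expired": False, "software": "Tomcat/9"},
    # Newly discovered host nobody registered.
    {"host": "s3-backup.example.test", "ip": "198.51.100.99", "ports": [80], "tls_expired": False, "software": "S3"},
]
# Constructed CMDB: what the organization believes it owns. old-vpn and s3-backup are missing on purpose.
CMDB = {
    "www.example.test": {"owner": "web-team", "criticality": 3, "purpose": "marketing site"},
    "dev-api.example.test": {"owner": "platform", "criticality": 2, "purpose": "staging API"},
}
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # assumed: the only range the org has documented
RISKY_PORTS = {22: "ssh", 3389: "rdp", 8080: "alt-http"}  # assumed: admin/dev services that should not face the internet


@dataclass
class Asset:
    host: str
    ip: str
    ports: list
    tls_expired: bool
    software: str
    in_known_range: bool = False
    owner: Optional[str] = None
    criticality: int = 0          # 0 = unknown, 1 low .. 3 high
    purpose: str = "unknown"


def discover(scan):
    """Step 1: turn raw recon records into Asset objects and note whether each IP sits in a documented range."""
    assets = []
    for rec in scan:
        addr = ipaddress.ip_address(rec["ip"])
        assets.append(Asset(rec["host"], rec["ip"], list(rec["ports"]), rec["tls_expired"], rec["software"],
                            in_known_range=any(addr in net for net in KNOWN_RANGES)))
    return assets


def enrich(assets, cmdb):
    """Step 2: attach owner, criticality and purpose from the CMDB; anything absent from it stays unowned."""
    for a in assets:
        meta = cmdb.get(a.host)
        if meta is not None:
            a.owner, a.criticality, a.purpose = meta["owner"], meta["criticality"], meta["purpose"]
    return assets


def assess(asset):
    """Step 3: derive findings and a priority score = exploitability signals * business criticality.
    Unowned assets count as criticality 3: nobody is patching them, so they are usually the softest target."""
    findings, exploitability = [], 0
    if asset.owner is None:
        findings.append("no owner (shadow IT)")
    for port in asset.ports:
        if port in RISKY_PORTS:
            exploitability += 2
            findings.append(f"{RISKY_PORTS[port]} exposed on {port}")
    if asset.tls_expired:
        exploitability += 1
        findings.append("expired TLS certificate")
    if not asset.in_known_range:
        exploitability += 1
        findings.append("IP outside known ranges")
    return exploitability * (asset.criticality or 3), findings


def prioritize(assets):
    """Return (score, host, findings) triples, highest score first."""
    ranked = []
    for a in assets:
        score, findings = assess(a)
        ranked.append((score, a.host, findings))
    return sorted(ranked, key=lambda r: r[0], reverse=True)


def build_inventory(scan, cmdb=CMDB):
    """Steps 1-3 end to end for one scan pass."""
    return prioritize(enrich(discover(scan), cmdb))


def diff_scans(old_scan, new_scan):
    """Step 4: continuous testing pays off only if each pass is compared with the previous one."""
    old = {r["host"]: r for r in old_scan}
    new = {r["host"]: r for r in new_scan}
    changed = [h for h in sorted(old.keys() & new.keys())
               if sorted(old[h]["ports"]) != sorted(new[h]["ports"]) or old[h]["software"] != new[h]["software"]]
    return {"added": sorted(new.keys() - old.keys()), "removed": sorted(old.keys() - new.keys()), "changed": changed}


if __name__ == "__main__":
    for score, host, findings in build_inventory(RECON_SCAN_2):
        print(f"{score:3d} {host:26s} {'; '.join(findings) or 'no findings'}")
    print(diff_scans(RECON_SCAN_1, RECON_SCAN_2))
```

On the constructed data the unregistered VPN box with expired TLS and exposed SSH ranks just below the staging API that drifted between passes, while the marketing site with a single HTTPS port scores zero; the diff reports the new backup host and the changed API separately from the ranking, which is the signal a continuous program should page on.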
5. Remediate
Once the attack surface is mapped and contextualized, remediation can begin. Working through the prioritized list, the organization can fix security weaknesses through:
- Automated tools, which can remediate certain types of vulnerabilities (for example, applying a patch or closing an exposed port) without human intervention.
- Security operations teams, who are responsible for enforcing risk decisions and tracking findings to closure.
- IT operations teams, who are responsible for operating the affected systems.
- Development teams, who are building, updating, and maintaining assets and applications.
These teams need business risk context and clear guidance on how to fix security issues, to establish trust and ensure efficient handling of remediations.