Blog: Outsmart Cybercriminals with Proactive Attack Surface Management (ASM)

February 7, 2023 Naz Bozdemir

Why is ASM Important?

Your attack surface is the sum of all entry points an attacker could use to access your systems, applications, devices, or network. For most organizations, it’s a complex web of Internet-facing hardware and software assets, including any open ports and services, logic systems, and unmitigated vulnerabilities.

The larger your attack surface, the more opportunities an attacker has to gain entry. Today, attack surfaces are overwhelmingly larger than even a decade ago, and IT and security are scrambling to stay on top. This is why ASM is so important.

ASM is the continuous discovery, inventory, analysis, and remediation of all components within an organization’s attack surface. This means maintaining a complete and current picture of all externally-accessible digital assets, including hardware, web properties, IP addresses, systems, and services. It also requires continuous monitoring and analysis of all assets to identify and remediate vulnerabilities and configuration issues that attackers could exploit.

The Attack Resistance Gap

Effective ASM is among the top security challenges for organizations today.

HackerOne’s 2022 Attack Resistance Report surveyed over 800 respondents from various industries, organization sizes, and locations. A third of respondents from large enterprises said at least 25% of their attack surface is unknown, while almost 20% believe over half is unknown.

Based on these figures, a typical enterprise’s attack surface could contain thousands of unknown, unprotected digital assets. These unprotected assets form a large part of the attack resistance gap—the portion of an organization’s attack surface that is not ready to resist attack. Collectively, respondents said just 63% of their attack surface is prepared to resist attack, leaving an attack resistance gap of 37%.

Why ASM Alone Can’t Solve the Problem

ASM solutions continuously monitor the attack surface to discover, inventory, and assess the security profile of externally-facing assets. Once discovered, identified assets are added to a single repository, through which an organization can track its attack surface. Typically, asset entries are enriched with a range of information, technical details, network and Internet identifiers, weaknesses (e.g., open ports or known vulnerabilities), and an estimated risk score.

These technologies are an essential part of any ASM program. They enable an organization to close the attack resistance gap and prioritize security resources to address high risk issues. ASM can also help organizations achieve a variety of other security and business objectives, including:

  • Identifying exposed development infrastructure.
  • Securing APIs.
  • Supporting M&A activities.
  • Ensuring compliance with data protection regulations, e.g., GDPR.

However, ASM alone isn't enough to stay on top of an organization’s full attack surface. This technology relies heavily on asset data provided by security and IT teams, which is typically incomplete or outdated. As a result, attack surface scanners inevitably miss some assets, leaving them stranded outside the scope of an organization’s cybersecurity program.

ASM solutions also typically have a high false positive rate, which requires manual intervention to assess. Since this takes time, most asset repositories provide an incomplete and outdated picture of cyber risk.

The Solution: Combining Automation with Human Security Expertise

If automation alone isn’t the solution, what is? Combining automation with the reconnaissance skills of handpicked security experts.

Security testers and researchers frequently uncover unknown assets during their work. Unlike automation, which can only uncover assets using a logical, brute force approach, humans can often recognize discovered assets as belonging to an organization even if they aren’t linked to other known assets. This makes human security experts an ideal counterpart for automated tools to help any organization uncover and manage its full attack surface.

HackerOne Assets provides the incentives, technology platform, and workflows security experts need to formalize this discovery process and submit new assets directly to the organizations they work with. The solution includes a dynamically updated asset inventory that becomes the single source of truth for an organization’s attack surface.

Unlike other ASM solutions, Assets ingests results from HackerOne’s continuous attack surface scanner, imports results from other ASM solutions, and captures assets uncovered by our community of security experts. This hybrid approach to ASM is substantially more effective than pure automation.
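As an added illustration (not HackerOne's code), here is the reconciliation step this hybrid approach implies: records from a scanner feed, another ASM tool and researcher submissions are normalised to one key per asset, merged with their provenance, and compared against the IT-provided inventory to measure the unknown share and order human review. The inventory, feed names and asset records are constructed.

```python
# Added example, not HackerOne's code: reconcile asset feeds from a scanner, another
# ASM tool and researcher submissions against the IT-provided inventory. Data constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

def normalize(identifier: str) -> str:
    """One key per asset, however it was reported (URL, mixed case, trailing dot, IP)."""
    ident = identifier.strip().lower()
    if "://" in ident:
        ident = urlsplit(ident).hostname or ident
    ident = ident.rstrip(".")
    try:
        return str(ip_address(ident))  # canonical IPv4/IPv6 spelling
    except ValueError:
        return ident                   # a hostname

@dataclass
class Asset:
    key: str
    known_to_it: bool                             # present in the IT-provided inventory?
    sources: set = field(default_factory=set)     # which feeds reported it
    weaknesses: set = field(default_factory=set)  # open ports, findings, etc.

def build_inventory(it_inventory, feeds):
    """feeds maps a source name to (identifier, weaknesses) records; duplicates merge."""
    known = {normalize(h) for h in it_inventory}
    assets = {}
    for source, records in feeds.items():
        for identifier, weaknesses in records:
            key = normalize(identifier)
            asset = assets.setdefault(key, Asset(key, key in known))
            asset.sources.add(source)
            asset.weaknesses.update(weaknesses)
    return assets

def unknown_share(assets):
    """Fraction of discovered assets missing from the IT inventory (the 'unknown' figure)."""
    return sum(not a.known_to_it for a in assets.values()) / len(assets) if assets else 0.0

def review_queue(assets):
    """Unknown assets first, then most weaknesses: the order a human reviewer should triage."""
    return sorted(assets.values(), key=lambda a: (a.known_to_it, -len(a.weaknesses), a.key))

IT_INVENTORY = ["www.example.com", "app.example.com"]  # constructed baseline
FEEDS = {  # constructed feed records
    "scanner": [("WWW.example.com.", {"443/tcp"}), ("203.0.113.10", {"22/tcp"})],
    "other_asm": [("https://App.example.com/", set())],
    "researcher": [("legacy-staging.example.com", {"8080/tcp", "8443/tcp", "expired-tls-cert"}),
                   ("203.0.113.10", {"80/tcp"})],
}
```

With the constructed feeds, two of the four merged assets are absent from the IT inventory, so the unknown share is 50% and those two head the review queue.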

Enterprise customers see their attack surface visibility more than double with HackerOne Assets, often discovering hundreds or thousands of previously unknown assets. At the same time, they are able to reduce the time and effort required for asset inventory management and maintenance.

Learn more about HackerOne Assets or see how it works in action


Bolster Your ASM Strategy with Human Expertise

To help your organization gain a complete picture of its attack surface by combining automation with expert human reconnaissance, HackerOne has produced a new guide: 


Get the latest guide: Outsmart Cybercriminals with Proactive Attack Surface Management

Download the guide to learn:

  • Why even security-first enterprises struggle to understand and manage their full attack surface.
  • The primary barriers to an effective ASM program and how to overcome them.
  • How supporting ASM with expert human research and reconnaissance can help any organization gain a full picture of its attack surface.
  • The role of thorough ASM in supporting a complete and effective security testing program.
  • How a major US bank used HackerOne Assets to improve attack surface visibility by 530% in preparation for a multi-year cloud migration.
