Attack Surface Management Vs. Vulnerability Management
Post originally appeared in Security Boulevard.
Cybersecurity is full of acronyms and industry terms, so many that I would be hard-pressed to find someone who knows what they all stand for or can clearly explain the subtle differences between them. The industry is also still evolving quickly, so new lingo, technology and acronyms are added all the time. We don't have room to cover every buzzword and category in the space, but I wanted to dig into two important terms, attack surface management (ASM) and vulnerability management (VM), and the differences between them.
Defining Vulnerability Management
In cybersecurity, a vulnerability is a weakness in a system, its configuration or its software that an attacker could exploit. Vulnerability management is the set of processes and tools an organization uses to identify, classify, prioritize and remediate these vulnerabilities within its systems and networks, with the goal of improving the company's overall security posture.
Vulnerability scanners, either passive or active, are used to identify vulnerabilities within an organization:
● Passive Vulnerability Scanners: These observe network traffic (for example, from a mirror port or tap) without sending probes of their own, and infer from it which operating systems, software versions and services are in use. Because they only watch what is sent to and from endpoints, they never disturb a host, but they also only see what happens to be on the wire.
● Active Vulnerability Scanners: These probe endpoints or nodes directly, sending requests and analyzing the responses for known weaknesses, such as a banner that identifies a vulnerable version or a service that accepts a weak configuration. Active scanning finds more, but it needs a target list to work from, and aggressive probes can disrupt fragile services, so scan windows and scope are usually controlled.
A vulnerability management solution also manages the remediation workflow, assigning mitigation tasks so that vulnerabilities are fixed before they are exploited. Vulnerability management tools are focused on the organization's known IT assets and typically treat each finding on its own: they do not model how assets are interconnected or how a weakness in one asset may put another at risk.
Defining Attack Surface Management (ASM)
An organization’s attack surface includes all of its assets, physical, digital and human, that an attacker might exploit. The external attack surface is the subset reachable from the internet, and that is where unknown assets most often accumulate. Attack surface management (ASM) aims to discover those unknown, unmonitored and unprotected assets and highlight the risk they carry. It provides a holistic view of a company’s environment from the perspective of an attacker. ASM takes into account both internal and external assets and how they are connected, so that if one asset is breached, the impact on the assets it can reach is part of the picture. ASM also guides the prioritization of resources, helping IT teams address issues on the most important assets, or the vulnerabilities most likely to be exploited by an attacker, first.
Why Isn’t Vulnerability Management Alone Enough?
While vulnerability management is an important element of any cybersecurity strategy, it is not comprehensive. In 2022 alone, over 22,500 vulnerabilities were disclosed, far too many to remediate everywhere at once, and a scanner can only prioritize among the entry points it already knows about.
Vulnerability management does not take into consideration:
● Shadow IT
● Third-party applications and supply chain connections
● Ad hoc implementations deployed outside the normal provisioning process
● Unknown cloud services, web apps, mail servers, etc.
● Assets inherited through mergers and acquisitions before they have been risk-assessed
● Asset records that are not up to date
● The introduction of unpatched and untested assets
● Out-of-date operating systems
Companies need visibility over the entire attack surface, including everything listed above, in order to protect it.
Differences Between ASM and VM
There are a few key differences between ASM and VM. The biggest comes down to scope: ASM starts from the assumption that the organization has assets it does not know about and sets out to discover them, whereas VM manages a list of assets that are already known.
VM also does not account for how an organization’s assets are connected or how a vulnerability in one asset can affect another. ASM takes this into account with a holistic view of how the organization’s networks, assets and applications are linked.
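To make the two differences above concrete (the scope gap between a known-asset inventory and discovered assets, and the connectivity that VM ignores but ASM models), here is an added Python illustration. It is not code from the original post or from any ASM product: the asset names, finding labels, severities, connection edges, the "crown jewel" set and the default severity for unassessed assets are all constructed assumptions. It reconciles a VM inventory with an ASM discovery list, then ranks every asset by severity weighted by whether a compromise of it can reach a crown jewel.

```python
"""Reconcile a VM inventory with ASM discovery and rank assets by blast radius.

Added illustration with constructed sample data; nothing here is real scan output.
"""
from collections import deque

# Constructed: what the VM tool knows, i.e. the assets it was told to scan,
# with its findings and a CVSS-style severity for each.
VM_INVENTORY = {
    "web-01": {"internet_facing": True,  "findings": [("outdated-tls", 5.3)]},
    "app-01": {"internet_facing": False, "findings": [("unpatched-rce", 9.8)]},
    "db-01":  {"internet_facing": False, "findings": []},
}

# Constructed: what external discovery turned up (a real ASM tool would build this
# from DNS, certificate transparency, cloud APIs, etc.). Two of these were never
# in the inventory, so VM has never scanned them.
ASM_DISCOVERED = {"web-01", "app-01", "db-01", "legacy-mail", "dev-api"}

# Constructed: directed edges, "a -> b" meaning a compromise of a gives access to b.
CONNECTIONS = {
    "web-01": {"app-01"},
    "app-01": {"db-01"},
    "dev-api": {"db-01"},      # shadow asset with a direct path to the database
    "legacy-mail": set(),
}

CROWN_JEWELS = {"db-01"}
# Assumption: an asset VM has never assessed is treated as high until proven otherwise.
UNASSESSED_SEVERITY = 7.0


def find_unknown_assets(inventory, discovered):
    """Assets ASM found that VM has never scanned: the scope gap described in the text."""
    return sorted(discovered - set(inventory))


def blast_radius(connections, start):
    """All assets reachable from `start` if it is compromised (breadth-first search)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in connections.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def prioritize(inventory, discovered, connections, crown_jewels):
    """Rank every asset by severity, doubled when its blast radius reaches a crown jewel.

    VM on its own would never list dev-api at all; with the ASM graph it ranks
    second, ahead of the internet-facing web server that VM did scan.
    """
    ranked = []
    for asset in sorted(discovered | set(inventory)):
        record = inventory.get(asset)
        if record is None:
            severity, status = UNASSESSED_SEVERITY, "unknown-to-VM"
        else:
            severity = max((s for _, s in record["findings"]), default=0.0)
            status = "known"
        reach = blast_radius(connections, asset)
        hits_jewel = asset in crown_jewels or bool(reach & crown_jewels)
        score = severity * (2.0 if hits_jewel else 1.0)
        ranked.append({"asset": asset, "status": status, "severity": severity,
                       "reaches_crown_jewel": hits_jewel, "score": round(score, 1)})
    ranked.sort(key=lambda r: (-r["score"], r["asset"]))
    return ranked


if __name__ == "__main__":
    print("Unknown to VM:", find_unknown_assets(VM_INVENTORY, ASM_DISCOVERED))
    for row in prioritize(VM_INVENTORY, ASM_DISCOVERED, CONNECTIONS, CROWN_JEWELS):
        print(f"{row['asset']:<12} {row['status']:<13} sev={row['severity']:<4} "
              f"reaches_jewel={row['reaches_crown_jewel']!s:<5} score={row['score']}")
```

The weighting is deliberately simple; the point is the shape of the data, not the scoring formula. A VM tool holds only the first dictionary, so dev-api, an unscanned host with a direct path to the database, is invisible to it. Once the discovery set and the connection graph are added, it surfaces near the top of the list and the web server that VM did scan drops below it.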
Better Together
Any organization adopting an ASM approach still needs vulnerability management. The two complement one another and are stronger together: VM provides the depth you need on known assets, while ASM extends that coverage by discovering assets you did not know you had. Attack surfaces are only getting bigger as the world becomes more connected, and the best way an organization can protect itself as its attack surface expands is to employ both vulnerability management and attack surface management.