<img src="https://certify.alexametrics.com/atrk.gif?account=kla4t1zDGU20kU" style="display:none" height="1" width="1" alt="">
Contact us
Request demo →
Contact us
German website
search
close

Attack Surface Management compared to 5 security technologies

by Sebastiaan Bosman Blog 25 Feb 2021

In this blog, we'll cover our attack surface management approach compared to five existing security approaches. What methods do they share? And where do they complement each other?

We'll have a look at these techniques: 

1. Asset discovery
2. Vulnerability management
3. Penetration testing
4. Red teaming
5. Supplier security governance

Each has some touch points with attack surface management. For this comparison, we build on our earlier explanations of the concept. In the first blog, we gave our definition and summarised what drives the need for the solution. You can read our second blog to see how attack surface management is positioned with regards to External Threat Intelligence.

Mind the gap

Many existing security techniques have been created to solve a specific problem. This is not a bad thing, as it often means it is very effective. It does, however, make them difficult to repurpose to other challenges, and the specific method doesn’t allow for the best overall coverage. Many organisations make trade-offs between thoroughness and frequency of testing. For example, they perform pentests on a yearly basis and simple surface scanning the year round. This yields a big gap in between.

A attack surface management approach is not the answer to everything. If only such a wonder tool would exist. Rather, it is a great fit for certain techniques, and complements other methods by solving specific weaknesses. It can also function as the basis of another technique, as the first step in a process. Here are some comparisons.

Asset Discovery and Vulnerability Scanning

The larger the organisation, the more difficult it becomes to keep your Configuration Management Database (CMDB) in order. Not all new assets are reported to IT teams like they should, resulting in shadow IT and an incomplete picture of the attack surface. Checking for digital assets manually is simply too time-consuming, even with some clever tools. Furthermore, asset discovery from the inside-out doesn’t provide the best overview.

Using an attack surface management tool to look at it from the outside-in - like hackers do - will help you find assets you didn’t know existed. It combines a variety of sources, tools, and AI in one platform to automatically and continuously detect the assets related to your brand. These can than be integrated into your CMDB. 

Identifying the assets is one thing, but keeping them secure is a bigger step. That's why the platform immediately scans assets for vulnerabilities. Are there configuration errors? Any open ports? Or has the domain certificate expired? All vulnerabilities and risks are listed for each asset, resulting in a risk score. That makes prioritisation and mitigation much easier. 

Pentesting and Red Teaming

Pentesting and red teaming are techniques which typically go deeper into systems than any attack surface solution does. They try to determine what specific systems or data can be accessed, for instance via privilege escalation. It is a very thorough process with detailed results, taking more time and manual work. 

Attack surface management doesn't work in the same way. It's more 'on the surface', mapping the outer shell instead of what lies beneath. This means it can be done automatically and continuously, requiring fewer resources. It therefore complements the two techniques, for instance by pre-defining the scope for a pentest. 

Supplier Security Governance

Lastly, attack surface management can be used as an addition to your supply chain governance. You will still beheld accountable for a data leak, even though the attack started at a service provider. And increasing regulations push for security validation reports of your third parties. 

Traditionally, enforcing a right to audit and having suppliers fill in extensive excel sheets was the way to go. But that takes far too much time and only provides static, snap-shot pictures of their systems. 

The continuous and outside-in approach of a Third-Party Risk solution within the Attack Surface Management platform will map the digital connections your organisations share, without relying on the agenda and (possibly limited) data you'd receive from a supplier. Even though you don't control any assets in their attack surface, you can pro-actively engage in a constructive dialogue with your findings whenever a vulnerability arises. That helps secure both of your organisations. 

We hope to have clarified some of the differences and similarities of these five traditional security techniques with our attack surface management approach. One is not a replacement for the other, but addresses the problem in a different way. Ultimately, your security would be most efficient with an integrated interaction between techniques. 

Are you curious to see how attack surface management strengthens your existing security programme? Click here to go to our additional resources, including webinar recordings and use case testimonials. 


Sebastiaan Bosman is Content Marketeer at Cybersprint.
With an educational background in Communications and Linguistics, 
he is responsible for creating and editing most of the internal and external communication. He writes content such as blogs, whitepapers, product sheets, and case studies, primarily based on Cybersprint’s own research data.
Previously, Sebastiaan worked as Content & Communications Advisor at ING Global. 

Editorial: Exchange CVEs: The Response Plan Gap

It’s been two weeks since Microsoft released a patch for the Exchange vulnerabilities. For many, the dust has settled. Others are still fighting fires. Today, I’d like to look back at some of the problems we saw. Some were expected, other surprised us. I’ll go over them, and give tips on how these problems can be avoided in the future.

read more

Editorial: Supply chain attacks

Today, supply chain attacks are as abundant as they are elusive. However, as many parties communicate about the dangers and their technical solutions, not much is said about the basics of supply chains attacks. I have written this article based on my personal experiences knowledge on the subject. I hope it answers most of your questions about the topic, so that you have a solid basis to expand your supply chain security from.

read more

Attack Surface Management compared to 5 security technologies

In this blog, we'll cover our attack surface management approach compared to five existing security approaches. What methods do they share? And where do they complement each other? We'll have a look at these techniques:  1. Asset discovery 2. Vulnerability management 3. Penetration testing 4. Red teaming 5. Supplier security governance Each has some touch points with attack surface management. For this comparison, we build on our earlier explanations of the concept. In the first blog, we gave our definition and summarised what drives the need for the solution. You can read our second blog to see how attack surface management is positioned with regards to External Threat Intelligence.

read more

Do you have a question?

Our experts have the answers

Contact us