In this blog, we'll cover our attack surface management approach compared to five existing security approaches. What methods do they share? And where do they complement each other?
We'll have a look at these techniques:
1. Asset discovery
2. Vulnerability management
3. Penetration testing
4. Red teaming
5. Supplier security governance
Each has some touch points with attack surface management. For this comparison, we build on our earlier explanations of the concept. In the first blog, we gave our definition and summarised what drives the need for the solution. You can read our second blog to see how attack surface management is positioned with regard to External Threat Intelligence.
Mind the gap
Many existing security techniques have been created to solve a specific problem. This is not a bad thing, as it often means they are very effective at that problem. It does, however, make them difficult to repurpose for other challenges, and a single specialised method doesn't give the best overall coverage. Many organisations make trade-offs between thoroughness and frequency of testing. For example, they perform pentests on a yearly basis and simple surface scanning the year round. This leaves a big gap in between.
An attack surface management approach is not the answer to everything. If only such a wonder tool existed. Rather, it is a great fit for certain techniques, and it complements other methods by solving specific weaknesses. It can also function as the basis of another technique, as the first step in a process. Here are some comparisons.
Asset Discovery and Vulnerability Scanning
The larger the organisation, the more difficult it becomes to keep your Configuration Management Database (CMDB) in order. Not all new assets are reported to IT teams as they should be, resulting in shadow IT and an incomplete picture of the attack surface. Checking for digital assets manually is simply too time-consuming, even with some clever tools. Furthermore, asset discovery from the inside out doesn't provide the best overview.
Using an attack surface management tool to look at it from the outside in, as hackers do, will help you find assets you didn't know existed. It combines a variety of sources, tools, and AI in one platform to automatically and continuously detect the assets related to your brand. These can then be integrated into your CMDB.
Identifying the assets is one thing, but keeping them secure is a bigger step. That's why the platform immediately scans assets for vulnerabilities. Are there configuration errors? Any open ports? Or has the domain certificate expired? All vulnerabilities and risks are listed for each asset, resulting in a risk score. That makes prioritisation and mitigation much easier.
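The two steps above, merging outside-in discovery sources against the CMDB to surface shadow IT and then turning per-asset findings (unexpected open ports, an expired or soon-expiring certificate, configuration errors) into a risk score for prioritisation, can be illustrated with a small script. This is an added example, not Cybersprint's platform code: the hostnames, discovery sources, observed ports and certificate dates are constructed sample data, and the severity weights, expected-port list and scoring formula are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: what the CMDB currently lists.
CMDB_ASSETS = {"www.example.com", "mail.example.com", "vpn.example.com"}

# Constructed sample data: hostnames seen by several outside-in sources
# (note the inconsistent casing and trailing dot that real feeds produce).
DISCOVERY_SOURCES = {
    "certificate_transparency": ["www.example.com", "Staging.example.com.", "old-api.example.com"],
    "passive_dns": ["mail.example.com", "vpn.example.com", "staging.example.com"],
    "brand_search": ["example-shop.net"],
}

# Assumption: a public web asset is expected to expose only these ports.
EXPECTED_PORTS = {80, 443}
# Assumption: severity (1-10) for notable exposed services; other unexpected ports get the default.
PORT_SEVERITY = {23: 9, 3389: 8, 445: 8, 22: 5, 8080: 4}
DEFAULT_PORT_SEVERITY = 3
CERT_WARNING_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class Finding:
    kind: str      # "open_port", "expired_cert", "expiring_cert" or "misconfig"
    detail: str
    severity: int  # 1 (low) .. 10 (critical)


def normalise(host):
    """Canonical hostname form so the same asset from two sources dedupes."""
    return host.strip().lower().rstrip(".")


def discover_assets(cmdb, sources):
    """Merge every outside-in source and split the result into (all assets, shadow IT)."""
    seen = {normalise(h) for hosts in sources.values() for h in hosts}
    known = {normalise(h) for h in cmdb}
    return sorted(seen), sorted(seen - known)


def check_certificate(not_after, today):
    """Turn a certificate's notAfter date into a finding, or None if it is fine."""
    if not_after < today:
        return Finding("expired_cert", f"expired {not_after.isoformat()}", 8)
    if not_after - today <= CERT_WARNING_WINDOW:
        return Finding("expiring_cert", f"expires {not_after.isoformat()}", 4)
    return None


def check_ports(open_ports):
    """Flag every open port that is not part of the expected web exposure."""
    return [
        Finding("open_port", f"tcp/{p} exposed", PORT_SEVERITY.get(p, DEFAULT_PORT_SEVERITY))
        for p in sorted(open_ports) if p not in EXPECTED_PORTS
    ]


def risk_score(findings, shadow_it):
    """0-100: the worst finding dominates, further findings add up, unmanaged assets get a penalty."""
    if not findings and not shadow_it:
        return 0
    worst = max((f.severity for f in findings), default=0)
    score = worst * 10 + sum(f.severity for f in findings) - worst
    if shadow_it:
        score += 10  # nobody owns it in the CMDB, so nobody patches it
    return min(score, 100)


def prioritise(observations, cmdb, sources, today):
    """observations: {host: {"not_after": date, "open_ports": set, "misconfigs": [str]}}.
    Returns [(host, score, findings)] with the riskiest asset first."""
    _, shadow = discover_assets(cmdb, sources)
    ranked = []
    for host, obs in observations.items():
        findings = check_ports(obs.get("open_ports", set()))
        if "not_after" in obs:
            cert = check_certificate(obs["not_after"], today)
            if cert:
                findings.append(cert)
        findings += [Finding("misconfig", m, 6) for m in obs.get("misconfigs", [])]
        ranked.append((host, risk_score(findings, host in shadow), findings))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed sample observations for the discovered assets, as a scanner might record them.
TODAY = date(2024, 6, 1)
OBSERVATIONS = {
    "www.example.com": {"not_after": date(2024, 9, 1), "open_ports": {80, 443}},
    "staging.example.com": {"not_after": date(2024, 3, 1), "open_ports": {443, 8080, 22},
                            "misconfigs": ["directory listing enabled"]},
    "old-api.example.com": {"not_after": date(2024, 6, 10), "open_ports": {443, 3389}},
    "example-shop.net": {"open_ports": {80, 443}},
}

if __name__ == "__main__":
    _, shadow = discover_assets(CMDB_ASSETS, DISCOVERY_SOURCES)
    print("Not in CMDB:", ", ".join(shadow))
    for host, score, findings in prioritise(OBSERVATIONS, CMDB_ASSETS, DISCOVERY_SOURCES, TODAY):
        print(f"{score:3d}  {host:22s}  " + "; ".join(f.detail for f in findings))
```

Running it lists the three hostnames the CMDB does not know about and ranks the forgotten staging host (expired certificate, SSH and an alternate HTTP port exposed, directory listing on) at the top, while the managed production site scores zero. The scoring is deliberately simple; the point is that the same canonicalisation step that dedupes sources also lets you diff the outside-in picture against the inventory, and that an asset nobody owns deserves a bump regardless of its findings.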
Pentesting and Red Teaming
Pentesting and red teaming are techniques that typically go deeper into systems than any attack surface solution does. They try to determine which specific systems or data can be accessed, for instance via privilege escalation. It is a very thorough process with detailed results, taking more time and manual work.
Attack surface management doesn't work in the same way. It stays more 'on the surface', mapping the outer shell instead of what lies beneath. This means it can be done automatically and continuously, requiring fewer resources. It therefore complements the two techniques, for instance by pre-defining the scope for a pentest.
Supplier Security Governance
Lastly, attack surface management can be used as an addition to your supply chain governance. You will still be held accountable for a data leak, even if the attack started at a service provider. And increasing regulation pushes for security validation reports on your third parties.
Traditionally, enforcing a right to audit and having suppliers fill in extensive Excel sheets was the way to go. But that takes far too much time and only provides static, snapshot pictures of their systems.
The continuous and outside-in approach of a Third-Party Risk solution within the Attack Surface Management platform will map the digital connections your organisations share, without relying on the agenda and (possibly limited) data you'd receive from a supplier. Even though you don't control any assets in their attack surface, you can proactively engage in a constructive dialogue with your findings whenever a vulnerability arises. That helps secure both of your organisations.
We hope to have clarified some of the differences and similarities between these five traditional security techniques and our attack surface management approach. One is not a replacement for the other; each addresses the problem in a different way. Ultimately, your security is most efficient when the techniques are integrated and interact with each other.
Are you curious to see how attack surface management strengthens your existing security programme? Click here to go to our additional resources, including webinar recordings and use case testimonials.
Sebastiaan Bosman is Content Marketeer at Cybersprint. With an educational background in Communications and Linguistics, he is responsible for creating and editing most of the internal and external communication. He writes content such as blogs, whitepapers, product sheets, and case studies, primarily based on Cybersprint's own research data. Previously, Sebastiaan worked as Content & Communications Advisor at ING Global.