
Attack Surface Management compared to 5 security technologies

by Sebastiaan Bosman Blog 25 Feb 2021

In this blog, we'll cover our attack surface management approach compared to five existing security approaches. What methods do they share? And where do they complement each other?

We'll have a look at these techniques: 

1. Asset discovery
2. Vulnerability management
3. Penetration testing
4. Red teaming
5. Supplier security governance

Each has some touch points with attack surface management. For this comparison, we build on our earlier explanations of the concept. In the first blog, we gave our definition and summarised what drives the need for the solution. You can read our second blog to see how attack surface management is positioned with regards to External Threat Intelligence.

Mind the gap

Many existing security techniques were created to solve one specific problem. That is not a bad thing, as it often makes them very effective. It does, however, make them hard to repurpose for other challenges, and a specialised method rarely gives the best overall coverage. Many organisations trade off thoroughness against frequency of testing: for example, a pentest once a year and simple surface scanning the rest of the year. That leaves a big gap in between.

An attack surface management approach is not the answer to everything. If only such a wonder tool existed. Rather, it fits certain techniques well and complements other methods by solving their specific weaknesses. It can also serve as the basis for another technique, as the first step in a process. Here are some comparisons.

Asset Discovery and Vulnerability Scanning

The larger the organisation, the more difficult it becomes to keep your Configuration Management Database (CMDB) in order. Not all new assets are reported to IT teams as they should be, resulting in shadow IT and an incomplete picture of the attack surface. Checking for digital assets manually is simply too time-consuming, even with some clever tools. Furthermore, asset discovery from the inside-out doesn’t provide the best overview.

Using an attack surface management tool to look at it from the outside-in - like hackers do - will help you find assets you didn’t know existed. It combines a variety of sources, tools, and AI in one platform to automatically and continuously detect the assets related to your brand. These can then be integrated into your CMDB.

Identifying the assets is one thing, but keeping them secure is a bigger step. That's why the platform immediately scans assets for vulnerabilities. Are there configuration errors? Any open ports? Or has the domain certificate expired? All vulnerabilities and risks are listed for each asset, resulting in a risk score. That makes prioritisation and mitigation much easier. 
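As an added illustration of the two steps just described (this is example code written for this article, not Cybersprint's platform or its output), the script below reconciles outside-in discovered hosts against a CMDB to surface shadow IT, then scores each asset from the kinds of findings mentioned above: unexpected open ports, an expired or soon-expiring certificate, configuration errors, and no registered owner. The hostnames, scan results and scoring weights are constructed sample values.

```python
"""Reconcile outside-in discovered assets against a CMDB and rank them by risk.

Added example for this article; hostnames, findings and scoring weights are
constructed sample data, not output of any real platform.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Ports a defender would not expect to be reachable from the internet
# (hypothetical list chosen for the example).
HIGH_RISK_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp"}
EXPECTED_WEB_PORTS = {80, 443}
CERT_WARNING_WINDOW = timedelta(days=30)


@dataclass
class Asset:
    """One externally observed host, as an outside-in scan would report it."""
    hostname: str
    open_ports: List[int]
    cert_not_after: Optional[date]          # None if no TLS certificate was seen
    misconfigurations: List[str] = field(default_factory=list)


def find_shadow_it(cmdb_hosts, discovered):
    """Return discovered hostnames that are missing from the CMDB (no known owner)."""
    known = {h.lower() for h in cmdb_hosts}
    return {a.hostname.lower() for a in discovered} - known


def score_asset(asset, cmdb_hosts, today):
    """Return (score, findings) for one asset; the weights are illustrative only."""
    findings = []
    score = 0
    if asset.hostname.lower() not in {h.lower() for h in cmdb_hosts}:
        findings.append("not registered in CMDB")
        score += 15
    for port in asset.open_ports:
        if port in HIGH_RISK_PORTS:
            findings.append(f"port {port}/{HIGH_RISK_PORTS[port]} exposed")
            score += 20
        elif port not in EXPECTED_WEB_PORTS:
            findings.append(f"unexpected port {port} open")
            score += 5
    if asset.cert_not_after is not None:
        if asset.cert_not_after < today:
            findings.append("TLS certificate expired")
            score += 40
        elif asset.cert_not_after - today <= CERT_WARNING_WINDOW:
            findings.append("TLS certificate expires within 30 days")
            score += 15
    for issue in asset.misconfigurations:
        findings.append(f"misconfiguration: {issue}")
        score += 10
    return min(score, 100), findings


def prioritise(discovered, cmdb_hosts, today):
    """Rank assets by score, highest first, so mitigation starts at the top."""
    ranked = [(a.hostname, *score_asset(a, cmdb_hosts, today)) for a in discovered]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample data: what the CMDB knows versus what an outside-in scan saw.
CMDB_HOSTS = ["www.example.com", "vpn.example.com"]
DISCOVERED = [
    Asset("www.example.com", [80, 443], date(2021, 12, 1)),
    Asset("old-cms.example.com", [80, 443, 21], date(2021, 1, 10),
          ["directory listing enabled"]),
    Asset("vpn.example.com", [443, 3389], date(2021, 3, 10)),
]
TODAY = date(2021, 2, 25)   # fixed reference date so the example is reproducible

if __name__ == "__main__":
    print("Shadow IT:", sorted(find_shadow_it(CMDB_HOSTS, DISCOVERED)))
    for hostname, score, findings in prioritise(DISCOVERED, CMDB_HOSTS, TODAY):
        print(f"{score:3d}  {hostname}")
        for finding in findings:
            print(f"      - {finding}")
```

With the sample data, the forgotten CMS host is flagged as shadow IT and lands at the top of the list (expired certificate, FTP exposed, directory listing, no owner), the VPN gateway ranks second for its exposed RDP port and a certificate due to expire, and the main website scores zero. A real platform would feed the scan results from live data sources; the point of the example is the reconciliation and the per-asset prioritisation.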

Pentesting and Red Teaming

Pentesting and red teaming are techniques which typically go deeper into systems than any attack surface solution does. They try to determine what specific systems or data can be accessed, for instance via privilege escalation. It is a very thorough process with detailed results, taking more time and manual work. 

Attack surface management doesn't work in the same way. It's more 'on the surface', mapping the outer shell instead of what lies beneath. This means it can be done automatically and continuously, requiring fewer resources. It therefore complements the two techniques, for instance by pre-defining the scope for a pentest. 

Supplier Security Governance

Lastly, attack surface management can be used as an addition to your supply chain governance. You will still be held accountable for a data leak, even if the attack started at a service provider. And increasing regulation pushes for security validation reports on your third parties.

Traditionally, enforcing a right to audit and having suppliers fill in extensive Excel sheets was the way to go. But that takes far too much time and only provides static, snapshot pictures of their systems.

The continuous and outside-in approach of a Third-Party Risk solution within the Attack Surface Management platform will map the digital connections your organisations share, without relying on the agenda and (possibly limited) data you'd receive from a supplier. Even though you don't control any assets in their attack surface, you can proactively engage in a constructive dialogue with your findings whenever a vulnerability arises. That helps secure both of your organisations.

We hope to have clarified some of the differences and similarities of these five traditional security techniques with our attack surface management approach. One is not a replacement for the other, but addresses the problem in a different way. Ultimately, your security would be most efficient with an integrated interaction between techniques. 

Are you curious to see how attack surface management strengthens your existing security programme? Click here to go to our additional resources, including webinar recordings and use case testimonials. 

Sebastiaan Bosman is Content Marketeer at Cybersprint. With an educational background in Communications and Linguistics, he is responsible for creating and editing most of the internal and external communication. He writes content such as blogs, whitepapers, product sheets, and case studies, primarily based on Cybersprint’s own research data. Previously, Sebastiaan worked as Content & Communications Advisor at ING Global.
