The attack surface — i.e. the sum of all possible points, or "attack vectors," where an unauthorized user can enter or extract data — of modern organizations keeps growing at speed.
Unlike the single websites and contained networks of the past, organizations now have to contend with an ever-increasing number of potential entry points that are immeasurably harder to define and defend. This development, as complex as it is, also presents an opportunity for managed service providers (MSPs) to step in and provide their small to midsize business (SMB) clients with the intricate knowledge it takes to reduce the risk of exploitation.
While external attacks seize the biggest headlines, a senior Forrester analyst makes an important point in the introduction to the research firm’s latest report on the state of enterprise breaches:
“Concerns over types of breaches are far afield from the reality on the ground. Security decision-makers are more concerned about external attacks than any other attack vector, at 47%. Breaches come in various ways, however, and are much more evenly spread in frequency among external attacks, lost/stolen assets, internal incidents, and third-party providers.”
Enter attack surface management (ASM), the ongoing process of identifying, classifying, prioritizing, and securing these potential points of entry to reduce the overall risk of a breach. The process takes aim at the entire IT ecosystem and can be divided into two broad categories that share the same goal — identifying and mitigating risks before attackers can exploit them:
Attack surface management, as a concept and a practice, has grown in response to the increasingly complex digital environments and advanced threats that have evolved over the past few decades.
In the early days of the internet, the concept of an “attack surface” was, as we pointed out earlier, relatively straightforward. The potential entry points for attackers were fairly limited and easy to identify. But as technology evolved, so did the attack surface.
The late 1990s and early 2000s saw the rise of ecommerce and the wider adoption of web applications in businesses. This resulted in more entry points for attackers and the introduction of new types of vulnerabilities. At the same time, the growing popularity of the internet among consumers led to an increase in cybercrime.
Around this time, Microsoft began using the term "attack surface" in the context of software security. They defined it as the amount of code that could be accessed by unauthorized users. This was a key part of their strategy to reduce vulnerabilities in their software, which involved minimizing the attack surface as much as possible.
In the late 2000s and 2010s, the widespread adoption of cloud services and IoT devices, as well as the increasing practice of remote work, led to a further expansion of the attack surface. According to Pew Research, 35% of workers with jobs that can be done remotely work from home all the time, compared to only 7% before the COVID-19 pandemic. As a result, traditional perimeter-based security measures, like firewalls, became less effective as data and services moved outside the corporate network. (Reading tip: Why Antivirus and RMM Don’t Work as Vulnerability Assessment Tools)
In response to these changes, cybersecurity professionals began focusing more on attack surface management — identifying and securing all potential points of entry, rather than just protecting the perimeter. This shift was also driven by the increasing regulatory requirements for businesses to manage their cybersecurity risks. (Reading tip: Attorney Eric Tilds on What Businesses Should Know About Cyber Insurance)
Today, attack surface management is a key component of any cybersecurity strategy. It involves not just technical measures like vulnerability scanning and patch management, but also broader strategies like employee training, third-party risk management, and incident response planning.
To get started with attack surface management, MSPs first need to discover all of the assets within their client's digital ecosystem. This can include obvious components like web servers and email systems, as well as oft-forgotten assets like IoT devices, cloud storage, and third-party services.
Once these assets have been identified, the next step is to analyze each one for potential vulnerabilities. This might involve anything from scanning for unpatched software to testing firewall configurations to identify weaknesses.
After potential vulnerabilities have been identified, they are prioritized based on factors such as their severity, the importance of the asset they affect, and the likelihood of them being exploited. MSPs can then work to mitigate the highest priority vulnerabilities, reconfigure systems to minimize the risk they pose, or even retire assets that are too risky to keep. (Reading tip: EPSS Scoring: A Quick Guide on Vulnerability Prioritization for MSPs)
Lastly, this process isn't a one-time event. The digital landscape is constantly changing, which means new vulnerabilities are always emerging. This requires regular reassessment and continuous monitoring for changes in the attack surface.
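The prioritization and reassessment steps above can be sketched in a few lines. This is an added example, not ConnectSecure's code or scoring method: the `Finding` fields, the multiplicative score, the default weight for unknown assets, and all sample assets and values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str
    severity: float      # CVSS-style base score, 0-10
    exploit_prob: float  # EPSS-style exploitation probability, 0-1

# Constructed sample data: asset names, issues and scores are illustrative only.
CRITICALITY = {"mail-gw": 1.0, "nas-backup": 0.8, "lobby-camera": 0.3}
FINDINGS = [
    Finding("lobby-camera", "default credentials", 9.8, 0.90),
    Finding("nas-backup", "exposed file share", 5.3, 0.05),
    Finding("mail-gw", "unpatched mail server", 7.5, 0.60),
    Finding("old-vpn", "end-of-life firmware", 6.5, 0.30),  # not in the inventory
]
PREVIOUS = {("mail-gw", "tcp/25"), ("mail-gw", "tcp/110"), ("nas-backup", "tcp/445")}
CURRENT = {("mail-gw", "tcp/25"), ("nas-backup", "tcp/445"), ("old-vpn", "tcp/1723")}

def risk_score(finding, criticality):
    """Combine severity, exploit likelihood and asset importance into 0-100."""
    # An asset missing from the inventory is treated as fully critical so that
    # unmanaged systems are reviewed first rather than silently down-ranked.
    weight = criticality.get(finding.asset, 1.0)
    return round(finding.severity / 10 * finding.exploit_prob * weight * 100, 1)

def prioritize(findings, criticality):
    """Return findings ordered from highest to lowest risk score."""
    return sorted(findings, key=lambda f: risk_score(f, criticality), reverse=True)

def surface_diff(previous, current):
    """Compare two discovery snapshots of (asset, exposed service) pairs."""
    return {"new": sorted(current - previous), "gone": sorted(previous - current)}

if __name__ == "__main__":
    for f in prioritize(FINDINGS, CRITICALITY):
        print(f"{risk_score(f, CRITICALITY):5.1f}  {f.asset:<13} {f.issue}")
    print(surface_diff(PREVIOUS, CURRENT))
```

With this sample data the finding with the highest raw severity (the camera) ranks below the mail gateway once asset importance and exploitation likelihood are factored in, and the snapshot diff surfaces the VPN endpoint that appeared since the last scan.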
For MSPs, implementing attack surface management provides an opportunity to elevate their cybersecurity offering and bring more value to their SMB clients.
In conclusion, attack surface management represents a significant opportunity for MSPs to improve their security posture, streamline their operations, and strengthen their client relationships. As threats continue to evolve, embracing strategies like this will be key to staying ahead of the curve. MSPs that recognize the benefits and invest in attack surface management will not only protect their clients but also secure their own future.