What is Business Attack Surface Management?

I dislike creating new terms for things in cybersecurity that already exist, so I’m on thin ice with that headline. But hear me out.

Attack Surface Management (ASM) has always made sense to me. “You can’t manage threats” is one of the foundations of cybersecurity that companies and organizations have forgotten. Although we can’t manage threats, we certainly can manage how we watch for them, how we respond to them, and how we structure our technology and security. ASM is often subdivided into External Attack Surface Management (EASM), covering the external or internet-facing surface, and Cyber Asset Attack Surface Management (CAASM), covering the internal or asset-derived surface. I think these are interesting distinctions not because the technology behind them differs, but because they hint that the purpose of the surface is what differentiates them.

ASM has us turning the camera around, from focusing on the baddies to looking at ourselves. This is exciting because it makes the attacker’s job harder and makes them detectable sooner. The weakest link in ASM has been actionability, especially in any trusted, automated fashion. Hold that thought and let’s talk about security posture for a moment.

Security posture and ASM

In parallel with ASM, roughly the last two years have seen the development of real-time, actionable security posture assessments. Security posture takes information about entities and produces an assessment (i.e. not just data), and often a score, of how much trust can be placed in that entity.

Examples include assessments such as “even though this identity is valid, don’t trust
