
Everything you wanted to know about ASM, but were afraid to ask

Attack surface management is becoming a frontline discipline. But visibility on its own won’t close the gap between finding exposures and fixing them.
By Tiana Cline, Contributor
Johannesburg, 16 Oct 2025

Ask 10 security leaders to define attack surface management (ASM) and it’s likely that you’ll get as many different answers. For some, it’s an asset inventory. For others, it’s another name for vulnerability scanning. The result is a security term that sounds familiar but means very different things in practice. Without a shared playbook, how do you judge maturity, measure progress or even put it into practice?

“Attack surface management is powerful, but it’s not the silver bullet,” says Richard Cassidy, Rubrik’s EMEA CISO. “On its own, it can absolutely tell you where the cracks are, for lack of a better phrase, but it certainly won’t fix them.”

The old view of ASM was tied to lifecycle management: finding desktops, servers and unpatched endpoints. That’s too narrow for modern environments. Today, ASM is a continuous practice across hybrid estates, spanning on-prem, public and private cloud and SaaS. It’s about identifying what exists, classifying it, watching it for change and linking it to business context. “Where leaders get it wrong is assuming detection equals protection,” says Cassidy. Discovery is critical, but it’s not the destination. Without understanding context, you can’t prioritise what to fix first.

A misconfigured database, for example, is not the same everywhere. The risk depends on the information it holds and the identities that can touch it. That is why strong ASM efforts map data first, then map who can reach that data, and then ask whether those identities are over-provisioned and whether they’re behaving as expected. Cassidy explains that this sequence (data first, then everything wrapped around it) is what turns a long list of assets into a decision about what matters most to the business.

Closing the visibility gap also means linking ASM outputs to the rest of the security programme. Discovery has to flow into triage, response and recovery, “otherwise organisations end up with a better lit attack surface, more to look at, same ability to act,” says Cassidy. The pieces are already well known in the security world: SIEM, SOAR, vulnerability risk management, detection and response. Integration is what turns visibility into action, so the same risk that shows up on a dashboard can also trigger a workflow that blocks, rolls back or restores. “If you have the visibility, but you don’t have the capability to act on it, then you’re just staring at problems rather than fixing them,” he adds.

And then there’s multicloud, something that Cassidy says makes ASM harder. When different clouds are managed in isolation, you end up with a fragmented view of the world and, as a result, security teams end up chasing low-impact issues on one platform while missing higher risk exposures in another. “Every cloud provider has its own native tooling and what we’re forced into, more often than not, is relying on those in isolation,” says Cassidy. “When you’re integrating ASM into multicloud environments, the most important step is to start with as unified a visibility view as you can get.” That said, a unified view is not an end in itself. ASM data has to move into the rest of the stack, not live beside it. That means feeding ASM outputs into existing detection and response tools and normalising risk scoring across cloud providers. Done right, this cuts through the multicloud noise and helps security teams focus on the biggest vulnerabilities, like the high value data stores, misconfigurations and over-privileged identities.
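The two ideas above, ranking exposures by the data they hold and the identities that can reach them, and normalising findings from several cloud providers into one risk view, can be shown as a small pipeline. The following is an added example written for this article, not code from Rubrik, Check Point or any vendor mentioned here. The record shapes, field names, sensitivity weights and scoring formula are all constructed assumptions to illustrate the ordering, not a real provider API or an industry scoring standard.

```python
"""Added example: toy attack-surface prioritisation across two cloud providers.

Constructed sample findings (not real API output) are normalised into one
schema, then scored data-first: how sensitive is the data, how reachable is
the asset, and are the identities that can touch it over-provisioned or
behaving oddly. The weights below are illustrative assumptions."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Illustrative sensitivity weights per data class (assumption, not a standard).
DATA_WEIGHT = {"public": 0, "internal": 1, "pii": 3, "financial": 4, "secrets": 5}


@dataclass
class Identity:
    name: str
    granted: Set[str]          # permissions the identity holds
    used: Set[str]             # permissions it actually exercised recently
    anomalous: bool = False    # flagged by behavioural monitoring


@dataclass
class Asset:
    asset_id: str
    provider: str
    kind: str
    data_classes: Set[str]
    internet_exposed: bool
    misconfigured: bool
    identities: List[Identity] = field(default_factory=list)


def over_provisioning(identity: Identity) -> float:
    """Share of granted permissions the identity never used (0.0 .. 1.0)."""
    if not identity.granted:
        return 0.0
    return len(identity.granted - identity.used) / len(identity.granted)


def normalise_aws(rec: dict) -> Asset:
    """Map a constructed AWS-style record into the common schema."""
    return Asset(
        asset_id=rec["Arn"], provider="aws", kind=rec["ResourceType"],
        data_classes=set(rec.get("DataTags", [])),
        internet_exposed=rec.get("PublicAccess", False),
        # Treat an explicitly disabled public-access block as a misconfiguration.
        misconfigured=rec.get("BlockPublicAccess") is False,
        identities=[Identity(p["RoleName"], set(p["Allowed"]), set(p["Used90d"]),
                             p.get("Anomalous", False)) for p in rec.get("Principals", [])],
    )


def normalise_azure(rec: dict) -> Asset:
    """Map a constructed Azure-style record into the common schema."""
    return Asset(
        asset_id=rec["id"], provider="azure", kind=rec["type"],
        data_classes=set(rec.get("classification", [])),
        internet_exposed=rec.get("publicNetworkAccess") == "Enabled",
        # Illustrative: shared-key access left on counts as a misconfiguration.
        misconfigured=rec.get("allowSharedKeyAccess", False),
        identities=[Identity(a["principal"], set(a["actions"]), set(a["actionsUsed"]),
                             a.get("anomalous", False)) for a in rec.get("assignments", [])],
    )


def score(asset: Asset) -> float:
    """Data first, then reachability, then who can touch it and how they behave."""
    sensitivity = max((DATA_WEIGHT.get(c, 1) for c in asset.data_classes), default=0)
    exposure = 1 + (2 if asset.internet_exposed else 0) + (1 if asset.misconfigured else 0)
    worst_overprov = max((over_provisioning(i) for i in asset.identities), default=0.0)
    identity_factor = 1 + worst_overprov
    if any(i.anomalous for i in asset.identities):
        identity_factor *= 2          # misbehaving identity doubles the urgency
    return sensitivity * exposure * identity_factor


def prioritise(assets: List[Asset]) -> List[Tuple[str, float]]:
    """Return (asset_id, score) pairs, highest risk first."""
    return [(a.asset_id, round(score(a), 2)) for a in sorted(assets, key=score, reverse=True)]


# Constructed sample findings; identifiers are placeholders, not real resources.
AWS_FINDINGS = [
    {"Arn": "arn:aws:s3:::customer-exports", "ResourceType": "s3:bucket", "DataTags": ["pii"],
     "PublicAccess": True, "BlockPublicAccess": False,
     "Principals": [{"RoleName": "svc-reporting",
                     "Allowed": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
                     "Used90d": ["s3:GetObject"]}]},
    {"Arn": "arn:aws:ec2:::instance/web-frontend", "ResourceType": "ec2:instance",
     "DataTags": ["public"], "PublicAccess": True,
     "Principals": [{"RoleName": "web-role", "Allowed": ["s3:GetObject"], "Used90d": ["s3:GetObject"]}]},
]
AZURE_FINDINGS = [
    {"id": "/subscriptions/sub-example/.../storageAccounts/financearchive",
     "type": "Microsoft.Storage/storageAccounts", "classification": ["financial", "pii"],
     "publicNetworkAccess": "Disabled", "allowSharedKeyAccess": True,
     "assignments": [{"principal": "finance-app", "actions": ["read", "write", "delete", "list"],
                      "actionsUsed": ["read", "list"], "anomalous": True}]},
    {"id": "/subscriptions/sub-example/.../virtualMachines/dev-sandbox",
     "type": "Microsoft.Compute/virtualMachines", "classification": ["internal"],
     "publicNetworkAccess": "Enabled", "assignments": []},
]


def run() -> List[Tuple[str, float]]:
    assets = [normalise_aws(r) for r in AWS_FINDINGS] + [normalise_azure(r) for r in AZURE_FINDINGS]
    return prioritise(assets)


if __name__ == "__main__":
    for asset_id, s in run():
        print(f"{s:6.2f}  {asset_id}")
```

Note what the ordering shows: the internal-only finance archive outranks the publicly exposed PII bucket because of the identity context (an over-provisioned principal that is also behaving anomalously), while the internet-facing web instance holding only public data lands at the bottom. A scanner that ranks purely on exposure would invert the top two.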

Attackers don’t wait for you to run your next quarterly scan.

Richard Cassidy, Rubrik

With ASM, there is also confusion about scope – how far should it go? Does ASM stop at external assets, or does it extend inside the organisation too? “External attack surface management tends to keep attackers out in the traditional sense. Internal attack surface management stops them moving once they’re in,” says Cassidy. “If you look at it that way, then you’ve got a good view of how both work in synergy, and you need both to be truly secure.” In other words, external ASM looks at what the world can see — internet-facing assets, cloud workloads, web apps, APIs and third-party integrations. Internal ASM looks behind the perimeter for misconfigurations, over-privileged accounts, insider risk and unsanctioned systems.


The payoff for running both of these views in one process is practical. Not only will you reduce the chances of missing the exposed API that a scan will find in minutes, you’ll reduce the chances of ignoring that misconfigured storage bucket that was never meant to be public but leaks internally all the same. “ASM is like a GPS,” says Ian Oelofse, solutions architect at CASA Software. “It gives you the map, the hazards and the changes in real-time so you can make informed decisions based on context and risk.”

Attack surfaces have become very broad, complex and agile.

Hendrik de Bruin, Check Point

The next frontier for ASM is agentic AI. Instead of waiting for a manual scan or a scheduled inventory, autonomous agents can spot a new workload or SaaS tool the moment it appears, check its configuration against policy, and, in some cases, trigger a fix on their own. It sounds impressive, but it’s important to keep in mind that attackers are experimenting with the same approach. According to Check Point’s AI Security report, agent-based frameworks can already chain tasks together, from testing code for hidden weaknesses to reverse engineering firmware. What used to take a researcher weeks can now be delegated to an AI assistant that never needs to rest. The report warns that the biggest challenge isn’t the capability itself, but putting safeguards around accuracy and control. It’s this speed that makes agentic AI both powerful and a risk to ASM. “AI agents move just as fast in the wrong direction as they do in the right one,” says Rubrik’s Cassidy. “If an autonomous process changes or deletes the wrong thing, then you have to have the ability to bring that back to that precisely known good state before it happened.” And that’s exactly where ASM comes in: making sure speed doesn’t outpace sense, and that every new agent or workload is treated as part of the attack surface from the start.

IN THE SHADOWS

Employees want to use AI. They want to work in a way that’s more productive and, sometimes, the tools they’re given aren’t delivering smarter outcomes. And then there are those employees who work from home in a hybrid or full-time capacity and the rules around AI aren’t exactly clear. You’re using your own network, and sometimes your own device, which means access is unregulated. There’s a reason Gartner estimates that by 2027, 75% of employees will be using some form of shadow IT. Erik Nost, a senior analyst at Forrester, compares ASM to a star-nosed mole. This creature is blind but, using its nose, it manages to locate food. Like the star-nosed mole, ASM is about finding what organisations can’t detect. Shadow IT, driven in large part by AI, is making the attack surface bigger than traditional security tools were ever built to handle.

It’s creating blindspots that cybercriminals are quick to exploit if you don’t have the right visibility tools in place. And yes, it comes down to a common security mantra – you can’t secure what you cannot see. “Without visibility into its attack surface, a company can’t effectively identify, prioritise and remediate security gaps that could leave it vulnerable to exploitation,” says Hendrik de Bruin, Check Point’s head of security consulting for the SADC region. AI only adds to the complexity. On the one hand, AI-powered ASM tools can uncover shadow IT faster than ever before, analysing traffic, APIs and identity patterns to surface assets that would otherwise remain invisible. At the same time, AI services themselves are fuelling the shadow IT problem.

Entire SaaS platforms are being adopted outside of IT’s oversight, pulling sensitive data into third-party systems and creating compliance headaches. The result is a paradox: AI is giving security teams new visibility while simultaneously multiplying the number of blind spots they need to chase. “Attack surfaces have become very broad, complex and agile,” says De Bruin. “Maintaining constant visibility of the risks is critical to stay ahead of attackers who leverage weaknesses in the same surface to execute attacks.” Once shadow IT assets are uncovered, the real decision is whether to secure them or shut them down — and ASM is built for just that. Without it, you’re stuck in the dark. 


* Article first published on www.itweb.africa
