What Is Attack Surface Discovery—And Why Is It Important?

Dec 2, 2021
Kenna Security


Attack surface discovery is the practice of identifying the information on all potential points of exploits within your organization’s environment. These vulnerabilities can be digital (applications, websites, shadow IT), physical (all endpoint or IoT devices), or social (human error such as whaling attacks). Knowing where your vulnerabilities exist within your attack surface is a critical first step in protecting your infrastructure and applications from attack.

Why is attack surface discovery important?

Knowing exactly what is visible across your attack surface is imperative. The larger an attack surface, the more opportunities a bad actor has to gain unauthorized access to the organization’s systems and data; the smaller an attack surface, the easier it is to keep it secure. Once a cybercriminal gains access, sensitive data could be compromised and business operations could be halted, sometimes causing irreparable damage. 

Why are attack surfaces expanding?

Expanding attack surfaces are not a new phenomenon. Prior to the pandemic, the number of vulnerabilities companies had to account for and secure was steadily growing thanks to broad adoption of new technologies, cloud computing in particular. Just before COVID-19 upended entire nations around the world, an O’Reilly survey conducted in January of 2020 revealed that over 88% of organizations relied on some form of cloud services. And of the more than 1,200 respondents, 25% reported that their companies planned to migrate their entire business operations to the cloud during the year.

Businesses were full steam ahead on cloud migration when a worldwide shutdown forced a record-breaking number of employees to work remotely. In fact, a Statista study revealed that working from home during an average work week rose from 17% to 44% in 2020. This caused a definitive spike in attack surfaces, and even as the world continues to settle into a new hybrid normal, attack surfaces are still growing at a substantial rate.

The proliferation of IoT and 5G adoption, too, has created an influx of new vulnerabilities (and therefore larger attack surfaces), especially given shorter development and testing timeframes and the growing number of smart devices in homes and offices. More frequent space launches have also raised concern about potentially immense attack surfaces, thanks to the increase in connected devices and networks supporting space-based activity.

This digital climate spells trouble for enterprises looking to lock down their environment. Threat actors are having a field day capitalizing on the large and vulnerable targets created by these massive surfaces. In the midst of an unprecedented surge in cyber attacks, security leaders everywhere are working to get a grip on their rapidly expanding surfaces and limit opportunities for entry. 

How can I discover—and manage—an expanding attack surface?

We’ve put together the top five critical steps you can take to discover and then minimize your attack surface, and finally eliminate vulnerable points of entry. 

  1. Audit your environment. As painful as it may be (particularly for companies that have decades of digital buildup), peeling back the layers of your environment is the first step toward a smaller and more manageable attack surface. Use attack surface management (ASM) tools, vulnerability scanners, pen testing, static and dynamic application security testing (SAST and DAST) programs, bug bounty programs, and software composition analysis (SCA) tools. This will allow you to amass a full inventory of your attack surface to understand what lives in your environment, uncover forgotten assets, and identify unpatched issues. Itemizing your potential entry points will help you understand how exposed you are.

  2. Simplify your security. As environments grow increasingly complex and nuanced, teams lose their competitive edge attempting to make outdated, legacy systems keep them secure. Too many vulnerabilities, too much security data (with little to no context), and too little time and budget leave remediation teams overwhelmed, overworked, and still vulnerable. Embracing a comprehensive threat and vulnerability management tool will empower Security and IT to aggregate their disparate security data in one place, understand their biggest risks, and take swift and decisive action. Leading vendors offer robust XDR (extended detection and response) with risk-based vulnerability prioritization baked in to help teams fix the vulnerabilities that lower the most risk while saving time and money and increasing efficiency.

  3. Take a risk-based approach. Risk-based thinking doesn’t have to be limited to vulnerability management. Viewing security operations through a lens of risk helps align teams, streamline processes, and eliminate the need for security “gatekeepers.” By rallying more people around risk, organizations can target their resources on the biggest risks facing the company, lowering the overall risk profile and creating advocates for safer and smarter cybersecurity. Security can be a team effort, not just a Security team effort.

  4. Think like a cybercriminal. Interrogate your environment to uncover attack vectors that might be sniffed out and exploited by threat actors. Get creative. Some of the most mundane entry points have brought businesses to their knees.

  5. Plan for the worst-case scenario. No one likes to think the worst can happen, but for too many it will. Have a plan in place in the event of a data breach, ransomware attack, or hijacked systems. Use your attack surface findings to create a plan for each scenario. Regularly testing and updating your response plan will help you and your team feel confident about your ability to navigate the worst-case scenario.

How can I prepare to manage my attack surface in the future?

Future security operations will have to manage monumentally large attack surfaces, so the challenge of mitigating and managing potential vulnerabilities won’t get any easier. Today, the average organization battles vulnerabilities in the millions, and even the best-resourced, top-performing teams can only address 10% of them. The good news is that, on average, organizations need only address between 2% and 5% of vulnerabilities. Yet for companies with less-than-stellar security management tools, the number of vulns deemed high or critical can be vastly inflated, meaning remediation teams waste time, money, and energy on potentially irrelevant vulns. At the end of the day, cybersecurity will be a tremendous balancing act.

Luckily, industry innovators started solving for this years ago, defining a new path forward based on data science and machine learning, enhanced threat and vulnerability intelligence, and granular contextual data (including a company’s own appetite for risk). With data-driven, actionable risk-based vulnerability management, teams can make smarter prioritization decisions, better leverage their security investments, and optimize resources.

Risk-based prioritization will be a necessary weapon in every SecOps arsenal, resulting in evidence-based fix lists that isolate the vulns that pose the greatest risk to the infrastructure and business.
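As an added illustration of the risk-based prioritization described above (example code written for this page, not Kenna’s own model), the following Python builds an evidence-based fix list from a constructed vulnerability inventory; the scoring weights, asset names and VULN-xx identifiers are assumptions made up for the example. It shows how a CVSS-only view inflates the “high or critical” backlog, while exploit intelligence, exposure and asset context, filtered by the organization’s risk tolerance, isolate the few vulns that matter most.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    asset: str
    vuln_id: str            # constructed placeholder ids, not real CVEs
    cvss: float             # base severity, 0.0-10.0
    exploited: bool         # threat intel reports active exploitation in the wild
    internet_facing: bool   # reachable from outside, i.e. on the external surface
    criticality: int        # asset importance, 1 (lab box) .. 5 (crown jewel)


# Constructed inventory standing in for the output of an audit (scanner + ASM + CMDB).
INVENTORY = [
    Vuln("web-01",     "VULN-01", 9.8, True,  True,  5),
    Vuln("web-01",     "VULN-02", 7.5, False, True,  5),
    Vuln("db-01",      "VULN-03", 9.1, False, False, 5),
    Vuln("vpn-gw",     "VULN-04", 8.8, True,  True,  4),
    Vuln("lab-07",     "VULN-05", 9.8, True,  False, 1),
    Vuln("wks-113",    "VULN-06", 7.8, False, False, 2),
    Vuln("wks-113",    "VULN-07", 5.3, False, False, 2),
    Vuln("print-02",   "VULN-08", 6.5, False, False, 1),
    Vuln("legacy-erp", "VULN-09", 8.1, True,  False, 5),
    Vuln("cdn-edge",   "VULN-10", 4.3, False, True,  3),
]


def severity_only_backlog(vulns):
    """What a CVSS-only view calls 'high or critical' (base score >= 7.0)."""
    return [v for v in vulns if v.cvss >= 7.0]


def risk_score(v: Vuln) -> float:
    """Illustrative blend of severity with exploit intel and asset context.
    The weights are assumptions for this example, not any vendor's model."""
    score = v.cvss
    score *= 2.0 if v.exploited else 1.0        # observed exploitation dominates severity
    score *= 1.5 if v.internet_facing else 1.0  # external exposure widens the surface
    score *= 0.5 + 0.1 * v.criticality          # 0.6x (lab box) .. 1.0x (crown jewel)
    return round(score, 2)


def fix_list(vulns, risk_tolerance: float):
    """Evidence-based fix list: everything above the org's risk tolerance, worst first."""
    ranked = sorted(vulns, key=risk_score, reverse=True)
    return [v for v in ranked if risk_score(v) >= risk_tolerance]


if __name__ == "__main__":
    print(f"CVSS>=7 backlog: {len(severity_only_backlog(INVENTORY))} of {len(INVENTORY)}")
    for v in fix_list(INVENTORY, risk_tolerance=15.0):
        print(f"{v.vuln_id} on {v.asset}: risk {risk_score(v)}")
```

With the constructed data, the severity-only view flags 7 of 10 findings, while the risk-based list at a tolerance of 15.0 reduces the immediate work to 3, led by the actively exploited, internet-facing web server.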

How do I assess my options for vulnerability management?

Finding the right risk-based vulnerability management vendor can be a laborious and time-consuming process; however, it’s a worthy endeavor with long-term benefits, including a more agile and resilient organization that can withstand whatever unpredictable circumstances the future holds.

To make this process easier, and to ensure you’re able to gather the pertinent decision-making data you need, check out 7 Questions to Ask Every Vulnerability Management Vendor. It provides a helpful framework for navigating these conversations and zeroing in on the best solution for you and your organization. 
