Attack surface reduction (ASR) and management is the practice of reducing as much of the attack surface as possible through various means. It involves continuously assessing the attack surface, on the understanding that the surface changes constantly and requires constant visibility. As you gain a better understanding of the surface, you can take steps to reduce it and protect the vectors you cannot eliminate.
The importance of attack surface reduction
In the past, networks had clear borders guarded by firewalls, and the attack surface existed outside these borders. However, modern networks are complex and chaotic with no clear border—threats are both inside and outside. The attack surface is extended wherever corporate data is at rest or in transit.
For example, an organization's attack surface may include proprietary source code stored in Azure Repos, documents in Google Workspace, customer data stored on SAP, storage buckets and application servers on Amazon Web Services (AWS), emails in Microsoft 365, and more. Each of these assets sits in a different part of the ecosystem and may transfer data to the others.
This type of attack surface is the reality of the modern corporate technology architecture. It provides flexibility and enables remote work, but it also makes the attack surface increasingly complex. The issue is further aggravated by newer software development paradigms, such as DevOps and cloud-native approaches that use microservices, which significantly increase the attack surface.
Attack surface reduction and management tools
Organizations can leverage various tools to obtain continuous visibility into the attack surface, determine existing and changing attack vectors, and work to eliminate or protect against these attack vectors. Here are several tools to help achieve this level of visibility:
- Inventory management—helps organizations create a repository of known systems. It typically involves asset discovery to scan for all systems and inventory all assets, including shadow IT.
- Vulnerability management—these tools scan external and internal systems for known vulnerabilities. They help prioritize vulnerabilities so organizations can address the most critical ones first.
- External risk ratings—involves allowing external parties to perform ongoing assessments of the organization's public-facing security posture.
- Red teaming and penetration testing—these teams provide expert information about the attack vectors that allow attackers to breach the target. These insights help prioritize the most pressing attack vectors to address in order to reduce the attack surface.
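The inventory and vulnerability management items above can be combined into one reconciliation pass. The following is an added example, not code from the original page: it compares a known inventory against asset discovery results to surface shadow IT and stale records, then ranks what was found. The host names, data, and scoring weights are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    internet_facing: bool
    max_cvss: float  # highest CVSS base score from the last scan, 0.0 if none

# Constructed sample data: hypothetical hosts under the reserved example.com domain.
INVENTORY = {"repo.example.com", "mail.example.com", "sap.example.com", "old-ftp.example.com"}
DISCOVERED = [
    Asset("repo.example.com", False, 5.3),
    Asset("mail.example.com", True, 7.5),
    Asset("sap.example.com", False, 9.8),
    Asset("Test-Bucket.example.com.", True, 0.0),
    Asset("dev-api.example.com", True, 8.1),
]

def normalize(host):
    """Host names are case-insensitive and may carry a trailing root dot."""
    return host.strip().lower().rstrip(".")

def reconcile(inventory, discovered):
    """Return (shadow, stale): seen but not inventoried, inventoried but not seen."""
    known = {normalize(h) for h in inventory}
    seen = {normalize(a.host) for a in discovered}
    return sorted(seen - known), sorted(known - seen)

def risk_score(asset, known):
    """Assumed weighting: CVSS, plus 3 if internet facing, plus 2 if unmanaged."""
    score = asset.max_cvss
    if asset.internet_facing:
        score += 3.0
    if normalize(asset.host) not in known:
        score += 2.0  # nobody owns or patches an asset missing from the inventory
    return round(score, 1)

def prioritize(inventory, discovered):
    """Rank discovered assets, highest score first, host name as tie-breaker."""
    known = {normalize(h) for h in inventory}
    scored = [(normalize(a.host), risk_score(a, known)) for a in discovered]
    return sorted(scored, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    shadow, stale = reconcile(INVENTORY, DISCOVERED)
    print("shadow IT:", shadow)
    print("stale inventory records:", stale)
    for host, score in prioritize(INVENTORY, DISCOVERED):
        print(f"{score:5.1f}  {host}")
```

Running the same pass on every discovery cycle and comparing the shadow and stale lists between runs shows how the surface is changing over time.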