Navigating the Imperfect Landscape: Understanding the Realities of Attack Surface Management

 

In the pursuit of cybersecurity excellence, Attack Surface Management (ASM) has emerged as a powerful tool for organizations seeking to fortify their defenses. However, amidst the excitement surrounding ASM's capabilities, it's crucial to acknowledge the inherent limitations and challenges that come with it. In this blog, we delve into the nuanced realities of ASM, highlighting the need for a balanced approach that recognizes both its strengths and shortcomings.

 

 

Here is the verbatim discussion:

So that 5% is still a risk. As an organization you have to account that, you know, uh, you have to, you have to consider that ASM is, is still just a tool built by humans, and it's going to have its own shortcomings, you know, based on human fallacies. Uh, so it, don't assume that it's complete. Uh, assume that you still have more, more work to do. The other side, even though ASM, I will say I get excited about ASM because of how good it is at discovering things, so that's, you know, the asterisk there is it's, it's almost perfect, but it's not quite.

The other side, the other thing I, I, I emphasized, I touched on this a little bit earlier, is the internal attack surface. Um, ASM is really good at the external attack surface right now, uh, and there appears to be, uh, a direction where some vendors or some ASM solutions are building similar capabilities, not the exact same because they're achieved differently, but similar...

Once they got to know all those assets, they saw, like, half of it, we don't need it, they shouldn't be online. Yeah, they actually went and kind of reduced the attack surface, which is great from the security perspective, but also reduced the spend on cloud costs.

That's a great point. Uh, how many organizations have you worked with, or, you know, I've, I've worked in many organizations that, once they start to wrap their arms around the attack surface, they start to say, wait a second, I thought that was decommissioned a year and a half ago, what is it still doing? Don't turn that off. That's a risk. It's $800 a month. Why is that running?

 

Highlights:

The Human Factor: While ASM offers unparalleled capabilities in discovering vulnerabilities and mitigating risks, it's essential to remember that it is ultimately a tool created by humans. As such, it is susceptible to human fallacies and limitations. Organizations must not fall into the trap of assuming that ASM provides a foolproof solution. Rather, they should approach it with a mindset that acknowledges the possibility of errors and shortcomings, necessitating ongoing vigilance and supplementary measures.

The External vs. Internal Attack Surface: ASM excels in assessing and managing the external attack surface of an organization's digital infrastructure. However, its effectiveness in addressing internal vulnerabilities may vary. While some ASM solutions are expanding to cover internal attack surfaces, there remains a gap in comprehensive coverage. Organizations must recognize this disparity and implement additional measures to mitigate risks stemming from internal vulnerabilities effectively.

Optimizing Resource Utilization: One of the overlooked benefits of ASM is its potential to optimize resource utilization by identifying and eliminating unnecessary assets from the attack surface. By gaining insights into their digital footprint, organizations can uncover dormant or redundant assets that pose security risks and incur unnecessary costs. This dual benefit of enhanced security and cost reduction underscores the value of ASM beyond its traditional scope.

 

As organizations embrace Attack Surface Management as a cornerstone of their cybersecurity strategy, it's imperative to maintain a nuanced understanding of its capabilities and limitations. While ASM offers unprecedented insights into vulnerabilities and threats, it is not without its flaws. Human error, internal vulnerabilities, and the need for ongoing optimization remain persistent challenges in the ASM landscape. By adopting a holistic approach that combines ASM with supplementary measures and a culture of continuous improvement, organizations can maximize the efficacy of their cybersecurity efforts. In doing so, they can navigate the imperfect landscape of cybersecurity with confidence and resilience, safeguarding their digital assets against evolving threats.

 

Speakers:

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has acquired extensive experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cybersecurity services.

Bikash Barai is credited with several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx, etc.

Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/
