Over the last decade, many organizations have seen their attack surface soar out of control.
Digital transformation initiatives, cloud migrations, and increased uptake of user-centric technology architectures have led to huge growth in Internet-accessible assets. At the same time, the number of CVEs reported annually has risen substantially.
As a result, security teams are scrambling to secure known assets while maintaining a complete picture of their asset inventories—and often falling short on both counts.
Why is ASM Important?
Your attack surface is the sum of all entry points an attacker could use to access your systems, applications, devices, or network. For most organizations, it’s a complex web of Internet-facing hardware and software assets, including any open ports and services, logic systems, and unmitigated vulnerabilities.
The larger your attack surface, the more opportunities an attacker has to gain entry. Today, attack surfaces are overwhelmingly larger than even a decade ago, and IT and security are scrambling to stay on top. This is why ASM is so important.
ASM is the continuous discovery, inventory, analysis, and remediation of all components within an organization’s attack surface. This means maintaining a complete and current picture of all externally-accessible digital assets, including hardware, web properties, IP addresses, systems, and services. It also requires continuous monitoring and analysis of all assets to identify and remediate vulnerabilities and configuration issues that attackers could exploit.
The Attack Resistance Gap
Effective ASM is among the top security challenges for organizations today.
HackerOne’s 2022 Attack Resistance Report surveyed over 800 respondents from various industries, organization sizes, and locations. A third of respondents from large enterprises said at least 25% of their attack surface is unknown, while almost 20% believe over half is unknown.
Based on these figures, a typical enterprise’s attack surface could contain thousands of unknown, unprotected digital assets. These unprotected assets form a large part of the attack resistance gap—the portion of an organization’s attack surface that is not ready to resist attack. Collectively, respondents said just 63% of their attack surface is prepared to resist attack, leaving an attack resistance gap of 37%.
Why ASM Alone Can’t Solve the Problem
ASM solutions continuously monitor the attack surface to discover, inventory, and assess the security profile of externally-facing assets. Once discovered, identified assets are added to a single repository, through which an organization can track its attack surface. Typically, asset entries are enriched with a range of information, technical details, network and Internet identifiers, weaknesses (e.g., open ports or known vulnerabilities), and an estimated risk score.
These technologies are an essential part of any ASM program. They enable an organization to close the attack resistance gap and prioritize security resources to address high risk issues. ASM can also help organizations achieve a variety of other security and business objectives, including:
- Identifying exposed development infrastructure.
- Securing APIs.
- Supporting M&A activities.
- Ensuring compliance with data protection regulations, e.g., GDPR.
However, ASM alone isn’t enough to stay on top of an organization’s full attack surface. This technology relies heavily on asset data provided by security and IT teams, which is typically incomplete or outdated. As a result, attack surface scanners inevitably miss some assets, leaving them stranded outside the scope of an organization’s cybersecurity program.
ASM solutions also typically have a high false positive rate, which requires manual intervention to assess. Since this takes time, most asset repositories provide an incomplete and outdated picture of cyber risk.
The Solution: Combining Automation with Human Security Expertise
If automation alone isn’t the solution, what is? Combining automation with the reconnaissance skills of handpicked security experts.
Security testers and researchers frequently uncover unknown assets during their work. Unlike automation, which can only uncover assets using a logical, brute force approach, humans can often recognize discovered assets as belonging to an organization even if they aren’t linked to other known assets. This makes human security experts an ideal counterpart for automated tools to help any organization uncover and manage its full attack surface.
HackerOne Assets provides the incentives, technology platform, and workflows security experts need to formalize this discovery process and submit new assets directly to the organizations they work with. The solution includes a dynamically updated asset inventory that becomes the single source of truth for an organization’s attack surface.
Unlike other ASM solutions, Assets ingests results from HackerOne’s continuous attack surface scanner, imports results from other ASM solutions, and captures assets uncovered by our community of security experts. This hybrid approach to ASM is substantially more effective compared to pure automation.
Enterprise customers see their visible attack surface visibility more than double with HackerOne Assets, often discovering hundreds or thousands of previously unknown assets. At the same time, they are able to reduce the time and effort required for asset inventory management and maintenance.