<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/en-gb/blog/authors/robert-waters/rss" /><link>https://www.ivanti.com/en-gb/blog/authors/robert-waters</link><item><guid isPermaLink="false">11710027-c723-488c-a221-3e83218decf6</guid><link>https://www.ivanti.com/en-gb/blog/risk-appetite</link><atom:author><atom:name>Robert Waters</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/robert-waters</atom:uri></atom:author><category>Security</category><title>Understanding Risk Appetite – a Critical Component of Exposure Management</title><description>&lt;p&gt;Risk is inherent in any business. It’s how an organisation understands and manages it that makes all the difference.&lt;/p&gt;

&lt;p&gt;From operational challenges to market volatility, regulatory changes and technological advancements, companies face a spectrum of uncertainties that could either generate growth or lead to losses.&lt;/p&gt;

&lt;p&gt;To effectively manage them, a business needs to set out a framework that helps it determine just how much risk it’s willing to accept in pursuit of its objectives. This is where the concept of "risk appetite" comes into play.&lt;/p&gt;

&lt;p&gt;But to define its risk appetite, a company has to see and understand all the risks it faces. And for security teams that are laying the groundwork for their &lt;a href="https://www.ivanti.com/glossary/exposure-management" target="_blank" rel="noopener"&gt;exposure management&lt;/a&gt; strategy, defining their organisation’s risk appetite is a critical step.&lt;/p&gt;

&lt;h2&gt;What is risk appetite?&lt;/h2&gt;

&lt;p&gt;Risk appetite is the level of risk an organisation is willing to accept in pursuit of its objectives. Defining it sets boundaries for the organisation regarding what risks it will take and to what degree. A&amp;nbsp;&lt;em&gt;high risk&lt;/em&gt; appetite means being open to accepting greater risks for possibly higher rewards, while a &lt;em&gt;low risk&lt;/em&gt; appetite means the organisation prefers reducing risk as much as possible.&lt;/p&gt;

&lt;p&gt;Consider a tech startup that wants to invest in cutting-edge research and development. It may adopt a higher risk appetite to achieve disruptive, breakthrough innovations, knowing that the potential rewards are worth the uncertainty. Conversely, a large, well-established corporation might have a lower risk appetite, focusing on steady growth while avoiding projects that could significantly harm its market position or reputation.&lt;/p&gt;

&lt;h2&gt;Risk appetite is both quantitative and qualitative&lt;/h2&gt;

&lt;p&gt;Risk appetite is never static; it’s a dynamic measure that should be adjusted based on factors such as industry, company size and health, strategic objectives, regulatory requirements and the overall market environment.&lt;/p&gt;

&lt;p&gt;Nor is it just about the numbers: risk appetite is a blend of both quantitative and qualitative factors.&lt;/p&gt;

&lt;p&gt;On the one hand, a business may have measurable elements like how much loss it’s willing to tolerate, its debt ratios and what kind of return on investment (ROI) it’s shooting for. On the other, it may also have subjective aspects to consider, such as the potential effect on company reputation, ethical considerations and how well its decisions align with its core values.&lt;/p&gt;

&lt;h2&gt;Why is it important to define risk appetite?&lt;/h2&gt;

&lt;p&gt;Nearly any organisation that wants to succeed has to take calculated risks. But without a clear understanding of its risk appetite, it can wander into inconsistent, reactive or overly cautious decision-making. That can lead to missed opportunities or business losses. Here's why defining risk appetite is essential:&lt;/p&gt;

&lt;h3&gt;To align strategy and risk management&lt;/h3&gt;

&lt;p&gt;Having a clearly defined risk appetite provides a strategic framework that aligns &lt;a href="https://www.ivanti.com/blog/vulnerability-and-risk-management-how-to-simplify-the-process" target="_blank" rel="noopener"&gt;risk management practices&lt;/a&gt; with overall business goals. When an enterprise knows how much risk it is willing to accept, it can pursue opportunities that match its risk appetite while avoiding others that might expose it to undue risk.&lt;/p&gt;

&lt;h3&gt;To improve decision-making&lt;/h3&gt;

&lt;p&gt;Defining risk appetite allows leaders and managers to make informed decisions by clearly understanding what constitutes an acceptable risk. It also sets expectations for both risk-taking and risk-avoidance behaviours across the organisation, helping managers evaluate risk/reward trade-offs in different scenarios.&lt;/p&gt;

&lt;h3&gt;To build stakeholder confidence&lt;/h3&gt;

&lt;p&gt;A clearly defined risk appetite reassures investors, regulators, employees and other stakeholders that the organisation prioritises risk management. It also demonstrates a methodical, trustworthy approach to balancing risk against reward, further shoring up stakeholder confidence.&lt;/p&gt;

&lt;h3&gt;To promote consistency&lt;/h3&gt;

&lt;p&gt;When everyone in an organisation “gets the memo” on how much risk is permissible, that helps them make consistent decisions because they all understand what's an acceptable gamble. This means there’s less chance of working at cross-purposes or even pulling in opposite directions. For instance, a legal department might put the brakes on a marketing team’s Big Idea if they don’t share the same notion of acceptable risk.&lt;/p&gt;

&lt;h3&gt;To support effective risk monitoring&lt;/h3&gt;

&lt;p&gt;When companies define their risk appetite, they can set up systems to monitor risk levels across the entire enterprise, from finance to operations. Thus, they’re able to spot potential issues early and ensure activities stay within the boundaries of what’s seen as safe — or at least acceptable. Setting and monitoring key risk indicators (KRIs) provides early warnings if somebody is coming too close to those boundaries.&lt;/p&gt;

&lt;h2&gt;How does a company define its risk appetite?&lt;/h2&gt;

&lt;p&gt;Typically, an organisation does this by drafting a risk appetite statement (RAS). The first parts of an RAS lay out the company’s strategic objectives and the risks involved.&lt;/p&gt;

&lt;p&gt;A company might want to become the leading software provider in its industry. It should list the strategic objectives that are vital to reaching that goal and also list the risks associated with them. For instance, Ivanti is in the business of delivering cloud-based IT services and security management solutions. That means it’s incumbent on us that our risk appetite statement catalogues all the risks involved in that line of business and explains how we’ll manage them.&lt;/p&gt;

&lt;p&gt;Here’s an example of how one section of a risk appetite statement might look for a software provider:&lt;/p&gt;

&lt;blockquote&gt;
&lt;table&gt;
	&lt;thead&gt;
		&lt;tr&gt;
			&lt;th colspan="2" scope="col"&gt;
			&lt;p&gt;General Risk Appetite&lt;/p&gt;

			&lt;p&gt;[Company XYZ] adopts a balanced approach to risk, recognising that not all risks are equal and that some level of risk is necessary to achieve our strategic goals.&lt;/p&gt;
			&lt;/th&gt;
		&lt;/tr&gt;
	&lt;/thead&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td&gt;Innovation Risk&lt;/td&gt;
			&lt;td&gt;We have a high risk appetite for investing in advanced technologies and innovative solutions that differentiate our products in the competitive landscape. We understand this requires accepting a degree of uncertainty in R&amp;amp;D and product development.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Operational Risk&lt;/td&gt;
			&lt;td&gt;We maintain a low to moderate risk appetite. While striving for operational excellence, we prioritise initiatives that improve efficiency and service quality without compromising our delivery standards.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Security Risk&lt;/td&gt;
			&lt;td&gt;We have an extremely low risk appetite for security threats and breaches. Our commitment to network security and data protection is paramount, and we invest substantially in safeguarding our systems and our clients’ data.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Compliance Risk&lt;/td&gt;
			&lt;td&gt;We have a low risk appetite for non-compliance with legal and regulatory requirements. Ensuring adherence to relevant laws, standards and best practices in all operational areas is critical.&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;/blockquote&gt;

&lt;p&gt;The RAS should define the risks that would have the greatest impact on the organisation, not everyday risks that are simply part of doing business. It ought to account for multiple risk scenarios; for instance, a specific strategy may entail supply chain risk, such as the effects of being locked into a vendor or the dangers of regulatory exposure if a supplier mishandles customer data.&lt;/p&gt;

&lt;p&gt;It should also define the amount of financial risk a company is willing to take on. If its objectives include offering a new product or service, there's always a chance of failure in the marketplace.&lt;/p&gt;

&lt;h2&gt;Components of risk appetite&lt;/h2&gt;

&lt;p&gt;These are key factors that have to be considered in defining risk appetite:&lt;/p&gt;

&lt;h3&gt;Risk capacity&lt;/h3&gt;

&lt;p&gt;This refers to the &lt;em&gt;maximum&lt;/em&gt; amount of risk that an organisation can bear. Financial resources, operational capabilities and regulatory constraints decide this. And risk capacity differs from risk appetite: an organisation may have the capacity to take on a certain level of risk but might choose not to, based on its risk appetite.&lt;/p&gt;

&lt;h3&gt;Risk tolerance&lt;/h3&gt;

&lt;p&gt;Whereas risk capacity is about how much risk an organisation can withstand, risk tolerance is the acceptable deviation from its target. An organisation may even set different tolerances for different areas. For example, it might be comfortable taking a chance on a new product, but risk-avoidant about managing customer data.&lt;/p&gt;

&lt;h3&gt;Risk thresholds&lt;/h3&gt;

&lt;p&gt;We’ve mentioned risk monitoring and KRIs above; they’re used to keep a company from crossing risk thresholds — the “red lines” that represent too much risk. Crossing a risk threshold might require a change in plans, increased safety measures or even a complete halt to what the company is doing.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Related: Ivanti Research Report: &lt;a href="https://www.ivanti.com/resources/research-reports/cybersecurity-risk-management" target="_blank" rel="noopener"&gt;Aligning Perspectives: Cyber Risk Management in the C-Suite&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;Why is risk appetite important in exposure management?&lt;/h2&gt;

&lt;p&gt;Once upon a time, mitigating digital risk was much simpler than it is today. That’s because most large organisations’ attack surfaces have vastly expanded over time. The addition of more devices and applications, used by employees in more places, has transformed the workplace and expanded the digital threat landscape.&lt;/p&gt;

&lt;p&gt;It’s one reason why &lt;a href="https://www.ivanti.com/resources/research-reports/attack-surface-management" target="_blank" rel="noopener"&gt;Ivanti research&lt;/a&gt; found that more than half of IT professionals are not very confident they can prevent a damaging security incident in the next 12 months. More than one in three even say they’re less prepared to detect threats and respond to incidents than they were a year ago.&lt;/p&gt;

&lt;p&gt;Traditional &lt;a href="https://www.ivanti.com/en-gb/products/risk-based-vulnerability-management"&gt;vulnerability management&lt;/a&gt; has long focused on reactively remediating software and hardware vulnerabilities catalogued as CVEs, and usually relies only on intermittent scans. Today’s cyberthreat scenario demands a new approach.&lt;/p&gt;

&lt;p&gt;Modern exposure management is focused on continually, proactively finding and remediating risks and vulnerabilities across the entire digital attack surface. That’s whether they arise from exposed IT assets, unsecured endpoints and applications, cloud-based resources or other vectors. What makes exposure management and risk appetite so intertwined?&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;em&gt;Assessing exposure according to acceptable risk levels:&lt;/em&gt; Exposure management involves quantifying the risk levels associated with different exposures. By defining acceptable risk, organisations can compare the possible impact of different risks with their risk appetite.&lt;/li&gt;
	&lt;li&gt;&lt;em&gt;Deploying resources based on risk:&lt;/em&gt; Organisations must prioritise which exposures pose the greatest threat to their strategies – an assessment they can only make with a clear understanding of their risk appetite. That prioritisation lets them concentrate resources on mitigating the most critical ones, often with the help of an advanced RBVM tool.&lt;/li&gt;
	&lt;li&gt;&lt;em&gt;Adjusting risk appetite:&lt;/em&gt; As a business environment changes or new risks emerge, risk appetite may need to be adjusted. The data and insights organisations uncover as part of their exposure management practice help them make informed decisions around such adjustments.&lt;/li&gt;
	&lt;li&gt;&lt;em&gt;Ensuring compliance:&lt;/em&gt; Many industries have regulatory requirements related to risk management, which in turn influence an organisation’s risk appetite. Exposure management involves identifying and addressing risks that could cause non-compliance.&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;Related: Ivanti Research Report: &lt;a href="https://www.ivanti.com/resources/research-reports/attack-surface-management" target="_blank" rel="noopener"&gt;Attack Surface Management&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;Looking at security risk through the lens of exposure management&lt;/h2&gt;

&lt;p&gt;A notable difference between exposure management and other security practices is that exposure management includes not just prioritising remediation of the exposures that pose the most risk to the organisation, but also actively defining which risks fall within the organisation’s risk tolerance. For example, an e-commerce company may be willing to accept heightened security risks in order to keep its site functional on Black Friday – the trade-off is worth it.&lt;/p&gt;

&lt;p&gt;Instead of viewing every potential risk as a crisis that needs instant remediation, organisations need to prioritise them based on business needs. In this framework, most risk &lt;em&gt;isn’t&lt;/em&gt; bad: it’s about how you react to it, control it and mitigate it to bring it to an acceptable level.&lt;/p&gt;
</description><pubDate>Mon, 10 Feb 2025 14:44:03 Z</pubDate></item><item><guid isPermaLink="false">1f9777b1-e2bd-491c-8eaf-df3503467a13</guid><link>https://www.ivanti.com/en-gb/blog/exposure-management-checklist</link><atom:author><atom:name>Robert Waters</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/robert-waters</atom:uri></atom:author><category>Security</category><title>The Five Ws (and H) of Exposure Management</title><description>&lt;p&gt;The Five Ws and H — who, what, when, where, why and how — have long been used as a checklist in journalism to make sure a story covers every piece of essential information. The same concept is employed here to make sure all the essential information about exposure management is covered in this post.&lt;/p&gt;

&lt;p&gt;Read on for a better understanding of &lt;a href="https://www.ivanti.com/en-gb/resources/exposure-management-strategy-guide" target="_blank"&gt;exposure management&lt;/a&gt; (the Five Ws) and actionable guidance for implementing it (the H).&lt;/p&gt;

&lt;h2&gt;Who&lt;/h2&gt;

&lt;h3&gt;Who invented exposure management?&lt;/h3&gt;

&lt;p&gt;The term “exposure management” has been used in various contexts for decades, though it’s unknown when it was first used within the context of cybersecurity. That being said, exposure management is an evolution of vulnerability management, so it’s not an entirely new concept within the cybersecurity space but rather a reimagining of a preexisting practice.&lt;/p&gt;

&lt;p&gt;Exposure management started gaining popularity in the cybersecurity space in 2022 as analyst firms began publishing research reports on the topic and vendors began releasing exposure management products and services.&lt;/p&gt;

&lt;h3&gt;Who benefits from exposure management?&lt;/h3&gt;

&lt;p&gt;Exposure management benefits a range of internal stakeholders — I recommend reading on if you fit any of the following profiles:&lt;/p&gt;

&lt;table&gt;
	&lt;thead&gt;
		&lt;tr&gt;
			&lt;th scope="col"&gt;Role&lt;/th&gt;
			&lt;th scope="col"&gt;Relevant Responsibility&lt;/th&gt;
			&lt;th scope="col"&gt;Benefit&lt;/th&gt;
		&lt;/tr&gt;
	&lt;/thead&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td&gt;Security architect&lt;/td&gt;
			&lt;td&gt;Develop secure systems and networks&lt;/td&gt;
			&lt;td&gt;Improved understanding of risk posed to systems and networks&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Vulnerability risk management (VRM)&lt;/td&gt;
			&lt;td&gt;Identify exposures and prioritise for remediation&lt;/td&gt;
			&lt;td&gt;Improved efficiency and accuracy of prioritisation process&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;SOC / security analyst&lt;/td&gt;
			&lt;td&gt;Detect and respond to cyber attacks&lt;/td&gt;
			&lt;td&gt;Lower volume of incidents requiring reactive response&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;IT operations&lt;/td&gt;
			&lt;td&gt;Remediate exposures prioritised by VRM&lt;/td&gt;
			&lt;td&gt;Lower volume of exposures requiring remediation&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Development&lt;/td&gt;
			&lt;td&gt;Make code changes to resolve exposures in software&lt;/td&gt;
			&lt;td&gt;Lower volume of exposures requiring resolution&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Chief information security officer (CISO)&lt;/td&gt;
			&lt;td&gt;Oversee infosec programme that protects systems and data&lt;/td&gt;
			&lt;td&gt;Stronger security posture better protects systems and data&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Chief information officer (CIO)&lt;/td&gt;
			&lt;td&gt;Own management, implementation and usability of IT&lt;/td&gt;
			&lt;td&gt;Less downtime leads to improved &lt;a href="https://www.ivanti.com/glossary/digital-employee-experience-dex" target="_blank" rel="noopener"&gt;digital employee experience&lt;/a&gt;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;C-suite&lt;/td&gt;
			&lt;td&gt;Ensure day-to-day operations align with long-term strategies&lt;/td&gt;
			&lt;td&gt;Better equipped to make decisions regarding risk&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Board of directors&lt;/td&gt;
			&lt;td&gt;Protect interests of shareholders and stakeholders&lt;/td&gt;
			&lt;td&gt;Fewer attacks means less damage to reputation and revenue&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Business unit (BU) leader&lt;/td&gt;
			&lt;td&gt;Lead a specific division towards its goals&lt;/td&gt;
			&lt;td&gt;Decreased downtime of BU’s critical systems and services&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Public relations (PR)&lt;/td&gt;
			&lt;td&gt;Reverse negative communication and perception around a crisis&lt;/td&gt;
			&lt;td&gt;Fewer PR crises stemming from cyber attacks&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Chief financial officer (CFO) / finance organisation&lt;/td&gt;
			&lt;td&gt;Maintain the fiscal health of the organisation&lt;/td&gt;
			&lt;td&gt;Less unanticipated costs for cyber attack response and recovery&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;Compliance team&lt;/td&gt;
			&lt;td&gt;Ensure adherence to regulations and avoidance of missteps that could harm the organisation&lt;/td&gt;
			&lt;td&gt;Lower odds of violating regulations or experiencing other harm thanks to fewer breaches&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;External stakeholders also benefit when exposure management results in improved security postures for organisations. For example, customers are at lower risk of having their personally identifiable information (PII) compromised in a data breach and shareholders are less likely to see stock prices dip due to a brand’s reputation being damaged by a cyber attack.&lt;/p&gt;

&lt;h3&gt;Who “owns” exposure management?&lt;/h3&gt;

&lt;p&gt;This may seem illogical, or even controversial, but it’s the C-suite that owns exposure management. While Security owns day-to-day exposure management operations, those operations are executed at the direction of the executive team — as noted above, they’re the ones determining the organisation’s risk appetite. The numbers support this stance. &lt;a href="https://www.ivanti.com/resources/research-reports/cybersecurity-risk-management" target="_blank" rel="noopener"&gt;86% of security professionals&lt;/a&gt; we surveyed said that cybersecurity is a topic discussed at the board level.&lt;/p&gt;

&lt;p&gt;Such a stance may have been blasphemous in the past, as most C-suite members lack the knowledge necessary to make cybersecurity decisions. But by focusing on exposure management, organisations can use quantifiable data to assess risks, reducing reliance on subjective judgement. This means that decisions regarding cybersecurity priorities and responses can be based on measurable risk factors, such as the likelihood of a threat and its potential impact.&lt;/p&gt;

&lt;p&gt;Further, by linking cybersecurity operations directly to risk posture, exposure management offers a greater opportunity for aligning these operations with the overall business strategy. Under this approach, cybersecurity is no longer just a technical requirement but a strategic enabler that supports broader business objectives.&lt;/p&gt;


&lt;h2&gt;What&lt;/h2&gt;

&lt;h3&gt;What is exposure management?&lt;/h3&gt;

&lt;p&gt;Exposure management is a proactive cybersecurity practice that enables organisations to maintain their exposures at a level that aligns with their risk appetite. It is, in essence, an evolution of vulnerability management that addresses the shortcomings of traditional vulnerability management practices.&lt;/p&gt;

&lt;p&gt;Exposure management practices are commonly guided by continuous threat exposure management (CTEM) programmes.&lt;/p&gt;

&lt;p&gt;Refer to Ivanti’s &lt;a href="https://www.ivanti.com/glossary/exposure-management" rel="noopener" target="_blank"&gt;Exposure Management glossary page&lt;/a&gt; for a more thorough answer to this question.&lt;/p&gt;

&lt;h3&gt;What is continuous threat exposure management (CTEM)?&lt;/h3&gt;

&lt;p&gt;Continuous threat exposure management — or CTEM — is defined in the 2023 Gartner® &lt;a href="https://www.gartner.com/document/4016760" rel="noopener" target="_blank"&gt;Implement a Continuous Threat Exposure Management (CTEM) Program&lt;/a&gt; report as follows:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;“Continuous Threat Exposure Management (CTEM) programme is a set of processes and capabilities that allow enterprises to continually and consistently evaluate the accessibility, exposure and exploitability of an enterprise’s digital and physical assets.&lt;/p&gt;

&lt;p&gt;At any stage of maturity, a CTEM cycle must include five steps to be completed: scoping, discovery, prioritisation, validation and mobilisation.”&lt;sup&gt;1&lt;/sup&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;What are the components of exposure management?&lt;/h3&gt;

&lt;p&gt;In its current form, exposure management effectively combines capabilities from these existing categories:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://www.ivanti.com/glossary/attack-surface-management-asm" target="_blank" rel="noopener"&gt;Attack surface management&lt;/a&gt; (ASM), e.g., &lt;a href="https://www.ivanti.com/en-gb/products/external-attack-surface-management" target="_blank"&gt;external attack surface management&lt;/a&gt; (EASM) and cyber asset attack surface management (CAASM).&lt;/li&gt;
	&lt;li&gt;Risk-based vulnerability management (RBVM).&lt;/li&gt;
	&lt;li&gt;Validation, e.g., breach and attack simulation (BAS), continuous automated red teaming (CART) and penetration testing as a service (PTaaS).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Expect to see purpose-built exposure management products and platforms as the exposure management market matures.&lt;/p&gt;

&lt;h3&gt;What is risk appetite?&lt;/h3&gt;

&lt;p&gt;Risk appetite is the level of cyber risk an organisation is prepared to accept in pursuit of its business objectives, such as increased agility, innovation or performance. To determine its risk appetite, an organisation must weigh the cost of maintaining a certain security posture against the benefit of doing so. Setting risk appetite is a business decision, though one that must include input from Security.&lt;/p&gt;

&lt;p&gt;Refer to&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/risk-appetite" target="_blank" rel="noopener"&gt;Understanding Risk Appetite – a Critical Component of Exposure Management&lt;/a&gt;&amp;nbsp;for an in-depth description of risk appetite.&lt;/p&gt;

&lt;h2&gt;Where&lt;/h2&gt;

&lt;h3&gt;Where should exposure management be implemented?&lt;/h3&gt;

&lt;p&gt;Exposure management practices should be implemented at all organisations that rely on technology that’s accessible from the internet or other external pathways.&lt;/p&gt;

&lt;p&gt;Exposure management is especially important for organisations that are beholden to laws and/or other regulations regarding the safe handling of personal data. Examples include the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).&lt;/p&gt;

&lt;p&gt;Organisations likely to have lots of unknown devices connecting to the network and other unknown internet-facing assets in their environment are also optimal candidates for exposure management. Unknown assets often proliferate as a result of bring your own device (BYOD) policies and mergers and acquisitions.&lt;/p&gt;

&lt;h2&gt;When&lt;/h2&gt;

&lt;h3&gt;When should I implement exposure management?&lt;/h3&gt;

&lt;p&gt;According to a &lt;a href="https://www.gartner.com/en/newsroom/press-releases/2024-02-22-gartner-identifies-top-cybersecurity-trends-for-2024" rel="noopener" target="_blank"&gt;Gartner press release&lt;/a&gt;, “By 2026, Gartner predicts that organisations prioritising their security investments based on a CTEM programme will realise a two-thirds reduction in breaches.”&lt;sup&gt;2&lt;/sup&gt; We believe that’s a compelling reason to begin implementing exposure management as soon as possible. It’s also good news at a time when &lt;a href="https://www.ivanti.com/resources/research-reports/attack-surface-management" target="_blank" rel="noopener"&gt;organisations’ attack surfaces are rapidly expanding&lt;/a&gt;, putting them at higher risk of attack.&lt;/p&gt;

&lt;p&gt;More good news: any organisation practising vulnerability management has already laid the foundation upon which it can build an exposure management practice. Read on for actionable advice on how to do so.&lt;/p&gt;

&lt;h2&gt;Why&lt;/h2&gt;

&lt;h3&gt;Why implement exposure management?&lt;/h3&gt;

&lt;p&gt;Many organisations have an incomplete understanding of their cyber risk due to limited views of the assets and exposures in their environments. Lots of effort is exerted in attempts to lower risk by remediating exposures, but the ROI on that effort is often low due to shortcomings associated with traditional vulnerability management methods.&lt;/p&gt;

&lt;p&gt;Such organisations thus remain at elevated risk of experiencing cyber attacks that take advantage of un-remediated exposures and can negatively impact their operations, image and revenue. Exposure management solves this problem by empowering those organisations to maintain their exposures in alignment with their risk appetite.&lt;/p&gt;

&lt;p&gt;The following is an overview of the shortcomings of traditional vulnerability management that exposure management addresses:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Shortcoming #1: Organisations look only at a narrow sliver of their continuously expanding attack surfaces.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Many organisations only closely monitor and manage their traditional perimeter — endpoints and servers — from a cybersecurity standpoint.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why it’s a problem: Full attack surface visibility is needed to properly protect against all potential threats.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Modern attack surfaces have expanded beyond the traditional perimeter to include mobile devices, applications, websites, certificates/domains and more. Each of these components introduces added risk to an organisation that must be accounted for.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Shortcoming #2: The number of cybersecurity exposures organisations face continues to grow at an unmanageable rate.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;There are hundreds of thousands of existing Common Vulnerabilities and Exposures (CVEs) and dozens — sometimes hundreds — more are published to the National Vulnerability Database (NVD) every day. And while CVEs are often the only type of exposure organisations account for, they face many others, such as misconfiguration of assets and security controls.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why it’s a problem: Remediating all exposures is operationally infeasible, leaving organisations stuck in reactive mode.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Organisations are overwhelmed by the constant onslaught of exposures turning up in their environments. They can’t fix every exposure, as that would require critical systems to be offline far too often — not to mention that many exposures don’t have known fixes.&lt;/p&gt;

&lt;p&gt;This forces them into firefighting mode, always trying to unbury themselves from endless exposures or overcome ongoing security incidents instead of working proactively to improve their security posture.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Shortcoming #3: Remediation activities are prioritised based strictly on the severity of vulnerabilities.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The Common Vulnerability Scoring System (CVSS) v3.1 is among the most popular methods for prioritising vulnerabilities for remediation. CVSS assigns each vulnerability a score from zero to 10 based on its severity — zero being the least critical and 10 being the most.&lt;/p&gt;

&lt;p&gt;Unfortunately, those scores don't account for real-world threat context — meaning organisations employing CVSS are misguided if their intent in doing so is to reduce risk.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why it’s a problem: Remediation decisions are based on the makeup of vulnerabilities instead of a given organisation’s risk appetite and the potential impact a given vulnerability may pose to their business.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Organisations that use CVSS are basing decisions on vulnerabilities’ characteristics without accounting for their own. For starters, since CVSS scores don’t accurately reflect risk, organisations can’t use CVSS to determine if a given vulnerability exceeds their individual risk appetite.&lt;/p&gt;

&lt;p&gt;Further, CVSS doesn’t enable organisations to determine how a vulnerability might impact their business — certainly a crucial consideration when determining whether that vulnerability needs to be remediated.&lt;/p&gt;

&lt;h2&gt;How&lt;/h2&gt;

&lt;h3&gt;How do I implement exposure management?&lt;/h3&gt;

&lt;p&gt;This bears repeating one more time: exposure management is an evolution of vulnerability management. Most organisations thus already have the foundation for their exposure management practice in place.&lt;/p&gt;

&lt;p&gt;But how do you advance from vulnerability management to exposure management? Here are six best practices to guide the process:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best practice #1: Widen your attack surface aperture&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Evolving to exposure management requires widening your attack surface aperture to include non-patchable attack surfaces. While you’ll always need to account for traditional devices and applications, nowadays, you also need to account for all systems, applications and subscriptions, including those not owned by IT or even managed by the business.&lt;/p&gt;

&lt;p&gt;Examples include everything from third-party applications and services — such as SaaS, supply chain dependencies and online code repositories — to corporate social media accounts and leaked data. To gain this visibility, you’ll need to implement digital risk protection services (DRPS) and &lt;a href="https://www.ivanti.com/en-gb/products/external-attack-surface-management"&gt;external attack surface management (EASM)&lt;/a&gt; solutions in addition to any existing &lt;a href="https://www.techtarget.com/searchsecurity/definition/cybersecurity-asset-management-CSAM" rel="noopener" target="_blank"&gt;cybersecurity asset management (CSAM)&lt;/a&gt; tools.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best practice #2: Reframe remediation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If you expand your exposure management programme to include non-patchable attack surfaces, you’ll also need to expand it to include means for managing your exposure through ways other than patching.&lt;/p&gt;

&lt;p&gt;There are many routes to resolution for threat exposures, ranging from accepting and managing the risk by increasing monitoring, through to mitigation and resolutions that, in addition to patching, may mean implementing a policy change or redeveloping an application.&lt;/p&gt;

&lt;p&gt;Remember, there's often more than one fix to an issue, and your team will often need to collaborate closely with other teams to implement those fixes, including infrastructure and operations teams and enterprise architecture functions. In some cases, your team may need to acquire new skills and understanding to execute fixes that fall under Security’s umbrella.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best practice #3: Reprioritise&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;As mentioned under “Why implement exposure management?” above, using CVSS to prioritise exposures for remediation omits risk from the prioritisation process. That can be remedied through the use of &lt;a href="https://www.ivanti.com/en-gb/products/risk-based-vulnerability-management"&gt;risk-based vulnerability management (RBVM)&lt;/a&gt; solutions.&lt;/p&gt;

&lt;p&gt;&lt;img alt="infographic" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/1/ws-ls-blog-min.png"&gt;&lt;/p&gt;

&lt;p&gt;Here’s how such solutions improve exposure management, using the graphic above as a reference:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;There are 330,000+ known vulnerabilities.&lt;/li&gt;
	&lt;li&gt;Fortunately, you don’t need to remediate every vulnerability in your environment. The number that are tied to ransomware is low, and even fewer are trending/active exploits.&lt;/li&gt;
	&lt;li&gt;RBVM solutions provide risk-based scoring and views to help you focus remediation efforts on that small number of vulnerabilities that pose a significant risk.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Ultimately, a risk-based approach ensures you don’t waste time and effort mitigating or remediating any of the hundreds of thousands of exposures that pose no real danger to your organisation, and that the effort you do expend actually goes toward improving your security posture.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best practice #4: Build a bridge to the business side&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;With traditional vulnerability management, the “business side” typically only learns a patch is coming when they receive a notification telling them their PC needs to restart to finish installing updates — such is not the case with exposure management.&lt;/p&gt;

&lt;p&gt;For starters, their input is required to determine the business impact of exposures and your organisation’s risk appetite. You’ll need to continually work with the revenue-generating functions of the organisation to determine what systems and solutions have a high impact on their priorities so that exposures that threaten those systems and solutions can be prioritised accordingly.&lt;/p&gt;

&lt;p&gt;This is the type of work that earns Security a seat at the business table — work that shows Security exists to enable the business. Of course, teams on the business side may not be thrilled with the prospect of taking on extra work for something that has never been their responsibility, but there are ways to earn their buy-in:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;CISOs need to lead the outreach effort — their position within the organisation will make it easier for them to open the necessary doors.&lt;/li&gt;
	&lt;li&gt;Once you’re in the door, work with senior leadership to develop metrics that will enable them to make effective exposure management decisions without having to be security specialists.&lt;/li&gt;
	&lt;li&gt;Ensure you keep all the departments you interact with informed on the various options that exist for resolving issues that may impact them. You may need to put in extra time here to shed Security’s reputation for being overly restrictive.&lt;/li&gt;
	&lt;li&gt;Make it clear to them that the business will simply have to accept large amounts of unknown and unquantified risk if a poorly governed exposure management programme fails to accurately scope, discover, prioritise and validate issues, thereby leading to a lack of visibility into threat exposure.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Best practice #5: Validate, validate, validate&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Traditional vulnerability management is guided by prioritisation, while exposure management couples prioritisation with validation. Validation is necessary since prioritisation alone leaves a large volume of issues to resolve.&lt;/p&gt;

&lt;p&gt;In the context of exposure management, validation involves:&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;Assessing how potential attackers can exploit an identified exposure.&lt;/li&gt;
	&lt;li&gt;Estimating the highest potential impact of potential attack paths.&lt;/li&gt;
	&lt;li&gt;Identifying how monitoring and control systems might react in the event of an attack.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Validation can be conducted via a mixture of manual and technological methods, including:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Penetration testing conducted by automated tools, internal teams or contract pen testing as a service (PTaaS).&lt;/li&gt;
	&lt;li&gt;Red team exercises.&lt;/li&gt;
	&lt;li&gt;Breach and attack simulation (BAS).&lt;/li&gt;
	&lt;li&gt;Attack path analysis.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Best practice #6: Crawl, walk, run&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Last but not least, the final best practice for evolving to exposure management is: don’t attempt to do it overnight. Use your vulnerability management practice as your starting point and expand from there by adopting the other best practices covered here as your bandwidth and budget allow.&lt;/p&gt;


&lt;p&gt;GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.&lt;/p&gt;
</description><pubDate>Wed, 22 Jan 2025 17:10:20 Z</pubDate></item><item><guid isPermaLink="false">ab703481-4cb9-41b3-90b1-24a121f5ec6b</guid><link>https://www.ivanti.com/en-gb/blog/attack-surface-discovery</link><atom:author><atom:name>Robert Waters</atom:name><atom:uri>https://www.ivanti.com/en-gb/blog/authors/robert-waters</atom:uri></atom:author><category>Security</category><category>Service Management</category><title>How to Identify Your Organisation’s Attack Surface</title><description>&lt;p&gt;Our &lt;a href="https://www.ivanti.com/glossary/attack-surface"&gt;glossary page on attack surfaces&lt;/a&gt; defined the terms associated with the concept. This post provides information that'll help your organization identify its attack surface.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Much like your lawn after a good rain, your attack surface will grow rapidly if left unchecked. Along with increases in attack surface size comes an increase in cybersecurity risk. That risk can’t be eliminated as attack surfaces are always evolving, but it must be carefully managed.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;How do I identify my organisation’s attack surface?&lt;/h2&gt;

&lt;p&gt;Managing that risk begins with identifying your organization’s attack surface. More specifically, you must identify what lurks below the surface — the endpoints, vulnerabilities and other attack vectors that expose your environment.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;To quote &lt;a href="https://learn.cisecurity.org/cis-controls-download" rel="noopener" target="_blank"&gt;CIS Critical Security Controls (CIS Controls) v8&lt;/a&gt;: “Enterprises cannot defend what they do not know they have.” But how does one figure out what they have? If you or anyone from your team has ever wondered the same, you’ve come to the right place.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;By the end of this post, you’ll discover the answers to these questions and better understand how to identify your organization’s attack surface using modern best practices:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="#one"&gt;How do I identify my organization’s digital attack surface?&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#two"&gt;What is attack surface management (ASM)?&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#three"&gt;What is cyber asset attack surface management (CAASM)?&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#four"&gt;What is external attack surface management (EASM)?&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#five"&gt;What are digital risk protection services (DRPS)?&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#six"&gt;What’s the difference between CAASM, EASM and DRPS?&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#seven"&gt;Are there any options beyond ASM offerings for identifying digital attack surfaces?&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#eight"&gt;How do I identify my organization’s physical attack surface?&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#nine"&gt;How do I identify my organization’s human attack surface?&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id="one"&gt;How do I identify my organisation’s digital attack surface?&lt;/h2&gt;

&lt;p&gt;Identifying your &lt;a href="https://www.ivanti.com/glossary/attack-surface" target="_blank"&gt;digital attack surface&lt;/a&gt; can be difficult with traditional tools and practices, especially as that surface seems to expand exponentially every year. Fortunately, technology and service providers are mobilizing to meet this moment with attack surface management (ASM) offerings.&amp;nbsp;&lt;/p&gt;

&lt;h2 id="two"&gt;Attack surface management (ASM)&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Gaining visibility into the IT assets deployed across your organization — plus their exposure and associated risk — is essential to achieving a strong cybersecurity posture. Leading security frameworks corroborate this stance. For instance, the first &lt;a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf" rel="noopener" target="_blank"&gt;Function of the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) Version 1.1&lt;/a&gt; is Identify, and NIST states, “The activities in the Identify Function are foundational for effective use of the Framework.” Similarly, &lt;a href="https://learn.cisecurity.org/cis-controls-download" rel="noopener" target="_blank"&gt;CIS Controls v8&lt;/a&gt; contains the following Controls:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Control 1: Inventory and Control of Enterprise Assets&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Control 2: Inventory and Control of Software Assets&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Control 7: Continuous Vulnerability Management&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Such visibility is also the key to defining your digital attack surface. Unfortunately, organizations have long struggled to attain high levels of visibility.&lt;/p&gt;

&lt;p&gt;Research from Randori and Enterprise Strategy Group (ESG) reveals that, on average, organizations have &lt;a href="https://www.randori.com/reports/the-state-of-attack-surface-management-2022/" rel="noopener" target="_blank"&gt;30% more exposed assets&lt;/a&gt; than traditional asset management programs indicate. That figure stands to grow if companies fail to act as Gartner predicts &lt;a href="https://www.gartner.com/en/newsroom/press-releases/2023-03-28-gartner-unveils-top-8-cybersecurity-predictions-for-2023-2024" rel="noopener" target="_blank"&gt;75% of employees&lt;/a&gt; will acquire, modify or create technology outside IT’s visibility by 2027.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Companies need to close the gap between the number of assets exposed to attackers and the number they know about. They must eliminate those blind spots and unmanaged technology from their environments. ASM does just that. According to Gartner, &lt;a href="https://www.gartner.com/document/4012816" rel="noopener" target="_blank"&gt;ASM aims to answer the question&lt;/a&gt;: “What does my organization look like from an attacker’s point of view, and how should it find and prioritize the issues attackers will see first?”&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;What is attack surface management (ASM)?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;By taking an attacker’s perspective, ASM enables security teams to gain visibility into assets over which IT lacks governance and control, such as shadow IT, third-party systems and line-of-business applications.&lt;/p&gt;

&lt;p&gt;It works by combining people, processes, technologies and services to continuously discover, inventory and manage an organization’s internal and external assets. By doing so, ASM ensures any newly identified exposures are addressed before they can be exploited by malicious actors.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;ASM comprises three areas: cyber asset attack surface management (CAASM), external attack surface management (EASM) and digital risk protection services (DRPS). Each area focuses on a specific use case: CAASM for assets and vulnerabilities, EASM for external assets and DRPS for digital assets.&lt;/p&gt;

&lt;p&gt;When combined, their capabilities can greatly help the 47% of security professionals surveyed for Ivanti’s &lt;a href="https://www.ivanti.com/en-gb/resources/v/doc/ivi/2747/a856c631661d"&gt; Government Cybersecurity Status Report &lt;/a&gt; that lack visibility into all the users, devices, applications and services residing on their networks.&amp;nbsp;&lt;/p&gt;

&lt;h2 id="three"&gt;What is cyber asset attack surface management (CAASM)?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;CAASM provides a complete, current and consolidated view of an organization’s internal and external assets, such as endpoints, servers, devices and applications. CAASM products enable this visibility by collecting data from existing internal sources such as asset discovery, IT asset management, endpoint security, vulnerability management and patch management tools as well as ticketing systems via API integrations.&lt;/p&gt;

&lt;p&gt;Collected data is automatically aggregated, normalized and deduplicated, then presented in a single user interface, eliminating the need for IT and security teams to manually gather and reconcile asset data. CAASM products also let those teams query against collected data, identify security vulnerabilities, spot gaps in security controls and remediate issues.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Gartner states &lt;a href="https://www.gartner.com/account/signin?method=initialize&amp;amp;TARGET=http%3A%2F%2Fwww.gartner.com%2Fdocument%2F4012816" rel="noopener" target="_blank"&gt;less than 1% of companies&lt;/a&gt; had CAASM functionality implemented in 2022 but anticipates 20% will by 2026. Adoption is thought to be slow as CAASM relies on existing technologies but doesn't replace any of them. It can also likely be attributed to the fact that there are currently &lt;a href="https://www.gartner.com/reviews/market/cyber-asset-attack-surface-management" rel="noopener" target="_blank"&gt;limited vendors in the CAASM space&lt;/a&gt;.&lt;/p&gt;

&lt;h2 id="four"&gt;What is external attack surface management (EASM)?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;As its full name implies, EASM focuses on an organization’s external attack surface by employing processes, technology and managed services to discover internet-facing assets and systems plus related vulnerabilities.&lt;/p&gt;

&lt;p&gt;Examples of &lt;a href="https://www.gartner.com/account/signin?method=initialize&amp;amp;TARGET=http%3A%2F%2Fwww.gartner.com%2Fdocument%2F4021245" rel="noopener" target="_blank"&gt;external assets and systems EASM&lt;/a&gt; discovers include web applications, IP addresses (IPs), domain names, Secure Sockets Layer (SSL) certificates and cloud services. Additionally, examples of &lt;a href="https://www.gartner.com/reviews/market/external-attack-surface-management" rel="noopener" target="_blank"&gt;vulnerabilities discovered by EASM&lt;/a&gt; include — but aren't limited to — exposed servers, credentials, public cloud service misconfigurations, deep web and dark web disclosures&amp;nbsp;and vulnerabilities in third-party partner software code.&lt;/p&gt;

&lt;p&gt;In addition to asset discovery, EASM products commonly offer &lt;a href="https://www.gartner.com/account/signin?method=initialize&amp;amp;TARGET=http%3A%2F%2Fwww.gartner.com%2Fdocument%2F4007309" rel="noopener" target="_blank"&gt;other capabilities&lt;/a&gt;, including:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Active external scanning of cloud, IT, IoT and OT environments.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Analysis of assets to determine if they are risky, vulnerable or behaving in an anomalous manner.&lt;/li&gt;
	&lt;li&gt;Prioritization of assets based on business impact, likelihood of exploitation by a malicious actor and other factors.&lt;/li&gt;
	&lt;li&gt;Remediation workflow and third-party integrations with ticketing systems, security orchestration, automation and response (SOAR) solutions&amp;nbsp;and other tools.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The &lt;a href="https://www.gartner.com/account/signin?method=initialize&amp;amp;TARGET=http%3A%2F%2Fwww.gartner.com%2Fdocument%2F4007309" rel="noopener" target="_blank"&gt;main benefits of EASM&lt;/a&gt; are its ability to provide visibility of unknown digital assets and an outside-in view of an organization’s external attack surface. These benefits have helped 31% of companies with an EASM solution to find unknowingly exposed sensitive data, 30% to discover unknown or third-party hosted web assets, and 29% to discover unknown misconfigurations and vulnerable systems.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;EASM’s benefits have also driven &lt;a href="https://www.randori.com/reports/the-state-of-attack-surface-management-2022/" rel="noopener" target="_blank"&gt;34% of organizations&lt;/a&gt; to deploy a dedicated EASM offering. Like CAASM products, EASM products don't replace any existing technologies — meaning they require net-new spending — and there &lt;a href="https://www.gartner.com/reviews/market/external-attack-surface-management" rel="noopener" target="_blank"&gt;aren't currently very many of them on the market&lt;/a&gt;. However, unlike CAASM, EASM products aren't dependent on any existing technologies to operate, making them easier to adopt.&amp;nbsp;&lt;/p&gt;

&lt;h2 id="five"&gt;What are digital risk protection services (DRPS)?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;DRPS blends technology and services to protect digital assets and data from external threats. It does so by &lt;a href="https://www.gartner.com/document/code/729072" rel="noopener" target="_blank"&gt;extending detection and monitoring&lt;/a&gt; outside the enterprise perimeter — to the open web, deep web, dark web, social media and app marketplaces — to search for threats to enterprise digital resources, including IP addresses, domains and brand-related assets.&lt;/p&gt;

&lt;p&gt;As organizations engage in more and more online activities, it's critical for security teams to adopt DRPS capabilities and look beyond threats within the enterprise network.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.gartner.com/document/4007309" rel="noopener" target="_blank"&gt;According to Gartner&lt;/a&gt;, DRPS products don't simply identify threats, but provide actionable intelligence on threat actors as well as the tools, tactics and processes they exploit to carry out malicious activities. Additionally, DRPS also enables security teams to mitigate active threats using a combination of people, process and technology, and to carry out activities required to foil future threats and protect digital assets.&lt;/p&gt;

&lt;p&gt;In its &lt;a href="https://info.jupiterone.com/resources/gartner-hype-cycle-security-operations" rel="noopener" target="_blank"&gt;2022 Hype Cycle for Security Operations&lt;/a&gt;, Gartner indicated DRPS is two to five years away from reaching the last key phase of a technology’s life cycle. That phase — deemed the Plateau of Productivity — is &lt;a href="https://www.gartner.com/en/research/methodologies/gartner-hype-cycle" rel="noopener" target="_blank"&gt;defined as follows&lt;/a&gt;:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Mainstream adoption starts to take off. Criteria for assessing provider viability are more clearly defined. The technology's broad market applicability and relevance are clearly paying off.&amp;nbsp;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Delayed adoption of DRPS plus other ASM solutions like CAASM and EASM can likely be attributed to market confusion on the distinction between such solutions. We'll erase some of that confusion in the next section.&amp;nbsp;&lt;/p&gt;

&lt;h2 id="six"&gt;What’s the difference between CAASM, EASM and DRPS?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;CAASM, EASM and DRPS are all components of ASM. Additionally, they all focus on security asset management and issue prioritization. These similarities have caused confusion in the market between these different solutions.&lt;/p&gt;

&lt;p&gt;The following table highlights the differences between CAASM, EASM and DRPS to help you distinguish between the different solutions:&amp;nbsp;&lt;/p&gt;


&lt;table border="1" cellpadding="1" cellspacing="1"&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Feature / Capability&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;&lt;strong&gt;CAASM&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;&lt;strong&gt;EASM&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;&lt;strong&gt;DRPS&lt;/strong&gt;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Focus area&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Assets and vulnerabilities&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;External assets&lt;/td&gt;
			&lt;td&gt;Digital risk&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;
			&lt;p&gt;&lt;strong&gt;Applicable assets&lt;/strong&gt;&lt;/p&gt;
			&lt;/td&gt;
			&lt;td&gt;
			&lt;ul&gt;
				&lt;li&gt;Endpoints&lt;/li&gt;
				&lt;li&gt;Servers&lt;/li&gt;
				&lt;li&gt;Devices&lt;/li&gt;
				&lt;li&gt;Applications&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
			&lt;td&gt;
			&lt;ul&gt;
				&lt;li&gt;Web applications&lt;/li&gt;
				&lt;li&gt;IPs&lt;/li&gt;
				&lt;li&gt;Domain names&lt;/li&gt;
				&lt;li&gt;SSL certificates&lt;/li&gt;
				&lt;li&gt;Cloud services&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
			&lt;td&gt;
			&lt;ul&gt;
				&lt;li&gt;IP addresses&lt;/li&gt;
				&lt;li&gt;Domains&lt;/li&gt;
				&lt;li&gt;Brand-related assets&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Composition&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;
			&lt;ul&gt;
				&lt;li&gt;Technology&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
			&lt;td&gt;
			&lt;ul&gt;
				&lt;li&gt;Technology&lt;/li&gt;
				&lt;li&gt;Services&lt;/li&gt;
				&lt;li&gt;Processes&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
			&lt;td&gt;
			&lt;ul&gt;
				&lt;li&gt;Technology&lt;/li&gt;
				&lt;li&gt;Services&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Capabilities&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;
			&lt;ul&gt;
				&lt;li&gt;Collect, aggregate, normalize, deduplicate and present data&lt;/li&gt;
				&lt;li&gt;Query against collected data&lt;/li&gt;
				&lt;li&gt;Identify security vulnerabilities&lt;/li&gt;
				&lt;li&gt;Spot gaps in security controls&lt;/li&gt;
				&lt;li&gt;Remediate issues&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
			&lt;td&gt;
			&lt;ul&gt;
				&lt;li&gt;Discover assets&lt;/li&gt;
				&lt;li&gt;Employ active external scanning&amp;nbsp;of cloud, IT, IoT and OT environments&lt;/li&gt;
				&lt;li&gt;Analyze assets&lt;/li&gt;
				&lt;li&gt;Prioritize assets&lt;/li&gt;
				&lt;li&gt;Leverage remediation workflow&lt;/li&gt;
				&lt;li&gt;Integrate with third-party ticketing systems, SOAR solutions and other tools&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
			&lt;td&gt;
			&lt;ul&gt;
				&lt;li&gt;Detect and monitor for threats outside the enterprise perimeter&lt;/li&gt;
				&lt;li&gt;Gain actionable intelligence on threat actors&lt;/li&gt;
				&lt;li&gt;Mitigate active threats&amp;nbsp;&lt;/li&gt;
				&lt;li&gt;Carry out activities required to foil future threats and protect digital assets&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Data sources&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;
			&lt;p&gt;Passive data collection via API integrations with existing internal tools:&lt;/p&gt;

			&lt;ul&gt;
				&lt;li&gt;Asset discovery&lt;/li&gt;
				&lt;li&gt;ITAM&lt;/li&gt;
				&lt;li&gt;Endpoint security&lt;/li&gt;
				&lt;li&gt;Vulnerability management&lt;/li&gt;
				&lt;li&gt;Patch management&lt;/li&gt;
				&lt;li&gt;Ticketing systems&lt;/li&gt;
			&lt;/ul&gt;

			&lt;p&gt;CAASM tools commonly also collect data from DRPS and EASM tools.&lt;/p&gt;
			&lt;/td&gt;
			&lt;td&gt;
			&lt;ul&gt;
				&lt;li&gt;Active Internet-wide scans performed by EASM&lt;/li&gt;
				&lt;li&gt;Passive DNS&lt;/li&gt;
				&lt;li&gt;WHOIS&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
			&lt;td&gt;
			&lt;p&gt;Monitoring of:&lt;/p&gt;

			&lt;ul&gt;
				&lt;li&gt;Open web&lt;/li&gt;
				&lt;li&gt;Deep web&lt;/li&gt;
				&lt;li&gt;Dark web&lt;/li&gt;
				&lt;li&gt;Social media&lt;/li&gt;
				&lt;li&gt;App marketplaces&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;
			&lt;p&gt;&lt;strong&gt;Sample vendors&lt;/strong&gt;&lt;/p&gt;
			&lt;/td&gt;
			&lt;td&gt;
			&lt;ul&gt;
				&lt;li&gt;Axonius&lt;/li&gt;
				&lt;li&gt;Balbix&lt;/li&gt;
				&lt;li&gt;JupiterOne&lt;/li&gt;
				&lt;li&gt;Lansweeper&lt;/li&gt;
				&lt;li&gt;Lucidum&lt;/li&gt;
				&lt;li&gt;Noetic Cyber&lt;/li&gt;
				&lt;li&gt;OctoXLabs&lt;/li&gt;
				&lt;li&gt;Panaseer&lt;/li&gt;
				&lt;li&gt;Qualys&lt;/li&gt;
				&lt;li&gt;Resmo&lt;/li&gt;
				&lt;li&gt;runZero&lt;/li&gt;
				&lt;li&gt;Scrut Automation&lt;/li&gt;
				&lt;li&gt;Sevco&lt;/li&gt;
				&lt;li&gt;ThreatAware&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
			&lt;td&gt;
			&lt;ul&gt;
				&lt;li&gt;C2SEC&lt;/li&gt;
				&lt;li&gt;Censys&lt;/li&gt;
				&lt;li&gt;Cyberpion&lt;/li&gt;
				&lt;li&gt;CyCognito&lt;/li&gt;
				&lt;li&gt;FireCompass&lt;/li&gt;
				&lt;li&gt;Palo Alto Networks (Cortex Xpanse)&lt;/li&gt;
				&lt;li&gt;Pentera&lt;/li&gt;
				&lt;li&gt;Randori&lt;/li&gt;
				&lt;li&gt;Reposify&lt;/li&gt;
				&lt;li&gt;RiskIQ (a Microsoft company)&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
			&lt;td&gt;
			&lt;ul&gt;
				&lt;li&gt;BlueVoyant&lt;/li&gt;
				&lt;li&gt;CloudSEK&lt;/li&gt;
				&lt;li&gt;Digital Shadows&lt;/li&gt;
				&lt;li&gt;Group-IB&lt;/li&gt;
				&lt;li&gt;GroupSense&lt;/li&gt;
				&lt;li&gt;HelpSystems (PhishLabs)&lt;/li&gt;
				&lt;li&gt;IntSights (a Rapid7 company)&lt;/li&gt;
				&lt;li&gt;SafeGuard Cyber&lt;/li&gt;
				&lt;li&gt;ZeroFox&lt;/li&gt;
			&lt;/ul&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;


&lt;p&gt;In the future, the distinctions between these solutions may not matter much.&amp;nbsp;Gartner predicts&amp;nbsp;70% of all CAASM, EASM and DRPS functionality will be part of broader, preexisting security platforms by 2026 and not provided by standalone vendors as it is today.&lt;/p&gt;

&lt;h3&gt;Are there any options beyond ASM offerings for identifying digital attack surfaces?&lt;/h3&gt;

&lt;p&gt;Organizations have needed to identify and manage their digital attack surfaces since before ASM solutions were available.&amp;nbsp;Instead of&amp;nbsp;ASM solutions, many organizations have leveraged&amp;nbsp;—&amp;nbsp;and continue to leverage&amp;nbsp;—&amp;nbsp;other approaches to do so:&lt;/p&gt;

&lt;table border="1" cellpadding="1" cellspacing="1"&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Approach used in place of ASM solution&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;&lt;strong&gt;Description&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;&lt;strong&gt;Pro&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;&lt;strong&gt;Con&lt;/strong&gt;&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Asset discovery tools&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Find and inventory hardware and software assets connecting to your network.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;Already deployed at most organizations.&amp;nbsp;Better than spreadsheets.&lt;/td&gt;
			&lt;td&gt;
			&lt;p&gt;Often has blind spots such as shadow IT, third-party systems and line-of-business applications.&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;&lt;a href="https://www.gartner.com/reviews/market/breach-and-attack-simulation-bas-tools" rel="noopener" target="_blank"&gt;Breach and attack simulation (BAS)&lt;/a&gt;&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Automatically test threat vectors to gain a deeper understanding of security posture vulnerabilities and validate security controls.&lt;/td&gt;
			&lt;td&gt;Generates reports on security gaps and prioritizes remediation based on risk.&lt;/td&gt;
			&lt;td&gt;&lt;a href="https://www.gartner.com/document/4018063?ref=solrAll&amp;amp;refval=364074293" rel="noopener" target="_blank"&gt;Only focuses&lt;/a&gt;&amp;nbsp;on known attacks.&amp;nbsp;Doesn't&amp;nbsp;provide remediation.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;&lt;a href="https://cloudsecurityalliance.org/blog/2022/03/23/the-debate-should-you-build-or-buy-caasm/" rel="noopener" target="_blank"&gt;Cloud security posture management (CSPM)&lt;/a&gt;&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;
			&lt;p&gt;Understand changes in cloud configurations.&lt;/p&gt;
			&lt;/td&gt;
			&lt;td&gt;Ability to understand cloud configuration changes.&lt;/td&gt;
			&lt;td&gt;
			&lt;p&gt;Doesn't&amp;nbsp;reveal when configurations drift out of compliance, or the potential impact of emerging threats.&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Configuration management database (CMDB)&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Track changes made to systems.&lt;/td&gt;
			&lt;td&gt;Already deployed at most organizations. Know when configuration changes are made.&lt;/td&gt;
			&lt;td&gt;Doesn't&amp;nbsp;reveal when configurations drift out of compliance, or the potential impact of emerging threats.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Homegrown approach&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Combine spreadsheets, scripts and manual processes to manage attack surface.&lt;/td&gt;
			&lt;td&gt;Inexpensive or free from a pure cost perspective (overlooking analyst hours).&lt;/td&gt;
			&lt;td&gt;
			&lt;p&gt;Time-consuming and error-prone. Not scalable or real-time.&lt;/p&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;IT asset management (ITAM)&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Track and monitor assets through their full lifecycle.&lt;/td&gt;
			&lt;td&gt;Already deployed at most organizations. Better than spreadsheets.&lt;/td&gt;
			&lt;td&gt;&lt;a href="https://www.randori.com/reports/the-state-of-attack-surface-management-2022/" rel="noopener" target="_blank"&gt;Only covers&lt;/a&gt;&amp;nbsp;known and managed assets while overlooking unknown or unmanaged facets of attack surface.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Penetration testing (e.g., automated penetration testing tools and penetration testing as a service)&amp;nbsp;&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Identify vulnerabilities within your network and applications by simulating a cyberattack.&lt;/td&gt;
			&lt;td&gt;&lt;a href="https://www.synopsys.com/glossary/what-is-penetration-testing.html#A" rel="noopener" target="_blank"&gt;Provides examples&lt;/a&gt;&amp;nbsp;of security posture and associated budget priorities.&lt;/td&gt;
			&lt;td&gt;&lt;a href="https://www.varonis.com/blog/cyber-kill-chain" rel="noopener" target="_blank"&gt;Only focuses&lt;/a&gt;&amp;nbsp;on the first phase of the cyber kill chain: reconnaissance. Also, results are typically point-in-time and only as good as the penetration testers carrying out the simulation.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;&lt;a href="https://www.varonis.com/blog/red-teaming" rel="noopener" target="_blank"&gt;Red teaming&lt;/a&gt;&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;
			&lt;p&gt;Provides a comprehensive picture of an organization’s cybersecurity posture by staging a cyberattack simulation against networks, applications, physical safeguards and employees.&lt;/p&gt;
			&lt;/td&gt;
			&lt;td&gt;Goes beyond penetration testing by focusing on other phases of the cyber kill chain. Also goes beyond digital attack surface and touches on physical and human attack surfaces.&lt;/td&gt;
			&lt;td&gt;Results are typically point-in-time and only as good as the penetration testers carrying out the simulation.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Threat intelligence&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Access information on threats and other cybersecurity issues.&lt;/td&gt;
			&lt;td&gt;Arms security experts with intelligence on threats and vulnerabilities.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;&lt;a href="https://www.gartner.com/document/4007309" rel="noopener" target="_blank"&gt;Geared toward organizations&lt;/a&gt;&amp;nbsp;with highly mature security operations consisting of skilled personnel and extensive resources.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;td&gt;&lt;strong&gt;Vulnerability management tools (e.g., scanners)&lt;/strong&gt;&lt;/td&gt;
			&lt;td&gt;Identify and manage vulnerabilities within your infrastructure and applications.&lt;/td&gt;
			&lt;td&gt;Already deployed at most organizations.&amp;nbsp;&lt;/td&gt;
			&lt;td&gt;No visibility into unknown assets. Overwhelming amounts of data.&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;


&lt;p&gt;While these technologies, services and other approaches&amp;nbsp;don't&amp;nbsp;offer all the capabilities and benefits that purpose-built CAASM, EASM and DRPS solutions deliver, most still have their place in an organization’s IT and security practices. In fact, CAASM tools&amp;nbsp;can't&amp;nbsp;function without data from asset discovery, ITAM, vulnerability management and/or patch management tools.&lt;/p&gt;

&lt;p&gt;Similarly,&amp;nbsp;according to Gartner, &lt;a href="https://www.gartner.com/document/4021245" rel="noopener" target="_blank"&gt;EASM complements&lt;/a&gt;&amp;nbsp;a few of&amp;nbsp;the technologies and services listed above. These include threat intelligence and various types of security testing, including breach and attack simulation, penetration testing as a service&amp;nbsp;and automated penetration testing and red teaming tools.&lt;/p&gt;

&lt;h2 id="seven"&gt;How do I identify my organization’s physical attack surface?&lt;/h2&gt;

&lt;p&gt;The first major component of an organization’s physical attack surface is what may be referred to as its&amp;nbsp;&lt;a href="https://www.ivanti.com/glossary/attack-surface"&gt;endpoint attack surface&lt;/a&gt;&amp;nbsp;as it’s composed primarily of all the endpoints that connect to the organization’s network: desktop computers, laptops, mobile devices and IoT devices.&lt;/p&gt;

&lt;p&gt;Fortunately, this component of the physical attack surface can be identified via any CAASM tool used to identify the same elements of the digital attack surface, eliminating the need to purchase another new technology. Asset discovery and ITAM tools are other, if less capable, options.&lt;/p&gt;

&lt;p&gt;The second major component of an&amp;nbsp;organization's&amp;nbsp;physical attack surface is its offices,&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/cloud-security-indiana-bob-s-server-closet-versus-data-centers-security-insights-podcast-episode-28"&gt;data centers&lt;/a&gt;&amp;nbsp;and other facilities. Again, fortunately, techniques already used in the identification of the digital attack surface overlap with those that can be used to identify the physical attack surface. In this case,&amp;nbsp;that'd&amp;nbsp;be the&amp;nbsp;&lt;a href="https://www.cisco.com/c/en/us/products/security/what-is-pen-testing.html#~types-of-pen-testing" rel="noopener" target="_blank"&gt;physical penetration testing&lt;/a&gt; component of red teaming.&amp;nbsp;&lt;/p&gt;

&lt;h2 id="eight"&gt;How do I identify my organization’s human attack surface?&lt;/h2&gt;

&lt;p&gt;Identifying your human attack surface begins by looking at your organizational chart. Anyone associated with your organization who possesses the ability to access your organization’s sensitive information&amp;nbsp;—&amp;nbsp;or to prevent others from accessing that information&amp;nbsp;—&amp;nbsp;can contribute to your human attack surface.&lt;/p&gt;

&lt;p&gt;That includes not just full-time employees but part-time employees, board members, contractors, partners, vendors, suppliers, temps and others as well.&lt;/p&gt;

&lt;p&gt;On top of that, it includes both the people currently in those roles and anyone&amp;nbsp;who has held&amp;nbsp;those roles in the past. &lt;a href="/en-gb/resources/v/doc/ivi/2732/7b4205775465"&gt;Press Reset: A 2023 Cybersecurity Status Report&lt;/a&gt;&amp;nbsp;shows nearly half of security professionals believe or know the login credentials for some former employees and contractors are still active, allowing those individuals access to company systems and data.&lt;/p&gt;

&lt;p&gt;The tricky part is that it’s not humans themselves but their actions&amp;nbsp;—&amp;nbsp;or inactions&amp;nbsp;—&amp;nbsp;that make up a human attack surface. Those actions and inactions are hard to spot as they often happen in the moment and out of sight of others, especially with more and more people working remotely.&lt;/p&gt;

&lt;p&gt;Red teaming, a practice used to identify elements of both the digital and physical attack surfaces, can also be used to identify a major component of the human attack surface: employee susceptibility to&amp;nbsp;&lt;a href="https://www.varonis.com/blog/red-teaming" rel="noopener" target="_blank"&gt;social engineering&lt;/a&gt;. Red teamers accomplish this by attempting to manipulate employees into offering up sensitive information such as access credentials via&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/9-types-of-phishing-and-ransomware-attacks-and-how-to-identify-them"&gt;phishing, smishing, vishing&lt;/a&gt;&amp;nbsp;and other tactics.&lt;/p&gt;

&lt;p&gt;Improper assignment of user privileges is another major contributor to human attack surfaces. Reviewing the systems and data that the people who contribute to your human attack surface&amp;nbsp;&lt;a href="https://elevatesecurity.com/blog-what-is-human-attack-surface-management/" rel="noopener" target="_blank"&gt;have access to&lt;/a&gt;, plus the levels of access they possess, is another way to identify parts of that surface.&lt;/p&gt;

&lt;p&gt;Identifying most other elements of human attack surfaces requires employees to be vigilant for issues and to hold others accountable. For example, say one employee sees that another has written their password on a post-it note and stuck it to their&amp;nbsp;monitor&amp;nbsp;or that an HVAC vendor propped the back door to an office building open.&lt;/p&gt;

&lt;p&gt;That employee should politely inform the other person that they are in violation of security best practices&amp;nbsp;—&amp;nbsp;and likely company policy as well&amp;nbsp;—&amp;nbsp;and ask them to correct their actions. When necessary, they should also involve the organization’s security team.&lt;/p&gt;

&lt;h2 id="nine"&gt;You’ve identified your organization’s attack surface … now what?&lt;/h2&gt;

&lt;p&gt;With the information in this post, you should be well on your way to identifying your organization’s digital, physical and human attack surfaces. Once you achieve that visibility, it’s time to take the next step: minimizing your attack surface.&lt;/p&gt;

&lt;p&gt;Read&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/the-8-best-practices-for-reducing-your-organization-s-attack-surface"&gt;The 8 Best Practices for Reducing Your Organization’s Attack Surface&lt;/a&gt; to uncover the technologies and tactics your organization can employ to shrink its attack surface.&lt;/p&gt;</description><pubDate>Thu, 05 Oct 2023 14:59:23 Z</pubDate></item></channel></rss>