Attack surface management (ASM) takes an attacker’s perspective and helps security teams gain visibility into assets over which IT lacks governance and control, such as shadow IT, third-party systems and line-of-business applications.
IT Jargon Explained
What Is Attack Surface Management?
ASM combines people, processes, technologies and services to continuously discover, inventory and manage an organization’s internal and external assets. The ultimate goal is to make sure that any identified exposures are addressed before they can be exploited by malicious actors.
There are three areas of ASM: cyber asset attack surface management (CAASM), external attack surface management (EASM) and digital risk protection services (DRPS). Each area focuses on a specific use case: CAASM for assets and vulnerabilities, EASM for external assets and DRPS for digital assets.
Related: Ivanti’s State of Cybersecurity Research Report Series: Attack Surface Management
What is cyber asset attack surface management (CAASM)?
CAASM provides a complete, current and consolidated view of an organization’s internal and external assets, such as endpoints, services, devices and applications.
CAASM products do this by collecting data from existing internal sources, such as asset discovery, IT asset management, endpoint security, vulnerability management and patch management tools, as well as ticketing systems via API integrations.
The product then automatically aggregates, normalizes and deduplicates the collected data and presents it in a single user interface, eliminating the need for IT and security teams to manually gather and reconcile asset data. CAASM products also let teams query the collected data, identify security vulnerabilities, spot gaps in security controls and remediate issues.
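To make the aggregate, normalize, deduplicate and query cycle concrete, here is an added example in Python; it is not code from the original article or from any CAASM vendor. The three tool exports (a CMDB, an endpoint security agent console and a vulnerability scanner) are constructed sample data with hypothetical field names, chosen to show the kind of inconsistencies a merge has to reconcile: mixed casing, FQDN versus short hostnames and differently formatted MAC addresses. The control-gap queries at the end are the sort a CAASM console would expose (assets with no endpoint agent, assets unknown to the CMDB, and unmanaged assets that already carry critical findings).

```python
"""Toy CAASM-style aggregation: normalize, deduplicate and query asset records
pulled from several internal tools. All records below are constructed sample
data, and the tool names and field names are hypothetical."""
from collections import defaultdict

# Constructed export from a hypothetical CMDB / IT asset management tool.
CMDB_EXPORT = [
    {"hostname": "WEB-01.corp.example", "ip": "10.0.1.10", "owner": "web-team"},
    {"hostname": "db-01", "ip": "10.0.2.20", "owner": "data-team"},
]
# Constructed export from a hypothetical endpoint security (EDR) console.
EDR_EXPORT = [
    {"host": "web-01", "mac": "AA:BB:CC:DD:EE:01", "agent_version": "7.2"},
    {"host": "laptop-77", "mac": "aa-bb-cc-dd-ee-77", "agent_version": "7.1"},
]
# Constructed export from a hypothetical vulnerability scanner.
VULN_SCAN_EXPORT = [
    {"target": "10.0.1.10", "hostname": "web-01.corp.example", "cve_count_critical": 2},
    {"target": "10.0.2.20", "hostname": "DB-01", "cve_count_critical": 0},
    {"target": "10.0.3.30", "hostname": "shadow-api", "cve_count_critical": 1},
]


def norm_host(name):
    """Lower-case and drop the domain suffix so 'WEB-01.corp.example' and 'web-01' merge."""
    return name.strip().lower().split(".")[0]


def norm_mac(mac):
    """Canonical lower-case, colon-separated MAC so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def aggregate(cmdb, edr, vulns):
    """Merge per-tool records into one asset per normalized hostname.

    Each merged asset records which sources observed it; that provenance is
    exactly what a control-gap query needs."""
    assets = defaultdict(lambda: {
        "sources": set(), "ips": set(), "macs": set(),
        "owner": None, "critical_vulns": 0,
    })
    for r in cmdb:
        a = assets[norm_host(r["hostname"])]
        a["sources"].add("cmdb")
        a["ips"].add(r["ip"])
        a["owner"] = r["owner"]
    for r in edr:
        a = assets[norm_host(r["host"])]
        a["sources"].add("edr")
        a["macs"].add(norm_mac(r["mac"]))
    for r in vulns:
        a = assets[norm_host(r["hostname"])]
        a["sources"].add("vuln_scan")
        a["ips"].add(r["target"])
        a["critical_vulns"] += r["cve_count_critical"]
    return dict(assets)


def query_gaps(assets):
    """Control-gap queries over the merged inventory (sorted for stable output)."""
    return {
        # Seen by some tool, but no endpoint agent reported on it.
        "no_edr_agent": sorted(h for h, a in assets.items() if "edr" not in a["sources"]),
        # Seen by a tool, but absent from the system of record (shadow IT signal).
        "unknown_to_cmdb": sorted(h for h, a in assets.items() if "cmdb" not in a["sources"]),
        # Unmanaged AND already carrying critical findings: top of the remediation queue.
        "critical_and_unmanaged": sorted(
            h for h, a in assets.items()
            if a["critical_vulns"] > 0 and "cmdb" not in a["sources"]
        ),
    }


if __name__ == "__main__":
    merged = aggregate(CMDB_EXPORT, EDR_EXPORT, VULN_SCAN_EXPORT)
    total = len(CMDB_EXPORT) + len(EDR_EXPORT) + len(VULN_SCAN_EXPORT)
    print(f"{len(merged)} unique assets reconciled from {total} tool records")
    for name, hosts in query_gaps(merged).items():
        print(f"{name}: {hosts}")
```

Seven records from three tools collapse to four assets; the queries then surface `db-01` and `shadow-api` as lacking an endpoint agent, `laptop-77` and `shadow-api` as unknown to the CMDB, and `shadow-api` as the unmanaged host that already has critical findings. In a real deployment the normalization keys would also have to handle DHCP address reuse, cloned MACs in virtualized fleets and hosts renamed between scans, which is why commercial products usually match on several attributes with a confidence score rather than on hostname alone.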
What is external attack surface management?
As the name implies, external attack surface management focuses on an outside-in view of the attack surface, discovering internet-facing assets and systems, plus related vulnerabilities.
Examples of the assets that EASM discovers include web applications, IPs, domain names, SSL certificates and cloud services. The types of vulnerabilities EASM identifies include – but aren’t limited to – exposed servers, credentials, public cloud service misconfigurations, deep web and dark web disclosures and vulnerabilities in third-party software code.
In addition to asset discovery, EASM products commonly offer other capabilities, including:
- Active external scanning of cloud, IT, IoT and OT environments.
- Analysis of assets to determine if they are risky, vulnerable or behaving in an anomalous manner.
- Prioritization of assets based on factors like business impact and likelihood of exploitation by a malicious actor.
- Remediation workflows and integrations with ticketing systems, security orchestration, automation and response (SOAR) solutions and other tools.
What are digital risk protection services (DRPS)?
DRPS blends technology and services to protect digital assets and data from external threats. It extends detection and monitoring outside the enterprise perimeter – to the open web, deep web, social media and app marketplaces – to search for threats to enterprise digital resources, including IP addresses and brand-related assets.
As organizations engage in more and more online activities, it’s critical for security teams to adopt these capabilities and look beyond threats within the enterprise network. DRPS both identifies threats and provides actionable intelligence on threat actors and the tools, tactics and processes they use.
What’s the difference between CAASM, EASM and DRPS?
CAASM, EASM and DRPS are all components of ASM, and they focus on security asset management and issue prioritization. These similarities can cause confusion about the differences between these solutions.
This table summarizes the differences between CAASM, EASM and DRPS.
| Feature / Capability | CAASM | EASM | DRPS |
|---|---|---|---|
| Focus area | Assets and vulnerabilities | External assets | Digital risk |
| Applicable assets | | | |
| Composition | | | |
| Capabilities | | | |
| Data sources | Passive data collection via API integrations with existing internal tools. CAASM tools commonly also collect data from DRPS and EASM tools. | | Monitoring of: |
Why is attack surface management important?
Leading security frameworks agree that understanding your attack surface is critical for a strong security posture. Both NIST CSF and CIS Controls include it as a foundational capability.
Attack surface management is so important because without visibility into the entirety of your attack surface, you don’t know what vulnerabilities are exposing your organization. This in turn gives you an insufficient view of your organization’s risk posture – so you have no way of knowing whether you’re staying within your risk appetite, or how to direct your efforts to address the highest-risk exposures.
With attack surfaces changing and expanding so rapidly, attack surface management can only become more critical. Security teams simply can’t afford to be flying blind.
Related: Attack Surface Discovery: How to Identify Your Organization's Attack Surface