Now Available - Forrester Report: The Total Economic Impact™ Of The CyCognito Platform
See Exactly What Attackers See
The term “attack surface” is sometimes defined as the collection of ways an organization can be breached. But that is really just the sum of your organization’s attack vectors.
A better definition is: Your attack surface is all of your attacker-exposed IT assets, whether secure or vulnerable, known and unknown, wherever they are: on-premises, in the cloud, in third-party or partner environments, or in the networks of your subsidiaries. That’s a better definition of “attack surface” because organizations benefit from having an understanding and visibility into their entire IT ecosystem that includes all of their network interconnectivity.
One of the most critical security issues today is the fact that IT and security teams don't know where all of their organization’s digital infrastructure and assets are, or whether they’re fully protected. This ‘awareness gap’ is called shadow risk; it’s a major problem, since unknown and unmanaged assets are often the easiest points of entry for attackers. Organizations must expose their shadow risk by mapping and assessing their full attack surface.
The need for attack surface analysis and management is universally recognized by security practitioners and vendors, but a critical point that may not be explicitly called out is that managing your attack surface isn’t something you should start doing only after you have implemented your security stack. Instead, it must be a foundational step that guides your security program and resource investments.
Learn about an attack surface and other industry terms in our glossary.
Gartner, Implement a Risk-Based Approach to Vulnerability Management
Prateek Bhajanka, Craig Lawson, ID: G00356414, Published: 21 August 2018
Many authors providing advice on attack surface management use the term “attack surface reduction” and offer tips for reducing the size of an organization’s attack surface. What’s implied in that approach is that the attack surface is being defined as the sum of vulnerabilities, whereas a better approach is to define the attack surface expansively as the collection of all the assets associated with an organization, whether currently deemed vulnerable or not.
Thus, your goal is not to reduce your attack surface but to reduce the attack vectors in your attack surface, beginning with those that pose the greatest risk to your organization.