{"id":406,"date":"2020-01-07T17:35:00","date_gmt":"2020-01-07T17:35:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=406"},"modified":"2024-08-02T14:15:08","modified_gmt":"2024-08-02T21:15:08","slug":"reduce-your-attack-vectors-not-your-attack-surface","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/","title":{"rendered":"Reduce Your Attack Vectors, Not Your Attack Surface"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Why bigger is better when it comes to your attack surface<\/h2>\n\n\n\n<p>Although the term \u201cattack surface\u201d has been around for well over two decades, its importance has been under-emphasized, especially in the \u201ccloud era.\u201d We advise every chief information security officer and security team to take a thorough look at how they are defining and managing their attack surface as a foundational step in their security program. And, we challenge the common wisdom that your goal is to reduce your attack surface. Bigger is actually better.&nbsp;<\/p>\n\n\n\n<p>Of course, it\u2019s all in how you look at it. And how you look at your attack surface is undeniably important to being able to effectively assess your organization\u2019s IT risk.&nbsp;<\/p>\n\n\n\n<p>The term \u201cattack surface\u201d is sometimes defined as the collection of ways an organization can be breached. 
But that is really just the sum of your organization\u2019s attack vectors.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Definition of an attack surface<\/h2>\n\n\n\n<p>A better definition of attack surface is: all of your attacker-exposed IT assets, whether secure or vulnerable, known and unknown, wherever they are: on-premises, in the cloud, in third-party or partner environments, or in the networks of your subsidiaries.<\/p>\n\n\n\n<p>That\u2019s a better definition of \u201cattack surface\u201d because organizations benefit from having an understanding and visibility into their entire IT ecosystem that includes all of their network interconnectivity.<\/p>\n\n\n\n<p>Why is it important to have the broadest view of your attack surface \u2013 making it bigger, not smaller? Attackers are looking for the path of least resistance in your attack surface so that they can break into your high-value digital assets. To stay ahead, you have to think like an attacker too. That requires ongoing\u00a0<a href=\"\/learn\/attack-surface-discovery.php\">visibility of your entire attack surface<\/a>\u00a0by performing reconnaissance across your entire IT ecosystem, adopting an outside-in approach.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"789\" height=\"397\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface.png\" alt=\"\" class=\"wp-image-407\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface.png 789w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface-512x258.png 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface-768x386.png 768w\" sizes=\"auto, (max-width: 789px) 100vw, 789px\" \/><\/figure>\n\n\n\n<p>Organizations invest in basic risk assessment for only about 30% of their attack surface, and in-depth assessment for about 1%. 
Attackers target your entire attack surface, with a particular focus on the remaining 70% that you aren&#8217;t aware of and don&#8217;t assess.<\/p>\n\n\n\n<p>With the full view of your attacker-exposed assets, you have a good foundation for evaluating your organizational risk and establishing an effective security program that allows you and your team to focus your resources on eliminating the highest-priority risks for your business.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Requirements for effective attack surface management<\/h2>\n\n\n\n<p>Effective attack surface management requires:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Visibility of your entire attack surface, particularly the unknown, abandoned and unmanaged assets that attackers seek as easy points of entry<\/li>\n\n\n\n<li>Understanding the business context of each asset based on the business functions supported by the applications and data on the asset<\/li>\n\n\n\n<li>Knowing which group in your organization owns the asset, what IT environments it is part of, and whether it is part of a partner or third-party network<\/li>\n\n\n\n<li>Identification and prioritization of potential attack vectors in your attack surface so you know where your team should focus their efforts<\/li>\n\n\n\n<li>Continuous security monitoring to maintain the full and current view of your attack surface<\/li>\n<\/ul>\n\n\n\n<p>You want to reduce the number of attack vectors in your attack surface, not your attack surface. Your attack surface will grow and shrink as the needs of your organization change. Reducing the number of attack vectors, especially critical ones, is what you want to control.<\/p>\n\n\n\n<p>Some sources reference the term \u201cattack surface reduction,\u201d and offer tips for reducing the size of an organization\u2019s attack surface. 
What\u2019s implied in that approach is that the attack surface is being defined as the sum of attack vectors as opposed to the more useful definition of attack surface as the collection of all the assets associated with an organization, whether currently deemed vulnerable or not.<\/p>\n\n\n\n<p>As opposed to \u201creducing\u201d your attack surface, you should seek to develop an attack surface map that expands your organization\u2019s previous knowledge about the composition of the attack surface. This includes unknown assets, unknown infrastructure, cloud environments and applications and other shadow IT. Visibility of your entire attack surface is critical to your ability to identify and manage your shadow risk, the risk associated with your attacker-exposed assets.<\/p>\n\n\n\n<p>It\u2019s the high priority risks that you want to focus on reducing, not the size of your organization\u2019s known attack surface.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The term \u201cattack surface\u201d is sometimes defined as different ways an organization can be breached. 
But that is really just the sum of your attack vectors.<\/p>\n","protected":false},"author":22,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[6],"class_list":["post-406","post","type-post","status-publish","format-standard","hentry","category-perspectives","tag-attack-surface-management"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Reduce Your Attack Vectors, Not Your Attack Surface | CyCognito Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Reduce Your Attack Vectors, Not Your Attack Surface | CyCognito Blog\" \/>\n<meta property=\"og:description\" content=\"The term \u201cattack surface\u201d is sometimes defined as different ways an organization can be breached. 
But that is really just the sum of your attack vectors.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/\" \/>\n<meta property=\"og:site_name\" content=\"CyCognito Blog\" \/>\n<meta property=\"article:published_time\" content=\"2020-01-07T17:35:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-08-02T21:15:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface.png\" \/>\n<meta name=\"author\" content=\"Raphael Reich\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Raphael Reich\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/\"},\"author\":{\"name\":\"Raphael Reich\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/5fc71e29aa32c6153db0b1cbcfd395a7\"},\"headline\":\"Reduce Your Attack Vectors, Not Your Attack 
Surface\",\"datePublished\":\"2020-01-07T17:35:00+00:00\",\"dateModified\":\"2024-08-02T21:15:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/\"},\"wordCount\":714,\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface.png\",\"keywords\":[\"Attack Surface Management\"],\"articleSection\":[\"Perspectives\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/\",\"name\":\"Reduce Your Attack Vectors, Not Your Attack Surface | CyCognito Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface.png\",\"datePublished\":\"2020-01-07T17:35:00+00:00\",\"dateModified\":\"2024-08-02T21:15:08+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#primaryimage\",\"url\":\"https:\/\/ww
w.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface.png\",\"width\":789,\"height\":397},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cycognito.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Reduce Your Attack Vectors, Not Your Attack Surface\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"name\":\"Cycognito Blog\",\"description\":\"Research, Product News and Latest Updates\",\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\",\"name\":\"Cycognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"width\":1720,\"height\":550,\"caption\":\"Cycognito\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/5fc71e29aa32c6153db0b1cbcfd395a7\",\"name\":\"Raphael 
Reich\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/a187c2484d7ae7c4068cf1f26c507972?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/a187c2484d7ae7c4068cf1f26c507972?s=96&d=mm&r=g\",\"caption\":\"Raphael Reich\"},\"description\":\"Was Vice President of Marketing at CyCognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/author\/raphael-reich\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Reduce Your Attack Vectors, Not Your Attack Surface | CyCognito Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/","og_locale":"en_US","og_type":"article","og_title":"Reduce Your Attack Vectors, Not Your Attack Surface | CyCognito Blog","og_description":"The term \u201cattack surface\u201d is sometimes defined as different ways an organization can be breached. But that is really just the sum of your attack vectors.","og_url":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/","og_site_name":"CyCognito Blog","article_published_time":"2020-01-07T17:35:00+00:00","article_modified_time":"2024-08-02T21:15:08+00:00","og_image":[{"url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface.png","type":"","width":"","height":""}],"author":"Raphael Reich","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Raphael Reich","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#article","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/"},"author":{"name":"Raphael Reich","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/5fc71e29aa32c6153db0b1cbcfd395a7"},"headline":"Reduce Your Attack Vectors, Not Your Attack Surface","datePublished":"2020-01-07T17:35:00+00:00","dateModified":"2024-08-02T21:15:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/"},"wordCount":714,"publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#primaryimage"},"thumbnailUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface.png","keywords":["Attack Surface Management"],"articleSection":["Perspectives"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/","url":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/","name":"Reduce Your Attack Vectors, Not Your Attack Surface | CyCognito 
Blog","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#primaryimage"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#primaryimage"},"thumbnailUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface.png","datePublished":"2020-01-07T17:35:00+00:00","dateModified":"2024-08-02T21:15:08+00:00","breadcrumb":{"@id":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#primaryimage","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface.png","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/what-is-an-attack-surface.png","width":789,"height":397},{"@type":"BreadcrumbList","@id":"https:\/\/www.cycognito.com\/blog\/reduce-your-attack-vectors-not-your-attack-surface\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.cycognito.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Reduce Your Attack Vectors, Not Your Attack Surface"}]},{"@type":"WebSite","@id":"https:\/\/www.cycognito.com\/blog\/#website","url":"https:\/\/www.cycognito.com\/blog\/","name":"Cycognito Blog","description":"Research, Product News and Latest 
Updates","publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.cycognito.com\/blog\/#organization","name":"Cycognito","url":"https:\/\/www.cycognito.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","width":1720,"height":550,"caption":"Cycognito"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/5fc71e29aa32c6153db0b1cbcfd395a7","name":"Raphael Reich","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/a187c2484d7ae7c4068cf1f26c507972?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a187c2484d7ae7c4068cf1f26c507972?s=96&d=mm&r=g","caption":"Raphael Reich"},"description":"Was Vice President of Marketing at 
CyCognito","url":"https:\/\/www.cycognito.com\/blog\/author\/raphael-reich\/"}]}},"_links":{"self":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/406","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/comments?post=406"}],"version-history":[{"count":7,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/406\/revisions"}],"predecessor-version":[{"id":997,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/406\/revisions\/997"}],"wp:attachment":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/media?parent=406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/categories?post=406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/tags?post=406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}