Group Purchasing
Group Purchasing

The SANS Guide to Evaluating Attack Surface Management

The SANS Guide to Evaluating Attack Surface Management (PDF, 0.44MB)Published: 01 Feb, 2023
Created by:
Pierre Lidome
Pierre Lidome

The SANS Guide to Evaluating Attack Surface Management, published by SANS Institute, was first released in October 2020 and updated in February 2023. The guide explains what attack surface management (ASM) is and lays out a practical framework for evaluating ASM solutions, covering both product requirements and operational requirements that security teams should weigh during a proof of concept.

Key findings:

  • 94% of enterprises use cloud services, a key driver of the external asset visibility problem ASM addresses, according to Cloudwards
  • The number of internet-connected devices worldwide is projected to reach more than 25 billion by 2025, continually expanding the attack surface organizations must track, per Statista
  • 26% of US employees now work remotely, four times the rate before the COVID-19 pandemic, adding external assets outside the traditional network perimeter, according to Zippia
  • An organization's attack surface includes all internet-accessible hardware, software, SaaS, and cloud assets that an attacker could discover, attack, and use to gain a foothold
  • ASM solutions should be evaluated against three core product requirements: automated discovery, continuous monitoring, and risk-based management
  • Automated discovery should require nothing more than a domain name, using whois, passive DNS, and network registration data to map exposed assets without manual IP input
  • Continuous monitoring needs to track both newly added and newly removed assets, since retired infrastructure and newly acquired entities still carry assumed risk
  • Effective risk-based management combines a vendor's external threat assessment, covering vulnerabilities, exploit code, and asset criticality, with user-supplied business context to generate a prioritized risk score
  • Operationalizing ASM depends on four additional capabilities: proactive email alerting, enterprise management features like role-based access control and single sign-on, interoperability through documented APIs, and bi-directional integrations with SIEM and ticketing systems
  • The most common ASM use cases are discovering exposure, uncovering shadow IT, prioritizing exposure, achieving real-time security agility, managing mergers and acquisitions risk, and exercising the security program
  • Managing false positives is described as the most difficult requirement for any ASM solution, particularly for tools that rely on rigid keyword matching to assign asset ownership
  • Security posture validation, testing whether a discovered asset is actually exploitable, is flagged as a newer capability that should quickly become a standard requirement for ASM tools

The guide frames ASM as a complement to, not a replacement for, existing asset and vulnerability management programs. Its core argument is that the value of an ASM tool comes less from raw discovery volume and more from pairing high-fidelity external discovery with contextual risk scoring and false-positive control, and evaluators should weigh a vendor's bi-directional integration capabilities as heavily as its discovery breadth.

The guide was written by SANS Certified Instructor Pierre Lidome as part of the SANS Analyst Program, and presents an evaluation framework and criteria rather than original survey data.

FAQ

Meet the expert

Pierre Lidome
Pierre Lidome

Pierre Lidome

Certified Instructor

Pierre is a SANS course author and cyber threat hunter with 25+ years in DFIR, security, and network engineering. He volunteers for NCCDC, teaches at University of Houston, and serves on the GIAC advisory board and SANS Technology Institute faculty.

Read more about Pierre Lidome