https://newsletter.en.creamermedia.com

Why attack surface management must look both inside and out

21st October 2025

     


This article has been supplied and will be available for a limited time only on this website.

By: Kyle Pillay - Security as a Service Manager at Datacentrix

Attack surface management (ASM) has grown exponentially in recent years, evolving into a recognised market category that equips businesses with the strategies and visibility needed to protect their digital assets. As Forrester’s Attack Surface Management Solutions Landscape, Q2 2024 notes, ASM “delivers insights on assets that ultimately support business objectives, keep the lights on, generate revenue, and delight customers.”

At its core, ASM is the process of continuously discovering, identifying, inventorying, and assessing the exposures of an organisation’s IT asset estate; a step that is foundational to maintaining a strong security posture.

Knowing your environment

Essentially, ASM assists in ‘knowing your environment’, or identifying the gaps in your defences before an attacker does.

Every threat actor or hacker starts with reconnaissance – footprinting your external-facing assets. This is why the term External Attack Surface Management (EASM) exists: it focuses on what the attacker sees. Without evaluating your environment through this external lens, you won’t know which access points are visible and exploitable, leaving you unable to proactively detect or prevent threats before they become incidents.

First steps in protecting your attack surface

The starting point of ASM is identifying external-facing touchpoints, such as public IPs, domains and so on. For example, you might know your primary domain (e.g. mydomain.co.za), but you also need visibility into similar domains that could be used maliciously, such as mydomain.com, mydomain.net, mydomain.tech or mydomain.ac.za. These can be targeted for domain squatting, or cybersquatting, where attackers use similar names to mislead users and set them up for phishing attacks.

A robust ASM solution not only identifies your current footprint but also pinpoints potentially available domains worth securing before they fall into the wrong hands. 

And if a deceptive domain does get registered - like mydomain-tech.co.za for example - you need a clear takedown process. International domain takedowns can be complex, requiring a partner who can legally liaise with global registrars in multiple jurisdictions. With the right processes and partnerships, such domains can often be taken down within four to eight hours, helping to limit the potential damage.
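The look-alike domain review described above can be sketched as a small triage script. This is an added example, not code from the article or from Datacentrix. The `OWNED` and `REGISTERED` sets are constructed sample data, and `is_registered` is a hypothetical stand-in for a real registration lookup.

```python
# Added example: triage look-alike domains for a brand (all data below is constructed).
PRIMARY = "mydomain.co.za"
SUFFIXES = ["co.za", "com", "net", "tech", "ac.za"]  # suffixes named in the article
KEYWORDS = ["tech"]  # hyphenated variant named in the article (mydomain-tech.co.za)

# Constructed inventory: domains the organisation has registered itself.
OWNED = {"mydomain.co.za", "mydomain.com"}
# Constructed stand-in for a registration lookup (assumption: a real deployment
# would query a registrar or registration-data service instead).
REGISTERED = {"mydomain.co.za", "mydomain.com", "mydomain.net", "mydomain-tech.co.za"}


def split_domain(domain, suffixes):
    """Split 'label.suffix' using the longest matching known suffix."""
    for suffix in sorted(suffixes, key=len, reverse=True):
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1], suffix
    raise ValueError(f"unknown suffix in {domain!r}")


def candidates(primary, suffixes, keywords):
    """Look-alike names: same label on other suffixes, plus label-keyword variants."""
    label, _ = split_domain(primary, suffixes)
    labels = [label] + [f"{label}-{word}" for word in keywords]
    names = {f"{lab}.{suffix}" for lab in labels for suffix in suffixes}
    names.discard(primary)
    return sorted(names)


def triage(primary, suffixes, keywords, owned, is_registered):
    """Bucket each candidate: owned, third_party (review for takedown), or available."""
    report = {"owned": [], "third_party": [], "available": []}
    for name in candidates(primary, suffixes, keywords):
        if name in owned:
            report["owned"].append(name)
        elif is_registered(name):
            report["third_party"].append(name)
        else:
            report["available"].append(name)
    return report


if __name__ == "__main__":
    result = triage(PRIMARY, SUFFIXES, KEYWORDS, OWNED, REGISTERED.__contains__)
    for bucket, names in result.items():
        print(f"{bucket:12} {', '.join(names)}")
```

Names in the `third_party` bucket are the ones to review and, if deceptive, route into the takedown process; names in `available` are candidates for defensive registration.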

Keeping pace with today’s infrastructure

One of the biggest challenges in ASM is keeping up with the sheer speed and sprawl of modern IT environments. While there are many tools on the market, there isn’t one capable of fully matching the pace of change. And this is despite the most competitive vendors constantly iterating, often in weekly development sprints, to keep their detection capabilities relevant. 

In addition to speed, it’s also important to maintain perspective. So, while an organisation might have visibility from one angle, attackers don’t limit themselves to a single viewpoint. To truly defend against modern threats, you need to see your environment the way they do from the outside and understand the vulnerabilities that could be exploited from within. This is where the distinction between external and internal ASM becomes essential.

External ASM (EASM) focuses on your publicly exposed digital footprint, but internal vulnerabilities can be just as - if not more - dangerous. Internal ASM uses network exposure activity tools to simulate real-world attack techniques, following frameworks such as MITRE ATT&CK, to identify weaknesses from the inside. These simulations check whether known attack methods can bypass security controls, whether sensitive data can be exfiltrated, whether passwords are weak or compromised, and whether lateral movement is possible within the network.

Combining internal and external ASM delivers a far more accurate view of your security posture, enabling you to close gaps before they are exploited.

Making the business case for ASM

Cost is often a sticking point when it comes to ASM investments, but, when weighed against the reputational and financial impact of a breach – not to mention the risk of sensitive data appearing on the dark web – the case for prevention becomes clear.

The reality is simple: if you’re not using a combination of internal and external ASM, your organisation is essentially blind to its vulnerabilities. And the ability to identify, monitor and remediate gaps, before adversaries exploit them, has become a business imperative.

Edited by Creamer Media Reporter
