
ASM strategies to protect digital assets

Attack surface management (ASM) has seen significant growth in recent years, evolving into a recognised market category that provides businesses with the visibility and strategies needed to safeguard their digital assets, reports Kyle Pillay, security as a service manager at Datacentrix.

As Forrester’s Attack Surface Management Solutions Landscape, Q2 2024 notes, ASM “delivers insights on assets that ultimately support business objectives, keep the lights on, generate revenue, and delight customers.”

At its essence, ASM involves continuously discovering, identifying, inventorying, and assessing the exposures of an organisation’s IT asset estate, a foundational step in maintaining a strong security posture.

Knowing your environment

Fundamentally, ASM helps organisations ‘know your environment’, highlighting gaps in defenses before attackers can exploit them.

Every threat actor or hacker begins with reconnaissance, mapping out your external-facing assets. This is why External Attack Surface Management (EASM) exists: it concentrates on what attackers can see. Without viewing your environment through this external lens, organisations cannot know which access points are visible or exploitable, leaving them unable to proactively detect or prevent threats before incidents occur.

First steps in protecting your attack surface

The first step in ASM is identifying external-facing touchpoints such as public IPs and domains. For instance, you might recognise your primary domain (e.g., mydomain.co.za), but visibility into similar domains, like mydomain.com, mydomain.net, mydomain.tech, or mydomain.ac.za, is also crucial. These can be targeted for domain squatting or cybersquatting, where attackers exploit similar names to mislead users and enable phishing attacks.

A strong ASM solution not only maps your current footprint but also identifies domains worth securing before malicious actors register them.

If a deceptive domain is registered, like mydomain-tech.co.za, you need an effective takedown process. International domain takedowns can be complex, requiring a partner capable of legally liaising with registrars across jurisdictions. With the right procedures and partnerships, such domains can often be removed within four to eight hours, limiting potential damage.
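The lookalike-domain check described above can be sketched as a small triage script. This is an added example, not code from the article or from Datacentrix; the inventory, the feed of observed registrations and the keyword list are constructed assumptions.

```python
# Added example. All inputs are constructed; none come from a real inventory or feed.
PRIMARY = "mydomain.co.za"
SUFFIXES = ["co.za", "com", "net", "tech", "ac.za"]  # suffixes named in the article
KEYWORDS = ["tech"]  # hypothetical keyword; yields the article's mydomain-tech form
OWNED = {"mydomain.co.za", "mydomain.com"}  # constructed asset inventory
OBSERVED = {"mydomain.net", "mydomain-tech.co.za", "unrelated.org"}  # constructed feed


def normalise(domain):
    """Lower-case and drop a trailing root dot so set comparisons are reliable."""
    return domain.strip().lower().rstrip(".")


def brand_label(domain, suffixes):
    """Return the registrable label, e.g. 'www.MyDomain.co.za.' -> 'mydomain'."""
    domain = normalise(domain)
    for suffix in sorted(suffixes, key=len, reverse=True):  # longest suffix first
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].rsplit(".", 1)[-1]
    raise ValueError(f"no known suffix in {domain!r}")


def candidates(primary, suffixes, keywords):
    """Suffix swaps and hyphenated keyword variants of the primary domain."""
    label = brand_label(primary, suffixes)
    labels = [label] + [f"{label}-{k}" for k in keywords]
    return {f"{l}.{s}" for l in labels for s in suffixes}


def triage(primary, owned, observed, suffixes=SUFFIXES, keywords=KEYWORDS):
    """Sort each candidate into owned, registered by someone else, or unregistered."""
    owned = {normalise(d) for d in owned}
    observed = {normalise(d) for d in observed}
    report = {"owned": [], "review_for_takedown": [], "consider_registering": []}
    for name in sorted(candidates(primary, suffixes, keywords)):
        if name in owned:
            bucket = "owned"
        elif name in observed:
            bucket = "review_for_takedown"  # registered, but not in our inventory
        else:
            bucket = "consider_registering"  # not seen registered in the feed
        report[bucket].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in triage(PRIMARY, OWNED, OBSERVED).items():
        print(f"{bucket}: {', '.join(names)}")
```

A name in the review bucket is only a lead: it may belong to a legitimate third party, so ownership and content need checking before a takedown request.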

Keeping pace with today’s infrastructure

One of ASM’s biggest challenges is keeping up with the rapid growth and sprawl of modern IT environments. While multiple tools exist, none fully match the speed of change, even as vendors iterate frequently, often in weekly development sprints, to maintain relevant detection capabilities.

Beyond speed, perspective matters. While an organisation may have visibility from one viewpoint, attackers do not limit themselves to a single angle. To defend effectively against modern threats, you need to view your environment as attackers do and understand vulnerabilities exploitable from within. This is where distinguishing between external and internal ASM becomes crucial.

External ASM (EASM) focuses on publicly exposed digital assets, whereas internal ASM addresses vulnerabilities inside the network. Internal ASM uses network exposure activity tools to simulate real-world attack techniques, often following frameworks like MITRE ATT&CK, to identify weaknesses from the inside. These simulations test whether known attack methods bypass security controls, whether sensitive data can be exfiltrated, whether passwords are weak or compromised, and whether lateral movement within the network is possible.

Combining internal and external ASM provides a more accurate view of your security posture, allowing organisations to close gaps before exploitation.

Making the business case for ASM

Cost is often a concern with ASM investments, but when weighed against the reputational and financial impact of a breach, or the risk of sensitive data appearing on the dark web, the case for prevention is clear.

The reality is simple. Without a combination of internal and external ASM, organisations remain essentially blind to vulnerabilities. The ability to identify, monitor, and remediate gaps before adversaries exploit them has become a business imperative.
