book

Attack Surface Management

by Ron Eddings, MJ Kaufmann

May 2025

Intermediate to advanced

300 pages

9h 37m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who Should Read This BookWhat You Need to KnowWhy We Wrote This BookWhat You’ll LearnNavigating This BookHow to Use This BookConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgmentsRon EddingsMJ Kaufmann
I. Foundations of ASM
1. Laying the Groundwork: An Overview of Attack Surface Management
Attack Surface Management: What It Is and Why It MattersWhat Do We Mean by Attack Surface?Attack Vectors Versus Attack SurfacesWhat Is Attack Surface Management?The Components of ASMIdentificationClassificationPrioritizationRemediationAdaptingMonitoringThe Strategic Role of ASM in CybersecurityAdopting the Attacker’s PerspectiveChanging Your Point of ViewProactive Strategy: Playing AttackerASM Use Cases and Security ChallengesVisibility ChallengesAsset ManagementAsset IntelligenceShadow ITManaging RiskIncident Response and PrioritizationPolicy EnforcementCompliance and Regulatory PressuresSummary
2. Types of Attack Surfaces
The Ever-Expanding Organizational Attack SurfaceTraditional IT ComponentsLegacy VirtualizationModern IT ComponentsModern VirtualizationIoTWebsitesCertificatesCloudCloud ProvidersCloud WorkloadsContainersCloud-Based ApplicationsDataConfiguration ManagementSaaSSaaS ManagementIdentityUsersData Access Across PlatformsIdentity and Access Management ChallengesSupply ChainSoftware DevelopmentApplicationsCertificatesBYOD and MobileArtificial IntelligenceAI Models and Neural Network ArchitectureAI Pipelines and InfrastructureAI User Interfaces and APIsSummary
3. How the Attack Surface Relates to Risk
Measuring RiskQualitative RiskExamplesBenefitsChallengesQuantitative RiskExamplesWalkthrough: Practical Application of Quantifying RiskBenefitsChallengesDetermining the Right FitData and Complexity ConsiderationsResource and Capability ConsiderationsPurpose and Stakeholder ConsiderationsShould I Use a Mix?Example: Choosing the Right MethodRisk FrameworksNISTISOITIL v4COSO ERMOCTAVECommunicating Risk to Your Business TeamKnow Your AudienceTechnical Jargon Confuses Business TeamsHow to Translate Technical Risk to Business LanguageManaging Excuses for Poor CommunicationSummary
II. Identification and Classification
4. Identification and Classification of Assets
IdentificationAsset InventoryWhy Maintaining Inventory Is Foundational in ASMIdentifying Asset Inventory SolutionsDiscovery of AssetsClassification for Asset EnrichmentAsset Type DetailsConfiguration DataData ClassificationUsage InformationLocation and Environmental DataInterdependenciesSecurity PostureLife Cycle StatusIntegrating Asset Enrichment with Business StrategyBetter PrioritizationAccurate InventorySoftware Licensing TrackingCompliance Audit EvidenceSummary
5. Automating Asset Discovery
Importance of Automating Asset DiscoveryBreadth of EnterprisesCloud ComplicationsTypes of Automated Asset DiscoveryNetwork ScanningCloud AnalysisAPI IdentificationData DiscoveryChallenges in Automated DiscoveryFeatures That Deliver High ROISearch CapabilitiesData PresentationAnalytics and ReportingAdvanced FeaturesSummary
III. Prioritization and Remediation
6. Prioritization and Crown Jewel Analysis
Understanding PrioritizationComparisons to Other Strategic ProcessesImportance of PrioritizationPrioritization CriteriaValue to the OrganizationOperational ImpactData Sensitivity and ClassificationObtaining Business ContextMapping Business FunctionsTools and Techniques for MappingImpact AssessmentDetermining Actual PrioritizationDetermining Crown JewelsPeriodic Review and Update of Crown JewelsIdentifying Other High-Value AssetsRanking Everything ElseSummary

7. Measuring Attack Surface
Attack Surface AnalysisHow Does ASA Work?How ASA Enhances Security PostureInternal and External Attack SurfacesInternal Attack Surface AnalysisExternal Attack Surface AnalysisAreas of OverlapTools for Assessing Attack SurfacesThreat ModelingThreat Modeling Informs Risk ManagementThreat Modeling MethodologiesWhich to Use?Integrating Threat Modeling with Attack Surface MappingHow Threat Modeling Improves Attack Surface ManagementHow ASM Complements Threat ModelingSummary
8. Remediation
Assessing the Remediation NeedIdentifying the Severity of VulnerabilitiesAssessing Potential ImpactCost-Benefit Analysis of RemediationPrioritization of FindingsEase of ExploitationDiscoverabilityAttacker PriorityRemediation ComplexityRemediation StrategiesValidation of Remediation EffortsFeedback Loop with StakeholdersMonitoring for Unexpected Issues or Collateral DamageDocumentation and ReportingSummary
IV. Adapting and Monitoring
9. Minimizing Attack Surfaces
How to Minimize Attack SurfacesStrategic MethodsTactical TechniquesSummary
10. Continuous Monitoring and Management
The Dynamic Nature of Digital EcosystemsTechnological Shifts and New IntegrationsImpact of Organizational Changes on the EcosystemSetting Alert ThresholdsDifferentiating Between False Positives and Legitimate ThreatsCalibrating and Fine-Tuning ThresholdsIncorporating Contextual Awareness in AlertsIntegrating with Incident ResponseCoordinating Monitoring with Incident Response TeamsSimulating Breach ScenariosRapid Response and Mitigation StrategiesPeriodic Reviews and AuditsScheduling Regular Vulnerability ScansReevaluating Remediation Efforts and EfficacyReassessing Asset PrioritiesFeedback Loops and Continuous ImprovementEncouraging Cross-Team CollaborationLeveraging Lessons Learned from Past IncidentsAdapting Monitoring Strategies Based on FeedbackAutomation and AI in Continuous MonitoringBenefits of Automated Monitoring ToolsRole of AI in Threat Detection and AnalysisBalancing Automation with Manual OversightSummary
11. The Future of Attack Surface Management
Emerging Trends in Attack Surface ManagementAI and Machine Learning in ASMQuantum ComputingEdge Computing ChallengesEvolving Challenges in CybersecurityStaying Ahead in ASM Practices and TechnologiesContinuous Learning and Skill DevelopmentStay Hungry, Never Give Up
Index
About the Authors

Content preview from Attack Surface Management

Chapter 1. Laying the Groundwork: An Overview of Attack Surface Management

Attack surface management (ASM) is more than just a cybersecurity buzzword that can help you sound savvy in meetings. Respected industry analysts like Gartner have recognized ASM as a valuable framework for managing emerging threats and organizational attack surfaces since 2022. The US government, National Institute of Standards and Technology (NIST), and other regulatory bodies have increasingly emphasized the importance of reducing risk and minimizing your attack surface. ASM is designed to provide actionable insights that deepen visibility into the vulnerabilities and risks of your organization’s digital footprint. The purpose of ASM is to proactively identify threats and mitigate vulnerabilities before they become entry points for attackers. Doing this across multiple environments is complex, critical, and challenging. For this reason, it has emerged as a strategic imperative for security teams in organizations of all sizes.

Attack Surface Management: What It Is and Why It Matters

ASM plays an essential role in efficiently managing cybersecurity programs, reducing risk, improving compliance, and proactively improving your organizational security posture to ensure business continuity and build cyber resilience. This framework encompasses several aspects designed to help determine where attacks may occur and what kind of impact they may have. It does this through a process of identifying, classifying, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098165079Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Attack Surface Management

by Ron Eddings, MJ Kaufmann

Chapter 1. Laying the Groundwork: An Overview of Attack Surface Management

Attack Surface Management: What It Is and Why It Matters

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.