book

Attack Surface Management

by Ron Eddings, MJ Kaufmann

May 2025

Intermediate to advanced

300 pages

9h 37m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who Should Read This BookWhat You Need to KnowWhy We Wrote This BookWhat You’ll LearnNavigating This BookHow to Use This BookConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgmentsRon EddingsMJ Kaufmann
I. Foundations of ASM
1. Laying the Groundwork: An Overview of Attack Surface Management
Attack Surface Management: What It Is and Why It MattersWhat Do We Mean by Attack Surface?Attack Vectors Versus Attack SurfacesWhat Is Attack Surface Management?The Components of ASMIdentificationClassificationPrioritizationRemediationAdaptingMonitoringThe Strategic Role of ASM in CybersecurityAdopting the Attacker’s PerspectiveChanging Your Point of ViewProactive Strategy: Playing AttackerASM Use Cases and Security ChallengesVisibility ChallengesAsset ManagementAsset IntelligenceShadow ITManaging RiskIncident Response and PrioritizationPolicy EnforcementCompliance and Regulatory PressuresSummary
2. Types of Attack Surfaces
The Ever-Expanding Organizational Attack SurfaceTraditional IT ComponentsLegacy VirtualizationModern IT ComponentsModern VirtualizationIoTWebsitesCertificatesCloudCloud ProvidersCloud WorkloadsContainersCloud-Based ApplicationsDataConfiguration ManagementSaaSSaaS ManagementIdentityUsersData Access Across PlatformsIdentity and Access Management ChallengesSupply ChainSoftware DevelopmentApplicationsCertificatesBYOD and MobileArtificial IntelligenceAI Models and Neural Network ArchitectureAI Pipelines and InfrastructureAI User Interfaces and APIsSummary
3. How the Attack Surface Relates to Risk
Measuring RiskQualitative RiskExamplesBenefitsChallengesQuantitative RiskExamplesWalkthrough: Practical Application of Quantifying RiskBenefitsChallengesDetermining the Right FitData and Complexity ConsiderationsResource and Capability ConsiderationsPurpose and Stakeholder ConsiderationsShould I Use a Mix?Example: Choosing the Right MethodRisk FrameworksNISTISOITIL v4COSO ERMOCTAVECommunicating Risk to Your Business TeamKnow Your AudienceTechnical Jargon Confuses Business TeamsHow to Translate Technical Risk to Business LanguageManaging Excuses for Poor CommunicationSummary
II. Identification and Classification
4. Identification and Classification of Assets
IdentificationAsset InventoryWhy Maintaining Inventory Is Foundational in ASMIdentifying Asset Inventory SolutionsDiscovery of AssetsClassification for Asset EnrichmentAsset Type DetailsConfiguration DataData ClassificationUsage InformationLocation and Environmental DataInterdependenciesSecurity PostureLife Cycle StatusIntegrating Asset Enrichment with Business StrategyBetter PrioritizationAccurate InventorySoftware Licensing TrackingCompliance Audit EvidenceSummary
5. Automating Asset Discovery
Importance of Automating Asset DiscoveryBreadth of EnterprisesCloud ComplicationsTypes of Automated Asset DiscoveryNetwork ScanningCloud AnalysisAPI IdentificationData DiscoveryChallenges in Automated DiscoveryFeatures That Deliver High ROISearch CapabilitiesData PresentationAnalytics and ReportingAdvanced FeaturesSummary
III. Prioritization and Remediation
6. Prioritization and Crown Jewel Analysis
Understanding PrioritizationComparisons to Other Strategic ProcessesImportance of PrioritizationPrioritization CriteriaValue to the OrganizationOperational ImpactData Sensitivity and ClassificationObtaining Business ContextMapping Business FunctionsTools and Techniques for MappingImpact AssessmentDetermining Actual PrioritizationDetermining Crown JewelsPeriodic Review and Update of Crown JewelsIdentifying Other High-Value AssetsRanking Everything ElseSummary

7. Measuring Attack Surface
Attack Surface AnalysisHow Does ASA Work?How ASA Enhances Security PostureInternal and External Attack SurfacesInternal Attack Surface AnalysisExternal Attack Surface AnalysisAreas of OverlapTools for Assessing Attack SurfacesThreat ModelingThreat Modeling Informs Risk ManagementThreat Modeling MethodologiesWhich to Use?Integrating Threat Modeling with Attack Surface MappingHow Threat Modeling Improves Attack Surface ManagementHow ASM Complements Threat ModelingSummary
8. Remediation
Assessing the Remediation NeedIdentifying the Severity of VulnerabilitiesAssessing Potential ImpactCost-Benefit Analysis of RemediationPrioritization of FindingsEase of ExploitationDiscoverabilityAttacker PriorityRemediation ComplexityRemediation StrategiesValidation of Remediation EffortsFeedback Loop with StakeholdersMonitoring for Unexpected Issues or Collateral DamageDocumentation and ReportingSummary
IV. Adapting and Monitoring
9. Minimizing Attack Surfaces
How to Minimize Attack SurfacesStrategic MethodsTactical TechniquesSummary
10. Continuous Monitoring and Management
The Dynamic Nature of Digital EcosystemsTechnological Shifts and New IntegrationsImpact of Organizational Changes on the EcosystemSetting Alert ThresholdsDifferentiating Between False Positives and Legitimate ThreatsCalibrating and Fine-Tuning ThresholdsIncorporating Contextual Awareness in AlertsIntegrating with Incident ResponseCoordinating Monitoring with Incident Response TeamsSimulating Breach ScenariosRapid Response and Mitigation StrategiesPeriodic Reviews and AuditsScheduling Regular Vulnerability ScansReevaluating Remediation Efforts and EfficacyReassessing Asset PrioritiesFeedback Loops and Continuous ImprovementEncouraging Cross-Team CollaborationLeveraging Lessons Learned from Past IncidentsAdapting Monitoring Strategies Based on FeedbackAutomation and AI in Continuous MonitoringBenefits of Automated Monitoring ToolsRole of AI in Threat Detection and AnalysisBalancing Automation with Manual OversightSummary
11. The Future of Attack Surface Management
Emerging Trends in Attack Surface ManagementAI and Machine Learning in ASMQuantum ComputingEdge Computing ChallengesEvolving Challenges in CybersecurityStaying Ahead in ASM Practices and TechnologiesContinuous Learning and Skill DevelopmentStay Hungry, Never Give Up
Index
About the Authors

Content preview from Attack Surface Management

Chapter 3. How the Attack Surface Relates to Risk

Understanding the relationship between an organization’s attack surface and risk exposure is foundational for protecting valuable assets. This chapter explores the essential role of risk management in cybersecurity, guiding professionals through the various methods of identifying, measuring, and managing risks that endanger their organizations.

Together, we discuss qualitative and quantitative risk assessments and analyze widely used frameworks published by NIST and ISO. We’ll look at practical insights into selecting the right approach for different environments. We’ll dive into prioritizing risks based on impact and likelihood, ensuring that the most consequential vulnerabilities are addressed first. This information will equip you with the tools necessary to translate technical risks into actionable business strategies that non-technical business units can understand and act on.

Measuring Risk

Let’s begin with the concept of measuring risk. A threat is anything that has the potential to cause harm to an organization’s assets, including cyberattacks, natural disasters, internal access abuse or unintentional mistakes. Risk, on the other hand, is the possibility that a threat will exploit a vulnerability to harm an asset. Essentially, risk arises from the intersection of threats and vulnerabilities.

In ASM, we need to identify and classify assets, and then understand the various risks each one faces and the best methods to manage ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098165079Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Attack Surface Management

by Ron Eddings, MJ Kaufmann

Chapter 3. How the Attack Surface Relates to Risk

Measuring Risk

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.