book

Attack Surface Management

by Ron Eddings, MJ Kaufmann

May 2025

Intermediate to advanced

300 pages

9h 37m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who Should Read This BookWhat You Need to KnowWhy We Wrote This BookWhat You’ll LearnNavigating This BookHow to Use This BookConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgmentsRon EddingsMJ Kaufmann
I. Foundations of ASM
1. Laying the Groundwork: An Overview of Attack Surface Management
Attack Surface Management: What It Is and Why It MattersWhat Do We Mean by Attack Surface?Attack Vectors Versus Attack SurfacesWhat Is Attack Surface Management?The Components of ASMIdentificationClassificationPrioritizationRemediationAdaptingMonitoringThe Strategic Role of ASM in CybersecurityAdopting the Attacker’s PerspectiveChanging Your Point of ViewProactive Strategy: Playing AttackerASM Use Cases and Security ChallengesVisibility ChallengesAsset ManagementAsset IntelligenceShadow ITManaging RiskIncident Response and PrioritizationPolicy EnforcementCompliance and Regulatory PressuresSummary
2. Types of Attack Surfaces
The Ever-Expanding Organizational Attack SurfaceTraditional IT ComponentsLegacy VirtualizationModern IT ComponentsModern VirtualizationIoTWebsitesCertificatesCloudCloud ProvidersCloud WorkloadsContainersCloud-Based ApplicationsDataConfiguration ManagementSaaSSaaS ManagementIdentityUsersData Access Across PlatformsIdentity and Access Management ChallengesSupply ChainSoftware DevelopmentApplicationsCertificatesBYOD and MobileArtificial IntelligenceAI Models and Neural Network ArchitectureAI Pipelines and InfrastructureAI User Interfaces and APIsSummary
3. How the Attack Surface Relates to Risk
Measuring RiskQualitative RiskExamplesBenefitsChallengesQuantitative RiskExamplesWalkthrough: Practical Application of Quantifying RiskBenefitsChallengesDetermining the Right FitData and Complexity ConsiderationsResource and Capability ConsiderationsPurpose and Stakeholder ConsiderationsShould I Use a Mix?Example: Choosing the Right MethodRisk FrameworksNISTISOITIL v4COSO ERMOCTAVECommunicating Risk to Your Business TeamKnow Your AudienceTechnical Jargon Confuses Business TeamsHow to Translate Technical Risk to Business LanguageManaging Excuses for Poor CommunicationSummary
II. Identification and Classification
4. Identification and Classification of Assets
IdentificationAsset InventoryWhy Maintaining Inventory Is Foundational in ASMIdentifying Asset Inventory SolutionsDiscovery of AssetsClassification for Asset EnrichmentAsset Type DetailsConfiguration DataData ClassificationUsage InformationLocation and Environmental DataInterdependenciesSecurity PostureLife Cycle StatusIntegrating Asset Enrichment with Business StrategyBetter PrioritizationAccurate InventorySoftware Licensing TrackingCompliance Audit EvidenceSummary
5. Automating Asset Discovery
Importance of Automating Asset DiscoveryBreadth of EnterprisesCloud ComplicationsTypes of Automated Asset DiscoveryNetwork ScanningCloud AnalysisAPI IdentificationData DiscoveryChallenges in Automated DiscoveryFeatures That Deliver High ROISearch CapabilitiesData PresentationAnalytics and ReportingAdvanced FeaturesSummary
III. Prioritization and Remediation
6. Prioritization and Crown Jewel Analysis
Understanding PrioritizationComparisons to Other Strategic ProcessesImportance of PrioritizationPrioritization CriteriaValue to the OrganizationOperational ImpactData Sensitivity and ClassificationObtaining Business ContextMapping Business FunctionsTools and Techniques for MappingImpact AssessmentDetermining Actual PrioritizationDetermining Crown JewelsPeriodic Review and Update of Crown JewelsIdentifying Other High-Value AssetsRanking Everything ElseSummary

7. Measuring Attack Surface
Attack Surface AnalysisHow Does ASA Work?How ASA Enhances Security PostureInternal and External Attack SurfacesInternal Attack Surface AnalysisExternal Attack Surface AnalysisAreas of OverlapTools for Assessing Attack SurfacesThreat ModelingThreat Modeling Informs Risk ManagementThreat Modeling MethodologiesWhich to Use?Integrating Threat Modeling with Attack Surface MappingHow Threat Modeling Improves Attack Surface ManagementHow ASM Complements Threat ModelingSummary
8. Remediation
Assessing the Remediation NeedIdentifying the Severity of VulnerabilitiesAssessing Potential ImpactCost-Benefit Analysis of RemediationPrioritization of FindingsEase of ExploitationDiscoverabilityAttacker PriorityRemediation ComplexityRemediation StrategiesValidation of Remediation EffortsFeedback Loop with StakeholdersMonitoring for Unexpected Issues or Collateral DamageDocumentation and ReportingSummary
IV. Adapting and Monitoring
9. Minimizing Attack Surfaces
How to Minimize Attack SurfacesStrategic MethodsTactical TechniquesSummary
10. Continuous Monitoring and Management
The Dynamic Nature of Digital EcosystemsTechnological Shifts and New IntegrationsImpact of Organizational Changes on the EcosystemSetting Alert ThresholdsDifferentiating Between False Positives and Legitimate ThreatsCalibrating and Fine-Tuning ThresholdsIncorporating Contextual Awareness in AlertsIntegrating with Incident ResponseCoordinating Monitoring with Incident Response TeamsSimulating Breach ScenariosRapid Response and Mitigation StrategiesPeriodic Reviews and AuditsScheduling Regular Vulnerability ScansReevaluating Remediation Efforts and EfficacyReassessing Asset PrioritiesFeedback Loops and Continuous ImprovementEncouraging Cross-Team CollaborationLeveraging Lessons Learned from Past IncidentsAdapting Monitoring Strategies Based on FeedbackAutomation and AI in Continuous MonitoringBenefits of Automated Monitoring ToolsRole of AI in Threat Detection and AnalysisBalancing Automation with Manual OversightSummary
11. The Future of Attack Surface Management
Emerging Trends in Attack Surface ManagementAI and Machine Learning in ASMQuantum ComputingEdge Computing ChallengesEvolving Challenges in CybersecurityStaying Ahead in ASM Practices and TechnologiesContinuous Learning and Skill DevelopmentStay Hungry, Never Give Up
Index
About the Authors

Content preview from Attack Surface Management

Chapter 4. Identification and Classification of Assets

The first step for any organization implementing ASM is the identification and classification of assets. This is an integral step because many organizations don’t have a complete understanding of them, leaving unidentified risks that skew their perception of their overall security posture. Throughout the chapter we’ll cover this topic in-depth, offering a detailed, business-centric approach to discerning various assets, their business roles, and their importance within an organizational context. While we’ll address many important variables, the primary goal of this step is to accurately categorize assets to inform and enhance ASM practices.

As you’ll learn, we emphasize the development of a comprehensive asset inventory utilizing asset enrichment. These are vital for understanding the full scope of your organization’s attack surface. By accurately identifying and classifying assets, from hardware and software to data and human resources, we lay the groundwork for ASM.

This process is not just about listing assets. A detailed inventory and classification of assets enables us to better understand the potential vulnerabilities and security gaps that each one may introduce. Understanding all of their interconnections, dependencies, and the possible risks they pose allows you to prioritize security measures and allocate resources effectively.

Identification

Before you can start managing your attack surface, it is important to ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098165079Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Attack Surface Management

by Ron Eddings, MJ Kaufmann

Chapter 4. Identification and Classification of Assets

Identification

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.