book

Attack Surface Management

by Ron Eddings, MJ Kaufmann

May 2025

Intermediate to advanced

300 pages

9h 37m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who Should Read This BookWhat You Need to KnowWhy We Wrote This BookWhat You’ll LearnNavigating This BookHow to Use This BookConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgmentsRon EddingsMJ Kaufmann
I. Foundations of ASM
1. Laying the Groundwork: An Overview of Attack Surface Management
Attack Surface Management: What It Is and Why It MattersWhat Do We Mean by Attack Surface?Attack Vectors Versus Attack SurfacesWhat Is Attack Surface Management?The Components of ASMIdentificationClassificationPrioritizationRemediationAdaptingMonitoringThe Strategic Role of ASM in CybersecurityAdopting the Attacker’s PerspectiveChanging Your Point of ViewProactive Strategy: Playing AttackerASM Use Cases and Security ChallengesVisibility ChallengesAsset ManagementAsset IntelligenceShadow ITManaging RiskIncident Response and PrioritizationPolicy EnforcementCompliance and Regulatory PressuresSummary
2. Types of Attack Surfaces
The Ever-Expanding Organizational Attack SurfaceTraditional IT ComponentsLegacy VirtualizationModern IT ComponentsModern VirtualizationIoTWebsitesCertificatesCloudCloud ProvidersCloud WorkloadsContainersCloud-Based ApplicationsDataConfiguration ManagementSaaSSaaS ManagementIdentityUsersData Access Across PlatformsIdentity and Access Management ChallengesSupply ChainSoftware DevelopmentApplicationsCertificatesBYOD and MobileArtificial IntelligenceAI Models and Neural Network ArchitectureAI Pipelines and InfrastructureAI User Interfaces and APIsSummary
3. How the Attack Surface Relates to Risk
Measuring RiskQualitative RiskExamplesBenefitsChallengesQuantitative RiskExamplesWalkthrough: Practical Application of Quantifying RiskBenefitsChallengesDetermining the Right FitData and Complexity ConsiderationsResource and Capability ConsiderationsPurpose and Stakeholder ConsiderationsShould I Use a Mix?Example: Choosing the Right MethodRisk FrameworksNISTISOITIL v4COSO ERMOCTAVECommunicating Risk to Your Business TeamKnow Your AudienceTechnical Jargon Confuses Business TeamsHow to Translate Technical Risk to Business LanguageManaging Excuses for Poor CommunicationSummary
II. Identification and Classification
4. Identification and Classification of Assets
IdentificationAsset InventoryWhy Maintaining Inventory Is Foundational in ASMIdentifying Asset Inventory SolutionsDiscovery of AssetsClassification for Asset EnrichmentAsset Type DetailsConfiguration DataData ClassificationUsage InformationLocation and Environmental DataInterdependenciesSecurity PostureLife Cycle StatusIntegrating Asset Enrichment with Business StrategyBetter PrioritizationAccurate InventorySoftware Licensing TrackingCompliance Audit EvidenceSummary
5. Automating Asset Discovery
Importance of Automating Asset DiscoveryBreadth of EnterprisesCloud ComplicationsTypes of Automated Asset DiscoveryNetwork ScanningCloud AnalysisAPI IdentificationData DiscoveryChallenges in Automated DiscoveryFeatures That Deliver High ROISearch CapabilitiesData PresentationAnalytics and ReportingAdvanced FeaturesSummary
III. Prioritization and Remediation
6. Prioritization and Crown Jewel Analysis
Understanding PrioritizationComparisons to Other Strategic ProcessesImportance of PrioritizationPrioritization CriteriaValue to the OrganizationOperational ImpactData Sensitivity and ClassificationObtaining Business ContextMapping Business FunctionsTools and Techniques for MappingImpact AssessmentDetermining Actual PrioritizationDetermining Crown JewelsPeriodic Review and Update of Crown JewelsIdentifying Other High-Value AssetsRanking Everything ElseSummary

7. Measuring Attack Surface
Attack Surface AnalysisHow Does ASA Work?How ASA Enhances Security PostureInternal and External Attack SurfacesInternal Attack Surface AnalysisExternal Attack Surface AnalysisAreas of OverlapTools for Assessing Attack SurfacesThreat ModelingThreat Modeling Informs Risk ManagementThreat Modeling MethodologiesWhich to Use?Integrating Threat Modeling with Attack Surface MappingHow Threat Modeling Improves Attack Surface ManagementHow ASM Complements Threat ModelingSummary
8. Remediation
Assessing the Remediation NeedIdentifying the Severity of VulnerabilitiesAssessing Potential ImpactCost-Benefit Analysis of RemediationPrioritization of FindingsEase of ExploitationDiscoverabilityAttacker PriorityRemediation ComplexityRemediation StrategiesValidation of Remediation EffortsFeedback Loop with StakeholdersMonitoring for Unexpected Issues or Collateral DamageDocumentation and ReportingSummary
IV. Adapting and Monitoring
9. Minimizing Attack Surfaces
How to Minimize Attack SurfacesStrategic MethodsTactical TechniquesSummary
10. Continuous Monitoring and Management
The Dynamic Nature of Digital EcosystemsTechnological Shifts and New IntegrationsImpact of Organizational Changes on the EcosystemSetting Alert ThresholdsDifferentiating Between False Positives and Legitimate ThreatsCalibrating and Fine-Tuning ThresholdsIncorporating Contextual Awareness in AlertsIntegrating with Incident ResponseCoordinating Monitoring with Incident Response TeamsSimulating Breach ScenariosRapid Response and Mitigation StrategiesPeriodic Reviews and AuditsScheduling Regular Vulnerability ScansReevaluating Remediation Efforts and EfficacyReassessing Asset PrioritiesFeedback Loops and Continuous ImprovementEncouraging Cross-Team CollaborationLeveraging Lessons Learned from Past IncidentsAdapting Monitoring Strategies Based on FeedbackAutomation and AI in Continuous MonitoringBenefits of Automated Monitoring ToolsRole of AI in Threat Detection and AnalysisBalancing Automation with Manual OversightSummary
11. The Future of Attack Surface Management
Emerging Trends in Attack Surface ManagementAI and Machine Learning in ASMQuantum ComputingEdge Computing ChallengesEvolving Challenges in CybersecurityStaying Ahead in ASM Practices and TechnologiesContinuous Learning and Skill DevelopmentStay Hungry, Never Give Up
Index
About the Authors

Content preview from Attack Surface Management

Part I. Foundations of ASM

In these early chapters, we’re setting the stage for understanding attack surface management (ASM), a concept that has become essential in the industry. Whether you’re just starting out in the field or have been in it for years, the first three chapters cover ASM basics everyone needs to know. They ensure we are all on the same page before diving deeper. We start by answering the key question: What exactly is an attack surface?

You’ll discover the answer is not just about networks and servers anymore—attack surfaces include everything from software and hardware to people and processes. Essentially, attack surfaces are all the entry points that someone could use to access your systems, and managing them is about knowing where those points are, what risks they pose, and how to protect them.

We’ll dive into the details of how IT environments have evolved, including cloud services, IoT devices, and even employee smartphones. So many advances have expanded attack surfaces in ways we couldn’t have imagined a decade ago. This shift introduces new security challenges, and we’ll break down how organizations can address them. We’ll also introduce you to risk management strategies, which help you prioritize the vulnerabilities you tackle first based on their potential impact. By the time you finish Part I, you’ll have a strong understanding of ASM fundamentals and be well equipped to move forward, no matter your experience level.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098165079Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Attack Surface Management

by Ron Eddings, MJ Kaufmann

Part I. Foundations of ASM

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.