Attack Surface Management: Why Maturity Models Matter

Dan Schoenbaum
7 min readApr 5


The challenges of asset discovery, the unknown, and ad-hoc vulnerability scans

Attack surface management gets adopted because security leaders have the mandate to know their attack surface, measure and manage digital risks, and improve defense against persistent threat actors. Like most, you have adapted some of the attack surface management tenets; for example, you must “know thyself “and that means having a good handle on assets that need to be protected.

You’ll never secure your attack surface if you don’t start with discovery and triage of all assets.
You’ll never secure your attack surface if you don’t start with discovery and triage of all assets. Photo by Jason Blackeye on Unsplash

Most start out with the assets they know about: crown jewel assets that represent significant revenue to the company. This should be the very beginning of the road to discovery, as the business is always changing. You must evolve your efforts to uncover a wide range of new asset possibilities. Most vexing is that you must know what it is that you currently do not know. This is no small challenge; you must come to terms with how to keep up with business units (think: shadow IT and well-meaning marketing teams) as well as applications that spin up faster than you could ever record in a spreadsheet.

It’s a given that business units are going to go rogue and implement their own systems, cloud data repositories, and grant access to outside or untrusted third parties; without ever talking to you. Nevertheless, you must discover and defend these unknowns, identify application owners, and justify the very important cybersecurity actions that must take place to keep things secure by reducing digital risk.

You may have an idea of what your attack surface is made of, but every customer walks away from viewing a risk report or a POC with us learning something significant that they did not know.

To highlight the Shadow IT challenge, our ASM customers typically discover between 30% more assets than what they thought made up their attack surface, this figure has risen as high as 500%. Rogue applications, forgotten web servers, historical portals — for an attacker they all count as legitimate targets Other times, customer POC results are truly startling and enlightening to them in equal measure. Large environments continuously breed new applications and other unknowns that get stood up every day.

You already know Step One is discovery, but how do you understand where you are overall?

Maturity models pinpoint your place in time and justify elevating your capabilities. You can look at where you are now, and know the capabilities needed to get where you need. Your end game; so to speak

But this isn’t easy, especially if you are beginning with a legacy spreadsheet that has been passed down with little context. If you are a mid to large sized organization with applications being stood up all the time, heavy M&A activity, and or a supply chain a mile long, the unknown becomes a more acute challenge.

If discovery is the ‘what’, then the ‘how’ you go about discovering assets is another capability on the maturity model for attack surface management. Often, companies start by contracting with a company to perform quarterly scans. This is a good start. But if you work in an environment that has applications being continuously stood up, a dynamic supply chain, and consistent M&A activity, then you are constantly behind the curve ball and are acting on yesterday’s news.

When you factor in the multitude of vulnerabilities being introduced on the regular, threat actor techniques and targets changing on a whim, you quickly realize how out of touch efforts from quarterly scanning can become.

To break through, you must get ahead of what is happening to your attack surface (all of it) and react faster. With this thought in mind, our customers quickly realize that only continuous real-time monitoring will help them keep up. It must be passive, must not affect service levels and above all, it must be continuous and supply you with information on new instances and possible malicious intent in real time.

It’s not an easy transition for any team to meet these objectives and groom their analysts to take on an offensive security posture. Even with the benefit of working with real-time tools. Without a roadmap and the right intelligence, anyone would be off to a rough start. That is why it is important to look at a maturity model to give you outside perspective and a path to get from one end of the capability spectrum to the other.

Now let’s talk about discovering and prioritizing vulnerabilities across the external threat landscape. Then we will discuss contextualizing digital risk with your business counterparts and how a maturity model can help you communicate risk and justify the business case.

Managing your response to vulnerabilities is a whole other part of attack surface management, but first you must discover them. Your approach to discovering assets is likely to correlate with your method of identifying vulnerabilities. From manual, occasional and sporadic all the way to automated, continuous, and structured, the knowledge you gain from differing methods can vary widely. How you discover vulnerabilities today is another useful data point to map to the Attack Surface Maturity Model. It will enable you to understand where and how you need to improve, or if what you are doing is already optimal.

To improve your responses to emerging and newly discovered vulnerabilities, you must expand your knowledge of external risks and threats, then pair that knowledge with your critical assets. This is how you build the contextual knowledge to prioritize vulnerabilities by digital risk, weed out what is not critical for another time, and quickly identify false positives.

Resolving vulnerabilities by deciphering quarterly scanning reports and creating service tickets is a less than optimal way to address vulnerabilities, it takes time. Time is an advantage to attackers, as the longer you leave gaps, the more they will be exploited and help adversaries achieve their objectives. CVSS scores help, but only when you know that vulnerability matches something in your environment. You can prioritize high ranking vulnerabilities, but without continuous scanning you are still operating several months too late, and in some cases your assets may not even be exploitable.

And if that were not enough, then you must meet with business stakeholders to plan for scheduled downtime of applications. At least if you could communicate vulnerabilities in real time, it would cut out at least two or three weeks of time for potential threats to dwell before being identified and managed. The good news is that if you are already prioritizing vulnerabilities, you are on the way towards benefitting sooner from new attack surface management capabilities and improving communication.

Realizing the top end of the spectrum of capabilities of ASM maturity will not only support continuously scanning, but it will automatically prioritize response based on the digital risk involved. No manual intervention is involved except for one-time tasks of rating existing and newly discovered assets by digital risk.

Ultimately you need to answer the question of what should I preemptively be looking for? This can seem like a near Houdini-like feat, but there is no reason why you can’t get there by evolving your practice with real-time threat intelligence.

Another important area of attack surface management that is difficult to navigate is understanding and applying knowledge of external attacks. To catch up to the top range of capabilities, you must factor in what is being actively exploited and understand what is going on in the external threat environment. You need to be able to have an answer for; Who is attacking us? What is their infrastructure? What is currently being exploited by threat actors?

Finally, you need to take this newfound knowledge and apply it to your supply chain partners and M&A targets. We don’t have to tell you that your supply chain offer a key opportunity for exploiting business systems to siphon-off data or money to threat actors. They represent another, much wider and deeper attack surface that must become a part of your security strategy. The top end of the ASM maturity model scale requires the capability to discover assets and scan your business partners and M&A infrastructure.

These newfound capabilities and insights must be contextualized for the business. Part of that is accomplished by measuring your results against industry standards. Gauge your efforts and benchmark it against your framework of choice, (NIST, FEDRAMP, PCI, CIS Top 18, etc.) This offers you a way to start conversations with business counterparts, so they operate with a clear picture of risk. It will help you justify remediation actions, budget, and your overall security strategy in your conversations.

Beyond these capabilities, a mature attack surface management program saves you time. It should enable you to evolve your prioritized response to include automated communications for real-time stakeholder notification. Integration with IT Ops platforms like ServiceNow or Agile platforms like JIRA can pay back further dividends towards reducing manual processes, remediation scheduling, and help your team focus on strategic initiatives.

By following a model to mature your attack surface management practice, you will find opportunities to further consolidate tools, optimize communication, respond faster, and reduce digital corporate risk.

To start maturing your knowledge of the risks and threats external to your organization, we would be happy to create a free assessment of your attack surface, click this link to do so. We will even give you a cool t-shirt to go along with it. If you prefer to tinker with products and want to personally assess your attack surface, sign up here for a free trial of our Attack Surface Management platform.



Dan Schoenbaum

2x CEO, 2x COO. Fractional Exec, Turnaround leader, Growth expert, GTM & PLG Expert, marathoner, Former IDF Sniper.