What is ASM in security?

Last Updated on March 15, 2023 by Dave Farquhar

What is ASM in security? ASM stands for attack surface management. It solves a real security problem. But it may not be the security problem that you think it solves, and it also doesn’t solve it as completely as it sounds like it may. Let’s talk about what ASM does and whether you might want it.

How ASM works

ASM sounds like a miracle. You give the tool your registered domain name, and it finds your public facing internet presence. Like magic. And then it scans them for vulnerabilities and reports back to you. And the best tools of this kind even correlate what they find with threat intelligence, to help you figure out what to fix first.

Did I say it sounds like a miracle?

Of course, there is a catch. And it is significant.

The problem with ASM

The problem with this approach is how much it misses. It can only scan what is visible from the internet, which isn’t necessarily a full picture of the machines attack service. It works off the assumption that all attacks come from your public facing presence. In reality, a significant number of attacks come over other means, such as email. When someone asks me how I would hack their company, I never say through their web presence. If I wanted to hack someone, I would apply for a job there.

The other problem, since ASM scans are not authenticated, is the number of false positives and false negatives. The findings that your prioritizing may not be real. Also, the data will have only vague advice on how to fix the issue. It won’t be able to tell you what file the vulnerability exists in, making it difficult to figure out how to fix it. In order to fix what the ASM tools find, you will have to scan those systems from the inside with a traditional VM tool, such as Qualys or Nessus.

The problem ASM tools solve

ASM sounds like a replacement for traditional VM and a penetration test all in one. But really it is neither. The problem it does potentially solve is the problem of external asset inventory .

Nobody knows how many computer systems they own and where they reside. The sounds like an absurd assertion, but anytime someone tells me they have an elite security program, the look on their face when I ask them about their asset inventory tells me everything. You can only protect what you know about.

And if you have rogue systems in your public facing IP space, that can be a huge problem. What’s running on those systems? What information is on those systems? Who vetted all of it? Just getting it done and cutting through red tape is a very American way of doing things and very much admired here, and it’s great until something goes wrong. And that thing going wrong might not necessarily be a breach or a lawsuit. Those are the two most obvious things, and perhaps the most costly things, but what if that improperly set up system fails? Now that system you were depending on has no fail safes and you’re losing money. The red tape exists to partly to ensure the system is getting back ups and has some way to deal with other general failures.

Why not use your existing VM scanner?

It turns out that traditional VM tools aren’t real good at building an inventory of your external space, at least not quickly. I can use those tools to tell you what has come and gone over the course of a long period of time, say 30 days, and maybe I can scale down to 7, but I absolutely can’t scale down to 24 hours. I’ve tried.

If the ASM tools can tell you what new IP addresses and ports went live in the last 24 hours, they solve a problem no one else has. But the risk is also that they don’t scale down to a 24-hour period any better than the vulnerability scanners. If that’s a requirement for you, make sure you figure that out during the proof of value phase, before you’ve spent any money.