Attack surface management


Attack surface management: you can’t protect what you can’t see

By Marios Kyriacou 


Wikipedia defines the attack surface of a software environment as “the sum of the different points where an unauthorised user can try to enter data, extract data, control a device or critical software in an environment.” It goes on to say: “Keeping the attack surface as small as possible is a basic security measure.”

This is not easy. The attack surface in any corporate IT environment can be huge, and the rapid rise of remote working brought on by COVID-19 massively increased the attack surface of many organisations.

Any CISO trying to rein in the ever-expanding attack surface of their IT environment is likely to be facing a losing battle. They will devote significant resources to making penetration as difficult as possible, stress testing their systems and identifying potential threats.

Those activities are essential, of course, but a comprehensive understanding of that attack surface would enable other security initiatives to be deployed more efficiently and make them more effective.

A decade ago, I ran a specialist penetration testing business called The Security Bureau. What soon became clear was that our customers could not tell us what should be tested: they were unsure which of their assets were exposed to the Internet.

Since then the challenge of identifying the Internet-facing attack surface, let alone the entire attack surface—which is much larger—has increased enormously for almost every organisation.

It’s an adage that you cannot protect what you cannot see. Being able to identify every external facing asset is an essential first step in protecting them.

There was a need back then, and therefore a business opportunity. So, in 2018 I launched Informer and the Informer External Attack Surface Management (ASM) Service, which combined asset discovery with penetration testing of those external facing assets. The service continually scanned and mapped an organisation’s digital footprint, including web domains, subdomains, IPs and cloud services, and tracked changes over time, providing valuable intelligence for human-driven offensive testing (e.g. penetration testing and crowdsourced testing).
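The part of that service that is easiest to show in code is the change tracking: once discovery has produced an inventory of Internet-facing hosts, the useful signal is what appeared, disappeared or changed since the last run. The following is an added, illustrative example and is not Informer's or Bugcrowd's code. It assumes a simple snapshot format of one host per line (hostname, resolved IP, observed open TCP ports), two constructed snapshots of a fictional example.com estate, and a hypothetical watch-list of ports that should not normally be exposed; discovery itself (DNS enumeration, port scanning, cloud account inventory) is out of scope here.

```python
"""Illustrative external attack surface change tracker (added example).

Compares two snapshots of discovered Internet-facing assets and reports new
hosts, removed hosts, newly opened or closed ports and IP changes, ranked so
that the exposures most worth a human tester's attention come first.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical watch-list for this example: services that are rarely meant to
# be reachable from the Internet (remote admin, databases, caches).
SENSITIVE_PORTS = frozenset({21, 22, 23, 3306, 3389, 5432, 5900, 6379, 9200, 27017})

# Constructed sample data: the same estate scanned on two different days.
SNAPSHOT_T0 = """
# hostname            ip            open TCP ports ('-' = none observed)
www.example.com       203.0.113.10  80,443
api.example.com       203.0.113.11  443
vpn.example.com       203.0.113.12  443
legacy.example.com    203.0.113.13  80
"""

SNAPSHOT_T1 = """
www.example.com       203.0.113.15  80,443
api.example.com       203.0.113.11  443,8080
vpn.example.com       203.0.113.12  443,22
staging.example.com   203.0.113.20  80,443,3306
"""


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    ports: FrozenSet[int]


@dataclass
class Delta:
    new_hosts: List[Asset] = field(default_factory=list)
    removed_hosts: List[Asset] = field(default_factory=list)
    opened: Dict[str, FrozenSet[int]] = field(default_factory=dict)  # host -> newly open ports
    closed: Dict[str, FrozenSet[int]] = field(default_factory=dict)  # host -> ports no longer open
    moved: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # host -> (old ip, new ip)


def parse_snapshot(text: str) -> Dict[str, Asset]:
    """Parse '<hostname> <ip> <ports>' lines into a hostname-keyed inventory.

    Blank lines and '#' comments are ignored. A duplicate hostname is rejected
    because a snapshot must hold exactly one record per discovered host.
    """
    assets: Dict[str, Asset] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        host, ip, port_field = parts
        host = host.lower().rstrip(".")
        if host in assets:
            raise ValueError(f"line {lineno}: duplicate host {host}")
        ports = frozenset() if port_field == "-" else frozenset(int(p) for p in port_field.split(","))
        if any(p < 1 or p > 65535 for p in ports):
            raise ValueError(f"line {lineno}: port out of range")
        assets[host] = Asset(host, ip, ports)
    return assets


def diff_snapshots(old: Dict[str, Asset], new: Dict[str, Asset]) -> Delta:
    """Compute what changed between two inventories, host by host."""
    delta = Delta()
    for host in sorted(new.keys() - old.keys()):
        delta.new_hosts.append(new[host])
    for host in sorted(old.keys() - new.keys()):
        delta.removed_hosts.append(old[host])
    for host in sorted(old.keys() & new.keys()):
        before, after = old[host], new[host]
        if after.ports - before.ports:
            delta.opened[host] = after.ports - before.ports
        if before.ports - after.ports:
            delta.closed[host] = before.ports - after.ports
        if before.ip != after.ip:
            delta.moved[host] = (before.ip, after.ip)
    return delta


def findings(delta: Delta) -> List[Tuple[str, str]]:
    """Turn a Delta into (severity, message) pairs, most urgent first."""
    out: List[Tuple[str, str]] = []
    for a in delta.new_hosts:
        sev = "high" if a.ports & SENSITIVE_PORTS else "medium"
        out.append((sev, f"{a.hostname}: new Internet-facing host {a.ip} with ports {sorted(a.ports)}"))
    for host, ports in delta.opened.items():
        sev = "high" if ports & SENSITIVE_PORTS else "medium"
        out.append((sev, f"{host}: newly open ports {sorted(ports)}"))
    for host, (old_ip, new_ip) in delta.moved.items():
        out.append(("medium", f"{host}: now resolves to {new_ip} (was {old_ip}); confirm the new address is still yours"))
    for host, ports in delta.closed.items():
        out.append(("info", f"{host}: ports {sorted(ports)} no longer open"))
    for a in delta.removed_hosts:
        out.append(("info", f"{a.hostname}: no longer discovered; confirm it was decommissioned and its DNS records removed"))
    rank = {"high": 0, "medium": 1, "info": 2}
    out.sort(key=lambda f: (rank[f[0]], f[1]))
    return out


if __name__ == "__main__":
    delta = diff_snapshots(parse_snapshot(SNAPSHOT_T0), parse_snapshot(SNAPSHOT_T1))
    for sev, msg in findings(delta):
        print(f"[{sev}] {msg}")
```

On the constructed data the report leads with the new staging host exposing MySQL and the SSH port that appeared on the VPN gateway, then the new 8080 service on the API host and the changed IP of www, and finally the host that vanished, which is worth a check because a DNS record left pointing at a released address is a takeover risk rather than a reduction in attack surface.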

And we’ve been evolving Informer ASM ever since. Earlier this year the company was acquired by Bugcrowd, the leading provider of crowdsourced security. There are strong synergies between the two companies, and we are exploiting these to help organisations meet the ever-growing challenges of ASM.

When I launched Informer, ASM was in its infancy. Back in 2021, according to Straits Research, the ASM market was worth about $0.5bn. At that time less than 10% of organisations had formal ASM programmes in place. It’s estimated that 60% will have them by 2026. And the ASM market has grown to $1.4bn in 2024. Straits Research forecasts a 27.7% CAGR to 2032, taking the value of the market to $9.1bn.

It is not difficult to see why the ASM market is experiencing such growth. It reflects the growth, not only in size but in complexity, of attack surfaces in corporate IT.

I mentioned the remote working that COVID-19 brought on. Another factor increasing the number of entry points even faster than Covid-era remote workers is IoT. According to one report, there will be 18.8bn connected devices by the end of 2024 and 41bn by 2030. The disconnect between operational technology and information technology in many organisations has long made securing these devices a challenge.

The growth of remote work and connected devices has massively increased the number of entry points. Other developments present much more sophisticated challenges for ASM. The use of AI by both corporate IT and cybercriminals is possibly the most significant and challenging development. It creates new attack surfaces whose vulnerabilities can be difficult to assess and that can be difficult to protect. And of course, AI is being exploited by cybercriminals to accelerate their efforts and craft more complex attacks.

Every year for the past several years Bugcrowd has surveyed the ethical hacker community to gather its views on a variety of IT security issues and challenges. Bugcrowd publishes its findings in its annual Inside the Mind of a Hacker report. Not surprisingly, AI features prominently in the 2024 edition, as both a security tool and a security threat.

Seventy-seven per cent of those surveyed are already leveraging AI in their hacking activities, and 82% believe the AI threat landscape is evolving too fast to adequately secure. While security vendors are racing to provide solutions that secure the AI attack surface, ethical hackers responding to Bugcrowd’s survey were split almost 50/50 on whether existing security solutions meet the needs and risks of AI.

Meanwhile, 50% say AI has already had a positive impact on their hacking activities.

Almost half of the hackers surveyed believe AI will never beat them in value or effectiveness, because AI is still only as good as the human creativity that drives it. Humans are truly creative, and good hackers bring a level of creativity that AI lacks. They think outside of the box, which gives them an advantage over machine learning models and predictive AI.

However, AI can be an enormous help. A task that could have taken hours can take just a few minutes. As one respondent said: “AI is great for helping to understand error conditions in binary protocols that I’m not as familiar with.”

AI could also help organisations to get a clearer picture of the ever-expanding attack surface and potential weaknesses in their defences. Expect significant developments as ASM tools leverage AI to address the new challenges that AI will create. We intend to leverage AI to shrink the effective attack surface faster than the bad guys can exploit AI to open it up.

