Experts Opinion
Attack surface management
Attack surface management: you can’t protect what you can’t see By Marios Kyriacou Wikipedia defines the attack surface of a software environment as “the sum of the different points where an unauthorised user can try to enter data, extract data, control a device or critical software in an environment.” It goes on to say. “Keeping the attack surface as small as possible is a basic security measure.” This is not easy. The attack surface in any corporate IT environment can be huge, and the rapid rise of remote working brought on by COVID-19 massively increased the attack surface of many organisations. Any CISO trying to rein in the ever-expanding attack surface of their IT environment is likely to be facing a losing battle. They will devote significant resources to making penetration as difficult as possible, stress testing their systems and identifying potential threats. Those activities are essential, of course, but a comprehensive understanding of that attack surface would enable other security initiatives to be deployed more efficiently and make them more effective. A decade ago, I ran a specialist penetration testing business called The Security Bureau. What soon became clear was that our customers could not tell us what should be tested: they were unsure which of their assets were exposed to the Internet. Since then the challenge of identifying the Internet-facing attack surface, let alone the entire attack surface—which is much larger—has increased enormously for almost every organisation. It’s an adage that you cannot protect what you cannot see. Being able to identify every external facing asset is an essential first step in protecting them. There was a need back then, and therefore a business opportunity. So, in 2018 I launched Informer and the Informer External Attack Surface Management (ASM) Service, which combined asset discovery with penetration testing of those external facing assets. The service continually scanned and mapped an organisation’s digital footprint—including web domains, subdomains, IPs, and cloud services—and tracked changes over time, providing valuable intelligence for enhanced human-driven offensive testing (eg, penetration and crowdsourced testing). And we’ve been evolving Informer ASM ever since. Earlier this year the company was acquired by Bugcrowd, the leading provider of crowdsourced security. There are strong synergies between the two companies, and we are exploiting these to help organisations meet the ever-growing challenges of ASM. When I launched Informer, ASM was in its infancy. Back in 2021, according to Straits Research, the ASM market was worth about $0.5bn. At that time less than 10% of organisations had formal ASM programmes in place. It’s estimated that 60% will have them by 2026. And the ASM market has grown to $1.4bn in 2024. Straits Research forecasts a 27.7% CAGR to 2032, taking the value of the market to $9.1bn. It is not difficult to see why the ASM market is experiencing such growth. It reflects the growth, not only in size but in complexity, of attack surfaces in corporate IT. I mentioned that COVID-19 induced remote working. Another factor increasing the number of entry points even faster than Covid-era remote workers is IoT. According to one report, there will be 18.8bn connected devices by the end of 2024 and 41bn by 2030. The disconnect between operational technology and information technology in many organisations has long made securing these a challenge. The growth of remote work and connected devices has massively increased the number of entry points. Other developments present much more sophisticated challenges for ASM. The use of AI by both corporate IT and cybercriminals is possibly the most significant and challenging development. It creates new attack surfaces whose vulnerabilities can be difficult to assess and that can be difficult to protect. And of course, AI is being exploited by cybercriminals to accelerate their efforts and craft more complex attacks. Every year for the past several years Bugcrowd has surveyed the ethical hacker community to gather its views on a variety of IT security issues and challenges. Bugcrowd publishes its findings in its annual Inside the Mind of a Hackerreport. Not surprisingly AI features prominently in the 2024 edition, as both a security tool and a security threat. Seventy-seven per cent of those surveyed are already leveraging AI in their hacking activities, and 82% believe the AI threat landscape is evolving too fast to adequately secure. While security vendors are racing to provide security solutions that secure the AI attack surface, ethical hackers responding to Bugcrowd’s survey were split almost 50/50 on whether existing security solutions meet the needs and risks of AI. Meanwhile, 50% say AI has already had a positive impact on their hacking activities and 77% are already leveraging AI in their work. Almost half of the hackers surveyed believe AI will never beat them in value or effectiveness, because AI is still only as good as the human creativity that drives it. Humans are truly creative, and good hackers bring a level of creativity that AI lacks. They think outside of the box, which gives them an advantage over machine learning models and predictive AI. However, AI can be an enormous help. A task that could have taken hours can take just a few minutes. As one respondent said: “AI is great for helping to understand error conditions in binary protocols that I’m not as familiar with.” AI could also help organisations to get a clearer picture of the ever-expanding attack surface and potential weaknesses in their defences. Expect significant developments as ASM tools leverage AI to address the new challenges that AI will create. We intend to leverage AI to shrink the effective attack surface faster than the bad guys can exploit AI to open it up. Get in touch For event sponsorship enquiries, please get in touch at olliver.toke@31media.co.uk or calum.budge@31media.co.ukFor media enquiries, please get in touch with vaishnavi.nashte@31media.co.uk
How 5G and AI are revolutionising industries for the next billion users
As the insurance industry navigates a rapidly evolving landscape, Fadata looks ahead to 2025 and
The partnership that will prevent vape sales to minors
Johnston Retail Services has partnered with Privately SA to bring the AgeAI app to Ireland,
Winners Announced for the North American Software Testing Awards 2024
Toronto, Canada – The winners of the North American Software Testing Awards 2024 have been officially
Adapting Security Strategies for the Gen AI Era
Generative AI is Evolving—Is Your Security Strategy Keeping Pace? Generative AI has quickly become a
Enhancing organisational sustainability with carbon management dashboards
With net zero and carbon reduction increasingly becoming a focal point for organisations, support through
Winners Announced for The European Software Testing Awards 2024
London, November 20, 2024 – The winners of the European Software Testing Awards 2024 have
Bitcoin will reach $100k before Trump takes office
As Donald Trump heads back to the White House, a University of Sussex professor who
2025 Ireland Salary Guide reveals latest emerging employment trends
Generative AI adoption accelerates – nearly 70% of businesses encourage their staff to use AI
Tricentis launches qTest Copilot to empower QA Organisations to Ship Quality Software Faster
Tricentis, a global leader in continuous testing and quality engineering, today announced the expansion of
AI decreases human-generated content, limiting data for training AI
The use of ChatGPT has led to a decrease in human-generated content with people asking
How open-source is shaping the future of innovation
Open-source technology has significantly shaped how industries approach complex technical challenges and foster innovation. It
How AI is transforming businesses
This article is published in collaboration with the AI Awards & Summit. Enter the awards