Vulnerability Management vs Attack Surface Management


These two management programs often get confused. After all, both generally deal with the same assets and aim to solve and optimize the same problems. Before we dive in, let’s look at what each program encompasses.

What is an attack surface?

An attack surface in cybersecurity is any point or asset — physical or digital — from which an unauthorized person may try to breach or extract data. This is not limited to technology-based surfaces like laptops, servers, or workstations, but also includes things like phishing scams — which inherently take advantage of the human attack surface through social engineering and other exploits.

Sometimes, the terms “surface” and “vector” get confused, but they are not the same thing. The surface is the exposed element that has the potential to be attacked (the asset), and the vector is the means by which a threat actor is attacking that surface (the action or exploit).

What is a vulnerability?

In cybersecurity terms, a vulnerability is a ‘weak spot’ on a piece of surface that has the potential to be exploited, most often a cyber asset that can be reached via an IP address.

So, a vulnerability management program considers that singular piece of surface as an independent asset and doesn’t necessarily consider how it interplays with the rest of the organization’s environment via people, processes, and technology.

So, how are they fundamentally different as concepts?

Vulnerability management is a subset of attack surface management. Attack surface management takes a more holistic and strategic view of the entirety of an organization’s cyber security programs, accounting for everything that is either inward- or outward-facing. These programs consider everything that might pierce the veil of security, including all technology surfaces as well as things like the human surface (phishing scams). They recognize the interconnectedness of cyber assets and how those assets may affect each other if a breach occurs. An organization’s attack surface grows through things like IoT and BYOD.

Vulnerability management, on the other hand, essentially zooms into a section of the environment and focuses more on the internal, software-based cyber landscape and the individual assets that may be targeted by threat actors. It doesn’t primarily concern itself with the interconnectedness of systems and devices, though it can work that out when action on a specific asset is needed.

For more discussion on vulnerability management and attack surface management, listen to Kirk Hogan, CIO (Iceberg), and Allan Liska, CSIRT (Recorded Future), break down the two programs further in our Ask the Expert video.

Additionally, tune into our webinar on maturing vulnerability management, “Sweeten up your approach: Vulnerabilities and knowing exactly where to look,” taking place on Wednesday, November 10th at 1:30 pm Eastern.

See all the ‘Ask the Expert’ videos in this series related to vulnerability management:

Ask the Expert Part 1: Why CVSS isn’t enough?
Ask the Expert Part 2: How can I make my vulnerability solution more responsive?
Ask the Expert Part 3: How do you level up your vulnerability management?
Ask the Expert Part 4: What is the difference between vulnerability management and attack surface management?
