
IF MANAGED SERVICES were a carnival tent, you might imagine a boisterous MSP in a top hat harkening through a blowhorn at SMB passersby to “step right this way,” inviting them inside to witness with their own eyes the amazing magic of “attack surface management.”
Of course, ASM isn’t snake oil―it is, in fact, a strategic approach to holistic data security. But the term itself is a bit of a marketing-communications innovation. “See it for yourself, folks! The incredible shrinking attack surface!”
The National Institute of Standards and Technology describes the attack surface as the “set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.”
That sounds to many seasoned security experts a lot like the threat landscape we’ve been discussing for a number of decades now. While it may not necessarily be a novel way of thinking, the new(ish) buzzword provides a renewed context for positioning and selling security services to SMB owners and decision makers.
“We’re full of terms, and sometimes I wonder what they actually mean,” quips Oli Thordarson, CEO of Alvaka Networks, an Irvine, Calif.-based MSP with a specialty service in ransomware recovery. “But I see so many IT departments looking to buy the silver bullet,” he says. “And they have no business buying them if they don’t get the basics done, like patching software and the firewall.”
Still, the more MSPs can talk about the “big picture” of security, Thordarson says, the better off everyone will be.
Lawrence Cruciana, president of Charlotte, N.C.-based Corporate Information Technologies, a cybersecurity-focused MSP, agrees. With a long career managing security in highly regulated markets, Cruciana can definitely appreciate a channel jargon joke. “‘Zero trust’ is another great word,” he notes. “There are a lot of vendors that made a lot of money selling zero trust.”
At the end of the day, though, Cruciana concurs with Thordarson that clients need to have a good understanding of their ecosystem as well as the attack surface.
Types Of Attack Surfaces
The attack surface is all-encompassing, but it can be helpful to break all areas of potential attack into categories:
- Technical―Sometimes called the “digital” surface, this refers to the configurations and vulnerability management of the underlying systems.
- Physical―The hardware, office space, server room, etc.
- Social engineering―The people and the information about them and available to them.
These categories have soft, blending boundaries, with their characteristics sometimes overlapping as in a Venn diagram. Network access is a good example. A user’s login (social engineering) may enable access to a certain area, but it’s important to think about the limits within the network that that login should provide (technical).
The term “zero trust” is born of this interdependent relationship among attack surface types. “‘Conditional access’ was once the buzzword,” Cruciana says. “But, essentially, it means letting people do what they need to do—and defining when and where that might be—without being overly permissive.”
ASM 101
For many SMBs, the attack surface can feel like a sprawling void of overwhelming endlessness. This is where the MSP can be the voice of reason in helping them to shrink that threat.
“In the MSP and security space, we’re in the business of surprise elimination,” says Cruciana. “We can be proactive in eliminating surprises by understanding and thinking about the entire attack surface.”