Attack Surface Management – Is it just another buzzword or is it something more?
Tales from a Security Professional – Richard De Vries
The SANS Institute and Gartner have already drafted various documents, reports, and guides on Attack Surface Management. Therefore, one might think it is crucial to implement, and that you should invest in it.
According to IBM's website, Attack Surface Management consists of 3 fundamental components: the digital surface, the physical surface, and the social engineering surface. Before you can start thinking about Digital Attack Surface Management, you need to know and understand your network. Is your CMDB trustworthy, and are all assets correctly registered in it? Do you conduct vulnerability scanning on all your assets at regular intervals? Once you add live monitoring data to the equation, you are in a position to identify where a possible adversary is attacking you. However, this is also the moment when you will be hammered by the data avalanche that comes with adding live monitoring data.
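The CMDB and scan-coverage questions above can be answered by reconciling three data sets: the CMDB export, the hosts seen by network discovery, and the last vulnerability-scan date per host. The following is an added example, not code from the original article; the IP addresses, hostnames, dictionary layout and the 30-day scan interval are all assumptions.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample data (not from the article). Keys are IP addresses.
CMDB = {"10.0.0.10": "web-01", "10.0.0.11": "db-01", "10.0.0.12": "old-print-01"}
DISCOVERED = {"10.0.0.10", "10.0.0.11", "10.0.0.50"}  # hosts seen on the network
LAST_SCAN = {"10.0.0.10": date(2024, 5, 28), "10.0.0.11": date(2024, 3, 1)}


def _sorted_ips(ips):
    # Sort numerically so 10.0.0.9 comes before 10.0.0.10.
    return sorted(ips, key=ipaddress.ip_address)


def reconcile(cmdb, discovered, last_scan, today, max_age_days=30):
    """Compare CMDB, live discovery and scan history; return the gaps."""
    registered = set(cmdb)
    cutoff = today - timedelta(days=max_age_days)  # assumed scan interval
    never_scanned = {ip for ip in discovered if ip not in last_scan}
    overdue = {ip for ip in discovered
               if ip in last_scan and last_scan[ip] < cutoff}
    in_date = discovered - never_scanned - overdue
    return {
        # Live on the network but missing from the CMDB.
        "unregistered": _sorted_ips(discovered - registered),
        # Registered in the CMDB but not seen on the network.
        "stale_cmdb": _sorted_ips(registered - discovered),
        # Live hosts with no scan record at all.
        "never_scanned": _sorted_ips(never_scanned),
        # Live hosts whose last scan is older than the interval.
        "scan_overdue": _sorted_ips(overdue),
        # Share of live hosts scanned within the interval.
        "scan_coverage": len(in_date) / len(discovered) if discovered else 0.0,
    }


if __name__ == "__main__":
    report = reconcile(CMDB, DISCOVERED, LAST_SCAN, today=date(2024, 6, 1))
    for finding, value in report.items():
        print(f"{finding}: {value}")
```

Each non-empty list is a gap to close before adding live monitoring data: unregistered and stale entries concern knowing your network and assets, while the scan findings concern knowing your known vulnerabilities.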
When you have decided to go for Digital Attack Surface Management, you might want to follow this maturity approach.
Level 1: know your network
Level 2: know your assets
Level 3: know your known vulnerabilities
Level 4: know your events
Level 5: Let’s hunt
Physical Attack Surface Management
Physical Attack Surface Management is as important as Digital Attack Surface Management. When you harden each asset according to the CIS-Benchmark standard, you are also addressing Physical Attack Surface Management when you disable physical ports on an asset. Yes, implementing the CIS-Benchmark standard is a lot of work.
Social Engineering Attack Surface Management
Social Engineering Attack Surface Management is about raising the level of awareness and running frequent user awareness campaigns.
Link: https://tales-from-a-security-professional.com/attack-surface-management-is-it-just-another-buzzword-or-is-it-something-more-70d4501e2cd8