5 min reading Wed Mar 29 2023
Attack Surface Management or Penetration testing, which one do I need?
"I don't think we need your solution because we already perform penetration testing annually." This is something we often hear during an initial meeting with a potential customer. And that's a good thing because it helps improve your cybersecurity defenses.
Both penetration testing and attack surface management solutions are proactive cybersecurity measures that give customers visibility into risks that can be remotely exploited by hackers. But pen tests have some important limitations that you need to be aware of. And that's where attack surface management comes in.
Let’s start with some definitions.
What’s attack surface management
Attack surface management (ASM) is the continuous process of discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization's attack surface. Like penetration testing and ethical hacking, ASM is performed from a hacker's perspective. It identifies targeted IT and network assets and assesses security risks based on the opportunities they present to a malicious attacker.
ASM solutions automate asset discovery and security analysis, using many of the same methods and tools used by hackers. Many ASM tasks and technologies are also used by (and designed by) pen testers to reduce the amount of manual work.
What’s penetration testing
Penetration testing, also known as "pen testing" or "ethical hacking," is a method of gaining assurance about the security of an IT system in which an expert in cybersecurity attempts to breach all or part of the security of that system in a predetermined time frame (ranging from a few days to several weeks), using the same tools and techniques as a hacker.
Key differences between penetration tests and attack surface management
They have a different purpose
Penetration testing should be regarded as a method of gaining assurance in a company's vulnerability assessment and management processes, not as a primary method of detecting vulnerabilities. A penetration test can be viewed as a financial audit. While the internal financial team tracks costs and revenues on a daily basis, an audit by an external party ensures that your internal processes and controls are adequate.
Attack surface management solutions, on the other hand, help internal security teams continuously detect vulnerabilities.
They have a different scope
Pentests are performed on a small, predefined number of assets. On these selected assets a broad array of tests are executed, some manual, some automated. But while penetration tests go deep, their scope is usually limited to a handful of, usually critical, systems. The main reason of the limitation of scope is the significant cost of a pentest.
An attack surface scan uncovers the entire landscape of externally visible IT and network systems, also referred to as the digital footprint of a company. On the assets detected, the attack surface solution runs a series of automated tests to detect vulnerabilities and other security risks.
They have a different timeframe
Pen tests give you a picture of the risks at a given point in time. However, a company's IT is constantly changing. New applications are launched, new network systems are introduced, updates to existing applications and systems are made, old resources are decommissioned, administrative privileges are changed.... Penetration tests will not detect security issues resulting from these changes until the next pen test is performed.
ASM platforms continuously scan for changes in the digital footprint and detect vulnerabilities resulting from these changes.
The tests are different
ASM testing is automated and focuses on detecting vulnerabilities, not exploiting them. The tests do not disrupt the operation of IT and network systems or trigger intrusion detection alerts.
While ASM testing is usually non-intrusive and can be used to scan and monitor production environments, for pen tests it is recommended that the tests be performed on pre-production or staging environments because they can be intrusive. Penetration testers try to exploit vulnerabilities with "human creativity," revealing more details about the vulnerabilities and how exploitable they are. Pentests are more thorough.
Passive ASM scanning can be supplemented by targeted active vulnerability scans. Active vulnerability scanners perform many more tests than passive scanners and thus are more accurate, but also more intrusive. Thus, as with pen tests, they must be targeted to specific assets and their execution must be planned. Active scans can be considered a low-cost alternative to pen tests. Although they lack the "human touch," they can expose most vulnerabilities at a fraction of the cost of pen tests.
The costs are different
Penetration testing is performed by experienced cybersecurity experts, who require regular training to stay abreast of the latest threats and techniques. This translates into a high daily rate. The total number of days and cost of a pen test depends on the number of applications selected. The average pen test takes between 5 and 10 business days and costs between 3 500 and 10 000 euros per test.
Attack surface management solutions have a recurring fee, as the service consists of a series of recurring automated tests, starting at 2 500 euros per year.
Which one should you choose?
Both services have their place in the ecosystem of cybersecurity solutions. Attack Surface Management services are used to map an enterprise's digital footprint and identify externally identifiable vulnerabilities, possibly using an active vulnerability scanner. They are used as a starting point for internal security teams to identify vulnerabilities that are then fixed. They are also used by pentesters to find entry points to begin their work, and they are used by hackers as a starting point for their malicious activities. By remediating the risks made visible by an ASM service, hackers are discouraged from continuing their attempts. Read more about the benefits of attack surface management here.
If you want to be as confident as possible that specific mission-critical solutions are properly secured, or if you want to test whether your preventive and protective cyber security defense mechanisms and procedures are properly defined, implemented and executed, then an ad-hoc pen test is what you need.
Dries leads the marketing and product management activities at Ceeyu. Before joining Ceeyu, he worked in similar roles at Voxbone (now Bandwidth.com) and Orange. Dries also worked in management consulting (at Greenwich, now EY Parthenon). He is a B2B marketer at heart, with a very strong affinity for technology.