SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
You need to see your attack surface if you want to manage it

One of the most basic security measures is to keep the attack surface as small as possible. That is obvious and sensible, but although "shrinking the attack surface" is an attractive goal, it is not easy to achieve.

The attack surface of a corporate IT environment can be huge, and for many organisations it is still growing. In a connected world, organisations have no choice but to expose their systems to the Internet, suppliers, partners, customers, and remote devices. In the post-COVID environment, the rapid rise of remote working means that even your own staff are inadvertently adding to the problem.

So any CISO trying to rein in the ever-expanding attack surface of their IT environment is likely fighting a losing battle. They devote significant resources to making penetration as difficult as possible, stress testing their systems and identifying potential threats.

Those activities are essential, of course, but a comprehensive understanding of that attack surface would enable other security initiatives to be deployed more efficiently and make them more effective.

You can't protect what you can't see

A decade ago, I ran a specialist penetration testing business. What soon became apparent was that our customers could not tell us what should be tested: they were unsure which of their assets were exposed to the Internet. 

Since then, the challenge of identifying the Internet-facing attack surface, let alone the entire attack surface—which is much larger—has increased enormously for almost every organisation.

You cannot protect what you cannot see. Identifying every external-facing asset is the essential first step in protecting those assets.

Giving organisations a clearer view of their attack surface presented a business opportunity. So, in 2018, I formed a new company, Informer, selling an external attack surface management (ASM) service that combined asset discovery with penetration testing of those external-facing assets. The service continually scanned and mapped an organisation's digital footprint—including web domains, subdomains, IPs, and cloud services—and tracked changes over time, providing valuable intelligence for enhanced human-driven offensive measures such as penetration and crowdsourced testing.
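The "track changes over time" part of that service is the core loop of any ASM programme: take a fresh snapshot of what is discoverable from the Internet, compare it with the last one, and flag what is new, what has gone, and what nobody in the asset register admits to owning. The example below is added here to illustrate that loop; it is not Informer's or Bugcrowd's code, and the Asset model, hostnames and addresses are constructed for the illustration.

```python
# Added example (not Informer's or Bugcrowd's code): diff two snapshots of an
# organisation's external assets and report attack-surface drift.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str            # discovered hostname
    ip: str              # address it resolved to at scan time
    ports: frozenset     # TCP ports seen open from the Internet
    source: str          # discovery method: "dns", "cert" or "cloud"

def drift(previous, current, owned_hosts):
    """Return new/removed hosts, newly exposed ports, and hosts nobody owns."""
    prev = {a.host: a for a in previous}
    curr = {a.host: a for a in current}
    report = {"new_hosts": [], "removed_hosts": [], "new_ports": {}, "unowned": []}
    for host, asset in curr.items():
        if host not in prev:
            report["new_hosts"].append(host)
        else:
            opened = asset.ports - prev[host].ports   # services exposed since last scan
            if opened:
                report["new_ports"][host] = sorted(opened)
        if host not in owned_hosts:                   # shadow IT or forgotten asset
            report["unowned"].append(host)
    report["removed_hosts"] = sorted(set(prev) - set(curr))
    report["new_hosts"].sort()
    report["unowned"].sort()
    return report

# Constructed snapshots: RFC 5737 documentation addresses and example.com names.
SNAPSHOT_T0 = [
    Asset("www.example.com", "203.0.113.10", frozenset({443}), "dns"),
    Asset("vpn.example.com", "203.0.113.20", frozenset({443}), "dns"),
    Asset("old-cms.example.com", "203.0.113.30", frozenset({80}), "cert"),
]
SNAPSHOT_T1 = [
    Asset("www.example.com", "203.0.113.10", frozenset({443}), "dns"),
    Asset("vpn.example.com", "203.0.113.20", frozenset({443, 22}), "dns"),
    Asset("staging-api.example.com", "198.51.100.5", frozenset({8080}), "cert"),
    Asset("assets-bucket.example.com", "198.51.100.7", frozenset({443}), "cloud"),
]
# Constructed asset register: what the organisation believes it exposes.
KNOWN_OWNED = {"www.example.com", "vpn.example.com", "old-cms.example.com"}

def run_example():
    return drift(SNAPSHOT_T0, SNAPSHOT_T1, KNOWN_OWNED)
```

In the constructed run, the report flags two hosts that appeared between scans and are missing from the register, one newly exposed port on the VPN host, and one host that has vanished; each of those is a question for the asset owner, not an answer.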

And we've been evolving Informer ASM ever since. Earlier this year, the company was acquired by Bugcrowd, the leading provider of crowdsourced security. There are strong synergies between the two companies, and we are exploiting these to help organisations meet the ever-growing challenges of ASM.

The IoT factor 

When I launched Informer, ASM was in its infancy. Back in 2021, according to Straits Research, the ASM market was worth about $0.5bn. At that time, less than 10% of organisations had formal ASM programmes. It's estimated that 60% will have them by 2026. And the ASM market has grown to $1.4bn in 2024. Straits Research forecasts a 27.7% CAGR to 2032, taking the value of the market to $9.1bn.

It is not difficult to see why the ASM market is growing so fast: it reflects the increase not only in the size but also in the complexity of corporate IT attack surfaces.

The COVID-induced surge in remote working was one factor, but another development that increased the number of entry points even faster than changing working practices is IoT. According to one report, there will be 18.8bn connected devices by the end of 2024 and 41bn by 2030. The disconnect between operational and information technology in many organisations has long made securing these devices challenging.

AI, for better or for worse

The growth of remote work and connected devices has massively increased the number of entry points. Other developments present much more sophisticated challenges for ASM. The use of AI by both corporate IT and cybercriminals is possibly the most significant and challenging development. It creates new attack surfaces whose vulnerabilities can be difficult to assess and that can be difficult to protect. And, of course, cybercriminals are exploiting AI to accelerate their efforts and craft more complex attacks.

Every year for the past several years, Bugcrowd has surveyed the ethical hacker community to gather its views on a variety of IT security issues and challenges. Bugcrowd publishes its findings in its annual Inside the Mind of a Hacker report. Not surprisingly, AI features prominently in the 2024 edition as both a security tool and a security threat.

Seventy-seven per cent of those surveyed are already leveraging AI in their hacking activities, and 82% believe the AI threat landscape is evolving too fast to adequately secure. While security vendors are racing to provide products that secure AI attack surfaces, ethical hackers responding to Bugcrowd's survey were split almost 50/50 on whether existing security solutions meet the needs and risks of AI.

Meanwhile, 50% say AI has already positively impacted their hacking activities, and 77% already leverage AI in their work.

Almost half of the hackers surveyed believe AI will never beat them in value or effectiveness because AI is still only as good as the human creativity that drives it. Humans are genuinely creative, and good hackers bring the creativity that AI lacks. They think outside the box, giving them an advantage over machine learning models and predictive AI.

Battle for the attack surface

However, AI can be an enormous help. A task that could have taken hours can take just a few minutes. As one respondent said: "AI is great for helping to understand error conditions in binary protocols that I'm not as familiar with." 

AI could also help organisations to get a clearer picture of the ever-expanding attack surface and potential weaknesses in their defences. Expect significant developments as ASM tools leverage AI to address the new challenges that AI will create. We intend to use AI to shrink the effective attack surface faster than the bad guys can exploit AI to open it up. 
