Your Attack Surface Is a Dumpster Fire—Let’s Fix That
If you’re not managing your attack surface, someone else is. And spoiler: they’re not on your side.
Attack Surface Management (ASM) is one of the most foundational, yet most misunderstood, practices in cybersecurity today. In a recent livestream Hacker Valley hosted, Brian Markham, CISO at EAB Global, and Kendra Valle, Risk and Compliance Manager at Legato Security, shared their hard-earned lessons and tactical advice on getting ASM right.
Whether you’re starting with a spreadsheet or already investing in enterprise tools, strong ASM practices start with seeing the full picture.
What Is Attack Surface Management (ASM) and Why Does It Matter?
ASM means knowing what you own and securing what you find. That includes all internet-facing assets, cloud environments, internal systems, and anything an attacker might discover and exploit.
There are two distinct categories:
EASM (External Attack Surface Management): Public-facing assets like websites, IPs, and cloud environments.
CAASM (Cyber Asset Attack Surface Management): Internal, behind-the-firewall visibility of IT systems and data assets.
The stakes are high. As Kendra emphasized, “Some organizations don’t prioritize ASM until something bad happens and by then, it’s too late.” Brian added, “There’s no excuse not to be really good at this anymore. The tools exist, and the problem isn’t going away.”
Inadequate ASM leads to shadow IT, forgotten infrastructure, and open doors for attackers. “We had no idea if we were a palace or a dumpster fire,” Brian said about a previous organization’s environment. “This tool helped us find out.”
ASM and Asset Inventory: You Can’t Secure What You Can’t See
Every ASM journey begins with visibility. Without an inventory of assets, any security strategy is guesswork.
“Start with what you’ve got, even if it’s just a spreadsheet,” Brian advised. “But you have to aspire to get better every single day.”
Open-source tools like Google Dorking, WHOIS lookups, and Hacker Target offer scrappy ways to begin. Brian recounted late-night hacking sessions at George Washington University: “I’d Google ‘login’ in our domain to find rogue systems bypassing SSO. It wasn’t fancy, but it worked.”
Kendra shared a sobering client experience: “We found a Server 2003 system online, still running after a merger. No one knew it was there, but it was open, exposed, and vulnerable.”
Continuous ASM Monitoring: Turning Firefighting into Fire Prevention
Once you’ve mapped your environment, the goal is to monitor it continuously. ASM is not a checklist; it’s a practice.
“You can’t stop at inventory,” Kendra noted. “You need constant awareness, especially with fast-changing environments like cloud or M&A.”
Brian emphasized prioritization: “The first thing I want to know is what’s running RDP on the public internet. If I can’t answer that in seconds, that’s a problem.”
Automation plays a pivotal role. “When Log4Shell hit, I knew in minutes where we were exposed,” said Brian. “Same with the CrowdStrike outage. I had the answers, fast, and with confidence.”
Kendra highlighted alerting priorities: “End-of-life systems, open random ports, critical CVEs, or unexpected assets in foreign geolocations, we configure for all of it.”
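The alerting priorities above translate directly into rules that can run over a scan export. The following is an added example, not code from the livestream, the speakers, or any ASM vendor: it applies those rules (public RDP, end-of-life platform, critical CVE, ports outside the approved set, assets missing from the inventory, unexpected hosting country) to a constructed set of asset records, and answers the two questions Brian raises, "what is running RDP on the public internet?" and "where are we exposed to this CVE?". The asset list, the end-of-life platform set, the approved ports, the expected countries, the CVSS threshold and the CVE identifier are all assumptions for illustration; a real deployment would feed the records from an ASM platform or scanner.

```python
from dataclasses import dataclass

# Assumptions for this example: which platforms count as end-of-life, which
# ports the organization intends to expose publicly, and where it hosts.
EOL_PLATFORMS = {"windows server 2003", "windows server 2008 r2", "centos 6"}
EXPECTED_PORTS = {80, 443}
EXPECTED_COUNTRIES = {"US"}
CRITICAL_CVSS = 9.0
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Asset:
    host: str
    ip: str
    country: str
    platform: str
    open_ports: frozenset
    cves: dict            # CVE id -> CVSS score, as a scanner would report it
    in_inventory: bool = True


@dataclass
class Finding:
    host: str
    severity: str
    rule: str
    detail: str


# Constructed sample scan records using documentation IP ranges; not real hosts.
# "CVE-PLACEHOLDER-1" stands in for a real identifier.
SAMPLE_ASSETS = [
    Asset("web01.example.com", "203.0.113.10", "US", "Ubuntu 22.04",
          frozenset({80, 443}), {}),
    Asset("legacy-app.example.com", "203.0.113.45", "US", "Windows Server 2003",
          frozenset({80, 3389}), {"CVE-PLACEHOLDER-1": 9.8}),
    Asset("dev-box.example.com", "198.51.100.7", "DE", "Ubuntu 20.04",
          frozenset({22, 8080}), {}, in_inventory=False),
]


def check_asset(asset):
    """Apply the alerting rules to one asset and return its findings."""
    findings = []
    if 3389 in asset.open_ports:
        findings.append(Finding(asset.host, "critical", "rdp_exposed",
                                "TCP/3389 reachable from the internet"))
    # RDP is reported by its own rule, so exclude it from the generic port check.
    unexpected = sorted(asset.open_ports - EXPECTED_PORTS - {3389})
    if unexpected:
        findings.append(Finding(asset.host, "medium", "unexpected_ports",
                                f"open ports outside the approved set: {unexpected}"))
    if asset.platform.lower() in EOL_PLATFORMS:
        findings.append(Finding(asset.host, "high", "eol_platform",
                                f"{asset.platform} no longer receives security updates"))
    for cve_id, score in asset.cves.items():
        if score >= CRITICAL_CVSS:
            findings.append(Finding(asset.host, "critical", "critical_cve",
                                    f"{cve_id} scored {score}"))
    if not asset.in_inventory:
        findings.append(Finding(asset.host, "high", "unknown_asset",
                                "discovered but absent from the inventory"))
    if asset.country not in EXPECTED_COUNTRIES:
        findings.append(Finding(asset.host, "high", "unexpected_geolocation",
                                f"hosted in {asset.country}"))
    return findings


def rdp_exposed(assets):
    """The question to answer in seconds: which hosts expose RDP publicly?"""
    return sorted(a.host for a in assets if 3389 in a.open_ports)


def where_exposed(assets, cve_id):
    """The Log4Shell-style question: which hosts carry a given CVE?"""
    return sorted(a.host for a in assets if cve_id in a.cves)


def triage(assets):
    """All findings across the estate, most severe first, stable within a level."""
    findings = [f for a in assets for f in check_asset(a)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.rule))


if __name__ == "__main__":
    print("RDP exposed:", rdp_exposed(SAMPLE_ASSETS))
    print("Exposed to CVE-PLACEHOLDER-1:", where_exposed(SAMPLE_ASSETS, "CVE-PLACEHOLDER-1"))
    for f in triage(SAMPLE_ASSETS):
        print(f"[{f.severity:8}] {f.host:26} {f.rule:22} {f.detail}")
```

Each rule is independent, so adding a new priority (say, an expired certificate) means adding one more `if` block rather than reworking the pipeline; the severity ordering in `triage` is what turns raw findings into a list a team can work from the top down.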
Telling the Right Story to Get Buy-In for ASM
ASM isn’t just technical; it’s a strategic narrative, one that aligns with business goals like cost savings, risk reduction, and operational resilience.
Brian shared his go-to mantra: “Don’t do things to people, do things with them.” By involving stakeholders and speaking their language, security leaders can align priorities.
“Finance doesn’t care about ports, they care about surprises,” Brian explained. “If I can show how ASM prevents surprises, that’s a story that gets funded.”
Kendra echoed this approach: “I don’t want to waste a customer’s time. ASM gives me validated, prioritized data I can bring to the table, and that builds trust.”
From Spreadsheet to Strategy: Starting and Scaling Your ASM Program
Many organizations begin with a spreadsheet. But the leap to strategy requires validation, enrichment, and integration.
“Step two is verifying what’s in the spreadsheet,” said Kendra. “Assets change constantly. We work with clients to validate and prioritize before integrating with tools.”
Brian’s advice? Focus on progress, not perfection. “You don’t need a production-ready system on day one. Just keep leveling up. Talk to your IT teams, ask questions, and use what you’ve got.”
And most importantly: don’t stall. “You can’t let being at step one psych you out,” he said. “Start. Today.”
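Both the inventory step described earlier (start with the spreadsheet you have, then hunt for the systems nobody knew about) and the validation step described here come down to one comparison: what the spreadsheet says you own against what discovery actually finds. The following is an added example, not code from the livestream or the speakers: it reads a constructed spreadsheet export, compares it with a constructed list of discovered hosts, and buckets the gaps so they can be validated and prioritized. The CSV columns, hostnames, IPs (documentation ranges), the 180-day re-verification window and the fixed "today" date are assumptions for illustration.

```python
import csv
import io
from datetime import date

# Constructed spreadsheet export; not a real organization's inventory.
INVENTORY_CSV = """hostname,ip,owner,last_verified
web01.example.com,203.0.113.10,Platform Team,2024-05-01
vpn.example.com,203.0.113.20,Network Team,2023-01-15
old-intranet.example.com,203.0.113.30,,2021-06-30
"""

# Constructed result of an external discovery pass (the kind of list an EASM
# scan or a DNS/WHOIS sweep would produce); hostnames and IPs are assumptions.
DISCOVERED = [
    {"hostname": "web01.example.com", "ip": "203.0.113.10"},
    {"hostname": "vpn.example.com", "ip": "203.0.113.21"},
    {"hostname": "legacy-app.example.com", "ip": "203.0.113.45"},
]

MAX_VERIFY_AGE_DAYS = 180  # assumption: anything verified longer ago is re-checked

# Buckets in the order a team would work them: unknown assets first.
PRIORITY = ["unknown", "ip_changed", "stale", "needs_validation"]


def load_inventory(csv_text):
    """Parse the spreadsheet export into a dict keyed by lower-cased hostname."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["hostname"].strip().lower(): r for r in rows}


def reconcile(inventory, discovered, today):
    """Compare the spreadsheet with discovery output and bucket every gap."""
    seen = {d["hostname"].lower(): d for d in discovered}
    report = {"unknown": [], "ip_changed": [], "stale": [],
              "needs_validation": [], "confirmed": []}

    # Discovered but unknown, or known under a different address.
    for host, found in seen.items():
        known = inventory.get(host)
        if known is None:
            report["unknown"].append(host)
        elif known["ip"].strip() != found["ip"]:
            report["ip_changed"].append((host, known["ip"].strip(), found["ip"]))
        else:
            report["confirmed"].append(host)

    # Listed in the spreadsheet but not found, or with weak ownership data.
    for host, row in inventory.items():
        if host not in seen:
            report["stale"].append(host)
        reasons = []
        if not row["owner"].strip():
            reasons.append("no owner")
        verified = date.fromisoformat(row["last_verified"])
        if (today - verified).days > MAX_VERIFY_AGE_DAYS:
            reasons.append(f"last verified {verified.isoformat()}")
        if reasons:
            report["needs_validation"].append((host, ", ".join(reasons)))

    for bucket in report.values():
        bucket.sort()
    return report


def prioritized_actions(report):
    """Flatten the report into an ordered worklist of (bucket, detail) pairs."""
    return [(bucket, item) for bucket in PRIORITY for item in report[bucket]]


def run_example(today_iso="2024-06-01"):
    """Run the reconciliation on the constructed data with a fixed date."""
    return reconcile(load_inventory(INVENTORY_CSV), DISCOVERED,
                     date.fromisoformat(today_iso))


if __name__ == "__main__":
    for bucket, item in prioritized_actions(run_example()):
        print(f"{bucket:17} {item}")
```

The "unknown" bucket is where the forgotten Server 2003 box from the merger story would surface; "stale" entries are just as important, because a host that no longer answers may have been decommissioned or may have simply moved outside the range being scanned. Swapping `DISCOVERED` for real scan output and running this on a schedule is the smallest step from a spreadsheet toward continuous monitoring.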
The Road Ahead: Future of ASM and the Tools That Power It
The ASM space is evolving with broader integrations and more efficient scans. But it’s not about flashy AI; it’s about better coverage and clarity.
Brian sees convergence as the future: “Bringing EASM and CAASM together is where we’re headed. Unified views, real-time insights, that’s the path forward.”
Kendra is excited about integration with account-based systems. “Seeing user behavior alongside infrastructure is a game changer. Identity, access, assets, it’s all connected.”
Beyond the tech, ASM is an emerging career accelerator. “Owning visibility earns trust,” said Brian. “You become the go-to person who knows what’s going on, and that’s leadership material.”
Conclusion: Tame the Fire Before It Burns You
You don’t need enterprise tools to get started with ASM. You need curiosity, a willingness to ask tough questions, and the courage to begin.
Start with the inventory. Use the free tools. Tell the story. Get better every day.
And remember what Kendra said: “Someone is looking at your environment full-time. Shouldn’t you be doing the same?”
Find your attack surface before the next breach finds you.
Follow Brian Markham, Kendra Valle, and NetSPI on LinkedIn!