Home Podcast ThreatTank – Episode 3 – Attack Surface Management

ThreatTank – Episode 3 – Attack Surface Management

About The Author


Stay ahead of cyber threats with the latest insights from our security experts.


Subscribe now to receive:

An Introduction to ThreatTank – Episode 3: Attack Surface Management

Tom Gorup: Welcome to Threat Tank, a podcast covering the latest threat intelligence, threat response and insights about security landscape around the globe. I’m your host, Tom Gorup, Vice President, Security Services at Edgio. And joining me today are Jeff Patzer and Chris Herrera. Welcome, Jeff and Chris.

Jeff Patzer: Yeah, thank you.

Chris Herrera: Thank you for having us.

Tom Gorup: Yeah, man, this is going to be a great conversation. We’re going to be digging into Attack Surface Management, the value of it, what is it, all that kind of great stuff. But as we’re building a tradition here on the ThreatTank Podcast, I like to open up with an icebreaker question. Now if this is your first time tuning in, I don’t tell the guests these questions. So, they have no idea what I’m about to ask. And this one actually made me laugh out loud when I initially read it.

The question is, Chris and Jeff, if you’re ready for this, if you were a fruit, what fruit would you be and how would you avoid being eaten?

Chris Herrera: Oh gosh. Well, if we’re defining it as being eaten by average person, then I suppose maybe a durian. My understanding is that those smell pretty foul when you cut into them and they don’t even look that appetizing. But that could just be me speaking from ignorance, since I’ve never actually seen one.

Tom Gorup: So, you would be a durian because the one you’d avoid being eaten, you would look, look bad and smell bad, look bad and smell bad and presumably taste bad.

Chris Herrera: Yeah, taste bad.

Tom Gorup: All right, Yeah.

Jeff Patzer: They don’t even like durian on the subways in most places where they actually grow when it’s during the season because they smell so terrible. But they get eaten very heavily, Chris, so I’m not sure you can avoid that. They’re tasty. It’s kind of like, how are you going to avoid it?

Tom Gorup: Yeah, I imagine it’s like jalapenos, everybody like they’re so hot, but there’s still a market for people that want to eat like the hottest pepper. So, what do you get, Jeff?

Jeff Patzer: I’m just going to go with fig. I’d be a fig and I wouldn’t try to avoid being eaten because, you know, the whole point of being a fruit is to actually be consumed.

Tom Gorup: The reason you want to be consumed is because that’s how you get spread and grow more fruit trees essentially, right?

Jeff Patzer: So you get to go on the interesting journey through a digestive system of any type of animal and also figs are absolutely delicious and the trick is yeah, getting them where you can actually get them fresh because most places you have to buy them like in the store and they’re just not picked fresh. But if you live in a place where you get them fresh there’s like no fruit better.

Tom Gorup: I can guarantee you I’m mostly intrigued that you described it as an interesting journey through something.

Jeff Patzer: I mean, what was it like the magic school bus, right, where you get to join, you know the trip through the digestive system? Same. I’m thinking that maybe not everyone gets that reference.

Chris Herrera: A bit less PG version of Rick and Morty when they do very similar type of episode.

Tom Gorup: It’s good.

Jeff Patzer: Exactly. Exactly.

Tom Gorup: So, I’ll play along with this as I was thinking about it, as I was thinking maybe a strawberry. But I’d make my seeds like little BBS. So they’re so hard that you could like, if you bite into them you’re gonna chip a tooth, so nobody would want to eat it. But then to your point I may not be spread as widely and vastly.

Chris Herrera: Interesting you have one issue with that answer, which is that they’ll decide they don’t want to eat you after they’ve already taken a bite, though.

Tom Gorup: Oh, because you stink. They wouldn’t want to eat you, I think.

Chris Herrera: And I look bad.

Tom Gorup: That’s great. That’s good. All right. Let’s get started. Hopefully the icebreaker is as fun for everybody else as it is for us to discuss. But we have to get on topic, and this one is again Attack Surface Management. Chris, I was wondering if you could explain to us like what is Attack Surface Management abbreviated as ASM.

Chris Herrera: I’m gonna give what I hope and think is a pretty accurate definition. But as always when you’re speaking in front of other security folk, other experts, anyone else who’s in your field, you’re always or you should be terrified that you’re gonna say something wrong or lightly off.

So please correct me if I’m wrong at any point here, but ASM, Attack Surface Management is in a nutshell, it’s incorporates different aspects of identifying, prioritizing, monitoring and analyzing digital assets. And by digital assets that would be things like web servers, IP addresses, API endpoints, applications, anything that is digitally within sort of an environment that might be exposed via the Internet or something along those lines. And then ASM comes into play.

The Attack Surface Management, you can think of this, those individual words. Part of that is that you’re managing the attack surface. So, what is available to be seen or pinged or probed or anything from the Internet that is considered your attack surface. ASM allows you to determine what’s available, what’s there. You might find things that you didn’t even know were there. And then it goes a further step and it can tell you ideally what types of applications, what servers, what versions are running behind there. Then even an additional step where it can tie those to different vulnerabilities like CVSS’s (Common Vulnerability Scoring System) and Zero-day vulnerabilities and things like that and give you a much better idea of your attack surface within your digital assets. So there’s a lot more to it than that. Obviously, that’s what we’re going to be discussing today, but hopefully, that is a good kicking-off point to what Attack Surface Management is.

Tom Gorup: Yeah. Kind of like in the most basic way to say a tool that scours the Internet for Internet. Well, Internet facing assets of yours and kind of aggregates them in some sort of tool.

Chris Herrera: Yeah, exactly.

Tom Gorup: Most basic description.

Chris Herrera: Yeah. So, I was trying to think of a metaphor of how to visualize this. And really the best thing I could think of would be a very techie kind of thing where I’m imagining like Star Trek or Star Wars or something along those lines where you have your ship monitor on a screen and it’s got all the different components on there and it’s monitoring every single element of your ship that’s in outer space that can potentially be shot down by lasers or weapons or anything along those lines. And in addition to telling you what’s there, it’s also telling you the status of them.

It’s telling you how they’re doing it. It may give you some additional information as well. And you know, to your point, you can then, if you want to know more about other assets as well, send a probe out, send some scans out, get some information about someone else, and it may not be useful to others. But for me, that was a good way of getting a mental picture of at least tying ASM to not real-world examples because of Star Trek and Star Wars. But you know something along those lines.

Tom Gorup: Anything missing in that definition, Jeff?

Jeff Patzer: Yeah, you know, I have come from maybe more of like the developer background, engineering background. I also think of it as much as the building blocks of like the inner workings of the thing you’ve got. So, when you’re thinking about what is my attack surface  look like, the things you’ve built it out of are also actually attack vulnerabilities, right? So if you’re thinking about the things that you’re choosing to add from like a library perspective or something like that into the code that you’re then using to expose, you know it’s not just about how the Internet can reach you, It’s how once something has the things, it can do within your system as well, right?

To extend your Star Trek analogy, monitoring the status of the engine, is just as important as knowing you know what your field you know your laser-protecting field is doing, right? So I come at it thinking like hey, if you’re using some external libraries, which if you’re using any sort of software at this point you’re guaranteed to be using some sort of open source library to build those like larger pieces of software. Knowing what’s inside of those and possible vulnerabilities they might have is also just as important as the external facing pieces that people would interact with.

Tom Gorup: My next question is why you said it’s just as important to monitor as why it is valuable. What is the value of running an ASM?

Chris Herrera: My first thought is that a lot of security teams if we’re talking specifically about companies or you know, even individuals at home, it’s easy. Well, not necessarily easy. It’s straightforward to secure the things that you know you have and that you’re familiar with. But exactly to Jeff’s point, you are building up these tools, these environments out of a lot of individual pieces. And each of those individual pieces is also contributing to the attack surface, your overall surface. I can’t think of a better word for that now. I’ll try to think of it by the end of this.

Each of those individual pieces, it can become the weak link or, you know, the slowest marching member of the army. And in addition to making sure that’s all enumerated an Attack Surface Management tool, inventory technology can also prioritize those and tell you, hey, these are your most important ones in terms of if these go down, the whole system’s going down or they can prioritize them in terms of, hey, these are your most vulnerable ones in terms of the software’s most out of date or they’re open to the most recent zero-day vulnerability.

And or you can even prioritize them in terms of, hey, these are the simplest ones to patch if you want to get some low-hanging fruit or some, you know, just get your feet wet. In terms of not necessarily dispatching but increasing your security posture overall.

Jeff Patzer: Yeah. You know, I might add to this, like, to me, the value is that it’s essentially becoming impossible to stay on top of everything without some sort of monitoring system, right? Is that systems are becoming more complex. You know, the analogy I always was thinking of for ASM is, you know, back in the old days, what did we do to, you know, protect against invading armies as you’d build a castle? The only way to get through the wall around was a couple of doors, right? And so, in a way, ports are like doors for the Internet. You need to be able to, you know, that it’s kind of simple, like the castle is simple, right? Like it’s got walls and maybe a moat and maybe a couple places you can come in and out. But as you build in complexity, being able to monitor those, you need more than just like a couple runners who are telling generals. Like, this is the status of that door, right?

You are at the point where, with software, you can actually federate control into the hands of team members, right? So anyone can build a door at this point. Anyone can extend the capabilities. And if you’re going to rely on people to have to manage all that, keep track of that complexity, it’s just going to break down over time. So, to me, it’s like the value is that it allows you to grow in complexity but keep maybe a little bit of a handhold on, like being able to allow people to do things but also monitor those things that are happening as the things they’re exposing and keeping track of that. Because otherwise, as things get more complex, there’s just no way humans can keep track of those types of systems. Nor should we be.

Tom Gorup: Yeah, yeah, 100%. Some of you used to say that the castle analogy is the perimeter. Castle defense is kind of dead; there is no perimeter, right? We are in various multi-cloud hybrid environments, some data centers, some in Azure, some in AWS, some in GCP, and Digital Ocean; we’re kind of all over the place. Do we know everything that’s out there?

When I look at what I think about security posture, I put it into 3 pillars: Visibility, Exposures, and Threats. I can’t protect what I can’t see. I need to understand where my vulnerabilities are and I need to understand how I’m being attacked. What I’m hearing is Attack Surface Management really gives us a lot of the first two, especially visibility and the things that I didn’t know existed. Open ports, API technology that I’m using in my app, but also kind of highlighting what vulnerabilities exist within my environment which I could be attacked from. So, it seems like extremely powerful. But, like, what teams typically run these sorts of tools? Do we only see it in security teams that should run an AMS?

Chris Herrera: Historically, I think that’s accurate to say that the security teams are responsible or have been responsible for procuring the ASM tools, getting them up and running, using them consistently, interpret interpreting the results, taking those results to the different teams within the organizations. In the event of maybe they’re discovering assets that they didn’t know existed or host names that they didn’t know were still up and running or anything along those lines.

But I don’t necessarily know if that means that that’s how it needs to be moving forward. It’s interesting how technology increases in complexity but also in terms of what it can do for us, it kind of in a way blurs the lines between different teams. That’s why historically, you know, we the terms like dev SECOPS or DevOPS or things like that, those terminologies and the way that we refer to the people who are building applications. Just as a specific example, that has changed over time just over the last 5-10 years. And I think that may be a sign of how security is in a way sort of seeping into the lives of everybody.

Now, It’s not necessarily just a security team anymore. I know in my experience, obviously I won’t even know what I do, but security isn’t a thing that I do every single day. But I’m interacting with other members of other teams who nominally have nothing to do with security, but they know a lot simply because they have to in order to do their job.

Jeff Patzer: Well, yeah, I really like the way you put that, Chris. I really like the way you put it in the sense that everybody is interacting with security in some form or another, whether that’s if you’re opening e-mail at this point, you’re interacting with the security issue. Like, are you being phished? Are you being, you know, checked for things? Technically, that’s a type of surface that someone could attack you through.

So, I think that when you’re asking what teams use it, I do feel like historically you’ve got like IT and developers right, like they’re using that for very specific reasons. But overall it’s growing, right? And as I was saying, you know, at this point, let’s say you want to build a form that’s intake for you’ve got partners that are registering something or whatever, right? I can build automations that take that information and I can send it to anyone within the org or outside of the org.

Like I said there’s the ability for team members to start doing things that maybe aren’t historically like building a web server that does specific web-based things but are still parts of data gathering for that organization. It really becomes as we tread forward everybody kind of if you’re online in some sense of what other way whatever way you’re, you’re exposed, right. You’re interacting in some form or another, yeah.

Chris Herrera: And I think, Tom to your question from just a minute ago about the teams that are maybe typically or expected to be responsible for these tools. I think it makes sense that security has had that responsibility in the past and right now as well. But considering that ASMs can do more than just provide security information, it’s also can be used as we said before an inventory tool, I can see why that would be very useful for non-security teams. Working in security, I often work with different teams and different customers and doing my analysis of logs and whatnot.

I present to them, hey, here’s some domains that have been seeing some attacks and it’s always interesting to me when I come across a case where the response from them is oh wow, I thought we’d turn that domain off 12 months ago and it turns out it’s still on. It’s still very much open to the Internet. It’s still seeing a lot of attacks. So the inventory aspect of it can very much be used regularly by non-security folks and, in fact, maybe should depending on how easy it is to use.

Tom Gorup: Yeah, I love that and, Jeff, talking about the attack surface is much larger than just stay in open port tying that into domains. We have, you know, subdomain takeovers. You leave a domain that was hooked up to some third party, and three years later, it’s being hijacked and now serving malware that then gets your domain blacklisted right. That’s everybody’s problem. That’s a business problem as a whole. But going further and looking at you know emails coming in that’s intact factor.

Although there are tools for Attack Surface Management, the attack surface itself is a broader conversation that involves every aspect of the business and can’t be just limited to what the security team is monitoring, right? IT needs to be involved, engineering needs to be involved, and marketing needs to be involved. All these teams need to have a conversation with each other to effectively protect the business.

Jeff Patzer: A quick question for you, Tom, on this and Chris as well. Chris, you’re talking about, hey, I’m looking at logs like I’m reviewing logs. I mean a lot of people, they’re not looking at log lines, right? Like you show them that and they’re like now that’s the matrix, I don’t do that stuff. What are your thoughts on the types of data visualizations that can be used to better communicate the attack surface to people who you know, they maybe don’t come from an engineering background. They don’t come from an IT background where, you know, they get up and look at log lines every day where you can give them something that is like explains the matrix underneath, right. What do you, what are your guy’s thoughts on ways that can, you know, effectively do that?

Chris Herrera: Oh man, that’s such a good and interesting question. My first thought is I was never very good at data visualization, but I know it when I see it, and I know a good data visualization when I see it. In my head I’m seeing this ephemeral sort of idea of I want to be able to see visually what it looks like when I have all from like a web application perspective. I want to see which domains I have available to the Internet. I want them grouped accordingly, whatever that means. I want to then be able to go in there and see which versions of which software they’re running. In an ideal world, click on and off and be able to see which vulnerabilities might be applicable to those different endpoints. But mostly, I want a visual view to see at a high level what exactly is going on and then be able to drill in from there.

Tom Gorup: Yeah. I would double tap on that and say a node graph is super powerful and I see that on a number of different facets like on one angle it’s like an incident response process to be able to show the progression of an attacker. Log4j was a great example of this. Log4j from an incident response perspective, an MDR standpoint is post-compromise activity because it’s a zero-day attack; you don’t have signatures for it, right? When log4j came out, nobody had a signature for a log4j exploit because, well, nobody knew about it. But what we picked up on was outbound command and control traffic.

If you could start picking up on myriad assets reaching out to single command and control servers, you mean more quickly pick up on compromised assets, but then what did they connect to? And that’s where, like node visualization I think helps create those connections that you otherwise couldn’t do through logs by themselves. I always imagine it is like Batman sonar, right? Kind of giving getting these views in the corners and places and seeing connections where you otherwise wouldn’t have seen them through node graphs. I can nerd out on node graphs all day long.

Chris Herrera: I mean, who can’t?

Jeff Patzer: Yeah, if you ever want to see like what a very opinionated DataViz guys would be, Chris Edward Tufte is the guy. He’s got like the seminal works on this is what it should look like. He’s very opinionated but he’s got some good stuff.

Tom Gorup: Love it. I’ll check that out. So, this all sounds great to me. I deploy this tool, we call it Attack Surface  Management, and all of a sudden I’ve got an inventory of all the assets open to the Internet, port numbers, APIs, application services, everything. I know how they’re going to be vulnerable and how they can be attacked. And it’s all presented in a pretty no graph, right? So what could go wrong? What challenges would businesses have at this point?

Chris Herrera: Well, nothing. You’re done at that point.

Tom Gorup: Yeah. Right. Hang it up.

Chris Herrera: No, I think it’s very similar to some of the topics we were talking about before where a lot of these teams, they all work together, even though each individual team is doing such different type of work and obviously there are a lot of local experts in different areas. But the type of output from these ASMs that we’re discussing today and again as we talked about before, the type of output is very useful to a lot of different teams. I guess this sort of goes back to, you know, any teams working together need to be able to share information and collaborate.

This is a tool that can not only make that significantly more efficient, but it can also, you know, raise the water for everyone by increasing everyone’s knowledge of what’s going on under the hood behind the scenes and delineating a path forward for making sure that your security posture doesn’t get worse and ideally will get significantly better.

Jeff Patzer: Yeah, I mean one thing I think about is how do you divvy up the discrete pieces of work that have to happen for this? It’s tough because to me when you say, OK, I need to go address security, posture stuff like some of that can be easy. Some of that could be harder like go up upgrade your version of WordPress. I don’t know, maybe that’s easy, maybe it’s not. But like upgrading code packages, especially between like a major version, like it takes a lot of work to look at those things and say, you know in doing this, am I going to break something that is already in production, right? Like from a developer’s perspective, like it sounds simple enough, yes, just go update this minor version stuff, not so bad major version stuff. It can be really hard to do that effectively. So, I don’t know.

To me it’s almost like the security posture. Work that comes in is almost like refactor work or dealing with like old code that you need to go take care of, right? It’s almost like a chore in some senses or it’s not the creative aspect of like building. It’s going back and looking at what you did and like shoring things up and repairing and doing things like that. And so, I think that any tool that you have should help to break that discrete work down to allow you to federate it to the owners, to assign people that can take charge of it. Because at the end of the day, if you have, like I said, a complex system, you’re gonna have a lot of different things that have to happen. And being able to make sure you can manage that and then audit it and keep track of like your projects on that, like the actual process of doing the work becomes as important as knowing that you have to do it, I believe.

Tom Gorup: Yeah, yeah. The first thing that comes to mind is measurable outcomes. It’s what I often hear from customers. There are two questions I hear from customers all the time: How can you make me more secure in a measurable way? How can you measure this It made me better, made me stronger. And then what’s the next most important thing I need to work on? Effective prioritization.

Alright, so you know, thinking that through because I think to your point you have is like a lot of that work can be obscure too. How do I actually solve this problem? Is it a code change? Is it a configuration change? Maybe I can’t solve it at all. Maybe we have to accept this risk. What does that process look like? So yeah, that’s good advice.

Jeff Patzer: And I think a good thing that you just made me think of is noise, like noise-to-signal ratio. So, it’s like making sure that the tool is telling you is helping you figure out what’s the most important thing. And if it’s over-indexing on too much stuff that’s like not that big of a deal. That’s more like a warning-type thing. Like, hey, this could be maybe something you should be concerned about, like helping to distinguish that noise-to-signal ratio. It’s just as important because knowing what to focus on is, is what you need to start with, right?

Chris Herrera: Right. If you get 1000 notifications that are all low priority, then it may cause you to think that you are in a much worse spot than you actually are.

Tom Gorup: I feel like that’s your strike zone, right Chris? Active prioritization with customers. Any scenarios come to mind where it’s like, man, they should have worked on this, or you know, or maybe you made a bad recommendation. I’d love to hear that.

Chris Herrera: That’s good. No, I’ve never made a bad recommendation. So, your first question, going through the analysis, is a little bit of background for me when I talk about working with my customers, I’m helping them secure their web applications. And a lot of times when I am presenting my review, my recommendations, and any fine-tuning adjustments that I think they should make to their security products, a lot of times that is because their applications were not written with security in mind from the first from the get-go. But not only that, were also not written in a way that is easy to make changes to from their side.

That’s why it’s from our perspective, from my security team’s perspective, we can do virtual patching within the application by making custom security rules, anything along those lines. I think that sort of answers the question with regards to doing security reviews and how that can illuminate how customers can do better. And you know, with regards to my making bad recommendations, I’ve never, I’ve never mistakenly identified a false positive.

Jeff Patzer: Never done it. It never happened.

Chris Herrera: I think earlier in my career I might have been a little overzealous in terms of recommending or maybe blacklisting certain IP addresses. As you become more comfortable with it, it’s sort of a last line of defense at this point. But yeah, that’s probably the worst decision ever made, small errors like that.

Tom Gorup: I think you’re speaking to kind of the power of an ASM is being able to look at the risks that your business, your attack surface and the risks that your business is taking on and in finding ways to mitigate those risks with the tools that you have available. Sometimes patching isn’t something you can accomplish today. I worked on an incident I don’t know maybe a decade ago there’s a forensics investigation in one of their most critical assets got infected with Conficker.

I don’t know if you remember Conficker and that machine might still be compromised today because their response to it was this machine is making us too much money per minute. It was doing some process which was making them too much money. Their decision was to air gap it just to take it off the network, let it continue to work, but it remained infected. As a matter of fact, I think they put a sign up on it like do not connect to network and that’s how they that’s how they resolved it. Because from a business standpoint, it wasn’t worth taking down that machine and risking the revenue associated with it. They’d rather just kee it processing in a compromised state.

I’m sure there’s plenty of Windows XP machines out there still in production to some degree, right. In the same way where like we’re having the right tool in place though the WAF is  great, the virtual patching I think is an awesome example where hey, we can’t patch this right now. What do we do in the interim? How do we solve that and leveraging your expertise, I think that’s a great, great recommendation, kind of nuanced question.

I was thinking like with an ASM would be there a difference between on-prem and cloud? Would the outcomes change, would the value of the tool change? What would he expect different between those two solutions?

Chris Herrera: Oh, wow. Immediately I’m thinking of, so there could be so many changes. At the end of the day, they’re just sort of doing the same thing as far as the goal, which is to identify inventory, figure out where the vulnerabilities are, etcetera. But on-premise versus cloud-based, that is sort of; I mean, it’s similar to a lot of security products and the evolutions they’ve all taken over the last decade or so.

To your point, regarding WAFs, at least those used to be completely on-premise only. It’s very expensive multi-hundred-thousand-dollar machines that were limited to you know as much processing power as that one machine can handle and now most of them are cloud-based and the users don’t need to worry about how much traffic they can inspect or anything along those lines. So, with an ASM cloud-based versus on-premise, that would have a lot of the same similarities with regards to technical capabilities and computing capabilities.

But not only that. It would have the dichotomy of who is responsible for making the changes for the underlying architecture. You buy the piece of hardware, and then you have to make sure all those things are working. Whereas if it’s a cloud-based solution, it may fall into the purview of whoever you’re purchasing or using and paying the rights to use the service from. Also, they would have different capabilities, very similar again to on-premise versus cloud-based other security products.

So, a cloud-based ASM presumably would have significantly more capabilities in terms of proactively scanning outside of its own network and scanning across the Internet across the entire globe. Whereas in my mind at least, an on-premise solution might be limited to its own environment. Which might make sense if that’s all you care about. But if you want to see what else is out there or what is available to attackers from their perspective against your environment, that would also be a consideration.

Jeff Patzer: I’d add to that, Chris. I think sometimes people think on prem is, you own hardware, you run your own hardware. I think it has been that way for a long time. But there can also be this idea of a prem where you’re running your own software, you own the ownership of that. So, let’s take like an open source package of some type, right, where you’ve decided that you know, rather than building something from scratch on your own, you’re going to take an existing open source thing, you’re going to run it within your own cloud network of some type, but you’re managing it being run, right.

The overall intent is that rather than you know you buying a third-party service that you pay for, and they manage, you’re actually owning the management of it, even if it’s still running on a cloud scaler. To me, the outcome is still the same, like you still need to do the same things that you were doing, whether you are using a third-party thing or whether you’re running your own open source package of whatever piece of software that that might be. I think at this point to try to distinguish it, it’s not a great use of time because at the end of the day, they’re all just exposed in some form or another and it can go from super simple to very complex and anything that captures that is important.

Tom Gorup: Yeah, it’s interesting. The one difference, and it was kind of standing out in my mind, was the distributed nature of the cloud and the ability to scan from different places in the globe. What does my network look like from China? What does it look like from Russia? What does it look like from Latvia, by comparison to maybe where my customers are? What does it look like from their standpoint? Maybe being able to slice up the world in that way and manage it differently could be interesting. But at the same time, you know, with the growing use of ORB networks, and operational relay boxes, and you know, geofencing is effectively dead. It shouldn’t matter. We should be locking it down regardless of where it’s coming from.

This has been great. Jeff, let me open any final thoughts on an Attack Surface Management. Final thoughts.

Jeff Patzer: At the end of the day I view ASM as another tool to give you insight into things that you’re building, things that you need to be aware of. I’ve said this before, I’ll say it again, I’ll say it right now. No tool is a substitute for critical thinking. At the end of the day, you need to look at what it’s telling you and you have to understand that to be able to do something that makes sense with it. You can buy all the tools in the world, but if you’re not going to sit there and think about what is it that I’m trying to accomplish then at the end of the day, that’s not going to be of any use to you.

Chris Herrera: Yeah. My final thoughts are going to be that some people might think of it as a little bit of a cop-out, but AI is obviously not going anywhere anytime soon, and if anything, it’s just gonna have more of a foothold everywhere you go. To Jeff’s point where he mentioned there’s no substitute for critical thinking, I use AI specifically chat, ChatGPT almost every single day for my job and obviously it can’t do my job for me, but it definitely gets me in the right direction. The reason I’m bringing this up is for ASM, in terms of recommendations, in terms of steps forward, but also in terms of the sheer volume of data that can be presented in the output of a tool like that. I think that it’s going to be almost imperative that AI, it takes some type of role, whether it’s huge, whether it’s small in terms of presenting that to humans and making it humanly relatable.

Tom Gorup: Yeah, I love that. I love that thought process, especially when we’re combining various data sets. Again, I come back to the security posture, visibility, exposures and threats. Attack Surface Management gets us a lot of the visibility, a lot of the exposures, tying that in with your threats, these become inputs to help you make decisions and adjust your security posture as a whole. But to Jeff’s point, critical thinking is a requirement. You can’t just set it and forget it. Like any tool. And to your point, AI is not always on point, like you can’t do your job for you, but it can help guide you.

I think this is an awesome conversation, a lot of fun, and I could probably spend another 30-40 minutes talking about Attack Surface Management and digging down all the rabbit holes. But we do have to stop. So that’s all we have for today. Thanks for joining us on ThreatTank.

To stay up to date with the latest threat intelligence from Edgio, you can subscribe online at edg.io. Jeff and Chris, thanks for coming again. This was awesome. I appreciate your time.