What Is Attack Surface Management?
ASM is a continuous cybersecurity discipline that focuses on identifying the systems, services and digital assets that attackers can potentially access from outside an organization.
Hayun says ASM extends beyond traditional asset discovery by uncovering vulnerabilities, misconfigurations, shadow IT, shadow AI and third-party exposures that may otherwise remain hidden.
“Attackers gain initial access largely through internet-facing assets, including public-facing IP addresses, domains, third-party integrations, cloud services and web apps,” Hayun says.
That attacker-focused perspective is one reason ASM has gained traction among government cybersecurity leaders.
Sheldon says the discipline reflects a broader shift in cybersecurity strategy as organizations seek visibility across increasingly distributed environments.
“External attack surface management is one that makes sense,” Sheldon says. “It captures basically internal vulnerability management and external internet exposure.”
For state and local governments, the ability to understand what is exposed to the public internet has become increasingly important as agencies adopt more cloud services, digital applications and connected technologies.
How Does ASM Differ From Traditional Vulnerability Management?
While ASM and vulnerability management are closely related, the two disciplines address different aspects of cybersecurity risk.
Traditional vulnerability management focuses on known systems. Security teams scan assets they already manage and work to remediate known vulnerabilities.
Attack surface management starts with discovery.
Hayun says vulnerability management focuses on scanning known internal assets for Common Vulnerabilities and Exposures, while ASM actively searches for unknown internet-facing assets across an organization’s external perimeter.
“The two approaches are complementary,” Hayun says. “Doing only one is the equivalent of locking your doors but leaving your windows open.”
Sheldon says the distinction between the disciplines has evolved over time.
“I think you could view attack surface management as having consumed a lot of what was traditionally vulnerability management,” Sheldon says.
Rather than treating internal and external exposures separately, organizations increasingly want a unified view of risk across their environments, he says. That means understanding not only what vulnerabilities exist but also what assets are exposed and how attackers might exploit them.
READ MORE: Cities must consider operational technology when assessing their attack surface.
Why Do State and Local Agencies Have Uniquely Challenging Attack Surfaces?
Every organization faces visibility challenges, but state and local governments often contend with particularly complex environments.
Hayun says public sector organizations frequently operate modern cloud services and AI technologies alongside decades-old legacy systems. At the same time, agencies and departments often procure and manage technology independently, creating significant visibility gaps.
“State and local government environments face deep structural challenges that complicate asset visibility,” Hayun says.
Sheldon points to the scale and federated nature of government environments as another challenge.
“This is the type of problem within cybersecurity that often gets more challenging the larger your scale is,” Sheldon says.
Different agencies may have different technology stacks, procurement histories and operational requirements while still relying on shared cybersecurity resources, he says. As a result, maintaining visibility across the entire environment can be difficult even for well-resourced IT teams.
For cybersecurity leaders, however, visibility remains essential.
“Visibility is the foundational thing that security practitioners need to attain,” Sheldon says. “Without that, you really have a challenging time understanding a full story of what attacks might be targeting you at any moment in time.”
