Attack Surface Management FAQ
General

Seen from the network perspective of an adversary, an organization's attack surface is its complete external asset inventory, including every actively listening service (open port) on each asset.

Attack Surface Mapping is the process of discovering and documenting the complete attack surface of an organization. An Attack Surface Map includes the hostnames and IP addresses of each externally facing asset, the listening ports on each, and as much metadata about each asset as possible. Metadata may include software distribution and version information, IP geolocation, TLS stack information, and so on.

Tenable Attack Surface Management automatically discovers all domain names, hostnames, and IP addresses for each asset in an organization's attack surface map. Tenable Attack Surface Management may collect over 120 columns of data about each asset. These assets may be located on-premises, in the cloud, in hosted services, and elsewhere.

An asset is a combination of four values: IP address, Fully Qualified Domain Name (FQDN), Record Type, and Record Value. If any of the values differ, it is considered a separate asset. For example, a hostname with two A records pointing at two different IP addresses is two assets, one per address.

Record types in Tenable Attack Surface Management are Domain Name System (DNS) records.

An organization can only secure what it knows it owns. Most companies have no documented Attack Surface Map at all. For those that do, the map is commonly incomplete and out of date, possibly leaving thousands of assets unidentified. The security team cannot protect these unidentified assets, often referred to as shadow IT, and the result is lost data and frequent cyber attacks. Tenable Attack Surface Management fills in the gaps in your data and gives you a high-fidelity view of your entire attack surface.

The Tenable Attack Surface Management platform sends alerts in real time whenever the inventory changes, for example when new servers are brought online, new ports open, or server software needs patching. Tenable Attack Surface Management continually monitors your attack surface and lets you know as it evolves and changes.
Tenable Attack Surface Management also offers advanced technology fingerprinting, identifying CVEs, open ports, running services, thousands of software versions, geolocation, login forms, secret keys, ASNs, programming frameworks, HTML, and much more. Tenable Attack Surface Management can do all of this within minutes, as opposed to days with competing products.

The increased interest in Attack Surface Mapping is easy to explain. Adversaries target not only an organization's well-known primary systems but also its secondary and tertiary assets, many of which are unknown to the organization. These unknown assets are often legacy systems, long forgotten and not adequately secured, and they frequently connect to other sensitive areas of the network where a breach of highly sensitive data can be achieved.
Archiving Assets vs. Deleting Sources

In Tenable Attack Surface Management, archiving and deleting are two distinct actions with different targets and outcomes.
- Archiving is an action performed on individual assets. You should archive an asset when you want to stop tracking it but want to continue monitoring the source it belongs to. The archived asset is removed from your active inventory, but the source remains unaffected.
- Deleting is an action performed on sources. A source is a domain, IP address, or ASN from which assets are discovered. When you delete a source, you permanently remove the source and all of its associated assets from your inventory. You should only delete a source when you are no longer interested in monitoring any of the assets related to it.

You cannot delete an individual asset. The delete action applies only to an entire source.

Archive an asset when you want to stop tracking that specific asset but need to continue monitoring its parent source. For example, if Tenable Attack Surface Management discovers a temporary server asset (tmp.my-company.com) that you do not want to track, you can archive it. This action removes the asset from your active view but does not affect the my-company.com source or its other assets.

Delete a source when you are no longer interested in monitoring that source or any of the assets associated with it. Deleting a source permanently removes the source and all its related assets from your inventory.
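The following is an added example, not Tenable's code, that ties together three points from this FAQ: an asset is identified by the four values (IP address, FQDN, record type, record value), the platform alerts on inventory changes such as new assets and newly opened ports, and archiving an asset stops tracking it without touching its parent source. It diffs two constructed inventory snapshots and emits the change events an ASM platform would alert on. The hostnames, addresses and ports are constructed sample data; the assumption that an archived asset simply drops out of the active inventory before the comparison, and therefore generates no events, is this example's own modelling choice.

```python
"""Added example (not Tenable's code): an attack-surface inventory diff.

Models an asset as the four-value identity the FAQ describes
(IP address, FQDN, DNS record type, record value) and diffs two
constructed inventory snapshots to produce the change events an ASM
platform would alert on: new/removed assets and newly opened/closed
ports. Archived assets are dropped from the active inventory before
the diff, so they no longer generate events (assumed behaviour).
All hostnames, addresses and ports below are constructed sample data.
"""
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Optional


class Asset(NamedTuple):
    ip: str
    fqdn: str
    record_type: str
    record_value: str


class Change(NamedTuple):
    kind: str            # new_asset | removed_asset | new_port | closed_port
    asset: Asset
    port: Optional[int]  # set for the port events, None otherwise


# Snapshot: asset identity -> listening TCP ports observed on that asset.
Snapshot = Dict[Asset, FrozenSet[int]]


def active_inventory(snapshot: Snapshot, archived: Iterable[Asset] = ()) -> Snapshot:
    """Drop archived assets; the parent source and its other assets stay."""
    hidden = set(archived)
    return {a: p for a, p in snapshot.items() if a not in hidden}


def diff_snapshots(before: Snapshot, after: Snapshot,
                   archived: Iterable[Asset] = ()) -> List[Change]:
    before = active_inventory(before, archived)
    after = active_inventory(after, archived)
    changes: List[Change] = []
    # Assets seen for the first time: every listening port on them is new too.
    for asset in sorted(after.keys() - before.keys()):
        changes.append(Change("new_asset", asset, None))
        changes.extend(Change("new_port", asset, p) for p in sorted(after[asset]))
    for asset in sorted(before.keys() - after.keys()):
        changes.append(Change("removed_asset", asset, None))
    # Assets present in both snapshots: only the port deltas are interesting.
    for asset in sorted(before.keys() & after.keys()):
        changes.extend(Change("new_port", asset, p) for p in sorted(after[asset] - before[asset]))
        changes.extend(Change("closed_port", asset, p) for p in sorted(before[asset] - after[asset]))
    return changes


# Constructed sample inventory (documentation-range addresses).
WWW_A = Asset("203.0.113.10", "www.my-company.com", "A", "203.0.113.10")
CDN_CNAME = Asset("203.0.113.10", "cdn.my-company.com", "CNAME", "www.my-company.com")
# Same FQDN as WWW_A but a second A record: a separate asset under the four-value rule.
WWW_A2 = Asset("203.0.113.11", "www.my-company.com", "A", "203.0.113.11")
TMP = Asset("198.51.100.7", "tmp.my-company.com", "A", "198.51.100.7")

YESTERDAY: Snapshot = {
    WWW_A: frozenset({80, 443}),
    CDN_CNAME: frozenset({80, 443}),
    TMP: frozenset({8080}),
}
TODAY: Snapshot = {
    WWW_A: frozenset({22, 80, 443}),   # SSH newly exposed
    CDN_CNAME: frozenset({443}),       # plain HTTP turned off
    WWW_A2: frozenset({443}),          # new A record for an existing name
    TMP: frozenset({8080, 8443}),      # archived below, so no alert for it
}


def example_changes() -> List[Change]:
    """Diff with tmp.my-company.com archived, as in the FAQ's example."""
    return diff_snapshots(YESTERDAY, TODAY, archived=[TMP])


if __name__ == "__main__":
    for c in example_changes():
        print(f"{c.kind:14} {c.asset.fqdn:22} {c.asset.ip:15} {c.asset.record_type:5} {c.port or ''}")
```

Running the module lists four events: the second A record for www.my-company.com appears as a new asset with its port 443, port 80 on the CDN name is reported closed, and port 22 on the original www asset is reported open. Dropping the `archived` argument adds a fifth event for port 8443 on tmp.my-company.com, which is exactly the noise archiving is meant to suppress while the my-company.com source keeps being monitored.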