14 Oct 2022
by Scott Haddow

Risk Prioritisation with Attack Surface Management (Guest blog by IBM)

Guest blog by Scott Haddow, Security Client Exec at IBM #Cyber2022

Cyber Security loves buzzwords, but they get over-exposed faster than Kevin Hart.  Looking at you, Zero-Trust.

If you haven't heard about Attack Surface Management (ASM) yet, you will.  But bear with me, because that's not a bad thing. 

ASM is still on the 'shiny and new' slope of Gartner's hype cycle, but it's already real and out in the wild keeping organisations safer. 

From cloud migrations to IoT integration and hybrid working, IT environments are changing fast – and that’s also true for their attack surfaces, leading to poor visibility of risk in real-time.

Q/ When is the best time to find weaknesses?

A/ Before an attack happens. 

It’s a beautiful concept that may seem naïve when measured against the daily reality of a SOC.  Cyber-nirvana is the goal, but it is hard to get there if you’re stamping out fires all day.

And this is where we approach the paradox at the heart of cyber security today, now that we have largely abandoned the concept of the completely defensible perimeter.  Almost all the technologies in the SOC are designed to spot things after they happen; that is, after the threat actor is already doing something we don’t want them to do inside our network: AI and machine learning driven suites of clever code that spot, correlate and jump on those trails before they snowball into a full-blown cyber heist.  I’m not suggesting that we don’t need all of that and a perimeter, because we do, but threat actors understand our defences and are finding ways to slip under the radar of reactive security tooling in a never-ending game of cat and mouse.

There are a lot of different numbers for the average dwell time of an attacker before an event like ransomware detonation, but broadly the numbers agree that it’s more than 100 and less than 300 days.  That’s a long time to give someone to figure out how your operation works.

On top of that, only about 1 in 5 enterprises can monitor their attack surfaces for changes in real time; put another way, four fifths of the world’s enterprises can’t.

The old question of how you would break into your own home if you were locked out is useful here but falls short when describing the cyber-attack surface, because you’d need to talk about windows you didn’t know you had and prevent an attacker from getting in through a plughole. 

The typical attacker has a laptop, some tools and an internet connection when they begin looking for a way in.  But it’s best not to underestimate our adversary: marketing shows us a lot of people in hoodies hunched over laptops, but it would be scarier to show a 24x7 Ransomware-as-a-Service operation in the C2C marketplace.  This is organised and profitable crime, but regardless of the maturity of the organisation or individual attacking you, they begin on the outside of your environment.  What they look for is internet-facing services, IPs, domains, networks, hostnames and so on.  In the process they will uncover your shadow IT, forgotten assets (like that test/dev environment everyone assumed someone else tore down), and other blind spots and process failures, for example a brute-forceable and exposed login applet, or a down-rev web server.  Those are the chinks in the armour offering a route in, and because they face out into the internet, they are highly tempting.  But (of course) they can’t be fixed until you know about them, which means that we need to wait for the lights to blink on the big reactive dashboard, and then you’ve got another fire to stamp out.

If we want to move to a proactive posture, using an Attack Surface Management tool like IBM Randori, which scopes your attack surface the way an attacker would, is a smart move.  If we can see what they see when they look at us from the outside, then we have a prioritised inventory of attack risk.

That’s important because the last thing anyone needs is a report with an overwhelming list of to-do items on it, because we’re already putting out fires as it is.  Having issues ranked by their ‘temptation score’ lets the SOC team focus on the urgent fixes first, and then schedule work on the less urgent items.  And because Randori only looks at your attack surface from the outside, it’s agentless and doesn’t need appliances.

Having a prioritised inventory of risk lets you find those open windows and close them, which makes it harder for the attacker to get in.
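As an added illustration of what a prioritised, outside-in inventory looks like in practice (example code written for this post, not IBM Randori’s scoring; the inventory is constructed and the simple heuristic stands in for the product’s ‘temptation score’):

```python
"""Toy prioritisation of an externally discovered attack surface.
Added example: a simplified heuristic, not Randori's scoring."""
from dataclasses import dataclass


@dataclass
class Asset:
    hostname: str
    service: str
    internet_facing: bool
    known_to_it: bool           # False = shadow IT or forgotten asset
    login_exposed: bool = False
    lockout_or_mfa: bool = True  # False = brute-forceable login
    versions_behind: int = 0     # releases behind current ("down-rev")


def temptation_score(a: Asset) -> int:
    """Heuristic 0-100 score; higher means fix sooner."""
    if not a.internet_facing:
        return 0                          # attacker starts on the outside
    score = 10                            # baseline for any exposed service
    if a.login_exposed:
        score += 15
        if not a.lockout_or_mfa:
            score += 25                   # exposed, brute-forceable login
    score += min(a.versions_behind * 10, 30)  # out-of-date software
    if not a.known_to_it:
        score += 20                       # nobody patches what nobody owns
    return min(score, 100)


def prioritise(inventory):
    """Return (score, hostname) pairs, most urgent first."""
    ranked = [(temptation_score(a), a.hostname) for a in inventory]
    return sorted(ranked, key=lambda t: (-t[0], t[1]))


# Constructed sample inventory, as it would be seen from the outside.
INVENTORY = [
    Asset("www.example.test", "https", True, True, versions_behind=1),
    Asset("vpn.example.test", "ssl-vpn", True, True, login_exposed=True),
    Asset("dev-old.example.test", "http", True, False, login_exposed=True,
          lockout_or_mfa=False, versions_behind=4),
    Asset("db01.internal.test", "postgres", False, True),
]

if __name__ == "__main__":
    for score, host in prioritise(INVENTORY):
        print(f"{score:3d}  {host}")
```

The forgotten test/dev host with an unprotected login and old software lands at the top of the list, while the internal database that attackers cannot reach from outside scores zero.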

Nobody wants to be over exposed, not even Kevin Hart.

IBM has acquired Randori, a leading Attack Surface Management provider recently named a Cool Vendor by Gartner.  Although ASM is an emerging technology, IBM has never been afraid to be at the forefront of innovation. Find out more here: https://www.randori.com/

Help to shape and govern the work of techUK’s Cyber Security Programme

Did you know that nominations are now open* for techUK’s Cyber Management Committee? We’re looking for senior representatives from cyber security companies across the UK to help lead the work of our Cyber Security Programme over the next two years. Find out more and how to nominate yourself or a colleague here.

*Deadline to submit nomination forms is 17:00 on Tuesday 18 October.

Upcoming events 

Cyber Innovation Den

On Thursday 3 November, techUK will host our fourth annual Cyber Innovation Den online. This year we’ll explore efforts being made to realise the ambition set out in the National Cyber Strategy, with speakers taking a look at the progress we’ve seen to date, including the foundation of the UK Cyber Security Council, the reinvigoration of the Cyber Growth Partnership and the continued growth in the value of the sector to the UK economy.


Cyber Security Dinner

In November techUK will host the first ever Cyber Security Dinner. The dinner will be a fantastic networking opportunity, bringing together senior stakeholders from across industry and government for informal discussions around some of the key cyber security issues for 2022 and beyond.


Get involved

All techUK's work is led by our members - keep in touch or get involved by joining one of the groups below.

The Cyber Management Committee sets the strategic vision for the cyber security programme, helping the programme engage with government and senior industry stakeholders.

The CSSMEF is comprised of SME companies from the techUK membership. The CSSMEF seeks to include a broad grouping of different SME companies working in the Cyber Security (CS) sectors.

Scott Haddow

Security Client Exec, IBM