The Confusion Between Attack Surface Reduction and Vulnerability Management 

March 22, 2023

Attack surface reduction was recently covered in an episode of Cybersecurity America with Josh. In his work with clients, Josh explains that there’s a lot less people focused on attack surface reduction and more on vulnerability management. He says vulnerability management is a shallower stage of a cybersecurity maturity journey in that it simply uses scanners to show which IP addresses are vulnerable, those that should be patched, and so forth. It’s also very specific. If you use Microsoft versions, for example, it only has Microsoft vulnerabilities, not all the vulnerabilities for every product out there.  

Problems can arise when this approach is used as infrastructure risk management. Josh explains, “The router jockey guys will see there’s an iOS vulnerability and make that a part of their next patch cycle.” With this approach, it’s only viewed as software or hardware maintenance and likely missing the perspective that these vulnerabilities are exactly what the attackers are seeing, using, and trying to exploit. 

When focusing on vulnerability management instead of attack surface reduction, Josh suggests key questions are not being addressed, such as:

Which vulnerabilities are the ones that are easy for attackers to exploit?  

Should the focus be on remediation or mitigation?

The team at DeepSeas are guiding clients as they mature their security programs by going deeper into risk-based attack surface reduction and evolving from that shallower vulnerability management type stage. Listen to his full episode covering this important cybersecurity topic and the major impacts of machine learning on cyber threats: