The Confusion Between Attack Surface Reduction and Vulnerability Management

March 22, 2023

Attack Surface Reduction was recently covered in an episode of Cyber Security America featuring our own Deep, Josh Nicholson, who serves as Vice President of Professional Services & Customer Success at DeepSeas. In his work with clients, Josh explains that far fewer people are focused on attack surface reduction than on vulnerability management. He describes vulnerability management as a shallower stage of the cyber security maturity journey: it simply uses scanners to show which IP addresses are vulnerable, which hosts should be patched, and so forth. It is also very narrow in scope. If your scanner covers only Microsoft products, for example, it reports only Microsoft vulnerabilities, not the vulnerabilities in every product in your environment.

Problems arise when this approach is treated as infrastructure risk management. Josh explains, “The router jockey guys will see there’s an IOS vulnerability and make that a part of their next patch cycle.” With this approach, patching is viewed only as software or hardware maintenance, and the perspective that these same vulnerabilities are exactly what attackers are seeing, using, and trying to exploit is likely lost.

When focusing on vulnerability management instead of attack surface reduction, Josh suggests that key questions go unaddressed, such as:

Which vulnerabilities are the ones that are easy for attackers to exploit?

Should the focus be on remediation or on mitigation?

Josh and his team at DeepSeas guide clients as they mature their security programs by going deeper into risk-based attack surface reduction and evolving beyond the shallower vulnerability-management stage. Listen to his full episode covering this important cyber security topic and the major impacts of machine learning on cyber threats: