# Why You Need ASM ASAP

By [Michael Heller](https://www.paloaltonetworks.com/blog/author/michael-heller/?ts=markdown "Posts by Michael Heller") and [Dena De Angelo](https://www.paloaltonetworks.com/blog/author/ddeangelo/?ts=markdown "Posts by Dena De Angelo")

Jun 02, 2022 | 6 minutes

"Attack Surface Management" sounds like it could be the name of a heavy metal rock band. While ASM isn't something you'll see at Riot Fest, it should be something you find in your SOC, especially given what it provides. With ASM, you get an attacker's "outside-in" view of your organization's attack surface.

That's right, an attack surface management (ASM) solution can provide continuous discovery, monitoring, and assessment of an organization's external, internet-facing attack surface, which could be at risk from threat actors who are scanning it for weaknesses at seemingly breakneck speeds. And scan they will---ad nauseam, as we discovered. Attackers can scan the entire internet in under an hour to find exposed assets, and what they find is troubling.

In our report, [*2022 Cortex Xpanse Attack Surface Threat Report: Lessons in Attack Surface Management Based on Observable Data*](https://start.paloaltonetworks.com/2022-asm-threat-report.html), we outlined some key findings from our research of the public-facing internet attack surfaces of some of the world's largest businesses:

* **Low-Hanging Fruit Continues to Hang.** Nearly one out of every four issues we found on the attack surface was related to exposed RDP servers, a key vector for ransomware attacks. Even looking at the next most common issues, the end result was often an exposed administration login portal.
* **End-of-Life Software Means End-of-Life for Your Security.** When looking at fundamental issues of poor security, we discovered a troubling amount of exposures in administrative login pages as well as in internet-facing end-of-life (EOL) software.
Across the applications below, we saw that, on average, around 30% of organizations were running EOL software versions:
    * Apache Web Server: ~32% running EOL versions
    * Microsoft Exchange Server: 29% running EOL/unsupported versions
* **The Unmanaged Attack Surface Is Growing.** EOL software is often an indicator of an unmanaged asset. But risks and exposures are persistent not only because of asset leak leading to unmanaged assets, but because modern attack surfaces are inherently dynamic, constantly shifting, moving, and growing. This means that as attack surfaces grow, so too does the number of unmanaged assets on those surfaces.

## **The Urgency is Real and Increasing**

Let's face it, perimeter-centric strategies for network security don't work anymore. The locations of security infrastructure and systems extend beyond the traditional internet perimeter to the cloud, an increasingly remote and mobile workforce, and every connected device or endpoint---each requiring some level of visibility and control to prevent compromise. The modern threat landscape has become an environment that knows no bounds in our hyper-connected digital world.

As companies migrate more and more data resources and applications to the cloud, and it becomes easier for any employee with a credit card to create a new cloud instance outside of security controls, asset leak becomes inevitable. If companies don't know what they have, that lack of visibility leads to a multitude of issues, including an inability to maintain regulatory compliance, cloud app data theft, and an inability to monitor data to and from cloud apps.

And while cybersecurity pros take advantage of cool new tools to combat these challenges, advancements in scanning technologies allow threat actors to locate attack vectors quickly and easily, revealing abandoned, rogue, or misconfigured assets that can become backdoors for compromise.

![attack surface diagram](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/word-image-9.png)

A critical step to informing any risk management function is to have a clear understanding of one's attack surface---you can't protect what you can't see. In ESG's new whitepaper, [*Value Drivers for an Attack Surface Management (ASM) Program*](https://start.paloaltonetworks.com/value-drivers-for-an-attack-surface-management-program.html), they outline proof points for organizations, providing a high-level overview of the value that Attack Surface Management brings to increasing security maturity and reducing risk.

In a no-nonsense approach, Jon Oltsik, ESG Senior Principal Analyst and Fellow, describes why current ASM is inadequate, continuing to lag, handicapped by manual processes, inconsistent discovery cycles, and incomplete or partial monitoring of an attack surface.

**"69% of organizations surveyed report that they've experienced a cyber-incident resulting from an unknown, unmanaged, or poorly managed internet-facing device.^1^"**

## **What's it Going to Cost?**

As with any new security solution, the benefit-to-cost ratio may help determine if and when a solution is implemented and deployed. In the case of ASM, the ESG paper makes a clear case that the *absence* of an ASM program comes at a cost. When ASM best practices are neglected, traditional manual processes cannot keep up with modern, ever-changing attack surfaces, leading to increased risks, breach-related costs, and even higher cyber insurance premiums.

As stated in the paper:

ESG research reveals that organizations have discovered an assortment of vulnerable assets like sensitive data in a previously unknown location, websites with a direct or indirect path to their organizations, employee credentials (that may be misconfigured), previously unknown SaaS applications, and applications with zero users.
In fact, unknown attack surface assets tend to be the rule rather than the exception. ESG has seen that when organizations use automated attack surface management discovery tools, security teams regularly find that their attack surface is at least **40% greater than they perceived**. These exposures represent easy targets for cyber-adversaries and create significant risks for organizations.

It is these types of revelations that should be a wake-up call for security practitioners who are even remotely concerned about missing one iota of attack surface coverage during discovery. Any potential exposure can become an easy target for threat actors to gain a foothold, move laterally, and create significant compromises and/or full breaches.

## **Show Me the Money! How to Allocate Budget for ASM**

According to ESG, 80% of organizations will increase security hygiene and posture management overall in 2022, and that includes direct investments in attack surface management^2^. However, finding budget can be a creative exercise in knowing how to position a request. In *Value Drivers for an Attack Surface Management (ASM) Program*, ESG shares strategies organizations are implementing to do just that, including:

* Creating discretionary budgets.
* Rerouting point-in-time ASM analysis budgets.
* Establishing a preventative security budget.
* Justifying ASM spending to lower cyber-insurance premiums.
* Turning ASM spending from capital expenditure to operational expenditure.
* Sharing the cost of ownership across multiple teams.

> **"Moving forward, ASM should be considered a critical security safeguard deserving a dedicated budget."** **-Enterprise Strategy Group (ESG)**

Suffice it to say, advocating for and adopting a sound ASM strategy should be a part of security hygiene best practices. And if it's not, it should be on your shortlist of solutions to explore and consider.

Learn more about the benefits to security and budgets offered by ASM by downloading [*Value Drivers for an Attack Surface Management (ASM) Program*](https://start.paloaltonetworks.com/value-drivers-for-an-attack-surface-management-program.html) *by ESG.*

1 Source: ESG Research Report, [*Security Hygiene and Posture Management*](https://research.esg-global.com/reportaction/SecurityHygieneAndPostureManagement/Marketing), January 2022. All ESG research references and charts in this white paper have been taken from this research report, unless otherwise indicated.

2 Source: ESG Complete Survey Results, [Security Hygiene and Posture Management](https://research.esg-global.com/reportaction/SecurityHygieneAndPostureManagementCSR/Marketing), January 2022.