On traditional infrastructure (laptops, servers, workstations, on-premises network infrastructure), the attack surface was the closest match to true perimeter-based defense we could get. The network infrastructure gave access to the systems within (crunchy outside; gooey, cubicle, khakis, and blue button-downs inside). As such, detection of attacker activity was relegated to network-based activity, endpoint-based activity, and maybe Active Directory. Straightforward, right? (It wasn’t, but that’s a different blog.)

All of that changed with significant advancements in different technologies, which, for the purposes of this blog, we will oversimplify to “the transition to the Cloud Era.” The Cloud Era is the time when we broke away from the traditional perimeter with IaaS, PaaS, SaaS, cloud workloads, identity, serverless, IoT, and anywhere work.

Long story short, the transition changed one thing in a major way: We have a greater variety and number of attack surfaces to defend than we did before. The term “attack surface” rose in popularity over the last few years to describe the growing IT asset estate.

Monolithic Security Terms Aren’t Descriptive Enough

However, we have no parallel to attack surface to describe where we can detect and, optionally, directly and automatically respond to attacker activity. This is a problem — a problem exemplified by terms like “cloud detection.”

If you talk to our colleague, Andras Cser, he will describe the current and growing complexity of cloud security that encompasses far more than a monolithic, singular tool to defend all clouds.

Terms like “cloud detection” can include anything from CSG, CASB, CWS, SSPM, SaaS detection … and the list goes on. There are too many technologies to fit into this broad term. This can have a substantial impact on how detection occurs and why.

Overly Granular Detection Categories Aren’t Necessary (Or Wanted)

And no matter how much security vendors might want us to, we can’t keep adding “term + detection” forever.


Detection Surface Describes Where Detection Of Attacker Activity Takes Place

All of these reasons are why we are introducing the term “detection surface” today. Forrester defines detection surface as:

The IT asset type upon which detection of attacker activity occurs.

Detection surface directly parallels attack surface. It describes the IT assets upon which we can detect attacker activity, much like attack surface describes the IT assets within an estate.

Take endpoint detection and response (EDR) as an example. Detection on Windows, Mac, Linux, iOS, Android, and IoT devices is not the same, yet they are all endpoints. You can detect attacks on all of them, and some vendors call detection on all of them EDR. They each represent different detection surfaces that a particular EDR may or may not detect on.

To put this into practical terms, consider the following:

  • A question you likely often ask vendors in contention for EDR adoption: “What detection surfaces do you have coverage for?” They may answer: Windows, Mac, Linux, iOS, Android. Or they may get more specific: Windows 11 21H2, 10 21H2, 10 Redstone 5, 8.1, 8, 7, Server 2022, Server 2019, etc.
  • A question you likely often ask vendors when discussing cloud detection: “What detection surfaces do you have coverage for?” They may answer: containers, an AWS instance, an identity, a SaaS application, etc.
  • A question you may ask vendors when discussing security analytics or UBA: “What detection surfaces do you have coverage for?” They may answer: The detection surface can be a combination of aspects based on what logs you bring into the SIEM — AD, Azure AD, Windows 11, and an Azure instance, for example.


Use Detection Surface To Better Understand Where Detection Takes Place

This term has come up organically in conversation with practitioners, vendors, and others, especially as we explore detection on new and emerging technologies.

The cloud is the most potent example of this — many vendors say they do “cloud detection,” when in reality, there are a LOT of things that can be detected on to protect the cloud, from containers to IaaS to SaaS to identity.

Logging Is Not Detection

Detection surface bridges visibility and detection. It breaks the myth that logging is the same as detection — it is not. Logging (when it’s actually in place) is visibility. Detection surface goes beyond logging and visibility. It’s about utility of detection, not presence of visibility.
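
To make the difference between attack surface, visibility, and detection surface concrete, here is an added example (not from the original post or from Forrester) that classifies each asset type in an estate. The inventory, log source names, and rule names are constructed for illustration, and treating a rule as effective only when it is enabled and its log source is collected is an assumption of this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Detection:
    name: str
    asset_type: str      # IT asset type the rule detects on
    log_source: str      # telemetry the rule needs in order to fire
    enabled: bool = True

def classify_coverage(attack_surface, collected_logs, detections):
    """Map each asset type to 'detection surface', 'visibility only' or 'blind'.

    attack_surface: iterable of asset types in the estate
    collected_logs: dict of log source name -> asset type it describes
    detections:     iterable of Detection
    """
    logged_types = set(collected_logs.values())
    # A rule counts only if it is enabled AND the log source it reads is collected.
    detected_types = {
        d.asset_type for d in detections
        if d.enabled and collected_logs.get(d.log_source) == d.asset_type
    }
    result = {}
    for asset in attack_surface:
        if asset in detected_types:
            result[asset] = "detection surface"
        elif asset in logged_types:
            result[asset] = "visibility only"   # logged, but nothing detects on it
        else:
            result[asset] = "blind"             # in the attack surface, no telemetry
    return result

def detection_surface(coverage):
    """Asset types on which detection of attacker activity actually occurs."""
    return sorted(a for a, s in coverage.items() if s == "detection surface")

# Constructed sample estate (all names below are hypothetical).
ATTACK_SURFACE = ["Windows 11", "Linux", "Azure AD", "containers", "SaaS application"]
COLLECTED_LOGS = {
    "windows-security-events": "Windows 11",
    "azure-ad-signin": "Azure AD",
    "saas-audit": "SaaS application",
}
DETECTIONS = [
    Detection("suspicious-lsass-access", "Windows 11", "windows-security-events"),
    Detection("impossible-travel", "Azure AD", "azure-ad-signin", enabled=False),
    Detection("container-escape", "containers", "k8s-audit"),  # source not collected
]

if __name__ == "__main__":
    for asset, status in classify_coverage(ATTACK_SURFACE, COLLECTED_LOGS, DETECTIONS).items():
        print(f"{asset:18} {status}")
```

In this constructed estate, three of five asset types are logged, but only one is part of the detection surface: a disabled rule and a rule whose log source is never collected contribute nothing.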

Forrester clients who have questions about detection surface or building a detection engineering function can reach out to me or Jeff via inquiry or guidance session. Also, check out this new report on building a detection engineering function!