Using Surface Command

Surface Command breaks down data silos by combining comprehensive attack surface visibility across hybrid environments to build a dynamic 360-degree view of your entire attack surface in one place. External scans provide an adversary’s perspective on the attack surface, detecting and validating exposures while highlighting areas attackers are most likely to target.

Surface Command combines these external scans with a detailed inventory of your internal assets, no matter the security or IT tool used to scan them. This process delivers complete visibility into your attack surface without the risk of blind spots, unprotected assets, and ungoverned access. Understanding how assets are configured assists in quickly identifying and addressing misconfigurations, shadow IT, and compliance issues. This integrated approach gives you a holistic view of your digital landscape, enabling proactive risk mitigation, threat prevention, and rapid response.

Key concepts

Before getting started with using Surface Command, you should review the following key concepts:

  • Connectors - An interface that allows an information source to collect information about the objects in its environment. Each Connector interfaces with 1 information source. An information source is an existing system or data source that has information about any object of interest. Common information sources include vulnerability scanning tools, endpoint protection technologies, and cloud infrastructure, such as AWS, Azure, and GCP. Surface Command provides Connectors for most major security tools, but custom Connectors can be built for your enterprise-specific systems.
    • Outpost - A remote Kubernetes Cluster that can access and collect data from information sources and execute operations. An Outpost is installed in the customer’s environment when the Surface Command platform cannot access an information source, such as an application behind a firewall, or when an application's APIs reside on a private cloud network. Once deployed, an Outpost is paired to the platform. 1 or more Connectors are then assigned to the Outpost.
    • Data Zone - A defined area where the Connector operates, such as a specific network, physical location, or country. Surface Command uses data zones to manage distinct areas of your environment and correlates data from each data zone separately. This means Assets show only those relationships to other assets within the same data zone. You can configure a Connector to operate in multiple data zones. For example, a Connector can be configured to ingest data from a Command Platform instance located in the USA data zone and from another Command Platform instance located in the Europe data zone. Some types of data are considered global. For example, a vulnerability, such as the description of a CVE, is always in the global zone and accessible by a Connector in any data zone.
    • Import Feed - A scheduled software job that performs a specific process like importing data from an information source. Connectors can have multiple associated Import Feeds.
  • Asset - A representation of 1 or more data records that pertain to a single object in your environment. A data record can be for a physical object in your environment, such as a laptop, printer, or server. It can also be an object that is typically not considered an asset, such as a person, business application, or vulnerability. Surface Command creates the representations of assets automatically when data is ingested into the system by a Connector.
    • Asset Type - Describes the structure of the data for a specific type of asset. Every data record is associated with an exact technical description of the structure and semantics of its properties. Each Connector defines its own set of asset types. Surface Command unifies all the asset types that pertain to the same class of object, such as a Machine or a Vulnerability, into a set of pre-defined unified asset types. For example, different information sources might provide information about a single device from the perspective of an EC2 Instance, CrowdStrike Device, SentinelOne Agent, and Tenable.io Asset. They all pertain to the same device and the unified asset type would be a Machine. You can use unified asset types, each information source’s asset types, or both when writing queries to select specific results. For more information on the Unified Asset Model, see Assets.
  • Query - A tool used to select and display specific data that was ingested by Connectors. A query cannot add or change data. Some queries are included with Surface Command by default or included with a given Connector. You can also write your own queries to retrieve the data of interest to you. Queries are written in Cypher, which is a standards-based graph query language. Surface Command also provides a graphical interface for building basic queries without needing to understand Cypher.
  • Dashboard - A user-created collection of widgets. You can use and organize dashboards to present and monitor any aspect of your security posture.
    • Widget - A component that displays a specific dataset in a dashboard. A widget retrieves data from a query, filters the results to show specific data, and presents that data in a customized chart or graphic. You can configure the type of graph and how it calculates values. Since a widget filters the results from a query, you can have several different widgets based on a single query. The Surface Command home page has a set of pre-defined widgets, where each widget provides a count of assets of a specific unified type. These are not editable.
  • Workflow - A set of steps that perform 1 or more actions driven by query results that define a repeatable process. You can associate workflows with queries to generate automatic responses to specific changes or invoke them manually as needed.
    • Function - Code that interacts with a remote application or program to retrieve data or perform an action. It is used as a building block for workflows. When creating workflows, you can leverage functions and chain them together to achieve comprehensive operations. Functions are provided with the Connectors by default.
  • Reference list - Enterprise or industry data that is not accessible by a Connector but is collected from Microsoft Excel (.xlsx) or CSV files. For example, it could be a spreadsheet that maps network addresses to physical locations or business owners. Reference lists let you combine this data with other information pulled from information sources when building queries.
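The Query concept above notes that queries are written in Cypher and can mix unified asset types with each information source's own asset types. The following query is an added illustration of that idea, not a query shipped with Surface Command or any Connector. The unified label Machine is taken from the description above; the source-specific labels TenableIoAsset and CrowdStrikeDevice, the relationship type SOURCE_RECORD, and the property hostname are assumptions standing in for whatever names the actual Connectors define.

```cypher
// Added example: find Machines that a vulnerability scanner reports but that
// no endpoint protection agent reports. Such a gap is a blind spot in coverage
// and a natural candidate for a dashboard widget or a workflow trigger.
//
// Assumed (hypothetical) names: TenableIoAsset, CrowdStrikeDevice, SOURCE_RECORD, hostname.
MATCH (m:Machine)-[:SOURCE_RECORD]->(scan:TenableIoAsset)
WHERE NOT (m)-[:SOURCE_RECORD]->(:CrowdStrikeDevice)
RETURN m.hostname AS hostname,
       count(scan) AS scanner_records
ORDER BY hostname
```

The MATCH clause selects on the unified type, so the result is one row per device regardless of how many source records were merged into it; the WHERE clause then uses a source-specific type to express the coverage condition. Because a query only reads data, the same query can back several widgets that filter its rows differently, for example one widget per data zone.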

Using Surface Command

The Surface Command Home page is accessible from the Solutions sub-navigation menu on the Command Platform. You can also navigate directly to points of interest within Surface Command by interacting with the Attack Surface Overview or the other Attack Surface-related navigation menu items. If you're not sure where to get started, check out the following menu:

Looking for Surface Command Access Control?

For detailed information on Surface Command entitlements and access control, visit Role-Based Access Control.