If you add up all of the ways an attacker can approach you and probably multiply by 10 to account for the things you didn't think of, you'd have a fairly good idea of what your attack surface is.
Like all things in security, your attack surface is ever-changing and must be constantly monitored and massaged. Like laundry, the job is never really done, but it needs to be attended to anyway.
Anything that's exposed to an attacker is vulnerable. Most of us have a pretty good perimeter wall and moat set up for the corporate network. But remote work has changed the way to look at this. Office work has accelerated towards work anywhere, so the wall and moat paradigm no longer fits.
A new map of the attack surface needs to be created. This will include everything that will interact with your assets in any way.
Normalize. Analyze. Act.
The average security operation has several tools that overlap. Some will catch an issue, and some won't. Often, one will catch an issue and mark it one way, and another will classify it some other way.
How do we know what needs to be attended to and what is just noise?
Attack surface management has always been needed. It's just now getting a foothold in our brains in a widespread manner.
Buzzword? Maybe. Important? Yes.
We need a way to take these tools and create a single picture. If one tool calls something one thing and another calls it something else, standardizing the way we see these is the first step. After all, most of us can't look at the Matrix and see a blonde or brunette by looking at the code, so why would we expect to look at several noisy tools at once and "see" a problem developing?
Only after creating a standardized "single pane of glass" (I know, I know, tired old buzzwords) can operations get a stronghold on what needs to be analyzed so it can be acted on.
The tricky part
The hardest thing about your attack surface is the users. You can have all of the greatest tools in the world, but if someone lets the monsters in because they asked nicely, then the whole thing is a silly exercise. Constant training is nice, but it's better to be active participants in your security and attack surface posture.
This is possible by recruiting them onto your team. Clear vision and transparency of the process can help. Users that know why they should act a certain way are empowered to make good choices when it really counts.