External attack surface management [Q&A]
The external attack surface -- the assets an organization exposes to the internet -- is attracting a lot of attention at the moment, with Gartner naming it a top security risk.
To find out more about external attack surface management (EASM) and why organizations need to take it seriously, we spoke to Rickard Carlsson, CEO of Detectify.
BN: In very basic terms, can you describe EASM?
RK: External attack surface management (EASM) is the continuous practice of discovering and assessing Internet-facing assets, assessing their security posture and looking for their vulnerabilities and anomalies, and prioritizing remediation efforts. Mapping out an organization's external attack surface via EASM helps companies not only maintain an accurate inventory of all their internet-facing assets, but gain an understanding of which assets are vulnerable to attack and how a malicious actor might exploit them. The intelligent adoption of EASM enables security teams to see their entire external attack surface environment and identify the risk hotspots.
The EASM space is still in a shaping phase. Many products are either glorified discovery engines that identify all internet-facing assets but do little to manage their security state, or identify any and every possible anomaly but don’t help security teams prioritize their remediation efforts. The reality is: EASM should actually help security teams manage the entire external attack surface. You can't do that without discovery, assessment, and prioritization. Just discovering assets or burying a team in false positives shouldn't qualify as true external attack surface management. Organizations need not only discovery but also accurate assessments that help them prioritize.
BN: What shortcomings in existing solutions does EASM address?
RK: Most cybersecurity problems are problems of time and resources. Company leaders are well aware of the risk that security shortcomings represent to their business, but they can’t fix everything. As organizations accelerate the pace of digitalization to meet their business goals, they’re inevitably bringing more Internet-facing assets online. Increasing the pace of development to keep up with digitalization expands the attack surface, creating further opportunities for attackers. Managing the expanding and evolving external attack surface requires time and resources that security teams don't really have.
This is part of what has made the EASM space so hot -- many cybersecurity incumbents recognize the challenge of external attack surface management and are attempting to buy their way in. However, most EASM products, whether from standalone vendors or part of larger platform plays, primarily focus on discovery capabilities. Their testing capabilities amount to little more than vulnerability scanning. EASM tools that use vulnerability management as their base and CPE/CVE matching often yield high false positive rates and are thus more trouble than they're worth.
The best EASM solutions do more than just discover assets and scan for vulnerabilities -- they continuously test the external attack surface with real payloads, and they allow security teams to customize policies and rules, focusing on those issues that matter the most to them. A vulnerability scan might uncover a few gaps in the perimeter, but that is not necessarily indicative of how a bad actor would actually attack you. A real payload-based test however, which not only identifies a vulnerability but outlines how an attacker could exploit it, can help you identify and prioritize the issues that actually put your business at risk. And the best tools enable you to input policies or tools that trigger if or when particular risks are detected.
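The answer above contrasts CPE/CVE version matching with payload-based verification. The Python below is an added example, not code from the interview or from Detectify: it runs a banner/version matcher over a constructed inventory and then keeps only the matches that a (simulated) active check confirmed. Every host, banner, advisory ID and probe result is made up; the advisory table stands in for whatever vulnerability feed a scanner would use. The second nginx host models the common case where a Linux distribution has backported the fix without changing the advertised version string, which is one well-known reason pure version matching over-reports.

```python
"""Version matching vs. verified findings (added example; all data constructed)."""
import re
from dataclasses import dataclass, field

# Constructed advisory table: product -> [(advisory_id, first_fixed_version)].
# The IDs are placeholders, not real CVEs.
ADVISORIES = {
    "nginx": [("ADV-A", (1, 20, 1))],
    "openssh": [("ADV-B", (8, 9, 0))],
}

# Matches "nginx/1.18.0", "OpenSSH_8.4p1", "Apache 2.4.52" and similar banners.
BANNER_RE = re.compile(r"^([A-Za-z][A-Za-z-]*)[/_ ]v?(\d+(?:\.\d+)*)")


@dataclass
class Asset:
    host: str
    banner: str
    # Stand-in for an active check per advisory: True = a harmless probe
    # reproduced the issue, False = probe ran and did not, absent = no probe.
    probe_confirmed: dict = field(default_factory=dict)


def parse_banner(banner):
    """Return (product, version_tuple) or None if the banner is unparseable."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    version = tuple(int(p) for p in m.group(2).split("."))
    return m.group(1).lower(), version


def version_match(asset):
    """CPE/CVE-style matching: flag every advisory whose fix version is newer
    than the advertised one. Knows nothing about backports or exploitability."""
    parsed = parse_banner(asset.banner)
    if parsed is None:
        return []
    product, version = parsed
    return [adv for adv, fixed in ADVISORIES.get(product, []) if version < fixed]


def verified_findings(asset):
    """Keep only version-matched advisories that the active check confirmed."""
    return [adv for adv in version_match(asset) if asset.probe_confirmed.get(adv) is True]


def triage(assets):
    """Split the inventory into confirmed findings (remediate first) and
    version-only matches (report as unverified instead of burying the team)."""
    confirmed, unverified = {}, {}
    for asset in assets:
        matched = version_match(asset)
        if not matched:
            continue
        hits = verified_findings(asset)
        if hits:
            confirmed[asset.host] = hits
        else:
            unverified[asset.host] = matched
    return confirmed, unverified


# Constructed inventory of internet-facing assets.
INVENTORY = [
    Asset("www.example.test", "nginx/1.18.0", {"ADV-A": True}),
    # Same banner, but the distro backported the fix: the probe does not reproduce it.
    Asset("api.example.test", "nginx/1.18.0", {"ADV-A": False}),
    Asset("bastion.example.test", "OpenSSH_8.4p1", {"ADV-B": False}),
    Asset("cdn.example.test", "nginx/1.24.0"),
]

if __name__ == "__main__":
    confirmed, unverified = triage(INVENTORY)
    print("confirmed:", confirmed)
    print("unverified (version match only):", unverified)
```

Version matching alone flags three of the four hosts; after verification only one is a confirmed finding, and the other two are reported as unverified rather than dropped, so the team can still see them without treating them as equal priority.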
BN: What are the primary use cases for EASM?
RK: EASM offers a wide range of benefits, starting from the basis of alleviating the resource and time constraints faced by security teams by enabling efficient asset discovery and inventory across different environments.
In terms of use cases, EASM assists in managing third-party risks by continuously monitoring external assets for vulnerabilities and enhancing security coverage. It can also bring great value in M&A scenarios by automating the discovery and inventory of inherited assets, ensuring prompt risk assessment and mitigation. Additionally, EASM supports organizations during digital transformation initiatives, helping identify vulnerabilities within cloud services, such as server misconfigurations, thus ensuring a secure transition to the cloud. In short, the ideal EASM product should help organizations see their current state of security, understand what they are exposing in their attack surface, help them quickly resolve vulnerabilities and issues, and help them validate that they are following security policies. EASM should also be enabling frictionless integrations to accelerate remediation and let organizations use EASM data whatever way best fits them so they can keep their business secure while continuing to ship products and features.
BN: What are the benefits of an outside-in approach to security rather than trying to catch everything in development?
RK: To actually manage your external attack surface, you need a solution that tests your entire environment and yields an accurate summary of how and where a malicious actor could exploit the organization. You aren't going to catch every single vulnerability before it goes live. Plus, things change as new vulns in lines of code are identified and new exploit paths emerge. Gaining a hacker-eye view enables organizations to identify risk hot spots and remediate them before they are exploited.
Not all vulnerabilities are created equal. The trouble with working on a granular level is you can easily fall into the habit of hunting vulnerabilities just for the sake of it. Regardless of the CVSS score, there isn't much point in remediating a vulnerability that doesn’t have an associated attack path.
This is why looking at your environment from an outside-in perspective and gaining an attacker's-eye view is so important. Ideally you'd like to have no vulnerabilities in production, but that’s not realistic. Therefore it is important to understand which vulnerabilities an attacker will actually use to exploit and prioritize those. The best EASM solutions do much of this work for you, identifying vulnerabilities with a low false positive rate and flagging those that represent the most risk depending on your unique business context.
BN: There has been a lot of activity in the EASM market lately. In your opinion, what does that say about the space?
RK: I see it as validation. The EASM space is volatile because the struggle of attack surface management is very real.
Cybersecurity incumbents clearly recognize that their customers are struggling to manage their attack surfaces and are looking to buy their way into the market. There are obviously different aspects of any EASM solution that a buyer might find attractive, but the overall use case is clear -- attack surfaces are expanding, getting harder to defend, and security teams need help managing.
The question is: will bolting an existing EASM feature onto a larger platform play deliver the same value as a standalone solution? In my view the customer is better served by a solution that is truly focused on this use case.