You know you need to look at your attack surface the way attackers do and invest in external attack surface management (EASM), right?
Excellent.
Good choice.
Now you’ve got to decide how to make it happen. There are a few options: (1) build your own tools and field your own team, (2) cobble together a number of legacy tools and have your team (“human glue”) manually fill in the integration and orchestration gaps, or (3) buy a solution custom-built for the challenge. I covered some of the results- and benefits-based considerations, by answering these questions, in my earlier blog about the Build vs. Buy decision.
Now let’s dive deeper into one of the factors you need to consider—cost. It is important to have a good idea of how expensive manual efforts (or solutions requiring a lot of manual effort to maintain) really are when it comes to EASM, and to compare that with an automated solution like the CyCognito platform. Some of the things to think about may surprise you. As I highlight these sometimes-hidden expenses, bear in mind that some of them are costs you will pay even when using some legacy commercial tools.
A good starting point is to share what our team has uncovered about the hidden cost of siloed tools. These are the considerations we used when developing our own Total Cost of Ownership (TCO) calculator, as you’ll see as you read on. Or, if you prefer, you can schedule a 1x1 meeting with our team, and we’ll be happy to run the calculations for you in our TCO calculator to show how much your existing tools cost, how much a set of tools giving the equivalent benefits of CyCognito would cost, and how cost-effective CyCognito really is.
How Many Things?
Figuring out the Total Cost of Ownership (TCO) of your EASM solution starts with two big questions that are usually the most difficult and most basic:
- How many subsidiaries does your company have?
- How many assets does your company have?
That’s it.
The first question is pretty easy. For a public company, if one is available, we just open a U.S. Securities and Exchange Commission (SEC) Exhibit 21.1 (a private company has no such filing), and for most government agencies the information is predictably public. For clarity, in this context “subsidiary” includes business entities, business units, and any of the other names companies use for entities that are subsidiary to a parent company. Based on what we’ve seen with our prospects and customers, tracking those down can often be tricky because not every organization keeps good records. That’s why it can be helpful to have a way of collecting that information automatically, as our platform does, using natural language processing to help map your attack surface.
The second question is tougher because it raises the question: what do you consider an asset? Most organizations have a fair idea of how many live IP addresses they have, most of the time, because they scan them monthly with a vulnerability scanner, Nmap, or something similar. They often know the number of web applications they consider important, because they are constantly wrangling with penetration testing firms to test a dozen or so for yearly compliance purposes. And larger organizations are almost always using one or more security ratings services because they are trying to figure out how to reduce their cyber insurance rates, and those services might report potential assets and subsidiaries that the organization would not otherwise know about.
Number of Organizations / Subsidiaries / M&A Events per Year | 25 | Subsidiaries |
Estimated Number of Total External Assets* | 150,000 | Assets |
*External assets = IP addresses (alive and inactive), domains, certificates, and web apps
Figure 1. Screen capture from CyCognito’s External Attack Surface Management TCO Calculator showing the two questions with sample answers about the number of subsidiaries and assets.
With those basics, we can usually create a pretty good estimate of what we are going to actually find, and we will talk about that later. SPOILER: The CyCognito platform will find unexpected assets, and there MAY be issues on those that your security team had no idea about!
The Smaller Questions
But I digress. After you’ve asked the two big questions, the smaller questions are about current processes, because ultimately we want to compare your current processes for external attack surface management with what the CyCognito platform will do. Questions here cover how often you are doing discovery and attribution of assets to your external attack surface, and what percentage of that attack surface you are actually covering. If you say “100%,” well, we have some news...
The next questions are about security testing coverage and cadence. How many external assets are you scanning and how frequently? How many assets are you doing penetration testing on and how frequently? And finally, we look at your processes and tools for prioritization, validation, and reporting on remediation, risk, and security posture improvement.
CURRENT PROCESSES | CADENCE | COVERAGE | COVERAGE # |
Asset Discovery, Classification and Business Attribution | Monthly | 70% | 105,000 |
Vulnerability Scanning | Monthly | 40% | 60,000 |
Penetration Testing | Annual | 2% | 3,000 |
High Level Reporting | Quarterly | 80% | 120,000 |
Figure 2. Screen capture from CyCognito’s External Attack Surface Management TCO Calculator showing example estimates of coverage and cadence of current processes.
Assume Nothing, errrr, Assume Some Things…
From these few inputs, we’ve found that we can accurately predict things about how an organization is currently managing its external attack surface. The first assumptions are about how long it takes to discover assets and contextualize them, and also about which tools are used. As it turns out, there are A LOT of tools used for discovery. I did a SANS Webinar in May 2021 about this subject, if you are curious.