External Attack Surface Management, or EASM, has become a necessary component of a proactive cybersecurity strategy. According to research from Enterprise Strategy Group, over 65% of breaches stem from a compromised, externally exposed asset, so knowing your attack surface is key to avoiding breaches. Gartner, for this reason, is recommending EASM as a key pillar in the new approach to proactive security they call Exposure Management.
As a new item in the cybersecurity stack, many teams have no context for how to budget for EASM, or how much. This post offers some basic guidance.
What is EASM and how does it fit into a security program?
EASM refers to the process of identifying, analyzing, and mitigating the vulnerabilities and risks associated with an organization’s external-facing digital assets, such as websites, applications, cloud environments, and network infrastructure. It involves monitoring and securing the exposed attack surface to prevent breaches and unauthorized access by threat actors, and most closely aligns with vulnerability management.
How much should you budget?
On the low end, basic security ratings tools and vulnerability scanning add-ons may cost in the $25-50K range, sometimes more. These, however, are not truly EASM: they require manual effort, miss assets, generate many false positives, struggle to discover cloud assets, and do not perform any testing.
Modern EASM products are typically priced per asset under management. An average enterprise has over 50,000 assets, according to CyCognito’s State of External Exposure Management report. Mid-market customers have 20,000 on average. Large enterprises may have hundreds of thousands of assets, even up to millions for some industries like telecommunications. Importantly, don’t budget based on your current understanding of your assets; most customers significantly undercount if they do not have EASM in place and are using manual methods to keep track of their assets.
So, the cost of EASM depends on the number of assets you have. It will also vary depending on whether you are simply discovering assets or actively testing those assets, which typically is an added cost. Mid-market customers can expect to pay in the $25-75K range. Large enterprises can expect $100-200K on average. Of course, if your organization has lots of assets based on the business you are in, the price may be higher.
Which budget should it come from?
More and more enterprises are creating Exposure Management teams, and some have dedicated EASM staff. Companies that have an Exposure Management team typically hold the EASM budget there.
If not, EASM is usually part of the Security Operations Center (SOC) budget, often specifically from the vulnerability management budget. If you are including testing in your EASM license, some of the budget may come from the AppSec team.
How many people will it take to implement?
Advanced EASM products typically run autonomously; staff are only needed to determine whether newly discovered, unknown assets belong in the organization's asset inventory and to help triage assets at risk. For smaller organizations, this can be as little as 4-8 hours a week, depending on that week's findings. Larger organizations may have a small team of 1-2 analysts focusing on EASM, often also serving on other teams, such as vulnerability management (VM). Many MSSPs also offer EASM as a managed service.
How do you justify the cost?
The cost of EASM can be justified in terms of risk reduction, labor savings and efficiency gains, and software license and insurance premium cost reductions.
Risk Reduction
- Breach avoidance – two-thirds of breaches come from unknown or unmanaged assets.
- M&A risk assessment – understanding the digital risk of a pending acquisition.
- Attack surface reduction – reduce the scope of unknown risks and assets.
Labor Savings and Efficiency Gains¹
- Manual asset discovery – saves 60% of analyst time spent per week
- False positive triages – reduces hours manually validating alerts by 90%
- MTTR improvement – shortens MTTR by more than 50%
- Zero-day advisories – tracked and managed in minutes rather than days or weeks
Premium and License Cost Reduction
- Software license consolidation – EASM with testing can replace a bug bounty license and bounty pool entirely, and partially replace external pentesting spend.
- Cyber insurance premium reduction – with improvements in security posture ratings, organizations are able to reduce their premiums, reduce their deductibles, and increase their coverage.
For more information on CyCognito’s license costs, please visit our pricing page. Or contact us to set up a time to discuss your specific requirements.
¹ Statistics from the Forrester Total Economic Impact report and CyCognito customer analysis.