
Three Approaches to External Attack Surface Management

By Rob Gurzeev
CEO & Co-Founder
February 5, 2024

Attack surfaces today are incredibly large and complex. According to our research team, the size of a company’s attack surface fluctuates by as much as 10 percent a month.

Only two decades ago, a typical company had a single server connected to the Internet. Today it has thousands of Internet-connected networks, filled with unknown and unmanaged assets and subsidiaries, that an attacker can use to exfiltrate intellectual property or to breach its network and systems.

In short, attack surfaces are moving targets rife with security gaps ready to be exploited. How can CISOs effectively secure these dynamic environments?

The answer: External Attack Surface Management (EASM). But there are various approaches to carrying out an EASM strategy—some less effective than others.

An effective External Attack Surface Management approach requires a solution that can:

  • Discover all exposed assets, including the blind spots nobody has inventoried.
  • Attribute each asset to the correct owner in the organization.
  • Contextualize each asset: what it is, what it does, and which business function it serves.
  • Prioritize risk based on that context.
  • Surface the critical attack paths so the security team always knows the most likely routes into its networks.

With this in mind, let’s dive into three common approaches. 

Approach One: Scan what you already know

Most legacy EASM tools—still commonplace today—operate on a foundation that requires explicit input, such as IP ranges or domain names, or hinges on integrations designed to supply such information. This traditional method inherently limits their scope to scanning assets that are already identified or directly connected to them—for instance, a specific domain name that is associated with a known IP range.

It’s important to understand the characteristics and limitations of tools built on this approach. These include:

  • Over-dependence on Inputs: The solution requires the security team to supply foundational data such as IP ranges and domain names, or to establish integrations with existing databases like a Configuration Management Database (CMDB). Anything missing from those inputs is missing from the results.
  • Inability to Discover Severe Blind Spots: The tool has no method for uncovering unknown networks, those not visibly connected or related to your acknowledged networks, such as the networks of subsidiaries. Since risk accumulates where you’re not looking, this defeats the purpose of such tools.
  • Inability to Provide Evidence and Context: The tool lacks a probabilistic methodology. A discovered asset is either owned by (or related to) your organization or it isn’t; the verdict is binary, with no confidence level and no evidence to back it up.
  • Inability to Attribute Assets to Owners: The tool doesn’t provide a model (such as a graph data model) that maps the interconnections between the organization, its environments, and its assets. In practice these solutions simply scan known or easy-to-find IP ranges, much as Nmap has done since the 1990s. If you can’t tell who owns an asset, how can remediation ever take place?

Approach Two: Layer In Human Reconnaissance

Approach One relies on technology-driven scans based on specified datasets, such as known IP ranges and domains. 

The second approach has the same limitations but integrates analysts who engage in active reconnaissance to uncover additional networks and assets. Pentesting companies and small startups tend to fold this into their offerings.

Analysts can enhance the discovery process with manual tactics: searching RIPE NCC (Réseaux IP Européens Network Coordination Centre) and the other regional Internet registries for IP range allocations, running Google searches for subsidiary web applications, and digging through certificate databases such as Certificate Transparency logs for hostnames and organization names.
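The following script is an added example, not CyCognito's code and not any vendor's algorithm. It shows how the reconnaissance sources just listed (registry subsidiary records, RIR allocations, certificate logs, DNS) can feed a small graph model that attributes each discovered host to the organization with a confidence score and an evidence trail, instead of the binary owned/not-owned verdict criticized under Approach One. Every organization name, netblock, hostname and edge weight below is a constructed assumption made up for the example.

```python
"""Added example: evidence-backed attribution of discovered assets.

The record sets below stand in for the sources an analyst works through by
hand: a corporate-registry subsidiary lookup, an RIR allocation search
(RIPE NCC style), a certificate-transparency style log, and DNS answers.
Every organisation, netblock, hostname and weight is made up for this
example; nothing here is real data or CyCognito's model.
"""
from collections import defaultdict
import ipaddress

ORG = "Acme Holdings"  # hypothetical organisation we are attributing assets to

SUBSIDIARY_RECORDS = [
    {"parent": "Acme Holdings", "child": "Acme Payments Ltd"},
    {"parent": "Acme Holdings", "child": "Northwind Logistics"},
]
RIR_ALLOCATIONS = [
    {"org": "Acme Holdings", "cidr": "203.0.113.0/24"},
    {"org": "Northwind Logistics", "cidr": "198.51.100.0/25"},
    {"org": "Totally Unrelated Co", "cidr": "192.0.2.0/24"},
]
CT_LOG = [  # subject organisation may be empty (domain-validated certs carry none)
    {"subject_org": "Acme Payments Ltd", "sans": ["pay.acme.example", "api.acme-pay.example"]},
    {"subject_org": "", "sans": ["legacy.northwind.example"]},
    {"subject_org": "Totally Unrelated Co", "sans": ["shop.unrelated.example"]},
]
DNS_A = {
    "pay.acme.example": "203.0.113.10",
    "api.acme-pay.example": "198.51.100.20",
    "legacy.northwind.example": "198.51.100.77",
    "shop.unrelated.example": "192.0.2.5",
}

# How strongly each relationship type supports ownership (assumed weights).
WEIGHT = {
    "subsidiary_of": 0.9,       # registry says child belongs to parent
    "rir_allocation": 0.8,      # netblock registered to the organisation
    "cert_subject": 0.7,        # certificate subject names the organisation
    "dns_resolves_into": 0.6,   # host resolves into a netblock
}


def build_graph():
    """Undirected graph: node -> list of (neighbour, relation)."""
    edges = defaultdict(list)

    def link(a, rel, b):
        edges[a].append((b, rel))
        edges[b].append((a, rel))

    for r in SUBSIDIARY_RECORDS:
        link(r["child"], "subsidiary_of", r["parent"])
    for r in RIR_ALLOCATIONS:
        link(r["cidr"], "rir_allocation", r["org"])
    for cert in CT_LOG:
        for san in cert["sans"]:
            if cert["subject_org"]:
                link(san, "cert_subject", cert["subject_org"])
            ip = DNS_A.get(san)
            if ip is None:
                continue
            for r in RIR_ALLOCATIONS:
                if ipaddress.ip_address(ip) in ipaddress.ip_network(r["cidr"]):
                    link(san, "dns_resolves_into", r["cidr"])
    return edges


def attribute(edges, asset, org):
    """Best evidence chain from asset to org.

    Confidence is the product of edge weights along the chain, so a host that
    only reaches the organisation through a subsidiary's netblock scores lower
    than one whose certificate names the subsidiary directly.
    Returns (confidence, [evidence steps]); (0.0, []) when no chain exists.
    """
    best = (0.0, [])

    def walk(node, conf, trail, seen):
        nonlocal best
        if node == org:
            if conf > best[0]:
                best = (conf, trail)
            return
        for nb, rel in edges[node]:
            if nb not in seen:
                walk(nb, conf * WEIGHT[rel], trail + [f"{node} -[{rel}]-> {nb}"], seen | {nb})

    walk(asset, 1.0, [], {asset})
    return best


def attributed_hosts(edges, org, threshold=0.3):
    """Hosts whose best evidence chain clears the threshold, with the chain."""
    out = {}
    for host in DNS_A:
        conf, trail = attribute(edges, host, org)
        if conf >= threshold:
            out[host] = (round(conf, 3), trail)
    return out


if __name__ == "__main__":
    g = build_graph()
    for host, (conf, trail) in attributed_hosts(g, ORG).items():
        print(f"{host}: {conf}")
        for step in trail:
            print("   ", step)
```

The point of the evidence trail is that an analyst (or an asset owner who disputes the finding) can see exactly which records linked the host to the organization; the unrelated host with no chain is dropped rather than reported as a false positive, and a host that is only reachable through a subsidiary's netblock gets a lower confidence than one whose certificate names a subsidiary directly.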

However, this approach is extremely resource- and cost-intensive, taking weeks, if not months, for a single assessment. 

A solution that is overly reliant on analyst work will lack a comprehensive model, such as a graph data model, to visualize connections between an organization and its environments. It will solely focus on IP addresses and domains, and only scan predetermined targets. 

Ultimately, for an unwary buyer, this approach can be misleading because what is presented as automated and scalable might actually hinge on unsustainable manual processes.

Approach Three: Automated Reconnaissance EASM

The holy grail: a unified platform like CyCognito that continuously and meticulously maps the entire attack surface beyond the corporate core, encompassing subsidiaries, acquisitions, joint ventures, and brand operations, and attributes each to its rightful owner.

The CyCognito EASM platform:

  • Operates without the need for input or ‘seeds,’ thus emulating the tactics used by attackers themselves. This offers the most authentic perspective of an organization’s vulnerabilities, which is essential for mitigating cyber risk.
  • Leverages Natural Language Processing (NLP) and heuristic algorithms to accelerate asset classification.  Given the cost and resource implications of manual classification and the insufficient data in existing databases like CMDBs—where a mere 5%-30% of assets are properly categorized and attributed—this technology becomes indispensable.
  • Provides the business context necessary to prioritize risks effectively. Even if a vulnerability affects a thousand machines, CyCognito can identify the most critical one by providing insight into exposure level, business significance, and exploitability.
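The prioritization step described in the last bullet, as an added example that is not CyCognito's scoring model or code: a constructed inventory of hosts that all carry the same finding with the same base severity is ranked by exposure level, business significance and exploitability, and hosts whose owner is unknown are routed to an attribution queue rather than a remediation queue, since nobody can act on them yet. The hosts, owners, weights and the "critical" threshold are assumptions made up for the example.

```python
"""Added example: context-driven prioritization of one finding across many hosts.

Every host below carries the same (hypothetical) finding with the same base
severity. The constructed inventory, the weights and the threshold are
assumptions made up for this example, not CyCognito's scoring model.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Host:
    name: str
    owner: Optional[str]     # None = attribution failed, nobody to hand a ticket to
    exposure: str            # "internet" | "partner" | "internal"
    business_role: str       # "payments" | "customer-portal" | "marketing" | "test"
    public_exploit: bool     # working exploit code is publicly available
    auth_required: bool      # the vulnerable endpoint sits behind authentication


# Weights are assumptions for the example.
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.6, "internal": 0.2}
BUSINESS_WEIGHT = {"payments": 1.0, "customer-portal": 0.8, "marketing": 0.4, "test": 0.1}


def exploitability(h: Host) -> float:
    """0.3 baseline; a public exploit and a missing auth gate each raise it."""
    score = 0.3
    if h.public_exploit:
        score += 0.5
    if not h.auth_required:
        score += 0.2
    return score


def risk_score(h: Host) -> float:
    """Multiplicative model: any one dimension near zero drags the whole score down."""
    return round(100 * EXPOSURE_WEIGHT[h.exposure] * BUSINESS_WEIGHT[h.business_role] * exploitability(h), 1)


def prioritize(hosts, critical_at=50.0):
    """Return (ranked hosts, critical host names, per-owner queues, unattributed names)."""
    ranked = sorted(hosts, key=risk_score, reverse=True)
    critical = [h.name for h in ranked if risk_score(h) >= critical_at]
    queues = defaultdict(list)
    unattributed = []
    for h in ranked:
        if h.owner:
            queues[h.owner].append(h.name)
        else:
            unattributed.append(h.name)   # must be attributed before anyone can remediate
    return ranked, critical, dict(queues), unattributed


# Constructed inventory: same finding everywhere, very different real-world risk.
INVENTORY = [
    Host("pay-gw-01.example", "payments-team", "internet", "payments", True, False),
    Host("portal-edge-03.example", "web-platform", "internet", "customer-portal", True, True),
    Host("www-campaign.example", "marketing-it", "internet", "marketing", True, False),
    Host("pay-gw-staging.example", "payments-team", "internal", "payments", True, False),
    Host("partner-api.example", "integrations", "partner", "payments", False, True),
    Host("legacy-box.example", None, "internet", "customer-portal", True, False),
]

if __name__ == "__main__":
    ranked, critical, queues, unattributed = prioritize(INVENTORY)
    for h in ranked:
        print(f"{risk_score(h):6.1f}  {h.name:26} owner={h.owner}")
    print("critical:", critical)
    print("needs attribution before remediation:", unattributed)
```

With identical base severity, only three of the six hosts clear the critical threshold, and one of those three has no known owner: that host is exactly the unmanaged asset the earlier sections warn about, and the right next action for it is attribution, not a remediation ticket addressed to nobody.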

This approach avoids the trap of treating all critical issues with equal urgency. Realistically, there may be only a handful of truly critical vectors that could lead to an immediate breach, and the security team should know exactly which ones they are.

