The Platform

Enable your security and operations teams to proactively identify, prioritize, and remediate exposures to stay ahead of attackers.

Watch a Demo
GigaOm Radar for Attack Surface Management

The expansion of an organization's attack surface continues to present a critical business challenge. Download the GigaOm Radar for Attack Surface Management to get an overview of the available ASM solutions, identify leading offerings, and evaluate the best solution for you.  

Use Cases

The CyCognito platform helps you identify all of the attacker-exposed assets in your IT ecosystem for a complete view of your attack surface.

State of External Exposure Management

Download CyCognito’s State of External Exposure Management Report to learn key recommendations that your Security teams can implement to improve their exposure management strategy and minimize risk. 

Our Customers

External attack surface management is advancing cybersecurity into a new era. Learn how security experts across all industries benefit from using CyCognito’s platform.

The Total Economic Impact™ of The CyCognito Platform

Read The Total Economic Impact™ of The CyCognito Platform — a Forrester study. Cost Savings And Business Benefits Enabled By The CyCognito Platform. 

About CyCognito

We believe all organizations should be able to protect themselves from even the most sophisticated attackers.

Contact us

The knowledge you need to manage and protect your attack surface.

What's New Blog

Vulnerability Scanners Are No Match for Modern Threats

By Rob Gurzeev
CEO & Co-Founder
October 15, 2019

In today’s asymmetrical warfare between cybercriminals and organizations, the cards are stacked against the good guys. While attackers only have to find one weak spot, security teams have to monitor and protect everything at all times, which in many instances dictates only one, virtually predestined, outcome of the battle.From Facebook to Yahoo, to Equifax, it is increasingly clear that these types of crippling cyberattacks have become the new normal. Although this “era of insecurity” began more than 10 years ago, it has become more and more extreme in recent years.

There are three main factors that exacerbate the current situation:

1. Organizations have digitized a significant portion of their processes and services, expanding and diversifying their attack surface both on-premises and in the cloud.

As organizations have to manage thousands of servers, applications, and data centers, it becomes exponentially more difficult to continuously monitor and debug everything in a timely fashion.

2. Current risk assessment solutions rely on user input to specify where they should look and commonly require complex integrations.

But requiring user input is a pitfall, as organizations are often unaware of various assets that are part of their IT ecosystem — such as closely related third-party assets, DevOps components, and old environments .  The result is that blind spots are frequently created, and become potential attractive targets, waiting to be exploited by attackers.

3. Offensive scanning and exploitation tools have become cheaper, more automated, and widely available to hackers.

Cybercrime has an extremely high ROI; criminals rarely get caught and current legal systems do not pose significant deterrence for these crimes. Moreover, given that the median monthly income in some countries is under $500 per month, it comes as no surprise that cybercrime is on the rise.

Equifax data breach

In the case of the Equifax data breach, which exposed the financial and personal data of 143 million people, criminals exploited a vulnerability in one of its web applications and siphoned sensitive customer data for more than two months without detection.

To change this trend of crippling cyberattacks, I believe one must first realize how attackers actually operate. Working for intelligence organizations and assisting them in establishing new infrastructure for offensive security, I’ve learned that, for attackers, the road to glory is the path of least resistance. Unlike penetration testers and security researchers, attackers do not seek medals or bonuses for solving complex challenges. This is true for both state-level actors and individual cybercriminals. Their sole objective is to act in a cost-effective, stealthy manner in their pursuit of information or money.

Clearly, organizations should always strive to eliminate potential threats as early as possible in the cyber kill chain, ideally, even before the reconnaissance and probing phases. To do that, organizations must invest significant resources in trying to understand how attackers see their attack surface and what is most exploitable, as opposed to simply scanning their known assets for security issues that, even if found, are often of minimal or no interest to attackers. This requires a mindset shift from tracking Common Vulnerabilities and Exposures (CVEs), which date back to the 1990s, and Common Vulnerability Scoring System (CVSS) scores that ignore the most relevant information for a security team: the attacker’s process and the path of least resistance.

A security team’s mission is to identify critical vulnerabilities and eliminate them in a timely manner. Legacy scanners and solutions completely ignore the data that highlights the attacker’s easiest points of entry and instead return a list of thousands of critical security issues that the security team cannot effectively manage and remediate.

A better approach than relying on legacy security solutions developed in the ’90s is to focus on attack vector discoverability, attractiveness and exploitability. Once you understand this, it becomes clear which issues should be remediated first. And this understanding of discoverability, attractiveness and exploitability can only be executed by an external actor or system that receives no prior input regarding the target IT ecosystem or cooperation from the organization.

Correspondingly, black-box penetration testing, in which white-hat hackers are paid by organizations to try and gain access to data, is indeed starting to regain popularity in security. Chief information security officers (CISOs) now speak more and more about the importance of external red teams. Bob Lord, the former CISO of Yahoo and director of security at Twitter, has been quoted as acknowledging that he learned the hard way how critical it is to understand what attackers do and how they do it. He even proposed the use of ex-cybercriminals to better understand how adversaries act.

While this type of awareness points in the right direction, executing on it poses a number of significant challenges. High-quality penetration testing is very expensive, and every change within the organization’s network (new applications, servers, configurations, etc.) requires a new penetration testing process, practically starting from zero. It’s not scalable at all.

Only a product efficiently incorporating a black-box approach in an automatic and scalable fashion can become a game changer in the inherently asymmetrical race between attackers and defenders, improving the odds in the latter’s favor.

Although an extreme case, Equifax is a classic example of how cybercrime operates and will continue to operate, unless organizations adopt a more offensive mindset. Organizations must ask themselves:

  • Can they can assess their attack surface from the attacker’s perspective?
  • What is being done to continuously identify and eliminate blind spots critically endangering the organization? 
  • What can be done today to ensure they don’t become the next notable breach in the news?

The answers to those questions define what organizations need to do next to defend themselves against well-armed cyber attackers.


Recent Posts

Top Tags

CyCognito Research Report

State of External Exposure Management

State of External Exposure Management

Download CyCognito’s State of External Exposure Management Report to learn key recommendations that your Security teams can implement to improve their exposure management strategy and minimize risk.

Dummies Book

External Exposure & Attack Surface Management For Dummies

External Exposure & Attack Surface Management For Dummies

As your attack surface has grown to cloud infrastructures and across subsidiaries, attackers are looking for and finding unknown and unmanaged assets to serve as their entry points.

Interactive Demo

Ready to Rule Your Risk?

Request a personalized walkthrough of the CyCognito platform to see how we can help your company identify all its internet-exposed assets, focus on which are most vulnerable to attacks, and accelerate your time to remediating critical risks.