![\"\"](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-6-1280x794.webp\")
<\/figure>\n\n\n\nFigure 1. CyCognito Organizational Discovery Graph automatically attributes assets to organizations.<\/p>\n\n\n\n
Do they know their false positive rate? What is it?<\/h2>\n\n\n\n
Basic EASM products – especially those that rely on open source intelligence – has a false positive rate as high as 70%. Seven out of ten issues found are false alarms. That means more headaches and wasted time for IT and security teams, and a low success rate for an EASM project.<\/p>\n\n\n\n
CyCognito has a false positive rate of 5%. On top of that, CyCognito lists a confidence score, from 0 to 100, for each issue, so teams can judge for themselves. CyCognito determines confidence using a blend of proprietary techniques, including active security testing modules, risk validation modules, attacker chatter, heuristic models, and assessment of user behavior,, and more. The nature of the detection method can influence its accuracy, making our multi-method approach invaluable for accurate issue prioritization.<\/p>\n\n\n\n
Do they scan for vulnerabilities or test vulnerabilities?<\/h2>\n\n\n\n
While many people use the terms scan and test interchangeably, in the context of information security, they are significantly different. Scanning, sometimes called passive scanning, compares software versions to a database of known vulnerabilities (CVEs), to know if there might<\/em> be an issue. For example, CVE-2018-11776 – Apache Struts 2, versions before 2.3.34 and 2.5.16 permits SQL injection. This is where a lot of false positives come from. Without actually testing that particular instance of a server using Apache Struts 2, whether the vulnerability is real or theoretical isn\u2019t known.<\/p>\n\n\n\n CyCognito actively tests assets and validates risk to see if they are exploitable. This is also called active testing or security validation. The CyCognito test engine uses the database of known vulnerabilities to configure tests that are likely to be successful, and then only reports a vulnerability if the test exploit is successful. Common exploits like SQL injection and credential stuffing are also performed regardless of the software version. The platform also annotates the vulnerability with evidence \u2013 the script, the result \u2013 that can be passed along to a security analyst or developer.<\/p>\n\n\n\n Figure 2. Evidence for a software vulnerability in a Microsoft server, including CVE, description and external references.<\/p>\n\n\n\n Basic EASM vendors do not discover your organizational structure, as mentioned above. They do allow for manual or semi-automated tagging, but that means a human needs to understand which organization each asset belongs to (a midsize attack surface has 5,000 assets; 50,000 assets is typical of a large enterprise) and either add tags by hand or create rules that assign tags with minimal mistakes. There is also no grouping by function, like ecommerce servers or physical security devices like cameras. Most cannot automatically tell you about important assets, like applications that handle PII.<\/p>\n\n\n\n CyCognito allows you to view your attack surface in three key ways. First, the attack surface can be viewed by organization, e.g., only the assets of a subsidiary. Second, it can be viewed by the type of asset. Perhaps you want to see only servers or cloud instances. Last, you can view the attack surface by business importance – ecommerce servers, systems that handle PII, corporate crown jewels. Gartner has coined the term \u2018scope\u2019 to describe this kind of asset organization. CyCognito allows for multiple scopes, each with role based access control.<\/p>\n\n\n\n There are a lot of basic EASM products on the market. Many of them will cause headaches and heartburn, not to mention a false sense of security. So ask your EASM vendor these five questions. If they don\u2019t get back to you, that\u2019s telling you something.<\/p>\n","protected":false},"excerpt":{"rendered":" With EASM becoming essential to security operations, many vendors are jumping on board, but not all solutions are enterprise-grade. Basic EASM products can waste time, undermine security teams, and offer a false sense of protection. To avoid these pitfalls, ask your vendor these five critical questions\u2014if they can\u2019t answer, it\u2019s a red flag.<\/p>\n","protected":false},"author":10,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[19,185,17],"class_list":["post-1138","post","type-post","status-publish","format-standard","hentry","category-perspectives","tag-active-security-testing","tag-attack-surface-discovery","tag-external-attack-surface-management"],"yoast_head":"\n![\"\"](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1-3.webp\")
<\/figure>\n\n\n\nCan you view your attack surface by organization, function, or importance?<\/h2>\n\n\n\n