Every business is a digital business. And because of that, you have an ever-expanding IT presence exposed to the entire world via the internet. Your internet-exposed assets and their potential risks define your external attack surface.
This paper evaluates different external attack surface management (EASM) capabilities that serve the needs of the business, enable digital transformation, and securely connect your organization to your customers, employees and partners through the internet. Specifically, a true external attack surface management solution should provide:
Accurate inventory of every internet-exposed asset and business relationship across your organization
Asset context to help identify business owner, function and purpose
Continuous testing at scale to uncover all risks across your entire external attack surface
Prioritization of risk based on meaningful evaluation of several factors
Accelerated remediation with actionable guidance, efficient validation and streamlined workflows
LET’S EXAMINE EACH OF THESE POINTS BELOW
The foundation of security is knowing what you have so you know what to protect. However, most security teams are working off of asset inventories and business maps, including all subsidiaries and business units, that are out of date and incomplete. These gaps are often due to manual processes, human error and the ease with which assets can be procured or spun up, especially in the cloud.
Many organizations augment manual processes by using tools that monitor their internal networks for unknown or previously unseen devices that should be in their inventory. But these technologies do not have the ability to discover assets which may be connected directly to the internet and not a part of the internal networks being monitored. This is especially important for assets in the cloud.
An external attack surface management solution should be able to automate this external discovery and provide an inventory of everything that belongs to your organization, including your acquired companies and joint ventures, that is connected directly to the internet. That’s critical because you must prioritize those exposures and vulnerabilities that can be accessed directly by attackers.
The depth of information ASM vendors discover or create about your assets is another key item to consider when evaluating platforms, especially with the goal of reducing your attack vectors efficiently and effectively.
Security teams need the context of incidents and issues that they’re presented with. Given security team staffing constraints, organizations need all the security intelligence they can get.
By providing deep insight into what triggered an alert, how that system is connected into your organization, and what group is responsible for it, your security teams can operate faster and with less manual effort to determine context around incidents.
Different groups within an organization may have different risk tolerances given their business function, initiatives or leadership. In addition, different assets and attack paths may be more attractive to attackers based on the data and business processes associated with those attack paths. This means that the attack surface risk of different areas of the business can be different from one another.
Once your internet-connected assets are understood at this depth, prioritization and system-level remediation or evaluation of enterprise-wide policies can begin.
Attackers will choose “the path of least resistance” into your organization. Most often, that’s a path that goes through an asset that your IT and security teams don’t see, have forgotten about or don’t manage. While organizations are becoming better at protecting against popular attack techniques like phishing or misused credentials, attackers are always looking for new ways into your infrastructure that you aren’t monitoring. This leaves attackers free to wreak their havoc, often unnoticed.
By going beyond identifying common vulnerabilities and exposures (CVEs) to uncover all the attack vectors that attackers could use, including misconfigurations, data exposures and zero-day vulnerabilities, modern external attack surface management solutions can give defenders an advantage. The best EASM solutions do this continuously, not just periodically to meet the needs of compliance mandates.
Most of an organization’s risk is generated by a very small handful of security gaps. Many ASM vendors will provide details of an exposure, but they leave it up to the analyst or engineer to figure out how to sift through the noise and determine which security gaps expose the organization to the most risk. This leaves many resolutions up to subjective decisions, and often requires laborious, manual effort to review all details of a security gap.
A more efficient way to quickly prioritize the riskiest attack vectors for remediation is to utilize an automated solution that uses meaningful data on things like attackers’ priorities, the discoverability of an asset or exposure, the ease of exploitation, the complexity of remediation, and business context of what is exposed to identify the most critical risks.
Guidance, validation and streamlined workflows speed up the time to resolve issues and incidents. With a prioritized list of risks, the next step is to communicate that information quickly and seamlessly to the teams that remediate or mitigate the risk. Clear, detailed and actionable remediation guidance and exploit intelligence offer security and IT teams a clear path forward to fix an exposure and lower the organization’s risk.
Because organizations employ many tools along the path from identification, evaluation and prioritization to remediation of a risk, powerful EASM platforms should include workflow capabilities that connect seamlessly into the most popular IT technologies, sending intelligence to remediation teams via the established communications pathways.
Finally, before work can be considered complete, the patch, change in configuration, or compensating control should be validated to ensure that the exposure has been addressed and the risk is gone.
Adopting external attack surface management as a process that helps you understand and continually reduce your organization’s risk exposure enables growth and digital transformation.
CyCognito has introduced a platform with this concept in mind. The CyCognito platform helps your IT and security teams reduce the number of attack vectors while also providing perspective and visibility into your organization’s IT risk. It does so with the understanding that there will always be business assets that are exposed, but that comprehensive awareness is key to improving your security posture.