by Scott Gordon, Chief Marketing Officer
In the cat-and-mouse game of cybersecurity, nothing ever stays the same. The mice keep coming up with new tricks, and if the cats can’t stay ahead of them, someone is going to lose their cheese. External Attack Surface Management (EASM) has become a critical tool in the arsenal to ensure that security teams can stay ahead of malicious actors — specifically to identify internet-facing assets (including those outside the purview of IT), proactively remediate exposures, and respond faster to security issues. Moreover, by including the extended attack surface, they can head off potential risks due to exposures introduced by their supply chain.
Today, more and more public and commercial organizations are adding EASM to their security budgets and their toolkits, even while still figuring out how to discern what constitutes an effective and economical solution. This is an evolving field, so expect solutions to keep getting better. In the meantime, continue reading to better understand the key requisites for modern EASM solutions and their application for practitioners — who will soon wonder how they ever got by without EASM.
The basic premise of an EASM solution is to automate the identification of internet-facing assets and their security risks early enough to act on them and protect the organization. That covers both active attacks, where malicious actors have already exploited vulnerable systems or users, and targeted systems at imminent risk. Beyond an organization's own assets and risks, the same approach can be applied to an extended attack surface that includes the organization's partners, subsidiaries, and supply chain. Scrutinizing ever-changing threat lists, reviewing and validating findings, and examining different threat intelligence sources is work many security analysts already do, with varying degrees of automation. However, even with the right threat intelligence subscriptions and tools, the process remains time and resource intensive, so exposures and attacks are still missed. Fortunately, EASM solutions are modernizing to address this challenge.
Here are the first 3 of the top 5 capabilities every CISO and security operations team should understand and require in a modern EASM solution.
1. All Signal – No Noise
The first objective is to have your solution deliver only validated signals and zero noise, so that every bit of time and effort goes toward remediating imminent vulnerabilities and active exploits. Is that even possible? Noise is a given, and the bane of every security analyst. They are looking for needles in gargantuan haystacks, and every needle not found in time has the potential to do tremendous damage. Above all, the solution must focus on active exploits, where malicious reconnaissance, weaponization, installation, propagation, or exfiltration is already underway.
Much of the threat data looks the same until connections are made and patterns are identified. The vast majority will turn out to be noise: irrelevant, outdated, or lower-priority threats. So, how might we dramatically reduce the hay and present a finite number of needles, neatly laid out, perhaps even with annotated sticky notes? Wouldn't that be nice! Each needle is ultimately identified by connecting multiple data points that together form a pattern of behavior recognized as malicious. Only data that belongs to such a matching collection of signals, with a high degree of confidence, is worth an analyst's attention; everything else is noise. That reduces the investigation process to evaluating a validated finding and deciding on action.
By leveraging big data correlation and behavior modeling, the modern EASM solution should suppress false positives and elevate only genuine, validated issues for human evaluation and mitigation. Plus, with a complete trail of connected signals (evidence), not only can we be confident the signal is malicious, but there will be enough detail to determine the appropriate mitigation steps. No correlation engine removes false positives entirely, which is exactly why the evidence trail matters: it lets an analyst confirm or dismiss a finding in minutes instead of re-investigating from raw data. With limited resources and capabilities within most security teams, this goal should be high on everyone's priority list.
2. Leave No Stone Unturned
The first thing every EASM solution talks about is "discovery," or mapping the attack surface. This should be an inventory of all internet-facing assets (not only those already known to be vulnerable), the technologies they expose, susceptible or leaked user credentials, and the exposures introduced by BYOD and shadow IT. Given the likelihood that threat actors automate ways to take advantage of soft spots in your attack surface and in those of your supply chain, modern EASM solutions should also enable teams to assess the risks within their supply chain.
This is an Internet-scale security posture assessment challenge that requires ingenuity to complete. Every connection must be found and chased down, and each one often reveals further levels of inquiry to explore. One way to deliver results extremely fast is to perform the enumeration long before the request is ever made: every company with internet-facing exposures, already mapped. Keeping up with the constant changes then becomes an incremental job rather than a fresh crawl.
To accomplish this with a high degree of confidence, AI approaches will be essential. Expert AI-driven behavior modeling can systematically map and assess the entire digital footprint of an organization. It identifies and catalogs internet-exposed assets associated with a business’s domain, including those that might be overlooked in manual assessments. Multi-level analysis extends this capability to third-party organizations, continuously evaluating their active security issues and potential vulnerabilities.
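To make the discovery step concrete, here is an added example that is not part of the original post and not any vendor's product code: a small Python routine that builds an asset inventory for a seed domain from passive data and flags the hosts the organization's own records cannot account for. The seed domain example.com, the certificate-transparency-style SAN lists, the DNS map and the "known" IP prefix are all constructed for the example; a real run would pull these from CT logs, DNS and the organization's IP allocation records.

```python
"""Added example (not from the original post): build an external asset
inventory for a seed domain from passive data and flag the hosts that
the organization's own records cannot account for.

Everything below is constructed for the example: the seed domain
example.com, the SAN lists (as they might come from certificate
transparency logs), the DNS view and the "known" IP prefix.
"""
import ipaddress

SEED_DOMAINS = {"example.com"}

# Constructed: subject-alternative-name lists from certificates that
# mention the seed domain somewhere.
CT_SAN_LISTS = [
    ["www.example.com", "example.com"],
    ["api.example.com", "staging-api.example.com"],
    ["*.example.com", "legacy.example.com"],
    ["old-vpn.example.com", "vpn.example.com"],
    ["dev-box.example.com"],
    # Someone else's asset that merely embeds our name; must be excluded.
    ["crm.vendor-cloud.net", "example.com.crm.vendor-cloud.net"],
]

# Constructed DNS view: hostname -> A records (old-vpn has none: stale cert).
DNS = {
    "www.example.com": ["203.0.113.10"],
    "example.com": ["203.0.113.10"],
    "api.example.com": ["203.0.113.20"],
    "staging-api.example.com": ["198.51.100.7"],  # hosted at a third party
    "legacy.example.com": ["203.0.113.99"],
    "vpn.example.com": ["203.0.113.5"],
    "dev-box.example.com": ["192.0.2.44"],        # unsanctioned hosting
}

# Constructed: the prefixes IT says the organization owns.
KNOWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def in_scope(name: str, seeds=SEED_DOMAINS) -> bool:
    """True if name is a seed domain or a proper subdomain of one.

    Matching on the label boundary matters: a plain substring test would
    pull in 'example.com.crm.vendor-cloud.net' and 'notexample.com'.
    Wildcard SANs name no concrete host, so they are not inventoried.
    """
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        return False
    return any(name == s or name.endswith("." + s) for s in seeds)


def classify(ips, known_prefixes) -> str:
    """'owned' only when every address sits in a prefix IT knows about."""
    if not ips:
        return "unresolved"        # in a cert, but not in DNS: stale or dangling
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    if all(any(a in p for p in known_prefixes) for a in addrs):
        return "owned"
    return "external_hosting"      # third party, shadow IT or similar


def discover(san_lists, dns, known_prefixes) -> dict:
    """Collapse every in-scope SAN into one inventory record per host."""
    inventory = {}
    for sans in san_lists:
        for host in sans:
            host = host.lower().rstrip(".")
            if not in_scope(host):
                continue
            ips = dns.get(host, [])
            inventory[host] = {"ips": ips, "status": classify(ips, known_prefixes)}
    return inventory


def needs_review(inventory) -> list:
    """Hosts to chase down first: anything not squarely on owned ranges."""
    return sorted(h for h, rec in inventory.items() if rec["status"] != "owned")


if __name__ == "__main__":
    inv = discover(CT_SAN_LISTS, DNS, KNOWN_PREFIXES)
    for host in sorted(inv):
        print(f"{host:28} {inv[host]['status']:17} {', '.join(inv[host]['ips']) or '-'}")
    print("review:", needs_review(inv))
```

Two details carry the security point. Scope is decided on a label boundary, so a third party's host that merely contains "example.com" in its name is not mistaken for an owned asset. And "in a certificate but not in DNS" is kept as its own status rather than dropped, because a stale or dangling name is exactly the kind of overlooked asset the discovery step is meant to surface.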
Finally, the modern EASM has to do more than just map "things." It MUST identify malicious "traffic" behavior in order to recognize active threats and attacks, and which stage of the attack chain is underway. The system also needs to obtain and incorporate threat actor intelligence to understand where, what, and how adversaries are attacking. This requires amassing and processing a massive scope of web, traffic, and threat data at internet speed; more on this in the next topic. This thorough, automated discovery process ensures no stone is left unturned.
3. Fast, Prioritized, and Detailed Answers
One objective of EASM is to prevent bad things from happening and to contain bad things before they get worse. Every attack progresses through the cyber attack chain, culminating in theft, corruption, or destruction of sensitive data or systems. The earlier on the chain it is caught, the better the odds of preventing harm. The farther along the chain an attack is, the higher the priority that signal should receive so the attack can be stopped or contained. Intelligence about how far an attack has progressed enables prioritization and further informs security teams on the best mitigation strategies; more on this later.
Since attacks can be fast, both collecting and analyzing data and signals must happen even faster. The conventional approach of collecting a large body of internet threat data and then running queries over it will simply be too slow, and the longer that data is retained, the longer query wait times become. The system does need to keep important partial patterns active (maintain state), since they may later resolve into an active threat or attack, but it should do so over a bounded window rather than the full history. This is a job for a streaming data analysis approach, so let's add that to the list for a modern EASM.
Streaming data analysis excels at delivering fast insights by applying continuous, real-time monitoring and correlation across simultaneously processed sources of web, internet traffic, and threat data. Unlike query-based systems, which require manual input and periodic updates and tuning, streaming analysis provides a constant assessment of data behavior as it arrives. This allows for immediate detection of anomalies, active exploits, and potential threats. This proactive approach gives security teams more timely, active attack surface intelligence, and lets them act swiftly before security issues fully materialize.
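The following is an added example, not code from the original post or from any product: a minimal stateful streaming correlator in Python that demonstrates both the "connected signals with an evidence trail" idea from section 1 and the windowed, stage-prioritized streaming approach described here. The event schema, source names, asset names and timestamps are constructed; the stage list is the one the post itself enumerates.

```python
"""Added example (not from the original post): a stateful streaming
correlator that turns a flow of raw observations into prioritized findings
with an evidence trail.

A finding is emitted for an asset only when observations from at least
min_sources independent sources fall inside a sliding time window, and is
re-emitted only when the picture escalates. Priority is the furthest
attack-chain stage seen for that asset. Event schema, source names, assets
and timestamps are constructed; the stage list is the post's own.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# Attack-chain stages in the order the post lists them; index == severity.
STAGES = ["reconnaissance", "weaponization", "installation",
          "propagation", "exfiltration"]
STAGE_INDEX = {s: i for i, s in enumerate(STAGES)}


class StreamingCorrelator:
    def __init__(self, window_seconds: int = 3600, min_sources: int = 2):
        self.window = window_seconds
        self.min_sources = min_sources
        # asset -> observations still inside the window (bounded state,
        # not the full history a batch-query store would accumulate)
        self._state: Dict[str, List[dict]] = defaultdict(list)
        # asset -> (stage_idx, n_sources) of the last finding we emitted
        self._emitted: Dict[str, tuple] = {}

    def _evict(self, asset: str, now: float) -> None:
        keep = [e for e in self._state[asset] if now - e["ts"] <= self.window]
        if keep:
            self._state[asset] = keep
        else:
            self._state.pop(asset, None)
            self._emitted.pop(asset, None)

    def process(self, event: dict) -> Optional[dict]:
        """Ingest one observation; return a finding only when this asset
        first becomes corroborated or has since escalated."""
        asset = event["asset"]
        self._evict(asset, event["ts"])
        self._state[asset].append(event)
        retained = self._state[asset]
        sources = {e["source"] for e in retained}
        if len(sources) < self.min_sources:
            return None                      # uncorroborated: still noise
        stage_idx = max(STAGE_INDEX[e["stage"]] for e in retained)
        key = (stage_idx, len(sources))
        if self._emitted.get(asset) == key:
            return None                      # nothing new to report
        self._emitted[asset] = key
        return {
            "asset": asset,
            "stage": STAGES[stage_idx],
            "priority": stage_idx,
            "sources": sorted(sources),
            "evidence": list(retained),      # the connected signals, verbatim
        }

    def run(self, stream) -> List[dict]:
        return [f for f in map(self.process, stream) if f is not None]


# Constructed sample stream, ordered by timestamp (seconds).
SAMPLE_STREAM = [
    {"ts": 0, "asset": "vpn.example.com", "source": "port_scan_sensor",
     "stage": "reconnaissance", "detail": "sweep of 443/tcp from 198.51.100.9"},
    {"ts": 30, "asset": "mail.example.com", "source": "port_scan_sensor",
     "stage": "reconnaissance", "detail": "single probe"},
    {"ts": 60, "asset": "mail.example.com", "source": "port_scan_sensor",
     "stage": "reconnaissance", "detail": "same sensor again"},
    {"ts": 100, "asset": "cdn.example.com", "source": "threat_feed",
     "stage": "reconnaissance", "detail": "listed in a scanner feed"},
    {"ts": 120, "asset": "vpn.example.com", "source": "threat_feed",
     "stage": "reconnaissance", "detail": "198.51.100.9 listed as scanner"},
    {"ts": 900, "asset": "vpn.example.com", "source": "netflow",
     "stage": "exfiltration", "detail": "2.1 GB outbound to 198.51.100.9"},
    {"ts": 9000, "asset": "cdn.example.com", "source": "port_scan_sensor",
     "stage": "reconnaissance", "detail": "probe hours after the listing"},
]


def correlate(stream=SAMPLE_STREAM, window_seconds=3600, min_sources=2):
    return StreamingCorrelator(window_seconds, min_sources).run(stream)


if __name__ == "__main__":
    for f in sorted(correlate(), key=lambda f: -f["priority"]):
        print(f"P{f['priority']} {f['asset']:18} {f['stage']:15} "
              f"sources={f['sources']} evidence={len(f['evidence'])}")
```

On the constructed stream, mail.example.com never surfaces because only one sensor ever saw it, cdn.example.com never surfaces because its two observations are hours apart and the first has aged out of the window, and vpn.example.com produces two findings: a low-priority one once two sources agree on reconnaissance, then an escalated exfiltration finding that carries all three observations as evidence. Widening the window is what makes cdn.example.com corroborated, which is the trade-off between state retention and memory the section above describes.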
Continue to part two to see the last 2 requisites for demystifying modern EASM.