Organizations need to adopt security strategies proactively to keep pace with emerging risks, and new cybersecurity solutions continue to appear to address core challenges in the industry. One of these, external attack surface management (EASM), entered the market in 2021 and is now seeing increased adoption because it continuously discovers, inventories, tests, and prioritizes known and unknown assets and exposures across an organization's global external attack surface.

We recently had the pleasure of interviewing Erik Nost, Senior Analyst at Forrester, during a webinar that explored external attack surface management in detail. Below are the key takeaways from the webinar and what to look for if you are evaluating EASM vendors.

How EASM complements external penetration testing 

Penetration testing is a mature cybersecurity practice and is far more widely known than EASM today. However, many organizations still treat penetration tests primarily as a compliance exercise, checking boxes because a regulator or standard requires it.

Threat actors thrive on this mentality.  

When penetration testing is approached with a compliance-first mindset, driven by regulatory bodies and organizational standards, tests are completed only a few times per year or less, and anything deployed between tests goes unexamined until the next one. Findings then often sit unaddressed for months while teams build the context needed to decide which vulnerabilities to fix first.

On the other hand, organizations that treat penetration tests, red team engagements, and other control validation exercises as inputs to a deliberate remediation program reach a stronger security end state. EASM solutions help security teams keep pace with the rate of change in their environments by providing continuous coverage of the attack surface, so new assets and exposures are found as they appear rather than at the next scheduled test.

Pentesting remains the priority; EASM complements it with continuous discovery and prioritization of known and unknown assets and exposures between tests.

Evaluating EASM vendors to make continuous pentesting a reality 

Responsibility for EASM usually falls to security operations and vulnerability management teams rather than to a dedicated role such as an attack surface management analyst.

These teams typically have years of experience inventorying assets and identifying vulnerabilities, so they have both a clear use case and the right background to bring in an attack surface management solution. Vulnerability risk management (VRM) analysts, managers, and directors are the people who use ASM most.

Red teams and penetration testing teams are also involved in selecting and partnering with ASM vendors; they can use ASM discovery to more rapidly identify assets to test and to validate whether controls hold up against real weaknesses. If an organization has a threat intelligence team, an ASM vendor can also support the threat modeling that team wants to perform to determine where the riskiest exposures are likely to be.

When evaluating and selecting an external attack surface management provider, organizations need to understand what the vendor brings to the table, including how it prioritizes risk and whether that approach matches the organization's own prioritization and remediation strategy. It is also important to ask potential ASM providers how they can help support compliance and best practice frameworks.

Looking ahead in EASM security 

The external attack surface management market has seen a lot of mergers and acquisitions in recent years, with larger platform vendors that lack their own EASM capability acquiring EASM providers. EASM may follow a path similar to vulnerability risk management (VRM), which has become a feature or module within larger platform offerings.

Some standalone external attack surface management vendors may remain, but they will likely add complementary features and capabilities to improve how organizations identify and protect against cyber threats. For the most part, as ASM, VRM, cloud security posture management (CSPM), continuous threat exposure management (CTEM), and other security solutions converge, EASM is likely to be one component of broader platform offerings in the coming years.

NetSPI’s approach to EASM 

Taking the time to evaluate and select an external attack surface management vendor is critical to finding a solution provider that aligns with your goals and brings proven experience. External attack surface management is gaining adoption because of its complementary role to pentesting. Think of EASM as continuous, always-on penetration testing: it discovers assets, monitors them at scale, and raises real-time exposure alerts, with the results presented in prioritized order within a centralized EASM platform. That framing holds up best when the platform is backed by human testers who validate exposures rather than relying on automated discovery alone.

Global organizations trust NetSPI's Attack Surface Management (ASM) solution to monitor their external attack surfaces. By combining our ASM platform, global penetration testing experts, 20+ years of pentesting expertise, and a comprehensive methodology, we help your organization discover and address vulnerabilities before adversaries do.

Learn more about NetSPI’s attack surface management solutions or request a demo.  

For more insights on external attack surface management, watch the full on-demand external attack surface management webinar with featured guest Forrester analyst Erik Nost.