Organizations need to proactively embrace the latest security strategies to protect against emerging risks. New, more advanced cybersecurity solutions are constantly developed to address core challenges in the industry. One of these new solutions, external attack surface management (EASM), entered the market in 2021 and is now starting to see increased adoption because of its ability to continuously discover, inventory, test, and prioritize known and unknown assets and exposures on a global external attack surface.
We recently had the pleasure of interviewing our guest Erik Nost, Senior Analyst at Forrester, during a webinar that explored external attack surface management in detail. Learn the key takeaways from the webinar and what to look for if you’re in the process of evaluating EASM vendors.
What is external attack surface management (EASM)?
At a high level, external attack surface management is the process of identifying and managing your organization’s attack surface, specifically from the outside-in view.
In the report, The External Attack Surface Management Landscape, Q1 2023, Forrester defines EASM as, “tools or functionalities that continually scan for, discover, and enumerate internet-facing assets, establish the unique fingerprints of discovered assets, and identify exposures on both known and unknown assets.”
As Forrester points out in the Landscape report, “You can’t secure what you can’t see.” The main objective of external attack surface management is to identify external assets that attackers could leverage – such as web applications, certificates, or unsecured APIs – and discover any exposures before attackers do. This helps organizations and security teams be more proactive in fixing vulnerabilities before threat actors find and exploit them.
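As an added illustration, not code from the webinar or from any vendor's platform, the following Python sketches the outside-in loop that definition describes: reconcile what an external scan found against the known inventory, run exposure checks against each fingerprinted asset, and rank the results so unknown assets with exposures surface first. The asset schema, the example.com hosts, the end-of-life fingerprint list and the scoring weights are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Asset:
    # One internet-facing service as an external scan sees it (constructed schema).
    host: str
    port: int
    fingerprint: str             # normalized product string from the banner/response
    cert_expiry: Optional[date]  # None when the service does not speak TLS
    auth_required: bool          # True if an unauthenticated probe was rejected

# Constructed sample data: hosts the asset inventory says the organization owns.
KNOWN_INVENTORY = {"www.example.com", "api.example.com"}
EOL_FINGERPRINTS = ("Apache/2.2",)  # constructed stand-in for an end-of-life product feed
# Constructed sample data: what today's external scan discovered.
DISCOVERED = [
    Asset("www.example.com", 443, "nginx/1.24", date(2025, 1, 30), True),
    Asset("api.example.com", 443, "nginx/1.24", date(2024, 6, 1), True),
    Asset("staging-api.example.com", 8080, "express", None, False),
    Asset("legacy.example.com", 443, "Apache/2.2.15", date(2023, 12, 1), True),
]
TODAY = date(2024, 9, 1)  # constructed scan date

def split_known_unknown(discovered, inventory):
    """Reconcile the scan against the inventory: any host not listed is an unknown asset."""
    known = [a for a in discovered if a.host in inventory]
    unknown = [a for a in discovered if a.host not in inventory]
    return known, unknown

def find_exposures(asset, today):
    """Checks run against one fingerprinted asset; each string is one exposure."""
    findings = []
    if asset.cert_expiry is not None and asset.cert_expiry < today:
        findings.append("expired certificate")
    if not asset.auth_required:
        findings.append("unauthenticated service")
    if asset.fingerprint.startswith(EOL_FINGERPRINTS):
        findings.append("end-of-life web server")
    return findings

def prioritize(discovered, inventory, today):
    """Rank for remediation: one point per exposure, plus two if the asset is unknown."""
    rows = []
    for a in discovered:
        findings, is_known = find_exposures(a, today), a.host in inventory
        if findings or not is_known:  # clean, inventoried assets need no ticket
            rows.append((len(findings) + (0 if is_known else 2), a.host, is_known, findings))
    return sorted(rows, key=lambda r: (-r[0], r[1]))
```

The unknown bonus encodes the point of the quote above: an asset nobody inventoried has nobody patching it, so it outranks a known host with the same finding.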
How EASM complements external penetration testing
Penetration testing is a mature cybersecurity solution and is more widely known than EASM today. However, many organizations still largely use penetration tests for compliance, essentially checking boxes because they have to.
Threat actors thrive on this mentality.
When penetration testing is approached with a compliance-first mindset for regulatory bodies and organization standards, tests are only completed a few times per year or less. Often no action is taken on the findings for months, because teams must first build the context around each finding and decide which vulnerabilities need to be fixed first.
On the other hand, organizations that are strategic about looking at penetration tests, red teams, and other control validation exercises to formally piece together a remediation puzzle achieve a stronger end state of security. EASM solutions help security teams keep pace with the rate of change in organizations today by offering continuous coverage of attack surfaces to find vulnerabilities as they arise.
Pentesting remains a priority, and EASM complements it with continuous discovery and prioritization of known and unknown assets and exposures.
Common use cases for external attack surface management
Given EASM’s recent rise to recognition and adoption, security leaders and practitioners continue to express the need for clarity between EASM and cyber asset attack surface management (CAASM), continuous threat exposure management (CTEM), and attack path modeling.
Organizations that define specific EASM use cases and requirements before engaging with vendors help ensure each solution is providing the maximum benefit.
Forrester has identified five core use cases for EASM. These include:
- Asset discovery
- Asset inventory management
- Vulnerability risk management
- Cloud security posture management
- Mergers and acquisitions (M&A) due diligence assistance
In addition to the core use cases, extended use cases include: supply chain and third-party risk management, penetration testing, governance, risk, and compliance (GRC), incident response and investigations, breach and attack simulation (BAS), and certificate management.
Evaluating EASM vendors to make continuous pentesting a reality
Responsibility for EASM often falls to security operations groups and vulnerability management teams rather than to team members dedicated solely to EASM, such as an attack surface management analyst.
These teams often have years of experience inventorying assets and identifying vulnerabilities, so they have a strong use case and the right experience to bring in an attack surface management solution. Vulnerability risk management (VRM) analysts, managers, and directors are the people who use ASM the most.
Red teams and penetration testing teams are other groups involved in selecting and partnering with ASM vendors, and they can help develop plans to more rapidly discover assets and then test and validate them for weaknesses or missing controls. If an organization has a threat intelligence team, an ASM vendor can also help it build the types of threat models it wants to apply in order to determine where the riskiest exposures could be.
When evaluating and selecting an external attack surface management provider, organizations need to understand what the vendor brings to the table, including how they’re prioritizing risk and whether the approach matches their specific prioritization and remediation strategy. It’s also important to talk to potential ASM providers about how they can help support compliance and best practice frameworks.
Looking ahead in EASM security
The external attack surface management market has experienced a lot of mergers and acquisitions in recent years, with larger platforms that don’t have their own solutions buying up EASM providers. EASM may follow a similar path to vulnerability risk management (VRM), which has become a feature or solution within larger platform offerings.
Some standalone external attack surface management vendors may remain, but they will likely also include complementary features and capabilities to improve how organizations identify and protect against cyber threats. For the most part, as we see increased convergence of ASM, VRM, cloud security posture management (CSPM), continuous threat exposure management (CTEM), and other security solutions, EASM is likely to be one component in broader platform offerings in coming years.
NetSPI’s approach to EASM
Taking the time to evaluate and select an external attack surface management vendor is critical to finding a solution provider that aligns with your goals and brings proven experience. External attack surface management is gaining adoption because of its complementary role to pentesting. Think of EASM as continuous, always-on penetration testing with the ability to discover assets and monitor them at scale for real-time exposure alerts. All of this information is presented in prioritized order within a centralized EASM platform.
Global organizations trust NetSPI’s Attack Surface Management (ASM) solution to monitor their external attack surfaces. Through a combination of our powerful ASM platform, global penetration testing experts, 20+ years of pentesting expertise, and comprehensive methodology, we can help your organization discover and address vulnerabilities before adversaries do.
Learn more about NetSPI’s attack surface management solutions or request a demo.
For more insights on external attack surface management, watch the full on-demand external attack surface management webinar with featured guest Forrester analyst Erik Nost.