We held a CISO community fireside chat on "Practical Approach To Understanding Attack Surface Management (ASM) In 2023" with Chris Ray (security architect) and Bikash Barai (co-founder, CISO Platform and FireCompass). We discussed how ASM dramatically improves visibility, how ASM can be a force multiplier for security teams that are stretched thin, case studies, the ASM solution market, and how to evaluate a good fit for your organization.
- How ASM Improves Visibility And Creates Practical Risk Reduction
- ASM Case Studies
- ASM Solution Market And How To Identify A Good Fit For Your Organization
- Bikash Barai, Co-Founder, CISO Platform & FireCompass
- Chris Ray, Security Architect
FireSide Chat (Recorded Version)
Executive Summary (FireSide Chat Highlights):
1. What Is Attack Surface Management (ASM)?
The term "attack surface management" is concise, accurate and very descriptive. If you have never considered it or looked under the covers, it is important to understand that it is a paradigm shift away from a lot of existing security practices and tooling. EDR illustrates this: you need to know an endpoint exists before you can install the agent on it and take advantage of the EDR solution. For vulnerability management, you must know your repositories before you can scan and protect them. ASM removes this shortcoming of legacy, network-based vulnerability scanning platforms. Legacy scanners continuously scan the assets they are pointed at, but the approach fails when the assets being scanned are not the full universe of the company's assets, and that is a major problem for a lot of organizations. ASM takes a different approach: it scours the internet, using automation and human expertise, for breadcrumbs of data and information, starting from one initial point such as a company domain. From that, ASM builds a very comprehensive picture of an organization's digital footprint.
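As an added illustration of the seed-driven discovery described above (example code written for this summary, not a FireCompass product and not something shown in the chat): starting from one hypothetical seed domain, example.com, it walks constructed stand-ins for certificate-transparency SAN lists, DNS A records, reverse DNS and WHOIS netblock data, records the breadcrumb chain that led to each asset, and then diffs the result against a constructed "known" inventory to surface the assets nobody was tracking. All domains, addresses, organization names and data tables are assumptions made up for the example, and the scoping rules are heuristics that a human would still need to review.

```python
"""Seed-driven external attack surface discovery over constructed data.

Added example: expands one seed domain into hostnames and IPs by following
"breadcrumbs" (certificate SANs, DNS A records, reverse DNS, WHOIS netblock
ownership) and records how each asset was reached. All data below is made up.
"""
import ipaddress
from collections import deque

SEED = "example.com"   # hypothetical seed domain
ORG = "Example Corp"   # hypothetical registrant name on WHOIS netblocks

# Constructed stand-ins for the sources an ASM tool would query live.
CT_SANS = {   # certificate-transparency lookup: name -> SANs on its certificates
    "example.com": ["example.com", "www.example.com", "vpn.example.com", "example-labs.io"],
    "example-labs.io": ["example-labs.io", "staging.example-labs.io"],
}
DNS_A = {     # forward DNS: hostname -> A records
    "example.com": ["203.0.113.10"],
    "www.example.com": ["203.0.113.10"],
    "vpn.example.com": ["203.0.113.20"],
    "example-labs.io": ["198.51.100.5"],
    "staging.example-labs.io": ["198.51.100.6"],
    "promo2019.example.com": ["198.51.100.9"],   # forgotten campaign host
}
REVERSE_DNS = {   # PTR records: ip -> hostnames
    "203.0.113.10": ["example.com"],
    "203.0.113.20": ["vpn.example.com", "promo2019.example.com"],  # stale PTR
    "198.51.100.5": ["example-labs.io"],
    "198.51.100.6": ["staging.example-labs.io"],
    "198.51.100.9": ["promo2019.example.com"],
}
WHOIS_ORG = {"203.0.113.0/24": ORG, "198.51.100.0/24": "Cloud Hosting Inc"}

# The CMDB the security team believes is complete (constructed).
KNOWN_INVENTORY = {"example.com", "www.example.com", "vpn.example.com",
                   "203.0.113.10", "203.0.113.20"}


def is_ip(item):
    try:
        ipaddress.ip_address(item)
        return True
    except ValueError:
        return False


def apex(host):
    """Registrable domain, simplified to the last two labels (no PSL lookup)."""
    return ".".join(host.split(".")[-2:])


def netblock_org(ip):
    """Return the WHOIS organization of the netblock containing ip, if known."""
    addr = ipaddress.ip_address(ip)
    for block, org in WHOIS_ORG.items():
        if addr in ipaddress.ip_network(block):
            return org
    return None


def discover(seed, org):
    """Breadth-first expansion from the seed.

    Returns {asset: breadcrumb chain}, where the chain lists each hop that
    led to the asset. Scope rules (heuristics a human should review):
      * names sharing a certificate with an in-scope name join scope;
      * every PTR name on a netblock WHOIS-registered to `org` joins scope;
      * PTR names on third-party (cloud) netblocks join only if their apex
        is already in scope.
    """
    in_scope_apexes = {apex(seed)}
    assets = {}
    queue = deque([(seed, ["seed"])])
    while queue:
        item, chain = queue.popleft()
        if item in assets:
            continue
        assets[item] = chain
        if is_ip(item):
            owned = netblock_org(item) == org
            for host in REVERSE_DNS.get(item, []):
                if owned:
                    in_scope_apexes.add(apex(host))
                if owned or apex(host) in in_scope_apexes:
                    queue.append((host, chain + [f"ptr({item})"]))
        else:
            for san in CT_SANS.get(item, []):
                in_scope_apexes.add(apex(san))     # shares a cert with `item`
                queue.append((san, chain + [f"cert-san({item})"]))
            for ip in DNS_A.get(item, []):
                queue.append((ip, chain + [f"dns-a({item})"]))
    return assets


def unknown_assets(assets, inventory):
    """Discovered assets missing from the inventory: the shadow IT to triage."""
    return sorted(a for a in assets if a not in inventory)


if __name__ == "__main__":
    found = discover(SEED, ORG)
    for asset, chain in found.items():
        print(f"{asset:28} <- {' -> '.join(chain)}")
    print("not in inventory:", unknown_assets(found, KNOWN_INVENTORY))
```

Running it shows the forgotten promo2019.example.com host reached only through a stale PTR record on a VPN address, plus an entire second domain (example-labs.io) that shares a certificate with the seed; none of those six assets are in the inventory, which is exactly the gap a network scanner pointed at the known list would never see. The breadcrumb chain stored with each asset is the evidence a reviewer needs to confirm or reject the scoping heuristic.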
ASM is sometimes split into External Attack Surface Management (EASM) and Internal Attack Surface Management, where EASM covers the publicly exposed assets and data that attackers could most easily misuse. This distinction is not that crucial, though: I wouldn't care whether an exposure is internal or external; I would care about its priority, based on whether the vulnerability is high-risk or low-risk.
2. What Is The Reason Behind The Rise Of ASM?
It is worth noting that the majority of attacks take place at a much lower level of sophistication. Shodan is a search engine for internet-connected devices (IoT): like Google, but for internet-connected stuff. Attacker-focused enablers like this have existed for a while now, and they put a lot of data in the hands of attackers that can be misused. I see this as a catalyst for products like ASM. The next thing that drives a solution like ASM is the small security team at a startup. A good ASM not only shows the security team the organization's attack surface but also helps with understanding context and provides a method of prioritizing where to start. Prioritization is a hard problem, and ASM solves it. ASM also comes in handy because it immediately notifies you when a new patch is released.
3. What Are The Key Pain Points And The Use Cases Of ASM?
There are two main segments here. The first is large enterprises with merger and acquisition activity: ASM scans all of the acquired resources, which is otherwise a very time-consuming and expensive activity. A related use case is large enterprises and governments consolidating their business units, where a unified asset list for each unit is a quick view that is very meaningful to them. Discovering the assets becomes the starting point for defining their cyber security framework.
The second is smaller organizations, SMBs and startups with overworked small security teams. An ASM that prioritizes the vulnerabilities and tells you what to work on makes sure you are putting out the right fire. The smaller teams don't have the bandwidth to figure this out; there are already far too many things to attend to.
ASM also adds value for all security teams in vendor risk management: vendor risk management tools may report vulnerabilities without deduplicating them, whereas ASM can produce a comprehensive, deduplicated report. That saves the security team hours of vendor risk management work.
ASM adds a huge amount of insight for security architects, who build the framework and have a deep understanding of the environment. The ASM report is of great help to them, as opposed to engineers and analysts, who often have only a top-level view.
ASM reports are extremely useful for teams such as GRC, vulnerability management, security leadership and cloud security posture management. There is also interesting augmentation between the SOC and ASM, and between threat intelligence and ASM: it simply gives those teams more data to work on and adds value to it.
4. How ASM Helps In The Risk Management Story?
Many organizations and security leaders have become comfortable making risk management decisions in a vacuum. ASM bridges that gap and gives a leader the asset and repository information needed to protect the organization; it adds context to risk management decision making. That context does not have to be assembled manually or ad hoc, because ASM builds it in a structured way. With ASM reports, the security leader (or leadership team) has comprehensive asset data with context for each asset, so decisions are no longer made in a vacuum but with context and priority. The ASM tool starts with base information such as an IP address or DNS hostname and builds on it, for example identifying the asset as an AWS instance or an Ubuntu server. It can add context such as the date the DNS records changed, which organization previously owned the asset and in which geography, and then keep stringing together additional context. The person no longer has to decide in a vacuum; he or she has a more comprehensive understanding of where the asset fits into the bigger picture of the organization.
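To make the "context instead of a vacuum" point concrete, and to show the prioritization for small teams discussed earlier, here is an added example (written for this summary, not FireCompass code) that attaches constructed context to discovered assets (hosting provider, owning team, inventory status, customer data, DNS history) and re-ranks findings using that context, discounting findings that carry no proof of exploitability. The assets, findings, dates and weights are all assumptions; the weights in particular are something a team would tune to its own risk appetite.

```python
"""Context-aware prioritization of external findings (added example).

Each finding starts from its CVSS score and is adjusted by asset context an
ASM tool can supply: whether anyone owns the asset, whether it was in the
inventory at all, whether it holds customer data, and whether the finding is
backed by proof (screenshot/command output) or only a version banner.
All assets, findings and weights below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    ip: str
    hosting: str                         # e.g. cloud provider from netblock WHOIS
    owner_team: Optional[str]            # None = nobody claims it
    in_inventory: bool
    holds_customer_data: bool
    dns_history: List[Tuple[str, str]]   # (date, note), oldest first


@dataclass
class Finding:
    asset: str
    title: str
    cvss: float
    validated: bool                      # proof of exploitability attached?
    evidence: str


# Tunable weights (assumed values, not from any product).
WEIGHTS = {
    "unvalidated_discount": 0.7,  # version-only detections are often false positives
    "orphaned": 2.0,              # nobody will patch what nobody owns
    "not_in_inventory": 1.0,      # unknown to existing controls and scanners
    "customer_data": 2.0,         # breach impact (e.g. GDPR exposure)
}

ASSETS = {
    "www.example.com": Asset("www.example.com", "203.0.113.10", "on-prem DC",
                             "web-platform", True, False,
                             [("2016-03-01", "A record created")]),
    "vpn.example.com": Asset("vpn.example.com", "203.0.113.20", "on-prem DC",
                             "network-eng", True, False,
                             [("2018-07-12", "A record created")]),
    "promo2019.example.com": Asset("promo2019.example.com", "198.51.100.9",
                                   "Cloud Hosting Inc", None, False, True,
                                   [("2019-02-03", "A record created by marketing"),
                                    ("2021-11-20", "last config change; no owner responds")]),
}

FINDINGS = [
    Finding("vpn.example.com", "SSL-VPN version with known RCE", 9.8, False,
            "banner match only"),
    Finding("promo2019.example.com", "Admin panel reachable without authentication", 6.5, True,
            "screenshot of /admin listing customer export"),
    Finding("www.example.com", "TLS 1.0 still enabled", 4.3, True,
            "openssl s_client -tls1 handshake succeeded"),
]


def score(finding: Finding, asset: Asset) -> Tuple[float, List[str]]:
    """Return (priority score, reasons) for one finding in its asset's context."""
    reasons = [f"CVSS {finding.cvss}"]
    s = finding.cvss
    if not finding.validated:
        s *= WEIGHTS["unvalidated_discount"]
        reasons.append("no proof of exploitability: discounted as possible false positive")
    if asset.owner_team is None:
        s += WEIGHTS["orphaned"]
        reasons.append("orphaned asset: no owning team")
    if not asset.in_inventory:
        s += WEIGHTS["not_in_inventory"]
        reasons.append("not in inventory: outside existing scanning and patching")
    if asset.holds_customer_data:
        s += WEIGHTS["customer_data"]
        reasons.append("holds customer data")
    last_date, last_note = asset.dns_history[-1]
    reasons.append(f"hosted at {asset.hosting}; last DNS change {last_date}: {last_note}")
    return round(s, 2), reasons


def prioritize(findings, assets):
    """Rank findings highest priority first, each with its context reasons."""
    ranked = []
    for f in findings:
        s, reasons = score(f, assets[f.asset])
        ranked.append((s, f, reasons))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for s, f, reasons in prioritize(FINDINGS, ASSETS):
        print(f"{s:5.2f}  {f.asset}: {f.title}")
        for r in reasons:
            print("        -", r)
```

With these weights the unauthenticated admin panel on the orphaned marketing host outranks the "critical" VPN finding, because the latter rests on a banner match with no proof while the former is validated, unowned, unknown to the inventory and holds customer data. The reasons list is the part that matters for a stretched team: it is the argument the leader can take to the owner (or to the decision to simply take the host offline) instead of a bare CVSS number.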
5. Where Do Organizations Get The Budget From?
Are organizations taking it from an existing budget or creating a new one, and how are they justifying it?
There are two primary ways that ASM is being purchased. The best way to think about it is that ASM does what you should already be doing but can't. Organizations never had a full view of all their assets, and once they saw the full list the reaction was often that half of them weren't needed and shouldn't have been online.
The first way is to create budget by shifting money away from vulnerability management. Not all of it, since some of that spend is mandatory (compliance frameworks, regulatory frameworks, network-based vulnerability scans), but the organization uses ASM as the primary tool and complements it with the compliance, regulatory and network-based scans it must keep. It then no longer needs to spend as much on the remaining vulnerability management, so part of that budget is carved out for ASM and the rest is cobbled together with it.
The other way is to ask for new money. New money is always hard to get and needs a strong justification. For ASM, one major justification for a security leader is that it gives a comprehensive view of the asset repository, which is the prerequisite for being able to secure anything in the first place. Most security leaders agree they need to do this but do not have the resources (an army of engineers, the skills, and continuous monitoring) to do it. An ASM tool gives that value out of the box. Few security teams have the resources to hire an army of engineers and map out their attack surface, though they know it is a necessity, and doing so would be far more expensive than an ASM tool that does the same for much less.
Interestingly, we have seen organizations in the past (even large Fortune 500 companies) discover plenty of online resources they were still paying for but not using. With ASM they found them and took them offline, saving cloud costs (it turned out to be a big annual expense). In one case the asset had been created by marketing and had collected customer data; nobody was maintaining it anymore, and it was sitting there where anyone could have exploited it. Under GDPR, that would have cost them a huge amount as well. So ASM reduced their attack surface and saved them money, both by preventing a data breach and by cutting cloud costs.
6. What Are The Challenges In ASM As A Space?
It is a hot space, but not yet a mature one.
First, ASM maps your attack surface, but it maps something like 95% of it; there will be parts it misses. ASM is improving and evolving with time, but an easy mistake to make is to assume ASM gives you the full picture. A few areas may still be undiscovered; it's not perfect, and it's important to be ready for that remaining 5%, because it's the low-hanging fruit that gets jabbed first and most often causes the breach. Remember that ASM is still a tool made by humans to help you make security decisions, and it will have flaws. As a technology, ASM is excellent at discovery and very nearly complete, but be wary of the small part that stays uncovered (no tool is perfect). Despite the best efforts, computer science is very effective but not perfect, so there will be misses even from the ASM tool; be wary of that.
ASM is really good at external attack surface mapping, and there is a trend where some vendors and ASM solutions are building similar (not identical) capabilities for the internal attack surface too. Whether on premise or in the cloud, one must not leave out the internal attack surface, as it can still be a major threat area. For a holistic view, your organization's attack surface includes both the external attack surface (EASM) and the internal attack surface, even if multiple tools are needed to cover them.
ASM also faces the challenge of too many false positives and of prioritizing them. Legacy vulnerability management shows you what's broken, while ASM finds more assets, more broadly and more comprehensively; the two functions are separate. ASM is trying to handle the false positive problem by adding context: it comes back with the vulnerability, proof such as screenshots or command output, and the potential damage. ASM tools are trying to automate this while also keeping humans in the loop for last-mile validation. Another way to solve it could be for ASM to become part of a security suite rather than a standalone tool, as part of cloud security, the SOC or vulnerability management. Essentially ASM will evolve and may well become part of the security suite.