In a recent report, Gartner highlighted External Attack Surface Management (EASM) as a major category in cybersecurity. According to Gartner, EASM is an emerging product set that supports organizations in identifying risks coming from internet-facing assets and systems that they may be unaware of, covering concerns such as shadow IT, exposure management and expanding attack surfaces.
In our latest panel discussion with CISO Platform, our speakers - Paul Dibellow, SVP, FireCompass; Tejas Shroff, Director, NTT Data; Ed Adams, CEO, Security Innovation; and Bikash Barai, Co-Founder, FireCompass - take on the question "Why Is Gartner Talking About External Attack Surface Management?". The panel covered the critical capabilities of EASM, common use cases, and the MITRE ATT&CK framework.
What is EASM?
Bikash takes the panel down memory lane with an analogy: for two decades, vulnerability assessment and penetration testing were what kept an organization safe, and security was mostly a network-level concern. In the last 6-7 years, however, the threat vectors have multiplied. He cites the case of a large enterprise that suffered a massive data breach because one of its databases was left online without a password. The security landscape has changed massively over the last 4-5 years. Earlier, whatever went online went through the central IT team; in the recent past, almost everyone in the organization puts data on the cloud, and not every department is trained on the security aspects of these assets.
This leaves the security team blind: organizations currently have no central control over which assets go online or how well protected they are.
These are the "unknown unknowns", and most breaches are happening because of these assets.
Managing the external attack surface has become critical because of these shadow IT assets, and these issues are what led Gartner to coin the EASM acronym. As a concept, it means knowing what your attack surface includes, which assets are exposed, and how well protected they are from the outside.
While the industry already had the term Attack Surface Management, EASM focuses only on the external attack surface.
Ed mentions that the external attack surface is the sum of all potential digital doorways into an enterprise, which includes third-party suppliers, partners, cloud services, work-from-home setups, and more.
The first step is discovery of this attack surface; once it is discovered, the next step is to categorize the risk and mitigate the highest-risk exposures. Ed stresses, however, that external attack surface management needs to be ongoing and persistent.
Use Cases - External Attack Surface Management
- Asset Inventory - Keeping track of external assets has become a major challenge for organizations. EASM as a concept covers the management of external assets.
- Shadow IT discovery - Shadow IT assets are the "unknown unknowns" in an organization. There are multiple tools for discovering these hidden, potentially vulnerable assets. Tools like a CASB help identify the cloud applications employees use to put assets in the cloud, but they cannot identify the asset itself, because a CASB only watches the organization's own network and not the whole internet. EASM tools, by contrast, scan the internet for the assets. So CASB and EASM solve the problem in a complementary way.
- SOC augmentation - Since the challenges today are multiplying by the hour, EASM can work in tandem with the SOC: EASM feeds information about misconfigured assets to the SOC, which can then handle them as high priority. The intelligence coming from EASM helps the SOC.
- EASM augments threat intelligence - EASM can feed data into threat management tools.
- Augmenting vulnerability management - This one is simple: if one is not aware of an asset, one cannot put it under a vulnerability management program.
- Augmenting red, blue, and purple teaming capabilities - EASM does the initial reconnaissance and feeds that data into those exercises.
Bikash talks about the tools one can use based on the maturity level of the organization. He suggests starting with open source tools to build a recon base and with point-in-time testing, then gradually moving towards enterprise solutions to do this continuously.
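The discover, categorize and mitigate cycle described above, together with the shadow IT diff from the use-case list, as an added example that is not code from the panel, CISO Platform or FireCompass: a small Python script that takes constructed certificate-transparency names and port-scan results (the example.com apex domain, the inventory, and every scan line are assumptions made up for this demonstration), discovers in-scope hostnames, flags those missing from the inventory, scores exposed services so that an unauthenticated database outranks a plaintext dev web server, and reports what appeared since the last run.

```python
"""One pass of an external attack-surface cycle: discover hostnames, diff them
against the asset inventory (shadow IT), score what is exposed, and sort so the
highest-risk items are handled first.  All data here is constructed for the
example; the apex domain, inventory and scan results are assumptions."""

# Apex domains the organisation owns (assumption for this example).
APEX_DOMAINS = {"example.com"}

# Assets the central IT team knows about (constructed inventory).
KNOWN_INVENTORY = {"example.com", "www.example.com", "mail.example.com", "vpn.example.com"}

# Constructed certificate-transparency-style entries: the DNS names on each
# certificate.  Wildcards, mixed case and an out-of-scope look-alike are
# included on purpose, since real CT data contains all three.
CT_ENTRIES = [
    ["www.example.com", "example.com"],
    ["*.example.com"],
    ["mail.example.com"],
    ["Analytics-Dev.Example.com"],        # stood up by a business unit, never registered with IT
    ["mongo-export.example.com"],         # nobody in IT has heard of this one
    ["www.example.com.evil-phish.net"],   # look-alike domain, not ours
]

# Constructed port-scan results: host -> list of (port, service, requires_auth).
OBSERVED_SERVICES = {
    "www.example.com": [(443, "https", True)],
    "mail.example.com": [(443, "https", True), (25, "smtp", True)],
    "vpn.example.com": [(443, "https", True)],
    "analytics-dev.example.com": [(8080, "http", False), (22, "ssh", True)],
    "mongo-export.example.com": [(27017, "mongodb", False)],
}

DATABASE_PORTS = {27017, 9200, 6379, 3306, 5432}


def discover_hostnames(entries, apex_domains):
    """Discovery step: normalise certificate names and keep only in-scope hosts."""
    found = set()
    for names in entries:
        for name in names:
            host = name.strip().lower()
            if host.startswith("*."):          # a wildcard cert only tells us the parent exists
                host = host[2:]
            if any(host == apex or host.endswith("." + apex) for apex in apex_domains):
                found.add(host)
    return found


def shadow_assets(discovered, inventory):
    """Shadow IT = seen from the outside but absent from the inventory."""
    return discovered - inventory


def score_exposure(host, services, inventory):
    """Categorisation step: a score plus the reasons behind it; higher means fix first."""
    score, reasons = 0, []
    if host not in inventory:
        score += 3
        reasons.append("not in asset inventory (shadow IT)")
    for port, service, requires_auth in services:
        if port in DATABASE_PORTS and not requires_auth:
            score += 10   # the "database left online without a password" case
            reasons.append(f"{service}/{port} reachable without authentication")
        elif port in DATABASE_PORTS:
            score += 4
            reasons.append(f"database service {service}/{port} exposed to the internet")
        elif service == "http" and not requires_auth:
            score += 2
            reasons.append(f"plaintext {service}/{port} without authentication")
    return score, reasons


def severity(score):
    """Map the numeric score onto the labels a SOC queue would use."""
    if score >= 10:
        return "critical"
    if score >= 5:
        return "high"
    if score > 0:
        return "medium"
    return "low"


def run_cycle(entries, services, inventory, apex_domains):
    """One discover -> categorise -> prioritise pass; returns findings, riskiest first."""
    hosts = discover_hostnames(entries, apex_domains) | set(services)  # union of both sources
    findings = []
    for host in hosts:
        score, reasons = score_exposure(host, services.get(host, []), inventory)
        findings.append({"host": host, "score": score, "severity": severity(score), "reasons": reasons})
    findings.sort(key=lambda f: (-f["score"], f["host"]))
    return findings


def new_since(previous_hosts, findings):
    """Continuous mode: hosts that were not in the previous run's host set."""
    return sorted(f["host"] for f in findings if f["host"] not in previous_hosts)


if __name__ == "__main__":
    for f in run_cycle(CT_ENTRIES, OBSERVED_SERVICES, KNOWN_INVENTORY, APEX_DOMAINS):
        print(f"{f['severity']:8} {f['score']:3} {f['host']:28} {'; '.join(f['reasons'])}")
```

In a real deployment CT_ENTRIES would come from a certificate transparency log search and OBSERVED_SERVICES from scanner output, and the run would be scheduled rather than executed once, with new_since fed to the SOC queue as the "what changed" signal; the scoring rules are deliberately simple and would be tuned to the organization's own services and exposure tolerance.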