A Primer On External Attack Surface Management

Customer trust is one of the greatest assets an enterprise can have. However, a rising trend in cyberattacks combined with lax oversight of a critical attack vector may put your organization, and your customers, at risk. In fact, a recent ESG research found that nearly 7 out of every 10 organizations have experienced at least one cyber-attack originating from an unknown, unmanaged, or poorly managed internet-facing asset. This unsettling reality highlights the growing need for External Attack Surface Management

Increasing adoption of cloud, SaaS and third party vendors’ services and technologies has given rise to a new and ever-expanding external attack surface that few organizations are prepared to defend.

What is an External Attack Surface?

An external attack surface refers to the sum of all the different points, where an unauthorized user or malicious actor can potentially gain access to, or breach a network, system, software, or digital platform. your organization’s external attack surface includes all the your known and unknown internet facing assets as well as their digital supply chains.

The Rise of the External Attack Surface

When it comes to information security, the dominant strategy has been an in-depth defense of the perimeter by firewalls and internal networks. But what if the threat actors are not looking to breach this perimeter? Assets hosted outside of an organization’s firewall present a growing challenge to security teams. Assets deployed beyond this edge represent an external attack surface that can be used to target your organization.

This new digital footprint is far more expansive than the internal one, often by several orders of magnitude, as the interactions between employees, consumers, and businesses are increasingly happening online via web-based services and applications. The growth of this footprint has accelerated as enterprises undertake significant digital transformation initiatives. These projects require new digital assets, many of which reside outside the firewall, are hosted on public cloud infrastructures, or are deployed in mobile app stores.

Additionally, development of these services and applications often incorporate the products or capabilities of third-party vendors of services, code, infrastructure, or data. It doesn’t stop there. Many of those third parties have built their functionality on top of their own vendors. These third, fourth, and ‘Nth’ parties provide assets that are also part of your external attack surface, whether you know about them or not.

What is External Attack Surface Management?

External Attack Surface Management (EASM) cybersecurity discipline was created in the wake of COVID-19, when the remote workforce and accelerated cloud adoption also brought on unparalleled risks due to internet exposure.

EASM refers to the processes and technology necessary to discover external-facing assets and effectively manage the vulnerabilities of those assets. Examples include servers, credentials, public cloud misconfiguration, and third-party partner software code vulnerabilities that could be exploited by malicious actors. EASM’s core tenent is to take an outside-in view of the enterprise to actively identify and mitigate threats that exist beyond the perimeter. Essentially, you are viewing your organization through the eyes of an attacker.

How Does Attack Surface Management Work?

Given the potential damage to a company as a result of cyberattacks, many organizations are now incorporating EASM into their enterprise risk management strategies. As such, security teams are opting for more proactive approaches where known and unknown risks, vulnerabilities, and assets are handled strategically versus reacting to incidents ad-hoc.

For security teams to achieve this, here is the EASM process step:

• Monitoring — Continuously scan externally a variety of environments (such as cloud services and external-facing on-premises infrastructures) and distributed attack surfaces to identify and changes to the attack surface or new risks
• Attack surface discovery — Discover and map the real attack surface including externally-facing organizational assets and their digital supply chains.
• Analysis — Evaluate and analyze asset attributes to determine if an asset is risky, vulnerable or behaving in an anomalous manner. Use recursive assessment to identify risky connections – external risks to connections and assets that put your asset at risk.
• Prioritization — Utilize a multi-layered prioritization that includes severity scores, exploitability, blast radius.
• Correlate Threat Intelligence – use data from Digital Risk Protection Services (DPRS) to identify leaked credential and exposed machines in your inventory.
• Remediation — Provide action plans on the mitigation of prioritized threats as well as the remediation workflow or integration with solutions such as ticketing systems, incident response tools, and SOAR solutions.