How to Choose an ASCA Platform: Evaluation Checklist & RFP Questions
Automated Security Control Assessment (ASCA) platforms are designed to identify configuration and control gaps within an organization’s security infrastructure. Via a combination of policy reviews and emulated attacks, they detect whether an organization’s existing infrastructure complies with internal and external security requirements and protects against top real-world threats.
ASCA solutions can provide significant benefits to the business, but their vital role means that a potential platform should be carefully selected and deployed. This article explores key considerations when evaluating an ASCA platform and questions to include in an RFP sent out to potential vendors.
Evaluation Criteria
As ASCA platforms play a complex and important role within an organization’s security architecture, it’s important to consider the following features when evaluating available offerings:
Coverage
ASCA solutions are designed to evaluate an organization’s security architecture against compliance requirements and real-world threats. To provide useful information, a tool needs visibility into every element of the organization’s IT environment, as well as the full set of policy requirements and attack scenarios it is expected to evaluate that environment against.
When considering an ASCA solution, an organization should assess its coverage of:
- The corporate IT environment (endpoints, networks, cloud, third-party, etc.)
- Regulatory and internal policy requirements.
- Simulated attacks.
Validation
False positives can be a significant problem for ASCA tools. If these platforms report on non-existent threats, then security teams waste time and resources investigating and triaging them.
Key considerations for vulnerability validation include:
- How vulnerabilities are validated (automated or manual).
- False positive and false negative rates.
- Historical performance and third-party evaluations.
Integrations
ASCA platforms work by integrating with an organization’s other security solutions via APIs. This provides insight into existing security controls and enables the platform to automatically launch simulated attacks and scans.
Ease of integration is critical for an ASCA tool. Things to look for include:
- Out-of-the-box support for existing security tools.
- API availability and documentation.
- Ability to develop custom integrations and workflows as needed.
UX
A positive user experience is often the difference between a tool becoming a key part of a security team’s workflow and a wasted licensing fee. The critical role that ASCA can play in the business – surfacing compliance and control gaps – makes the UX an essential consideration.
When evaluating ASCA tools, some key elements of the UX include:
- User-friendly dashboard and reporting functionality.
- Easy setup and ongoing management.
- Intuitive customization and configuration management.
- Availability of training and customer support.
RFP Question Bank
When sending out an RFP for an ASCA platform, asking the right questions can help to quickly weed out inadequate solutions and highlight those worth the time and effort of a deeper look. Example questions to include in such an RFP include the following:
- What environments does your platform support (cloud, network, third-party, etc.)?
- How does your platform implement continuous monitoring?
- How do you validate identified vulnerabilities?
- What integrations are supported out-of-the-box?
- What does a typical workflow look like (including the user interface and reporting capabilities)?
- What is your process for customer onboarding and training?
- How do you manage false positives and negatives?
- How frequently does your platform receive threat intelligence updates?
- What support options are available (SLAs, response times, etc.)?
- Can you provide case studies or references from similar organizations?
Proof-of-Value Metrics & POC Tips
A proof of concept (POC) is the best way to determine the potential benefits and value that an ASCA platform can offer the business. Some tips and best practices for maximizing the insights provided by the POC include:
- Define Clear Metrics: Well-defined, quantitative metrics are essential for any effective POC. When evaluating an ASCA platform, sample metrics could include the number of issues identified, reduction in mean time to remediation (MTTR), and any improvements that the security team experiences in terms of operational efficiency.
- Define POC Scope: Since a POC likely won’t cover the entirety of an organization’s IT infrastructure, it’s important to carefully select the systems under scope. Ideally, this will be representative of the organization’s environment as a whole, including assets across on-prem and cloud environments and representing common workflows.
- Engage Key Stakeholders: ASCA platforms have wide-reaching effects, impacting security teams, legal, IT, and other business units. When reviewing a POC, include key stakeholders from across the business to ensure a good fit for everyone.
- Document Findings and Pain Points: Documentation provides a basis for comparison across various solutions. Identifying what the solution does well and poorly can help select the ASCA platform that best meets the organization’s needs.
- Evaluate Integration and Workflow Capabilities: An ASCA platform’s ability to integrate into an organization’s existing security architecture and workflows is a key evaluation factor. Document which solutions are supported out-of-the-box and the anticipated difficulty of creating additional integrations for any unsupported solutions.
- Gather End User Feedback: ASCA tools only provide value to the organization if they’re actually used, and a poor UX may inhibit adoption and destroy any potential efficiency gains. Collecting end-user feedback regarding each solution helps to select the option that is most likely to provide real benefits to the security team.
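The metrics listed above (issues identified, false positive and negative rates, MTTR) are easiest to compare across vendors when each POC's findings are recorded in the same shape and scored the same way. The scorecard below is an added example, not IONIX code or any vendor's output; the `Finding` records are constructed sample data, and the `vendor_flagged` / `confirmed` fields assume that an analyst manually validated every finding during the POC.

```python
# POC scorecard for one ASCA platform: precision, recall, false-positive rate
# and MTTR computed from findings that analysts have manually validated.
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import List, Optional


@dataclass
class Finding:
    asset: str
    vendor_flagged: bool                      # platform reported a control gap
    confirmed: bool                           # analyst validation agreed a gap exists
    detected_at: Optional[datetime] = None
    remediated_at: Optional[datetime] = None


def score_poc(findings: List[Finding]) -> dict:
    """Return precision, recall, false-positive rate, MTTR (hours) and TP count."""
    tp = sum(f.vendor_flagged and f.confirmed for f in findings)
    fp = sum(f.vendor_flagged and not f.confirmed for f in findings)
    fn = sum(not f.vendor_flagged and f.confirmed for f in findings)
    tn = sum(not f.vendor_flagged and not f.confirmed for f in findings)
    # MTTR only over confirmed, remediated findings the platform actually surfaced.
    hours = [(f.remediated_at - f.detected_at).total_seconds() / 3600
             for f in findings
             if f.vendor_flagged and f.confirmed and f.detected_at and f.remediated_at]
    return {
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,          # 1 - false-negative rate
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "mttr_hours": mean(hours) if hours else None,
        "issues_identified": tp,
    }


# Constructed sample POC data (hypothetical assets, not real vendor output).
T = datetime.fromisoformat
POC_FINDINGS = [
    Finding("web-01", True, True, T("2024-03-01T09:00"), T("2024-03-02T09:00")),
    Finding("db-02", True, True, T("2024-03-01T10:00"), T("2024-03-04T10:00")),
    Finding("vpn-gw", True, False),                       # false positive
    Finding("s3-logs", False, True),                      # missed, found in manual review
    Finding("hr-app", False, False),                      # correctly not flagged
    Finding("k8s-ctl", True, True, T("2024-03-02T12:00"), T("2024-03-03T00:00")),
]

if __name__ == "__main__":
    for name, value in score_poc(POC_FINDINGS).items():
        print(f"{name}: {value}")
```

Running the same scorecard over each vendor's POC findings gives a like-for-like comparison; a high issue count with low precision is a sign the validation process (see the Validation criteria above) needs a closer look.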
Total Cost Considerations
ASCA can offer significant benefits, but it’s also important to be aware of the associated costs. In addition to the cost of the software license itself, some additional factors to consider include the following:
- Deployment and onboarding.
- Integration and customization.
- Maintenance and support.
- Training and documentation.
- Additional features and upgrades.
- Data storage, API overages, and hidden fees.
Optimizing Threat Visibility with IONIX
ASCA solutions can help an organization to streamline its regulatory compliance and identify control gaps that leave it vulnerable to common attacks. However, it is only one component of a comprehensive threat exposure management strategy.
IONIX’s Continuous Threat Exposure Management (CTEM) platform offers comprehensive, holistic visibility across an organization’s real attack surface. Via continuous monitoring, simulated attacks, and risk-based prioritization of validated vulnerabilities, IONIX helps organizations identify and address the threats that pose the most risk to their business.
To learn more about reducing your digital attack surface with IONIX, sign up for a free demo.