Cyber asset attack surface management (CAASM) or external attack surface management (EASM) solutions are designed to quantify the attack surface and minimize and harden it. The goal with CAASM tools is to give the adversary as little information about the security posture of the business as possible while still maintaining critical business services.
If you’ve ever watched a heist film, step one in executing the score of the century is casing the place: observing security measures, measuring response times, and mapping out escape routes. Similar to both attacking and protecting enterprise IT resources, gaining knowledge of what resources are publicly visible on the internet, what makes up their technology stack, and whether any vulnerabilities or weaknesses exist.
Basics of the attack surface management
The attack surface is the entirety of corporate resources – also known as assets – accessible from the internet in some form. This could be applications hosted on-premises with ports opened through the corporate firewall, SaaS applications hosted in the cloud, or any number of cloud-hosted resources with a public presence. The attack surface includes things like open ports and protocols, SSL and cryptographic standards being used, applications being hosted, and even the server platforms hosting the application.
The units that make up the attack surface are referred to as assets. They are the IP address or domain name, coupled with the technology stack that makes up the application or service.
Vulnerabilities are configuration deficiencies or unpatched software that leave the door open for an attack by malicious users to compromise one or more systems.
While attack surface management is primarily focused on assets on the public-facing internet, assets within the bounds of a corporate data center or cloud networks can also put a business at risk if not properly monitored and managed. Because these assets are not available to outside entities the ability to monitor them requires either a software agent or the ability for the monitoring service to reach into your network.
Servers and applications often have a soft underbelly when viewed from within the corporate network. Any monitoring tool must evaluate a wider range of services and, in many cases, test the services as both an anonymous user and one that’s authenticated to the network.
CAASM and EASM tools for attack surface discovery and management
Periodic scans of the network are no longer sufficient for maintaining a hardened attack surface. Continuous monitoring for new assets and configuration drift are critical to ensure the security of corporate resources and customer data.
New assets need to be identified and incorporated into the monitoring solution as these could potentially be part of a brand attack or shadow IT. Configuration drift could be benign and part of a design change, but also has the potential to be the result of human error or the early stages of an attack. Identifying these changes early allows for the cybersecurity team to react appropriately and mitigate any further damage.
Here are 9 tools to help discovering and managing risks.
Axonius Cyber Asset Attack Surface Management
Axonius offers a robust CAASM suite that touches all of the key factors for monitoring the attack surface. Axonius starts with an asset inventory which is updated automatically and fleshed out with context from both internal data sources and resources Axonius has access to outside a user’s network. It can also perform monitoring based on security controls from policy sets such as PCI or HIPAA, identifying configurations or vulnerabilities that equate to policy violations, allowing the user to take action to resolve the finding.
CrowdStrike Falcon Surface
CrowdStrike Falcon Surface EASM offers a view from the adversary’s perspective, providing a real-time map of exposed assets and potential attack vectors. CrowdStrike’s asset inventory also provides a history of change over time, giving instant detail of configuration drift. Prioritization of risk to the business is enabled through context developed through both internal and external data streams. Remediation actions can be taken automatically through integration-based alerts and actions (notifying a Slack channel, creating a ticket in Jira or ServiceNow, or triggering action on a user account or system) or playbook-based remediation can walk administrators through hardening a system through configuration or application of system updates.
CyCognito Attack Surface Management
CyCognito’s CAASM product provides continuous monitoring and inventory of assets whether they reside on-premises, in the cloud, with a third-party, or through a subsidiary. Business context such as ownership and relationships between assets can be added to facilitate the triage process and aid in prioritizing response to risk. This context and intelligent prioritization (evaluating things like ease of exploitation and asset classification) helps focus in on the most critical risks to the network. CyCognito also tracks configuration drift on assets, enabling the view of change history and identify new risks to the corporate infrastructure.
Informer brings EASM capabilities which automate asset discovery across web applications, APIs, and other aspects of the public-facing business IT stack. These assets are monitored continuously, with any risks identified being prioritized in real time. Informer offers add-on services to perform manual risk validation and even pen testing. Informer’s workflow-based response system facilitates incorporating multiple teams into incident response by integrating with existing ticketing and communication applications. Once threats that Informer has identified have been mitigated, retesting can be initiated immediately to validate the configuration change or system update has fully remediated the risk.
JupiterOne Cyber Asset Attack Surface Management
JupiterOne bills its CAASM solution as a way to seamlessly aggregate cyber asset data into a unified view. Context is added automatically where appropriate, and asset relationships can be defined and optimized to enhance vulnerability analysis and incident response. Custom queries allow the cybersecurity team to answer complex questions, while asset inventory can be browsed using an interactive visual map, enabling evaluation of incident scope and prioritization of response. Your existing investments into security tools can be leveraged using integrations, turning JupiterOne into a holistic centralized view into your corporate security posture.
Microsoft Defender External Attack Surface Management
Microsoft is quietly taking a leadership role in the enterprise security landscape, leveraging their investments in cloud to provide value to customers, and its EASM offering under the Defender brand is no exception. Microsoft Defender EASM provides discovery of unmanaged assets and resources, including those deployed by shadow IT and assets residing in other cloud platforms. Once assets and resources are identified, Defender EASM probes for vulnerabilities at every layer of the technology stack, including the underlying platform, app frameworks, web applications, components, and core code.
Microsoft Defender EASM enables IT staff to quickly remediate vulnerabilities in newly discovered resources by categorizing and prioritizing vulnerabilities in real time as they’re discovered. This being Microsoft, Defender EASM integrates tightly with other Microsoft solutions with a security focus such as Microsoft 365 Defender, and Defender for Cloud, and Sentinel.
Rapid7 has built a business out of enabling enterprise IT to identify vulnerabilities within corporate resources. Turns out the foundational aspects of system scanning and data analysis are useful in attack surface management, and InsightVM builds on this foundation to bring robust capabilities that rival any other solution mentioned. Rapid7’s standing in the industry is such that they don’t just draw from Mitre CVE (Common Vulnerabilities and Exposures) scores as a means to prioritize vulnerabilities, they are a CVE numbering authority with the ability to identify and rate newly discovered vulnerabilities. InsightVM monitors for corporate assets’ changes, whether that’s newly deployed assets or assets with new vulnerabilities or configuration changes. Rapid7 also brings their analytics and dashboard chops to play with InsightVM, allowing users to view a live dashboard with real-time intelligence or delve deeply into vulnerability detail with their query tools.
SOCRadar attempts to give users an attacker’s-eye view of assets through AttackMapper, part of their suite of tools for SOC teams. AttackMapper performs dynamic monitoring against assets in real-time, identifying new or changed assets and analyzing those changes for potential vulnerabilities. SOCRadar correlates their findings with known vulnerabilities attack methods to bring context to the decision making and triage process. AttackMapper does more than monitor endpoints and software vulnerabilities, as things like SSL weaknesses and certificate expiration, and even DNS records and configuration are fair game as well. Even website defacement can be identified by AttackMapper to protect brand reputation.
Tenable has offered tools to identify vulnerabilities for many years, and their current suite of tools accounts well for the needs of the modern IT security pro. Tenable.asm is their EASM module and is fully integrated with Tenable’s vulnerability management tools. Tenable.asm provides context into asset and vulnerability details, not only from a technical aspect but also the business-level context that is needed to fully prioritize the response. Once context has been added to the asset and vulnerability data the user can query and filter against over 200 metadata fields, allowing a quick drill down to the assets and resources that are key to the business.
Copyright © 2023 IDG Communications, Inc.