Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

The Rise of Continuous Attack Surface Management

In the merry-go-round world of InfoSec technologies and “what’s old is new again,” this year we should include Attack Surface Management with a dash of Continuous.

In the merry-go-round world of InfoSec technologies and “what’s old is new again,” this year we should include Attack Surface Management with a dash of Continuous.

Twenty years ago, the first commercial “ethical hacking” training courses taught defenders the mystic arts and methodologies of targeted intrusion. Back then, a lengthy opening chapter would cover the ethics of hacking and the legal consequences of employing the skills students were about to learn. It wasn’t until chapter two that students got to roll up their sleeves and learn through doing — beginning with passive information gathering and enumerating the attack surface of a target (typically the student’s own employer).

Any technical CISO and greying SecOps professional worth their salt can recollect their first ethical hacking experience and foray into mapping the attack surface of their business and being both excited and shocked at the long list of security-related findings they had uncovered with their own hands.

Two decades later, as businesses expand upon their digital transformation investments, their internet-exposed surface has grown exponentially and with it so too have the vectors for attack. In an increasingly cloudified world, identifying what business systems are publicly accessible and what confidential insights or vulnerabilities they may expose has risen to critical importance. Ad hoc point-in-time enumerations of an organization’s external attack surface are being superseded by continuous attack surface management (CASM).

Although CASM is a new label, there’s already a mix of several dozen old and new startup companies focused on external attack surface enumeration and public asset attribution — with an array of integration options into existing threat intelligence platforms (TIP), vulnerability assessment management (VAM) systems, cloud security posture management (CSPM) and SIEM solutions. Although diverse in their offerings, vendors can be roughly divided into three value propositions:

1. “Traditional” external attack security enumerators that focus on cyclically mapping and inventorying the entire internet, often with limited attribution or asset ownership insights. Their data tends to be most useful and consumable from a TIP perspective.

2. Digital Risk Protection services that fuse attack surface information with other intelligence sources (e.g., dark web monitoring) to provide customers with enterprise risk insights. Often delivered as part of brand protection and fraud campaign detection services.

3. Continuous automated external testing of an enterprise’s (known) assets for an outside-in and attacker’s perspective for the prioritization of vulnerability and asset remediation (often as part of VAM).

Advertisement. Scroll to continue reading.

Enumerating and understanding an organization’s outside-in security posture and attack surface through continuous scanning and probing, although clearly a valuable component of modern enterprise security and risk management, is yet another noisy alert generator that contributes enormously to SOC alert fatigue if not well integrated into more advanced workflows. 

Impactful operational security benefits of CASM typically come from deep (single pane of glass) integration with continuous vulnerability assessment and security posture management solutions. 

Internet-spanning scanning, basic asset discovery and service enumeration, and ownership attribution are solved problems and represent a low technology threshold for those choosing to build their own CASM solutions, which helps explain why so many startups incorporate them. 

The mix of low cost of market entry, increasing customer alert fatigue, competitive service pricing pressure, and classification as a feature rather than a standalone solution will likely result in churn of single-solution and dedicated CASM vendors over the coming year. A lucky few CASM startups will inevitably be acquired along the way — but probably at much lower valuations than expected, despite the value of the risks they help customers identify.

Enterprise security teams are hungry for the visibility CASM offers them and are pushing their larger and preferred security vendors to incorporate outside-in attack surface intelligence into their more expansive security suites as a feature. CISOs should anticipate that CASM will quickly become a check-box feature in existing enterprise-grade security solutions and plan accordingly.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...