The Rise of Continuous Attack Surface Management

In the merry-go-round world of InfoSec technologies and “what’s old is new again,” this year we should include Attack Surface Management with a dash of Continuous.

Twenty years ago, the first commercial “ethical hacking” training courses taught defenders the mystic arts and methodologies of targeted intrusion. Back then, a lengthy opening chapter would cover the ethics of hacking and the legal consequences of employing the skills students were about to learn. It wasn’t until chapter two that students got to roll up their sleeves and learn through doing — beginning with passive information gathering and enumerating the attack surface of a target (typically the student’s own employer).

Any technical CISO and greying SecOps professional worth their salt can recollect their first ethical hacking experience and foray into mapping the attack surface of their business and being both excited and shocked at the long list of security-related findings they had uncovered with their own hands.

Two decades later, as businesses expand upon their digital transformation investments, their internet-exposed surface has grown exponentially and with it so too have the vectors for attack. In an increasingly cloudified world, identifying what business systems are publicly accessible and what confidential insights or vulnerabilities they may expose has risen to critical importance. Ad hoc point-in-time enumerations of an organization’s external attack surface are being superseded by continuous attack surface management (CASM).

Although CASM is a new label, there’s already a mix of several dozen old and new startup companies focused on external attack surface enumeration and public asset attribution — with an array of integration options into existing threat intelligence platforms (TIP), vulnerability assessment management (VAM) systems, cloud security posture management (CSPM) and SIEM solutions. Although diverse in their offerings, vendors can be roughly divided into three value propositions:

1. “Traditional” external attack security enumerators that focus on cyclically mapping and inventorying the entire internet, often with limited attribution or asset ownership insights. Their data tends to be most useful and consumable from a TIP perspective.

2. Digital Risk Protection services that fuse attack surface information with other intelligence sources (e.g., dark web monitoring) to provide customers with enterprise risk insights. Often delivered as part of brand protection and fraud campaign detection services.

3. Continuous automated external testing of an enterprise’s (known) assets for an outside-in and attacker’s perspective for the prioritization of vulnerability and asset remediation (often as part of VAM).

Enumerating and understanding an organization’s outside-in security posture and attack surface through continuous scanning and probing, although clearly a valuable component of modern enterprise security and risk management, is yet another noisy alert generator that contributes enormously to SOC alert fatigue if not well integrated into more advanced workflows. 

Impactful operational security benefits of CASM typically come from deep (single pane of glass) integration with continuous vulnerability assessment and security posture management solutions. 

Internet-spanning scanning, basic asset discovery and service enumeration, and ownership attribution are solved problems and represent a low technology threshold for those choosing to build their own CASM solutions, which helps explain why so many startups incorporate them. 

The mix of low cost of market entry, increasing customer alert fatigue, competitive service pricing pressure, and classification as a feature rather than a standalone solution will likely result in churn of single-solution and dedicated CASM vendors over the coming year. A lucky few CASM startups will inevitably be acquired along the way — but probably at much lower valuations than expected, despite the value of the risks they help customers identify.

Enterprise security teams are hungry for the visibility CASM offers them and are pushing their larger and preferred security vendors to incorporate outside-in attack surface intelligence into their more expansive security suites as a feature. CISOs should anticipate that CASM will quickly become a check-box feature in existing enterprise-grade security solutions and plan accordingly.