In this Help Net Security interview, Adrien Petit, CEO of Discovery, discusses the benefits organizations can gain from implementing external attack surface management (EASM) solutions, the essential features an EASM solution should have, and how it handles the discovery of hidden systems.
What are the basic features that a robust EASM solution should have?
Since the goal is to gain control of assets exposed on the Internet, any EASM solution must be able to provide the following four core capabilities:
- Discovery of assets (whether on-premises or in the cloud) and their maintenance within an inventory
- Continuous monitoring of assets over time and on a regular basis to identify any changes
- Assessment and prioritization of asset risk levels (misconfigurations, vulnerabilities, malicious assets, etc.)
- Integration with tools (ticketing, messaging, SIEM) used by operational teams to facilitate remediation/mitigation
What types of organizations can benefit the most from implementing EASM solutions?
An EASM solution demonstrates its value to companies and organizations – from all sectors – with a large and/or fragmented scope. This is also true for companies for which the digital shift is complex (especially those in the industrial sector).
However, even if EASM solutions arouse real interest among large companies, their adoption is not yet widespread: in fact, the need to control all assets exposed on the internet and to know their level of risk is not yet acquired by all security professionals.
That’s why adoption is strongest in the most security-mature industries: banking/insurance, high-tech, telecommunications, retail, and government.
Concerning SMEs, they have a limited number of exposed assets (a website and a BU which mainly uses SaaS solutions), naturally well-controlled exposure, and therefore little legitimate interest in EASM solutions.
How do EASM tools integrate with cybersecurity frameworks and solutions, such as Cloud Security Posture Management (CSPM) and vulnerability scanners?
The fact that EASM solutions natively integrate functionalities for discovery/monitoring of critical assets and assessment of their level of risk guarantees compliance with the requirements requested by the ISO 27001, NIS 2 or DORA standards.
EASM tools can feed data about external assets into solutions like CSPM or CAASM (which leverage API integrations with existing tools). This ensures teams have an up-to-date view of the organization’s attack surface.
Vulnerability scanners can also benefit from an accurate and up-to-date inventory, but conversely, an EASM solution can directly integrate a vulnerability scanner. This enriches the way risks are assessed. Combined with threat intelligence, it saves teams time and allows them to focus only on the most critical assets.
What key indicators should be monitored for an effective EASM program?
Two quantitative metrics based on coverage and precision can be used:
- From a discovery point of view: during initialization, it is important to ensure that the solution identifies more assets than those already known (e.g. the number of subdomains, websites, etc.) by operational teams. However, an EASM solution should not add unnecessary workload to operational teams, which is why it should provide inventory without false positives.
- Regarding continuous monitoring: newly discovered, decommissioned (permanently or temporarily) or re-exposed assets should be reported in real time and not identified days/weeks later.
Concerning the qualitative aspect:
- In order to prioritize the treatment of the numerous declared assets, the assessment of the risk level of the exposed assets must be adaptable/modular (ability to propose new discovery and assessment modules), based on standards adopted by professionals, and correlated with current reality in terms of cyberattack vectors (remote access services, VPN appliances, critical vulnerabilities with public exploit, etc.).
- The solution must not be closed, and offer the possibility of integration with the tools most commonly used by operational staff.
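The two quantitative indicators described in the answer above (coverage beyond what operational teams already know, precision of the inventory, and real-time classification of newly discovered, decommissioned and re-exposed assets) can be computed from successive inventory snapshots. The following Python is an added illustration, not code from Discovery or from the interview; all hostnames, ownership flags and scan histories are constructed sample data, and the function names are this example's own.

```python
"""Quantitative EASM indicators computed over constructed inventory snapshots (added example)."""

# Constructed: assets the operational teams had listed before the EASM initialization run.
KNOWN_BY_TEAMS = {"www.example.com", "mail.example.com", "vpn.example.com"}

# Constructed: what the discovery run reported, with the team's later verdict on ownership.
DISCOVERED = {
    "www.example.com": True,
    "mail.example.com": True,
    "vpn.example.com": True,
    "staging.example.com": True,        # unknown to ops, genuinely owned: a real find
    "old-shop.example.net": True,       # registered by a subsidiary, never declared
    "example-com.fake-cdn.test": False,  # lookalike that is not ours: a false positive
}

# Constructed: per-host exposure history, oldest scan first (True = exposed in that scan).
HISTORY = {
    "www.example.com": [True, True],
    "mail.example.com": [True, True],
    "vpn.example.com": [True, True],
    "staging.example.com": [True, False],  # taken offline after the previous scan
    "old-shop.example.net": [True, True],
}
# Constructed: hosts seen exposed in the current scan.
CURRENT_SCAN = {"www.example.com", "mail.example.com", "vpn.example.com",
                "staging.example.com", "test.example.com"}


def coverage_gain(known: set[str], discovered: dict[str, bool]) -> tuple[int, float]:
    """Owned assets found beyond the teams' list: absolute count and ratio to the known set."""
    new = {host for host, owned in discovered.items() if owned and host not in known}
    return len(new), len(new) / len(known)


def inventory_precision(discovered: dict[str, bool]) -> float:
    """Share of reported assets the organization really owns (1.0 means no false positives)."""
    confirmed = sum(1 for owned in discovered.values() if owned)
    return confirmed / len(discovered)


def classify_changes(history: dict[str, list[bool]], current: set[str]) -> dict[str, set[str]]:
    """Split the current scan into new, decommissioned and re-exposed hosts.

    new:            never seen in any earlier scan
    decommissioned: exposed in the previous scan, absent now
    re_exposed:     absent in the previous scan, exposed again now
    """
    changes = {"new": set(), "decommissioned": set(), "re_exposed": set()}
    for host in set(history) | current:
        past = history.get(host, [])
        seen_now = host in current
        if not past and seen_now:
            changes["new"].add(host)
        elif past and past[-1] and not seen_now:
            changes["decommissioned"].add(host)
        elif past and not past[-1] and seen_now:
            changes["re_exposed"].add(host)
    return changes


def record_scan(history: dict[str, list[bool]], current: set[str]) -> dict[str, list[bool]]:
    """Append the current scan to every host's history so the next diff has a baseline."""
    updated = {host: flags + [host in current] for host, flags in history.items()}
    for host in current - set(history):
        updated[host] = [True]
    return updated


if __name__ == "__main__":
    print("coverage gain:", coverage_gain(KNOWN_BY_TEAMS, DISCOVERED))
    print("precision:", round(inventory_precision(DISCOVERED), 3))
    print("changes:", classify_changes(HISTORY, CURRENT_SCAN))
```

A temporary decommissioning shows up as a `decommissioned` entry followed, in a later scan, by a `re_exposed` entry for the same host; the interview's point about real-time reporting is that both transitions should be raised when the scan that observes them runs, not days later.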
How does EASM manage shadow IT and how does it differ from other security solutions in uncovering these hidden systems?
It is important to specify that an EASM does not cover the entire shadow IT of a company: the telephone (or personal computer) of an employee used on the company’s WiFi network for example is a case of use which is not addressed, just like a SaaS messaging application (or accounting, HR, etc.) on which an employee has registered with their professional email address.
However, an EASM solution is perfectly suited to identifying domain names registered by a subsidiary (or a web agency) which have not been declared to the Group. Likewise, a website put online by a developer but unknown to the central team can easily be identified.
The key differentiator that we have worked hard on is how we characterize and classify all the elements (TLS certificates, Google Analytics, favicon, etc.) that make up the resulting mapping. It is possible to perform pivots from these elements, and thus identify shadow IT assets which can be added to the initial inventory of exposed assets.
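The pivoting described in the answer above, from elements such as TLS certificate names, analytics identifiers and favicons on known assets to observed hosts that share them, can be sketched as an index-and-lookup over fingerprints. The Python below is an added example and is not Discovery's implementation; the hosts, fingerprint values (placeholder strings rather than real certificate names, favicon hashes or analytics IDs), the `GENERIC_VALUES` deny list and the function names are all constructed for illustration.

```python
"""Pivoting on shared technical fingerprints to surface undeclared assets (added example)."""
from collections import defaultdict
from typing import Iterator

# Constructed inventory of declared assets. Fingerprint values are placeholders only.
KNOWN_ASSETS = [
    {"host": "www.example.com", "cert_sans": ["www.example.com", "example.com"],
     "favicon": "fav:7f3a", "analytics": "ga:ACME-1"},
    {"host": "vpn.example.com", "cert_sans": ["vpn.example.com"],
     "favicon": "fav:default-nginx", "analytics": None},
]

# Constructed hosts observed on the internet but absent from the inventory.
OBSERVED = [
    # certificate also names a declared host: likely a subsidiary or agency deployment
    {"host": "promo.old-brand.net", "cert_sans": ["promo.old-brand.net", "www.example.com"],
     "favicon": "fav:9c1d", "analytics": None},
    # same favicon and analytics tag as the corporate site: likely an undeclared dev site
    {"host": "dev.webagency.test", "cert_sans": ["dev.webagency.test"],
     "favicon": "fav:7f3a", "analytics": "ga:ACME-1"},
    # shares only a default server icon: no meaningful link
    {"host": "unrelated.test", "cert_sans": ["unrelated.test"],
     "favicon": "fav:default-nginx", "analytics": None},
]

# Values shared by many unrelated sites (default icons, template tags) would create false
# pivots and inflate the inventory with false positives, so they are never used as links.
# Constructed deny list for this example.
GENERIC_VALUES = {("favicon", "fav:default-nginx")}

Fingerprint = tuple[str, str]  # (kind, value)


def fingerprints(asset: dict) -> Iterator[Fingerprint]:
    """Yield every pivotable element an asset exposes."""
    for san in asset.get("cert_sans", []):
        yield ("cert_san", san.lower())
    if asset.get("favicon"):
        yield ("favicon", asset["favicon"])
    if asset.get("analytics"):
        yield ("analytics", asset["analytics"])


def build_index(known: list[dict]) -> dict[Fingerprint, set[str]]:
    """Map each non-generic fingerprint to the declared hosts that carry it."""
    index: dict[Fingerprint, set[str]] = defaultdict(set)
    for asset in known:
        for fp in fingerprints(asset):
            if fp not in GENERIC_VALUES:
                index[fp].add(asset["host"])
    return index


def pivot(known: list[dict], observed: list[dict]) -> dict[str, list[tuple[str, str, list[str]]]]:
    """Return observed hosts linked to the inventory, with the evidence for each link.

    Evidence entries are (kind, value, declared hosts sharing that value), so an analyst
    can review why a host is proposed before adding it to the inventory.
    """
    index = build_index(known)
    hits: dict[str, list[tuple[str, str, list[str]]]] = {}
    for asset in observed:
        evidence = [(kind, value, sorted(index[(kind, value)]))
                    for kind, value in fingerprints(asset)
                    if (kind, value) in index]
        if evidence:
            hits[asset["host"]] = evidence
    return hits


if __name__ == "__main__":
    for host, evidence in pivot(KNOWN_ASSETS, OBSERVED).items():
        print(host)
        for kind, value, linked in evidence:
            print(f"  {kind}={value} shared with {', '.join(linked)}")
```

Each proposed host carries its evidence rather than a bare verdict, which matches the interview's requirement that discovery must not create unnecessary workload: a reviewer can accept a host linked by a certificate name in seconds, while a host linked only by a widely reused value never appears.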
Many EASM platforms advertise user-friendly interfaces. Why is this so essential for the successful implementation and operation of EASM within an organization?
More and more non-technical operational users, as well as managers, are using cybersecurity solutions, and this applies to EASM. That’s why it’s critical to make data understandable, actionable, and summarized for easy reporting.
On the other hand, teams find themselves accumulating solutions (dozens) to cover their different needs. It is therefore essential to provide user-friendly interfaces to ensure a certain level of support for the product and avoid a disappointing effect which leads to its non-use and consequently its abandonment.