In this Help Net Security interview, Adrien Petit, CEO at Uncovery, discusses the benefits that organizations can derive from implementing external attack surface management (EASM) solutions, the essential capabilities an EASM solution should possess, and how it deals with uncovering hidden systems.
What are the core capabilities a robust EASM solution should have?
Given that the objective is to master the assets exposed on the internet, any EASM solution must be able to provide the following four core capabilities:
- Discovery of assets (whether on-premises or in the cloud) and their maintenance within an inventory
- Continuous monitoring of assets over time and on a regular basis to identify any changes
- Assessment and prioritization of asset risk levels (misconfigurations, vulnerabilities, rogue assets, etc.)
- Integration with tools (ticketing, messaging, SIEM) used by operational teams to facilitate remediation/mitigation
What types of organizations can benefit the most from implementing EASM solutions?
An EASM solution demonstrates its value to companies and organizations – from all sectors – with a large and/or fragmented perimeter. This is also true for companies for whom the digital shift is complex (particularly those from the industrial sector).
However, even if EASM solutions generate real interest among large companies, their adoption is not yet widespread: indeed, the necessity of mastering all assets exposed on the internet and knowing their level of risk is not yet acquired by all security professionals.
That’s why adoption is strongest in the most security-mature sectors: banking/insurance, high tech, telecom, retail, and government.
Regarding SMBs, they have a limited number of assets exposed (a website and BU that essentially use SaaS solutions), an exposure that is naturally well controlled, and therefore a legitimate low interest in EASM solutions.
How do EASM tools integrate with cybersecurity frameworks and solutions, such as Cloud Security Posture Management (CSPM) and vulnerability scanners?
The fact that EASM solutions natively integrate functionalities for discovering/monitoring critical assets and assessing their level of risk ensures compliance with requirements asked by ISO 27001, NIS 2 or DORA.
EASM tools can feed data about external assets into solutions such as CSPM or CAASM (which rely on API integrations with existing tools). This ensures teams have an up-to-date view of the organization’s attack surface.
Vulnerability scanners can also benefit from an accurate and up-to-date inventory, but in the opposite direction, an EASM solution can directly integrate a vulnerability scanner. This enriches the way risk is assessed. Combined with threat intelligence, it saves teams time and enables them to focus solely on the most critical assets.
What key metrics should be monitored for an effective EASM program?
Two quantitative metrics based on coverage and accuracy can be used:
- From a discovery point of view: during initialization, it is important to ensure that the solution identifies more assets than those already known (e.g. the number of sub-domains, websites, etc.) by the operational teams. However, an EASM solution must not add an unnecessary workload for operational teams, which is why it must provide a false-positive-free inventory.
- Concerning continuous monitoring: assets that are newly discovered, decommissioned (permanently or temporarily), or re-exposed must be reported in real time, and not identified days/weeks later.
Concerning the qualitative aspect:
- In order to prioritize the processing of the many assets reported, the assessment of the risk level of exposed assets must be adaptable/modular (ability to propose new discovery and assessment modules), based on standards adopted by professionals, and correlated with the current reality in terms of cyberattack vectors (remote access services, VPN appliances, critical vulnerabilities with public exploit, etc.).
- The solution must not be closed, and offer the possibility of integration with the tools most commonly used by operational staff.
How does EASM deal with shadow IT, and how does it differ from other security solutions in uncovering these hidden systems?
It’s important to point out that an EASM does not cover the entire shadow IT of a company: an employee’s phone (or personal computer) used on the company WiFi network, for example, is a use case that is not addressed, just like a SaaS messaging application (or accounting, HR, etc.) on which an employee has registered with his/her professional email address.
However, an EASM solution is perfectly suited to identifying domain names registered by a subsidiary (or a web agency) which have not been declared to the Group. Likewise, a website put online by a developer but unknown to the central team can easily be identified.
The key differentiator on which we have worked hard is the way in which we characterize and classify all the elements (TLS certificates, Google Analytics, favicon, etc.) that compose the obtained mapping. It is possible to perform pivots based on these elements, and thus identify shadow IT assets that can be added to the initial inventory of exposed assets.
Many EASM platforms advertise user-friendly interfaces. Why is this so critical for the successful implementation and operation of EASM within an organization?
More and more non-technical operational users, as well as managers, are using cybersecurity solutions, and this applies to EASM. That’s why it’s vital to make data understandable, actionable and synthesized for easy reporting.
On the other hand, teams find themselves piling up solutions (dozens of them) to cover their different needs, so it’s essential to provide user-friendly interfaces to ensure a certain level of adherence to the product and avoid a disappointing effect that leads to its non-use and consequently its abandonment.