Mitigate threats affecting your internet-facing assets.
Managed Digital Risk ProtectionExternal attack surface management (EASM) is the process of identifying internal business assets that are public-internet facing as well as monitoring vulnerabilities, public-cloud misconfigurations, exposed credentials, or other external information and processes that could be exploited by attackers. This effort aligns with a goal of obtaining a clear snapshot of cloud security posture.
As mentioned above, misconfigurations can play a big part in a vulnerability landscape. Properly configuring any cloud environment means enacting digital risk protections to defend it from a broad range of threats, whether in the form of deliberate attacks or unintended mistakes – misconfigurations, improper security awareness, etc. – that open the door to attacks.
Internal attack surface management addresses the security of assets – including humans that could be affected by social engineering such as phishing – that are behind a business’ firewalls and protective security measures. These assets are, theoretically, not exposed to the public internet and lie behind defensive measures in order to protect the business’ internal operations and trade secrets.
EASM – even though it is a part of ASM – hones in on protecting a business’ more commercial operations that lie beyond the safeguards of its internal security measures. This includes public-facing websites, apps, e-commerce operations, and any backend that could be accessed if an attacker were to exploit these digital assets.
The difference between EASM and cyber asset attack surface management (CAASM) is that EASM methodologies primarily focus on discovering and protecting public-facing assets accessible by virtually anyone on the internet. CAASM methodologies focus on both the internal and external attack surface to provide a security organization with maximum visibility of their pre- and post-perimeter attack surface. A CAASM platform can accomplish this via API integrations that access an organization's tech stack to provide that holistic view.
External attack surface management (EASM) is important because of the potential for exploitation and attack when it comes to public internet-facing – or external – assets. It’s important to remember that this external attack surface can open the door for threat actors to exploit an internal attack surface.
EASM solutions are becoming better at identifying those external-facing assets that become part of a business’ attack surface as new attack vectors are spun up with each public-facing launch. An EASM solution should be able to leverage threat feeds to engage in threat hunting. This is critical in understanding what threat actors are exploiting in the wild and if it is worth the effort to scramble the team and proactively address a potential issue. Key aspects of a proactive threat hunt can include:
EASM should also be able to leverage external threat intelligence from the post-perimeter attack surface to properly detect and prioritize risks and threats, from the nearest network endpoints to around the deep and dark web. The myriad of assets that businesses place onto the public internet each and every day is truly astounding, and each of those assets – as it goes online – will have its own considerations in preventing potential exploitation.
External, proactive threat intelligence is a must-have for any security organization that hopes to protect the attack surface of its business to the best of its ability. It is key to take preventive actions that go beyond a network perimeter to be able to respond to incidents along each dynamic attack surface.
EASM works by continuously monitoring and discovering public internet-facing assets for potential vulnerabilities that can be exploited as attack vectors. If this were to happen, threat actors could then also potentially breach an organization's internal attack surface.
Indeed Forrester says EASM works when “tools or functionalities that continually scan for, discover, and enumerate internet-facing assets, establish the unique fingerprints of discovered assets, and identify exposures on both known and unknown assets.” Let’s take a look at some uses cases Forrester has identified that can illustrate some specifics of EASM functionalities:
With these use cases, we can begin to understand just how many assets are spun up every day with the express purpose of plugging into the public-facing internet and expanding an organization's attack surface from internal to external – and therefore global. External threat intelligence feeds are critical to mitigating and stopping threats on an external attack surface.
The capabilities of EASM are some we have already covered in different sections above, but we'll compile them, with some additions, here.
Depending on the provider, threat intelligence and detections engineering teams should be able to provide detections via SaaS delivery, which means access to the latest alerts, updates, and threat intel. EASM practitioners should be able to continually enrich threat-management tools with up-to-the-minute intel.
A security operations center (SOC) can leverage an EASM platform to gain rapid access to misconfiguration data for all assets considered post-perimeter. From there, a prioritization process could be conducted to determine which assets need immediate attention. On the proactive front, EASM can be leveraged to perform threat intel gathering for red, blue, and purple teams conducting exercises.
An EASM platform should primarily be able to help practitioners gain visibility into their top external-facing assets so they can prioritize and remediate before attackers sniff out the vulnerabilities.
The benefits of EASM are profound and can have an incredibly positive impact on the effectiveness of proactive security measures and the overall reputation of the business.