Verizon's latest data breach report shows that 83% of attacks are carried out by external actors, exploiting vulnerabilities in companies' network perimeters. At the same time, Gartner has identified External Attack Surface Management (EASM) as the top cybersecurity trend for the coming 5 to 10 years. So, what exactly is EASM, and why is it gaining such global prominence?
EASM is a cybersecurity approach that involves continuously monitoring and assessing a company's publicly accessible digital assets for vulnerabilities. It identifies potential security weaknesses and ranks them based on the level of business risk they pose. This approach is becoming increasingly important as it helps businesses proactively defend against external threats by ensuring their public-facing digital infrastructure is robust and secure.
EASM solutions provide a view of a company's attack surface as seen by a potential attacker. EASM's primary purpose is to alert the information security department about vulnerabilities before they are exploited.
A study by the International Data Corporation revealed that in 2022, the global market size for EASM was valued at $545.2 million. Analysts predict that by 2026, revenue from these solutions will climb to $930.7 million, reflecting an average annual growth rate of 17.5%. Additionally, Forrester's report mentions 36 major EASM vendors worldwide.
Gartner highlights the rapid pace of change in company assets as the key driver for EASM's development. They note that between 80 to 95% of a company's assets undergo changes each year, significantly altering the attack surface along with them.
The danger of shadow assets
Every company operates with public-facing assets such as websites, network devices, and remote access systems, forming an external perimeter accessible from the Internet. Attackers often exploit vulnerabilities in this perimeter to breach internal networks and target vital organizational resources. However, many companies overestimate their control over these Internet-facing assets. Surprisingly, on average, organizations employing EASM / ASM tools found 35% more assets than they were previously aware of.
Shadow assets include any websites, services and devices employees use without oversight from the information security department, like a test service or a self-deployed subdomain. It is challenging to keep track of all externally published assets as the company's infrastructure constantly evolves. The more shadow assets are accessible via the Internet, the higher the risk of cyberattacks.
In late 2022, an EASM platform uncovered a security flaw in a major company with over $5 billion in revenue. This issue came to light when the Deputy CIO inadvertently made his private internal web monitoring service publicly accessible online. Within this service, a "temp" folder was found, hidden from directory listings but containing a backup with the system's entire source code. This folder, accessible to anyone on the Internet, held an archive that, if downloaded, could have enabled a massive attack on the company. The backup also revealed highly sensitive data: the domain administrator's password in plain text, unencrypted passwords for 547 employee accounts, and complete admin access to all crucial information systems.
Gartner advises businesses to bolster their investment in continuous vulnerability monitoring tools like EASM. They highlight that, as of 2022, only 1% of companies are fully aware of their Internet-facing assets.
Understanding external attack surface management
External Attack Surface Management solutions are designed to detect common vulnerabilities in an organization's digital infrastructure. Some of the most prevalent vulnerabilities that EASM can identify include:
- Improper configuration settings in systems and services
- Unpatched software and hardware
- Open ports and services
- Insecure APIs
- Outdated or insecure encryption
- Third-party dependencies/vulnerabilities
- Weak passwords
- Known CVEs
The EASM platform operates in four key stages:
- Asset detection and monitoring: EASM continuously discovers and inventories all Internet-facing assets connected to an organization. This includes identifying websites, servers, clouds, apps, endpoints, and other items that can be accessed externally. EASM knows all domains and IP addresses as well as each resource and the services operating on them. This helps the company view all its assets that could be attacked.
- Risk identification: The platform scrutinizes all identified assets for vulnerabilities and risks attackers might exploit. It assesses how assets are configured, quantifying the impact of misconfigurations, network architecture flaws, and other common issues.
- Prioritization: EASM assesses the severity of discovered vulnerabilities, taking into account the organization's specific context, and prioritizes them from most to least dangerous. This ranking helps determine which vulnerabilities require immediate attention.
- Correction suggestions: For each identified vulnerability, EASM provides recommendations on how to address or mitigate the issue.
Again, EASM solutions offer continuous monitoring, providing real-time feedback on changes and issues in the external attack surface. It provides dashboards and reporting tools for a clear visualization of the security status of the IT architecture. These platforms are generally cloud-based, requiring no on-premises installation, and offer easy onboarding.
Implementing external attack surface management
Implementing EASM effectively requires a comprehensive and strategic approach. Here are some best practices for EASM implementation:
- Clearly define the objectives and scope of your EASM, which will vary based on unique characteristics and requirements. These may include the organization's size, industry regulations, cloud service and third-party integrations, and the specific threat landscape of the industry.
- Conduct a thorough assessment of both the current security posture and the existing IT infrastructure. Identify compatibility issues and areas where EASM can be integrated with minimal disruption.
- Involve stakeholders across departments in planning and implementation, effectively communicating changes, impacts, and benefits.
- Consider implementing EASM in phases rather than all at once. Start with critical areas and then expand to other parts of the IT infrastructure.
- Choose EASM solutions that are scalable and flexible, allowing them to adapt to the changing needs of the IT infrastructure and the organization as a whole. Ensure that vendors adhere to high security standards and policies.
- Incorporate incident response and disaster recovery plans into your EASM strategy.
- Establish continuous monitoring and regular review processes to adapt to new threats and changes in the business environment.
The simplest and most frequent method of infiltrating a company involves exploiting tech weaknesses in its external defenses. With daily changes in a company's IT infrastructure, keeping an eye on the security of its public-facing assets can be daunting. This often leads to the emergence of 'shadow assets' that make it easier for attackers to breach the company's systems. The optimal defense against cyber intrusions combines regular network perimeter scans with External Attack Surface Management (EASM) solutions, which automate asset and vulnerability identification, easing the burden of manual checks. Additionally, air gapping may offer an extra security layer for critical and high-risk systems, isolating them from online threats and enhancing defense against sophisticated attacks.