The Must-Haves of an External Attack Surface Management Solution
External Attack Surface Management (EASM) is becoming a top priority for security leaders in 2022. Why? Digital transformations and rapid cloud adoption have challenged many of the traditional views of cybersecurity. Workforces and business operations have quickly decentralized, widening protection gaps and turning risk management of an organization on its head. Security teams, who were already under-resourced to begin with, are struggling to keep pace with the rapid changes within their company.
EASM helps customers quickly find exposed assets across the cloud and Internet, prioritizing the most critical risks to the organization. But not all solutions are created equally. The ability to automatically detect new exposures saves time for the security team when understanding the entire attack surface, while a prioritized set of accurate risks coupled with practical guidance for fast remediation empowers the team to focus on fixing the problems that are actually going to get you breached.
Are you in the market for an External Attack Surface Management solution? This blog will help you cut through the noise and focus on what is most important when it comes to managing your external attack surface.
What are the most important elements to consider when a security team is looking for an EASM solution?
Internet scanning and attribution
If your security team is looking for an EASM solution, you may be wondering how to find a tool that works for you. When you hear scanning and attribution you need to think – how often is it happening? How much is it happening? And how fresh is the data? The primary goal for any EASM technology is to discover anything you own that is on the Internet, so you need a tool that knows the entire Internet. Having fresh and up-to-date data on hosts, services, certificates, software, and the like is a prerequisite.
Originally started at the University of Michigan in 2013 to comprehensively uncover Internet vulnerabilities, Censys currently supplies data services to some of the most sophisticated enterprises, government agencies, and security companies globally. We are the gold standard in data quality and accuracy because we provide the best coverage with the broadest and most frequent perspective of the Internet, including cloud instances.
Scanning from 5 global perspectives on 3,500+ ports using Automatic Protocol Detection means we are able to see nearly 99% of the IPv4 space (we find more than 63% more services than our nearest competitor). And this cadence picks up in the cloud where we scan all public-facing cloud instances every 12 hours.
All of the data in the world doesn’t help if you can’t accurately determine what belongs to you, so an intelligent and transparent attribution process is just as important as the data itself. Censys attribution is fully automated, and in head-to-head comparisons with other EASM vendors, we produced about 10% fewer false positives.
That means you aren’t wasting time chasing down issues that no longer exist, or simply never belonged to your org. And our attribution happens on a daily basis. The ease of access to cloud services means your attack surface can grow within minutes with little oversight or security considerations. So your understanding of what is now your responsibility needs to be refreshed and updated just as fast. In simpler terms, anything other than daily attribution will mean you are working with stale data.
Risks and insights
Much like daily attribution is important for accuracy, daily monitoring of risks and exposures is needed to make sense of what to prioritize first.
Our risk framework surfaces the most relevant and critical risks that can be seen across your entire attack surface. Everything from cloud misconfigurations, like exposed storage buckets or EC2 Metadata, to risky services that are inadvertently open to the Internet – not just software vulnerabilities. As the threat landscape continues to evolve, Censys will identify and continuously evaluate the severity of each risk based on its Impact, Exploitability, and Likelihood. This is due in large part to our Rapid Response and Research teams actively tracking new zero-days to quickly build them into our platform (for example, we created 27 new unique risks 3 days after Log4j was announced).
All of this information is immediately actionable with remediation guidance and common workflow integrations to help reduce, mitigate, or reprioritize and accept risk (not every alert requires immediate action). And what do you do once you have updated that end-of-life Nginx, or closed down the RDP running on an obscure port? Our External Attack Surface Management platform can scan any asset on-demand for immediate validation that the work you’re doing is improving your risk posture.
What type of flexibility will you have with an ASM solution?
No security team wants to be forced into a rigid tool that defines their security posture – they want the tool to adapt to how they work.
At Censys, we find that users want the flexibility to change how they view their company’s attack surface. You might want to break down different business units or recent acquisitions to understand the individual risk they present. Or you might want to be able to search through all of your data in an intelligent and intuitive way, or have the ability to modify a risk for a particular asset if you know that business requires flexibility; for example, maybe running certain end-of-life software on a host. Finally, you need the option to add or remove entire domains or certain IPs as your business shifts. At no point should an EASM tool require outside support for you to customize to your environment.
How does External Attack Surface Management enrich my current security tech stack?
For the teams that already have SIEMs, SOARs, CASBs, and any of the many other tools in a typical security stack, the valuable information and guidance that EASM collects needs to enrich your day-to-day tasks. This means integrations. Censys integrates with existing security platforms like a SIEM to capture all of the events that change your attack surface on a daily basis, a Vulnerability Management solution to ensure newly discovered and previously unknown assets become part of a routine scanning cadence, and ticketing systems to start remediation work as soon as issues are detected.
Censys also offers native integrations to all three of the primary public cloud service providers (Azure, GCP, and AWS) which will help you get insight from both the inside and outside for comparison. Our customers find 20-30% more assets in the cloud than they knew existed even if they think their cloud sprawl is contained to a few providers or accounts. Cloud Connectors let you quickly identify any unmanaged cloud instances in Azure, GCP, and AWS.
How will this help my team save time or money?
A lot of this work you are doing already – managing an inventory across multiple spreadsheets, ad-hoc scanning to discover new assets, and trying to make sense of what is real and what is not. And this is all before you start addressing any security issues that have come up. Our customers have estimated saving 45 hours per month (that is an extra week of work) because Censys will handle all of this faster, more accurately, and automatically.
You will be fully operational before a purchase is made, and IT is not required to set up lengthy demos and tests. Our Automated Onboarding process will create and maintain your attack surface even as your organization changes shape through acquisition, merger, divestiture, or anything in between. You will also have a dedicated Customer Success team to help leverage best practices and support junior analysts or engineers who may be seeing your external surface for the first time.
Ready to explore an External Attack Surface Management solution? Reach out and we’ll set you up with the solution that finds more exposed assets than any other solution on the market.