The dizzying pace of workspace digital evolution in the past decade has brought us cloud computing, remote work, bring your own device and the Internet of Things. But it's also created a massive problem for cybersecurity practitioners, who find that the old perimeter-based, device-centered defense paradigm no longer works.
What had once been a largely static, well-defined "attack surface" — i.e., all the possible pathways that an adversary could use to successfully attack an organization — is now quite literally all over the place.
When employees can work from anywhere, when cloud assets are both everywhere and nowhere, when software is a service and when infrastructure and networks are software, attackers have a seemingly infinite number of potential entry points.
Legacy security tools such as firewalls and VPNs aren't built to deal with this complexity. The modern digital workspace needs stronger, newer cybersecurity tools and procedures.
Yet budget and staffing constraints limit the ability of many in-house security operations centers to implement and manage modern security tools or to take the appropriate proactive measures against potential threats. There's too much to do and not enough time to do it all.
As a solution, many organizations are using the external cybersecurity expertise offered by managed security service providers (MSSPs) and managed detection and response (MDR) providers.
These third-party teams make protecting their clients' assets their core business and can quickly defuse potential threats and respond to security incidents. Even enterprises with large in-house SOC teams may use MSSPs and MDR services to cover off hours.
Many external security providers have been adding vulnerability management (VM) and attack-surface management (ASM) to their slates of offerings. Such proactive measures can detect and mitigate potential weaknesses and issues, reinforcing an organization’s security posture before an exploit or an incident occurs.
"Prevention is better than cure," says Paul Murray, Senior Director of Cybersecurity Products and Services at Sophos. "It's better to stop something happening in the first place where you can than just spending resources and time detecting a breach and repairing the damage after it's done."
The benefits of using a VM/ASM service
Vulnerability management is a tried-and-true proactive process. It scans and maps out an organization's software and networking environment to spot potential weaknesses, suggest remediations and, often, determine which vulnerabilities need immediate attention.
Traditional vulnerability management has been around long enough for widely used standards to arise, such as the common vulnerability and exposure (CVE) system and the common vulnerability scoring system (CVSS) which, respectively, catalog vulnerabilities and categorize them according to severity.
Attack surface management is a newer concept that’s better adapted to the modern, decentralized digital workplace. It extends the vulnerability-management concept to provide visibility into the security posture of hardware, websites and virtual infrastructure, including cloud-based assets.
"It's staggering how many external assets, internet-facing assets, organizations don't even know they own, let alone actually understand whether they're vulnerable or not," Murray says.
A regular vulnerability management program might have a hard time scanning cloud instances or websites; an attack-surface-management service is designed to handle them.
"Large enterprises with complex IT/OT environments ... often have a huge attack surface due to the sheer number of potential entry points for cyber threats," said Pablo Ruiz, a Managing Offensive Security Consultant at EY. "ASM helps these organizations keep control and continuously discover and monitor their assets."
Who should run a VM/ASM program?
Large organizations whose SOC teams have enough budget, resources, manpower and experience might want to keep vulnerability-management or attack-surface-management programs in-house.
But other organizations should consider outsourcing VM/ASM programs and services to MSSPs and MDR providers, whose experts will know more about current threats than most in-house SOC teams. Outsourcing also frees up internal security staffers to focus on more immediate needs.
"Many organizations don't have the people, or if they have the people, they don't necessarily have the skills to monitor and respond to threats," explains Murray. "If they do have the people, they're perhaps wanting to focus them on business enablement rather than on security and managed response."
Walker welcomes the idea of bundling ASM into an MDR service, as it could provide a new angle of visibility into company systems.
"It would definitely help our vulnerability management program, understanding what that attack surface looks like from the MDR perspective," he says. "Right now, our vulnerability management program really only gets to see what the vulnerability scans detect, what the pen testers reveal."
How to prepare and shop for a VM/ASM service
As is often the case when preparing to add a major cybersecurity platform, begin by assessing your own needs.
"You need to be able to answer, first, 'What are all of the things that I have to protect?' and understand why," says Walker. "Look in the mirror, understand what your current posture is, and then make sure that when you deploy something like an ASM platform that it can cover what your current self-reflection is."
If you don’t conduct regular red-team exercises, then start with a penetration test by an outside agency. Inventory all your digital assets, including software, cloud instances, web apps and networking and endpoint hardware, then rank them by order of risk should the asset be compromised.
Once your needs are understood, you can start looking for ASM/VM services that best address those needs. For example, if your company sells consumer items online, ask if the service provider has experience in spotting and fixing flaws in web shopping platforms.
"The key criteria to consider when selecting a provider is the balance between cost and value," says Ruiz. "Each organization should ensure that the ASM platform/service actually covers their scope."
Ask contacts at other companies in your industry for recommendations, and make sure that the service providers you consider are established and knowledgeable.
Sophos' Murray says third-party reviews and ratings can be valuable, adding that you should ensure that the services you choose use the latest tools and information.
"Look for the expertise," he says. "Look for the underpinning technology, not home-grown or open-source. Look for best-of-breed in terms of what's under the hood."
Ruiz says that ASM/VM clients should look for "mechanisms to reduce false positives [and monitoring] of open ports, services and certificates."
In general, the type of organization best suited for an external vulnerability-management or attack-surface-management service is an organization that's eager to modernize its systems to meet the future of its industry.
"Any organization that's really thinking towards digital first, that's really thinking towards, 'How do we transform ourselves away from manual processes to automated processes?'" says Walker. "In those instances, you're introducing more and more technical systems that you need to have that kind of attack surface picture on so that you know that you're protecting yourself."
