Historically, threat intelligence and vulnerability and attack surface management have operated in siloes, creating inefficiencies that increase an organization’s exposure to attacks. When organizations can't unify these capabilities themselves, they are forced to deal with the following:
- A lack of threat context in vulnerability assessments. While vulnerability assessments on external systems uncover at-risk and unpatched systems, their reports are often large, complex, and lack the details needed to identify the riskiest flaws. Threat intelligence, however, is based on information about how adversaries currently act on the exploits they are using, among other pertinent factors. This informs the likelihood of vulnerability exploitation. That information can go a long way to help security and operations teams focus on what to patch first.
- Mitigation latency. When threat intelligence and vulnerability management are separate functions, and security operations or vulnerability management teams are unaware of the threats the intelligence team has identified, the patches that most need to be deployed will likely be delayed or missed altogether. This increases the window of vulnerability for the organization.
- Lost synergies. When threat intelligence and vulnerability management are siloed, threat intelligence teams don't readily inform security and operations teams about emerging threats, and vulnerability management teams can't share the latest insights on their organization's attack surface. That means threat intelligence analysts don't have the newest information regarding externally facing systems.
The outcomes are obvious: Attack surface and vulnerability management are incomplete, vulnerabilities persist, detection and response lags, and the risk of suffering a data breach grows.
"One of the biggest challenges organizations face when improving their security posture is prioritizing what to handle first. This type of guidance helps solve that issue and reduces the workload for security teams tasked with tackling vulnerability and exposure management," Craig Robinson, research vice president of security services at IDC, said.
Building such capabilities is challenging. Many organizations, even large enterprises, lack enough internal staff and budget to do the job they want — and need — to do. This skills and resource strain is especially pronounced for small and mid-sized organizations. These constraints make it challenging to independently conduct external attack surface and vulnerability management. It also makes it difficult for security operations teams to align external vulnerability and attack surface management processes with DevOps and other internal business-technology teams.
Paul Murray, a senior director at Sophos, explains that Sophos Managed Risk, a dedicated managed detection and response team, works with Tenable's exposure management technology to exchange information on zero days, known vulnerabilities, and exposure risks to assess environments that may have been exploited.
According to Tenable and Sophos, the pieces of Managed Risk fit together with the continuous vulnerability assessment of Internet-facing systems. In the evaluation, assets are scanned, and vulnerabilities are identified, analyzed, prioritized, and mitigated in order of the vulnerabilities that create the most significant risk specific to the organization based on Sophos's current intelligence and knowledge of its customer's environment:
Discovery and assessment of internet-facing assets: External vulnerability assessments vet an organization's externally accessible assets, such as their APIs, applications, servers, websites, cloud services, IP addresses, and IoT devices. In addition to assessing known assets, external vulnerability assessments help businesses discover newly deployed, potentially rogue systems connected to the network and exposed to the internet.
A 2023 analysis on the external attack surface management market from research firm Forrester reports that organizations discovered 30% additional internet-facing assets with external vulnerability assessments beyond what they thought existed on their network.
Continuous monitoring: Because EASM monitoring is constant, all alterations, devices, new software vulnerabilities, and other attack surface expansions and potential sources of risk are identified quickly.
Exposure prioritization: As external assets are recognized and assessed, vulnerabilities the assets contain are prioritized based on factors specific to the organization. These can include the business criticality of the asset, the security criticality, the severity of the vulnerability, and the likely impact if it's exploited.
Collaboration with Sophos MDR analysts: The dedicated Sophos Managed Risk team works closely with Sophos MDR analysts, sharing information about known vulnerabilities, zero-days, and exposure risks. This collaboration enables Sophos MDR analysts to assess and investigate the possibility of exploited environments more effectively.
Expert guidance and remediation assistance: Sophos Managed Risk provides expert guidance from a team of Tenable-certified vulnerability analysts. They help customers understand their external attack surface, prioritize vulnerabilities, and provide tailored remediation guidance to eliminate blind spots and stay ahead of potential attacks.
Managed risk provides regulatory compliance and security governance: By providing visibility into the external attack surface, as well as the vulnerability management process, organizations can more readily demonstrate compliance to regulatory mandates and their internet security policies, as well as alleviate concerns of third-party partners and customers.
"The service provides organizations with external attack surface visibility, continuous risk monitoring, vulnerability prioritization, investigation, and proactive notification designed to prevent cyberattacks," says Murray. The service includes access to a team of Sophos experts, including Tenable-certified vulnerability analysts, to help organizations identify and remediate high-risk exposures across their internet-facing assets. "The goal is to help customers identify the most pressing vulnerabilities before they can be exploited," Murray says.
Such partnerships signify where the security industry is heading: more collaboration, integration, and collaboration.