Now that remote work, cloud computing, BYOD and the Internet of Things have become commonplace in modern workspaces, security operations center teams are finding that their old perimeter-based cybersecurity tools can no longer provide adequate defenses.
Clearly, modern tools better adapted to perimeter-free, hybrid environments are needed. Yet budget constraints and lack of experienced personnel mean that some organizations are unable to deploy and manage such tools. There's often just too much to do and too much to learn.
To make up the difference, many organizations, even those with well-staffed SOC teams, are turning to managed detection and response (MDR) services to augment their in-house efforts.
Sometimes the MDR services are just there to pick up the slack on evenings and weekends. But increasingly, they offer features and tools that the in-house team doesn't have or isn't trained on.
Such is the case with vulnerability management and attack-surface management, two proactive approaches to cybersecurity that detect or anticipate potential issues and mitigate them before they become actual problems.
"Prevention is better than cure," says Paul Murray, Senior Director of Cybersecurity Products and Services at Sophos. "Overall, it's better to stop something happening in the first place where you can than just spending resources and time detecting a breach and repairing the damage after it's done."
The value of an external VM/ASM service
Good cybersecurity is not just reactive, but also proactive. It finds the holes in the armor and patches them before an attack. Bean counters may question the added cost of taking proactive cybersecurity measures, but ask yourself: Would you wait until your car's engine died before you changed the oil?
Vulnerability management analyzes an organization's software environment to spot security flaws and suggest remediations. Attack surface management extends the concept beyond software, encompassing other digital assets including networks, hardware, endpoints, websites and on-site and cloud-based infrastructure.
"It's staggering how many external assets, internet-facing assets, organizations don't even know they own, let alone actually understand whether they're vulnerable or not," Murray says.
It's no longer enough to simply manage software flaws. The entire "attack surface" — all the potential ways in which an attacker might gain entry or cause mayhem — must be mapped out, and detected flaws must be analyzed, categorized and prioritized in order of risk.
This is especially true for those organizations whose digital assets are both on-premises and in the cloud. A vulnerability-management program might not adequately scan cloud instances; an attack-surface-management service is designed for them.
"Large enterprises with complex IT/OT environments ... often have a huge attack surface due to the sheer number of potential entry points for cyber threats," said Pablo Ruiz, a Managing Offensive Security Consultant at EY. "ASM helps these organizations keep control and continuously discover and monitor their assets."
The benefits of outsourcing a VM/ASM program
Many organizations might want to keep vulnerability-management or attack-surface-management programs in-house, figuring that their own SOC teams would have the budget, resources, manpower and experience to deploy and supervise such programs.
Some likely do, especially security teams in large enterprises. But other organizations may find it preferable to outsource VM/ASM to external firms who make such services their primary business. These firms may know more about current threats and exposures than most in-house SOC teams.
"From the MDR provider point of view, I think that the more visibility they have over your assets, the better they can provide the basic service, which is to detect and respond to threats," says Ruiz.
"They will know what is exposed, what and attacker will see if they want to target your organization, and what are the areas to pay more attention to."
Offloading the tasks to a third party will also leave the in-house team free to focus on the organization’s core issues.
"If you think about why organizations choose an MDR service, it's first and foremost resource constraints," explains Murray. "Many organizations don't have the people, or if they have the people, they don't necessarily have the skills to monitor and respond to threats. If they do have the people, they're perhaps wanting to focus them on business enablement rather than on security and managed response."
Even large enterprises will have to consider how much can commit to managing an ASM/VM program.
"It all comes down to how much blood and sweat you want to invest into it, because doing that means that you're going to have to have in-house expertise," says Matt Walker, Managing Director of IT Security & Compliance at Goosehead Insurance. "You're going to have to have enough manpower and enough staff cycles to actually ensure that the program runs smoothly and that you're achieving those metrics that you've set for yourself."
Walker adds that having a fresh set of eyes on an organization's digital assets can only help when trying to gain a fuller picture.
"Being able to look at that whole attack surface from the perspective of the MDR would definitely help to prioritize and to just give the data-driven decision-making to the team for where to go, what to fix first, what to focus on,” he says.
"Having the MDR being able to say, 'Hey, here's the attack surface as we see it,' and then being able to overlay that with the vulnerabilities that are coming up detected by our VM program would allow the teams to really strategize on which vulnerabilities are the most impactful to our business."
