The unprecedented pace of change in the modern workplace — cloud computing, working from home, BYOD devices and the Internet of Things — has made many of the old ways of guarding an organization's digital assets obsolete.
Firewalls, network perimeters and VPNs are no longer enough. New tools and new procedures can fill the gap, but many companies simply don't have the budget for additional security software or the time to train their security operations staff. There's too much to do and too much to learn, and not enough time or money to handle it.
To meet these needs, many organizations are turning to managed detection and response (MDR) services that can spot and mitigate new threats and supplement the skills and abilities of in-house SOC teams.
Some MDR services are now adding vulnerability management (VM) and attack-surface management (ASM) to the list of features offered to clients. These protections can spot and fix a vulnerability before an exploit even appears and suggest measures to improve an organization’s security posture.
"Prevention is better than cure," says Paul Murray, Senior Director of Cybersecurity Products and Services at Sophos. "It's better to stop something happening in the first place where you can than just spending resources and time detecting a breach and repairing the damage after it's done."
The benefits of using a VM/ASM service
By its nature, cybersecurity is reactive, fixing problems after they become problems. But good cybersecurity is also proactive, anticipating and fixing potential issues beforehand. After all, it's worth taking your car to the mechanic for a regular checkup even if you can't tell there's anything wrong.
Vulnerability management and attack surface management are both proactive mechanisms. The first scans an organization's software to detect potential flaws and suggest ways of remediating them; the second expands the concept to include networks, hardware, cloud assets, websites and endpoints for a more holistic view of the potential “attack surface.”
"It's staggering how many external assets, internet-facing assets, organizations don't even know they own, let alone actually understand whether they're vulnerable or not," says Murray.
Attack surface management is important for companies whose digital infrastructure has escaped the boundaries of their network perimeters. While vulnerability-management programs might have difficulty properly scanning cloud instances or websites, attack-surface-management platforms are designed to handle them.
"Large enterprises with complex IT/OT environments ... often have a huge attack surface due to the sheer number of potential entry points for cyber threats," said Pablo Ruiz, a Managing Offensive Security Consultant at EY. "ASM helps these organizations keep control and continuously discover and monitor their assets."
Smaller companies can also benefit from VM/ASM programs, depending on the complexity of their digital environments, as well as the regulatory landscape of their industries.
"If it's an organization that's small, that doesn't necessarily have a lot of risk out there, then it may not make financial sense," says Matt Walker, Managing Director of IT Security & Compliance at Goosehead Insurance. "But if it's a large, publicly traded organization, you need it."
Large enterprises with large SOC teams often have the budget and experience to implement and manage their own vulnerability-management or attack-surface-management programs.
But smaller organizations might want to consider outsourcing VM/ASM services to third parties who will be more knowledgeable about current threats and exposures than most in-house SOC teams.
"Many organizations don't have the people, or if they have the people, they don't necessarily have the skills to monitor and respond to threats," explains Murray.
Who should run your external VM/ASM program?
If you're going to outsource your ASM/VM program, you'll need to decide what kind of company should run it. There are managed service providers (MSPs) that handle all IT-related needs, and also managed security service providers (MSSPs) that focus only on cybersecurity.
MDRs are specialized MSSPs that focus on detecting, responding to and, often, initially remediating threats on their clients' networks.
You could also contract a dedicated VM/ASM service. Or you could take what your existing MSP or MSSP might offer.
But if you already use an MDR provider, bundling that with an ASM/VM service might be the best option. Both teams would focus on their specific areas yet complement each other's efforts.
For example, the Sophos Managed Risk VM/ASM service, which is an optional bundle offered to Sophos's MDR services, creates an exchange of information between the teams.
"Whilst they are discrete [teams], they do work in concert with one another," says Murray. "A Sophos MDR analyst can leverage information and data from the managed-risk vulnerability scans, and vice versa."
Ruiz thinks that clients gain an advantage from having many options to choose from with a single provider.
"If you are delegating security services to an external provider, you want that provider to take care about the critical stuff that you define," he says. "But if they keep improving and are able to include more services, then you have more options, and therefore freedom to leverage those MDR services in the best way for your interests."