What is External Attack Surface Management?
If you want to protect your business, you need to see yourself the way the adversary sees you. That’s the idea behind external attack surface management (EASM). Despite growing popularity, what EASM is and how it fits into an overall security strategy remains confusing for many security leaders. Yet, for enterprises who get this element of external cybersecurity right, EASM provides a map of your greatest weaknesses that presents opportunities to defend infrastructure you likely didn’t even know existed.
In the first part of our series on attack surface management, we are going to dive into the basics of what this term means and why you should be paying attention to it.
What is External Attack Surface Management?
Before we explore the ways to use EASM, we need an agreed upon definition. For that, we turn to Forrester’s recently released definition of EASM as, “a tool or capability that scans for, discovers, and enumerates unknown internet-facing assets, establishes the unique fingerprints of discovered assets, and identifies various exposures.” In simpler terms, EASM displays your entire digital footprint, including all that you know and likely a great deal of architecture you did not know about. That can include deprecated systems that were never taken down, shadow IT that was unknown to leadership, and even services from 3rd parties that were discontinued yet continue to operate. All of these are opportunities adversaries see and take advantage of when organizations don’t know to protect that which is invisible to them.
One challenge with the term EASM is that “management” implies control and the ability to take action, which is not really part of EASM, according to the definition of the term. Instead, the goal of EASM is to inform businesses of online exposures so that they can make better decisions. It’s important to note that the actions taken based on that information - the true management of the attack surface - are beyond the scope of EASM as it is defined today.
EASM is easier said than done because you don’t know what you don’t know. You can’t look for assets or vulnerabilities that you don’t know exist. You can’t tell your cybersecurity software to scan for something you didn’t know was at risk. If some of your exposed assets are not known or outside your reach, you won’t know when something is being copied, stolen, duplicated, or used for malicious purposes. EASM is about making sure you know everything you are responsible for outside of your perimeter and watching your assets the way adversaries will. This is because, whether you know or not, they are very likely already watching. EASM identifies the “unknown unknowns” so you can see your entire digital footprint and defend it.
What is the (Digital) External Attack Surface?
When we talk about the digital external attack surface, we are referring to all Internet-exposed assets, including corporate network infrastructure, communications platforms, and even social media accounts. Some examples include:
- IP addresses
- Domain and subdomain names
- Organization’s hosting the exposed systems
- TLS certificate information, open ports, tech stack, etc.
- Executive personnel
- Social media profiles
- Email accounts
- Business collaboration software platforms
- Profiles on recruitment, bidding, or business networking websites
When corporate assets or proprietary information become publicly available, criminals use that access to create spoofed accounts or sell that information on the dark web to further attack your business at the perimeter. If you don’t even know these assets exist, you can’t prevent this kind of harm because you can’t even see the threats.
Who Needs EASM?
Finally, we come to the questions being asked by CISOs everywhere: “Who needs EASM, and is this worth it?” The reality is that the bigger your company gets the more you need EASM. Why? Because as a company grows they produce an ever increasing amount of architecture and intellectual property that needs to be protected. And, sadly, I’ve yet to meet a company that is confident their asset inventory is 100% accurate. When talking privately, few (if any) will even claim to have confidence their inventory is even 75% complete. This is just one of the ugly but accepted norms of cybersecurity that people have grown to accept. Worse yet, some newer companies - or those that have been acquiring other companies - often have little to no clarity on their asset inventory. Without tools to manage this, exposures are inevitable.
All of that is not to say that small and midsized companies are excused from concerning themselves with EASM. While the footprints of these companies are almost always smaller, these same companies have fewer resources to defend their assets. This results in the exact same problems with incomplete asset inventories and not enough resources to confidently maintain visibility as the large companies demonstrate. There are less exposures due to the smaller footprint, but the risk is proportionally the same…and it only takes one unknown exposure to cause immense harm. Unlike large companies, small and midsize enterprises are less likely to be able to absorb the harm of a major loss of Intellectual Property, as one example of the risks that make EASM a vital need for these businesses.
Is EASM the Same Thing as External Cybersecurity?
EASM is neither synonymous with external cybersecurity nor separate from it. Instead, think of EASM as an element within the larger external cybersecurity concept; a necessary piece of the overall cybersecurity puzzle because you cannot defend something you don’t know exists. In Part 2 of our series on Attack Surface Protection, we’ll examine how EASM and Intelligence work together to provide a complete picture of the threats to your external attack surface so you can better prioritize your responses; increasing the effectiveness and value of every action taken.
ZeroFox for Attack Surface Protection
ZeroFox is pioneering external attack surface management through our attack surface protection. Using a combination of automation and human analysts, we help enterprises map out the assets leaving them vulnerable online.
In our next installment of this series, we will cover how EASM fits into the overall external cybersecurity strategy. We’ll also discuss why CISOs should be paying attention to their external attack surface with real-world examples. Sign up for our blog subscription to get the next installment straight to your inbox.