The case for enterprise exposure management
For several years, external attack surface management (EASM) has been an important focus for many security organizations and the vendors that serve them.
EASM, attempting to discover the full extent of an organization’s external attack surface and remediate issues, had broad purview, targeting software vulnerabilities, misconfigurations and neglected shadow IT assets from the outside-in. The focus on greater attack surface visibility and external asset awareness resonated with CISOs, CIOs and practitioners alike.
Recently, a new framework of cybersecurity practices and tools has emerged – exposure management (EM). When EM (sometimes referred to as threat exposure management) is applied, organizations focus not only on discovery of vulnerabilities and misconfigurations, but also on prioritizing and operationalizing those security findings for better outcomes and simplified workflows.
The innovation of EM lies in shifting focus from mere vulnerability to actionable exploitability and then using exploitability to prioritize remediation actions.
EASM: The good and the bad
Gartner first called out EASM in its 2021 Gartner Hype Cycle for Security Operations, and the category quickly climbed the hype cycle as an innovation trigger.
The ecosystem didn’t hesitate to see value in EASM and frenzied market consolidation ensued. IBM swallowed up Randori, Palo Alto acquired Xpanse, Microsoft bought RiskIQ, and EASM was rapidly subsumed into larger, more comprehensive offerings from the cybersecurity behemoths.
Architects and deployers of EASM solutions recognized that to be effective, a security paradigm must meet and overcome multiple structural and logistical challenges:
Dynamic attack surfaces – SaaS applications and as-needed cloud provisioning and orchestration obfuscate information needed (IP addresses, device names, network designations, etc.) for accurate and up-to-date cataloguing and tracking of assets. This dynamism is compounded by mercurial users exposing assets through otherwise harmless reconfiguration and connecting corporate devices to at-risk networks.
No network perimeter – At one time, enterprise networks were constrained to organization headquarters. This perimeter expanded to include regional offices and partner organizations. Cloud adoption further blurred definitions of corporate networks. BYOD and COVID-19 remote working finally obliterated any illusion of well-defined networks or hard-and-fast rules for categorizing assets. But those assets still need defending.
Information and staff silos – Today’s organizations are large, and department boundaries are increasingly fluid. This dynamism may remove chokepoints, foster initiative and boost productivity, but it also stymies cataloguing and securing the assets deployed (often informally) and used (ad hoc) by diverse stakeholders.
EASM was able to adequately perform continuous discovery and provide remediation recommendations for many new types of assets. However, as it achieved peak hype status, the promise of EASM began to fracture. It turned out that the chase for asset visibility created considerable additional workload for vulnerability management teams:
1. The visibility highlighted by EASM tools still left dangerous blind spots, in particular vendor-managed asset risks, which most tools will not reveal. In addition, the code and scripts that websites depend on, e.g., third-party CSS and JavaScript, are open to compromise as well, but early EASM tools missed these risks completely. Plus, EASM’s propensity for mis-identifying asset ownership, getting stuck in information silos, and generating a litany of false positives, left customers annoyed and frustrated.
2. Visibility became yet another source of alert fatigue. EASM itself provides no processes for operationalizing the noise, consolidating repeat findings or integrating them into existing tooling and workflows.
3. Threat validation and prioritization are weak points in EASM: given the amount of noise arising from heightened visibility, it is key to confirm the validity of alerts before ranking threat severity and assigning remediation priority.
4. The imbalance created by the shortcomings above led companies to assess exposures incorrectly, causing mitigation of the wrong issues, wasting time and resources and leaving critical risk areas exposed.
It’s little wonder that Gartner soon after consigned EASM to the “trough of disillusionment”. So much promise, but still requiring substantial investment to address the shortcomings in this first phase of EASM market delivery.
Enter exposure management (EM)
Where EASM would “boil the ocean” by cataloguing possible CVEs and misconfigurations without end, EM instead intelligently seeks out actual exposures in real world assets and configurations.
Exposure management strives to ensure that organizations discover exposures and validate them. Validation supports not just prioritization, but also remediation.
The following three principles provide the path away from EASM towards exposure management.
Broader, deeper discovery – Knowing more about potential threats, vulnerabilities and exposures, accompanied by proof, context and relative importance of involved assets. Discovery scope is key and should include both assets managed and owned by the organization, including cloud and SaaS assets, vendor-managed assets and digital supply chain assets connected to those belonging to the organization. Proof of ownership is also critical to a more comprehensive discovery process.
Validation and prioritization – Once potential exposures are discovered, EM tools help to validate those findings and prioritize them based on business impact and exploitability. Such an approach ensures that exposed critical assets are addressed first. More than merely creating an inventory of vulnerabilities, this principle advocates a more dynamic understanding of asset connectedness, often represented as a graph, to comprehend relationships and the impact of security issues.
Operational simplicity – Reducing mean-time-to-repair (MTTR) is vital for exposure management. EM focuses on streamlining the process for resolving alerts and ensuring that they reach the right team. Providing easy-to-follow procedures for remediation helps IT teams act quickly and efficiently. Integrations with security information and event management (SIEM) and ticketing systems ensure that measures are implemented promptly by appropriate staff, minimizing the window for exploitation.
EASM 2.0 = Exposure management
Is EM just the next Gartner category, guiding CISOs to buy more software tools?
The path from legacy EASM to emerging exposure management is more than a question of semantics. EASM provided a good starting position by highlighting attack surfaces and emphasizing visibility. However, cataloguing myriad symptoms is not the same as understanding the severity of those ills and providing validated exploitability information and appropriate remediation.
The cybersecurity marketplace needs a discipline focused on actual exposure with tools optimized to analyze exploitability and operationalize remediation on a continuous basis. You can think of EM as an upgrade to “EASM 2.0”, grounded in a focus on actionable findings and straightforward directives. As such, exposure management is more than just Gartner’s “next big thing”; it’s the most viable approach to securing your organization’s assets and reputation.