What Is External Attack Surface Management (EASM)?
9 Minute Read
External attack surface management (EASM) helps organizations identify and manage risks associated with Internet-facing assets and systems. The goal is to uncover threats that are difficult to detect, such as shadow IT systems, so you can better understand your organization’s true external attack surface.
EASM processes, tools, and managed services can help detect threats across servers, public cloud services, credentials, and third-party partners. Ideally, your EASM program should help you identify cloud misconfigurations, software vulnerabilities, exposed credentials, shadow IT, and various other security weaknesses that threat actors can exploit.
Related content: Read our guide to attack surface management
In this article:
The Rise of the External Attack Surface
Traditionally, the dominant IT security strategy is to provide in-depth perimeter defenses using internal networks and firewalls. However, threat actors don’t always need to breach the perimeter because externally hosted assets represent low-hanging fruit. Protecting this external attack surface is a major challenge for security teams.
Modern digital systems have an extensive footprint, with many assets deployed outside the protected network edge. This external digital footprint can be much larger and more challenging to protect than the internal network, encompassing Internet-based interactions between staff, customers, and third parties.
This challenge only grows while businesses implement digital transformation projects and allow remote users to communicate via web applications and services. Organizations expand their digital assets, with many of these hosted beyond the firewall or in the public cloud (i.e., on cloud infrastructure or mobile application stores).
Furthermore, developing these applications and services often involves third-party products and capabilities, including data, infrastructure, and code. Third-party vendors and service providers often build their functionalities on top of other providers (i.e., fourth parties). Organizations must factor these assets into their external attack surface strategy, even if they are unaware of the specifics.
What Are the Main Challenges Around the External Attack Surface?
Here are the main challenges organizations face when trying to map and protect the external attack surface:
Distributed IT Ecosystems
Organizations no longer have a traditional, well-defined network perimeter. Today’s IT ecosystems include numerous endpoints and assets scattered across many locations and devices. The ecosystem can include a core network, regional offices, subsidiaries, third-party hosting providers, and business partners that are located beyond the organization’s firewalls.
In addition to the increasingly distributed nature of IT ecosystems, organizations also face critical risks posed by shadow IT, unauthorized use of IT systems, software, devices, services, and applications. Often, shadow IT can help improve employee productivity and also drive innovation. However, it also introduces critical security risks that may result in data leaks and potential compliance violations.
The main issue is not that employees use a certain tool. Rather, security issues occur because employees introduce these tools without informing the IT or security department. Shadow IT means security teams do not even know about compromised assets already being exploited by attackers. There is no visibility, no way to inventory all assets, and no way to ensure the security stack truly covers all components interacting with the IT ecosystem.
If the IT team is unaware of these tools, they cannot raise protections around them to ensure proper use and defend against attacks. They cannot patch to the latest secure version of software or monitor vulnerabilities. As a result, the organization is vulnerable to attacks.
Too Much Data from Automated Tools
Organizations often use multiple tools to monitor the attack surface. As a result, they spend extensive resources and time without achieving actionable visibility. These tools produce massive amounts of data that require constant maintenance and analysis. Too much data and too many alerts can end up draining resources. To truly be helpful, security tools need to employ prioritization and alert triage capabilities that offer actionable insights.
Related content: Read our guide to attack surface monitoring
EASM Capabilities and Use Cases
EASM tools help map out the external attack surface, helping organizations uncover and manage potential vulnerabilities and security weaknesses in external and internal-facing assets and surface unknown infrastructure-based vulnerabilities.
You can use these tools as part of your overall cybersecurity strategy and set them to work alongside tools like cloud security posture management (CSPM) and vulnerabilities scanners. Ideally, EASM should work within your security stack to help identify, prioritize, and remediate misconfiguration and vulnerabilities.
Here are key EASM capabilities to look for:
- Monitoring—continuously scans various external environments, such as external-facing on-premises infrastructure and cloud services, and distributed ecosystems like IoT infrastructure.
- Asset discovery—attempts to uncover and map unknown external-facing assets.
- Analysis—evaluates and analyzes asset attributes to help determine the risk level of each asset, whether it is vulnerable or behaving abnormally.
- Prioritization—helps prioritize vulnerabilities and risks, pushing out alerts according to prioritization analyses.
- Remediation—offers actionable insights for mitigating the prioritized threats and remediating integration with solutions like ticketing systems, security orchestration, automation and response (SOAR) solutions, and incident response tools.
EASM is an emerging space with relatively few vendors that offer similar capabilities for common use cases. Here are the most common EASM use cases:
- Digital asset discovery and inventory—helps organizations find unknown digital assets like websites, domain names, IPs, cloud services, and SSL certificates across various environments, including clouds, local IT, operational technology (OT), and IoT. EASM helps maintain the inventory of identified assets in real-time.
- Remediate vulnerabilities and reduce exposures—prioritizes the remediation of various exposures, including misconfigurations, unpatched vulnerabilities, and open ports, according to the risk level and severity.
- Cloud security and governance—helps organizations identify public assets across cloud vendors to improve cloud governance and security. The goal is to uncover cloud assets the organization is unaware of and apply the appropriate protections to secure them.
- Data leakage detection—monitors for data leakage, including credential leakage and sensitive data exposures occurring through cloud applications and collaboration tools used by third parties and employees.
- Subsidiary risk assessment—gain visibility into digital assets across various subsidiaries for a more comprehensive risk assessment.
- Supply chain or third-party risk assessment—extend visibility to cover supply chain vulnerabilities and third-party threats. It helps support assessments that evaluate the organization’s risk exposure.
- Merger and acquisition (M&A) risk assessment—helps organizations understand the digital assets landscape and the associated risks the acquiring organization may inherit from an acquired company.
Attack Surface Management with HackerOne
Visibility alone is not enough to minimize risk and resist attacks. Organizations need to know their attack surface. They need to risk rank their assets based on how a bad actor would prioritize and execute their attacks.
HackerOne Assets blends intelligence from ethical hackers with asset discovery, continuous assessment, and process improvement to reduce risk across your ever-expanding digital landscape. You can identify, analyze, manage testing scopes, and track testing results in one place for a complete asset inventory.
Once identified, asset risk can be ranked, coverage gaps addressed and remediation resources assigned. Our community of ethical hackers can enrich asset data to include technology mapping to enable asset tracking and foot-printing. With HackerOne Assets, organizations will know their attack surface and be armed to effectively resist attacks.
Learn more about HackerOne Attack Surface Management