Hello and welcome to our webinar. Today, we're going to talk about Attack Surface Management and how to find results from our leadership compass through KC Open Select. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole. A little bit of logistic info before we begin. Everyone's muted centrally. We control that, so there's no need to mute or unmute yourself. We're going to do two poll questions and we'll talk about the results at the end. You can submit questions and answers in the CVENT control panel at any time and we'll take the questions at the end.
And then lastly, we're recording this, so both the recording and the slides will be available in a couple of days. So I'm going to start off by talking about Attack Surface Management, what it is, what are the trends, and then how to look for the results of our research in KC OpenSelect. And then we'll do the poll results and questions at the end. So first of all, what is Attack Surface Management? How does it work? And what are some of the key features, trends, and our predictions for where it will go?
You know, we tried to group the major functions into four big categories. So what we see here is asset discovery and classification is one of the key features. It's where it all begins. And by asset discovery and classification, this can use either passive or active techniques for asset discovery. In the case of passive, it's, you know, listening on a network, trying to figure out what traffic is going by.
Active would be more active things like actual port scanning, going through DNS, looking for records, doing network mapping, and then using the information that results from that to classify what kind of asset is it. Risk prioritization. This would be using vulnerability assessment tools, vulnerability management tools, checking configurations of services that are deployed, and then being able to get the actual business context. It's not just about looking to see what kinds of assets are out there.
That's a good starting place, but it's also important to know, you know, is this an important machine that could be, you know, a primary attack vector, you know, on an attack path? Risk prioritization helps organizations understand which ones are the most critical ones to remediate most quickly. Mitigation and remediation. Mostly we think of, you know, updating patches, getting configurations corrected if they're incorrect. For attack surface management, generally these solutions will help develop a list of assets that need to be patched, for example. They don't do the patching for you.
It's not like a patch management system, but they can provide guidance in some cases in a step-by-step fashion that makes it much easier for IT staff to work on. Then lastly, dashboards and reports. Got to be able to visualize what's out there, look at metrics. You absolutely have to have alerts when critical items are found. And then being able to track progress on a list of vulnerabilities when they're closed, when things are in a much more secure position. So it helps with the tracking as well.
So I think it's good to mention at the outset here, there are two major approaches for attack surface management. There's the external side, EASM, it's often called. This is really about looking at public-facing assets, things that are live on the internet, on the web. A customer organization would in some cases start simply just by going to the EASM solution provider site and entering a domain. And from there, they will enumerate all sorts of permutations of other subdomains, find IP addresses that may be associated, look specifically for applications and certificates.
It's very helpful for being able to do certificate management even. Then there's the aspect of vulnerability assessment. Some of these solutions have vulnerability assessment capabilities. Some of them rely on third-party products for that. And either way, it's important to be able to do good contextual risk analysis on all the assets that are discovered. On the other side, we have cyber asset attack surface management.
This is, I'd say, a little bit more internally focused. Some of the solutions that do CAASM can do both passive or active listening, but they also may import information from asset management solutions, configuration management databases. But really what they do here is add a layer of vulnerability analysis and business context.
Again, helping to figure out which are the most important assets and then apply controls as needed. So beyond the two top-level use cases or types of ASM, we find ASM being used for a variety of other use cases. These are really interesting. Shadow IT discovery, IoT devices. So many organizations have IoT devices and they're probably not even aware of all of them that are out there. Organizations that are in the operational technology or running industrial control systems. It can be hard to get a handle on all the different devices that are running in your different environments there too.
ASM can actually help with that, and also provide the vulnerability and risk prioritization in those environments for some vendor solutions. Dark web monitoring. I'll say a little bit more about that in a few minutes, but this is kind of what it sounds like: looking at the dark web and being able to provide very specific threat intelligence to their subscribing customers. Brand protection, definitely related to ASM and dark web monitoring even, but also adding an element of, say, email and social media analysis as well.
DevSecOps integration for test environments, for development environments. Threat modeling, attack path modeling. Once you have vulnerability and asset information, being able to figure out what the most likely attack paths are is very useful. Taking that one step farther even is breach and attack simulation. There are specialty solutions for breach and attack simulation and some of the ASM vendors also offer this too.
This is exactly like it sounds like running a simulated attack, showing which paths might be most critical or most likely to be compromised and providing generally very good visualizations for that and very specific recommendations of how to close off those possible attack paths. And then lastly, regulatory compliance and regulatory and security framework compliance, I should say.
We all have lots of different regulations or frameworks that we need to comply with, and for good reason; they do help improve security posture, and I'll show some of the results here on which regulatory regimes and security frameworks ASM can assist with. So in terms of integrations, ASM really, for EASM, external ASM, it can really function autonomously. In most cases, like I said, you can, in some cases, simply go off, enter your domain name, start a service with one of the solution providers and they will run everything externally.
You don't really need any infrastructure for that but it can be helpful to have that information flowing back into the rest of your security architecture and other IT tools. For cyber asset ASM, I think integrations are really key there. You've gotta be able to get information from other parts of your security infrastructure in order to make use of what CAASM can do for you.
So some of the most important integrations are IT service management, that can help with issue tracking and case management, SIEM, monitoring systems, SOAR, security orchestration, automation and response, third-party threat intelligence. Many organizations have subscriptions to third-party threat intelligence already. So if you would like to be able to use that in your ASM, it would be good to know if you can get those things connected. Most ASM solutions either have some built-in cyber threat intelligence or some of these vendors actually have their own dedicated threat research teams.
So they get very specific threat intel. But yeah, if you're already using threat intelligence and you want that to be considered by your ASM, you should find out whether or not those integrations are possible. You'll wanna be able to use your own IAM system for authenticating your admins and analysts. And then others here are more sources of information for ASM, things like unified endpoint management, mobile device management, vulnerability management systems.
Again, some of the ASM solutions have vulnerability assessment and management capabilities and some don't. So it's important to check whether or not the ASM vendor you're looking at has integrations with the vulnerability management system you currently have. Then things like PAM, Privileged Access Management, Cloud Infrastructure Entitlement Management. These help you get a handle on the IAM aspects of what's externally visible. And then lastly, endpoint security and XDR for additional asset information or even for controls to remediate the discovered issues.
So when we talk about vulnerability types, what kinds of vulnerabilities are these solutions looking for? Well, CVEs are pretty well known. There's also the Exploit Prediction Scoring System. There are other national systems like the US CISA's Known Exploited Vulnerabilities, the National Vulnerability Database. Then there are more general things like the OWASP Top 10. And then looking for missing patches where that can be determined. Many organizations are running, maybe even without their knowledge, out-of-date or end-of-life software. They may have missing controls.
You may find, again, on the identity side, unauthorized access is possible or over-provisioned entitlements. And then misconfigurations. And this can be things like not sufficiently hardening the machines or not having the right access.
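As an added illustration of the risk prioritization function just described (not code from the webinar or from any ASM vendor), the following script combines the three signals the talk names, severity (CVSS), exploit likelihood (EPSS and CISA KEV listing), and business context (asset criticality and internet exposure), into a single remediation worklist. The weights, tier thresholds, asset names and the CVE-1900-xxxx identifiers are all constructed for this example; it also shows how a CVSS-only ordering differs from the contextual one.

```python
"""Contextual vulnerability risk prioritization (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # business context, 1 (low) .. 5 (crown jewel)
    internet_exposed: bool  # True for EASM-style public-facing assets


@dataclass(frozen=True)
class Finding:
    cve_id: str             # placeholder IDs below are constructed, not real CVEs
    asset: Asset
    cvss: float             # CVSS base score, 0.0 .. 10.0
    epss: float             # EPSS probability of exploitation, 0.0 .. 1.0
    in_kev: bool            # listed in CISA's Known Exploited Vulnerabilities
    patch_available: bool = True


def priority_score(f: Finding) -> float:
    """Return a 0..1 score; higher means remediate sooner (weights are assumptions)."""
    severity = f.cvss / 10.0
    # KEV entries are confirmed exploited in the wild, so treat likelihood as certain.
    likelihood = 1.0 if f.in_kev else f.epss
    base = 0.5 * severity + 0.5 * likelihood
    context = f.asset.criticality / 5.0             # 0.2 .. 1.0
    exposure = 1.0 if f.asset.internet_exposed else 0.6
    return round(base * context * exposure, 3)


def tier(score: float) -> str:
    """Map a score to a remediation tier (thresholds are assumptions)."""
    if score >= 0.7:
        return "P1"
    if score >= 0.4:
        return "P2"
    if score >= 0.2:
        return "P3"
    return "P4"


def build_worklist(findings: list[Finding]) -> list[dict]:
    """Sorted remediation list: what to fix first and how (patch vs. mitigate)."""
    rows = []
    for f in findings:
        score = priority_score(f)
        action = "patch" if f.patch_available else \
            "mitigate: no vendor patch, isolate or apply compensating control"
        rows.append({"cve": f.cve_id, "asset": f.asset.name,
                     "score": score, "tier": tier(score), "action": action})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def rank_by_cvss(findings: list[Finding]) -> list[str]:
    """Naive ordering by CVSS alone, for comparison with the contextual ranking."""
    return [f.cve_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample inventory: two assets, four findings.
WEB = Asset("public-web-01", criticality=5, internet_exposed=True)
LAPTOP = Asset("dev-laptop-17", criticality=2, internet_exposed=False)
HRDB = Asset("hr-db-01", criticality=5, internet_exposed=False)

SAMPLE_FINDINGS = [
    Finding("CVE-1900-0001", WEB, cvss=9.8, epss=0.97, in_kev=True),
    Finding("CVE-1900-0002", WEB, cvss=9.8, epss=0.02, in_kev=False),
    Finding("CVE-1900-0003", LAPTOP, cvss=7.5, epss=0.90, in_kev=False),
    Finding("CVE-1900-0004", HRDB, cvss=6.5, epss=0.10, in_kev=False,
            patch_available=False),
]

if __name__ == "__main__":
    print("CVSS-only order:", rank_by_cvss(SAMPLE_FINDINGS))
    for row in build_worklist(SAMPLE_FINDINGS):
        print(f"{row['tier']} {row['score']:.3f} {row['cve']} on {row['asset']}: {row['action']}")
```

The point the comparison makes: CVE-1900-0002 shares the top CVSS with the KEV-listed finding but drops a tier because nothing suggests it is being exploited, and the unpatchable database finding lands on the list as a mitigation task rather than silently falling off because no patch exists.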
And then, again, there's a lot of variety in what's possible and what each of the different vendor solutions actually does here. But they do things like look for compromised credentials on the dark web. They can look for leaked or stolen intellectual property. They can look for leaked or stolen personal data. They can look for misused data. And they can look for leaked or stolen PII.
And this can include really valuable things like passport information, EIDs, driver's licenses, even photos for, let's say, biometric use. Some of these solution providers have, like I said, very advanced threat research teams. They may follow APT actor groups.
They, in some cases, track cyber criminal forums. And some of them actually monitor malware and exploit trading forums. And they do this so that they can provide very, very handcrafted threat intelligence to their customers to let them know specifically what kinds of threats they may be facing. So there's a long list of different regulatory regimes and security frameworks. Not every single one of the vendors that you'll see here in KC OpenSelect or the Leadership Compass does all of these, but this is kind of a sample of all the different compliance regimes that can be addressed by ASM.
So again, it's important to look to find out what specific regulations an ASM solution can help you with. And depending on the business you're in, you can find industry-specific things like HIPAA or PCI DSS as well as the more common ISO and NIST cybersecurity framework and various special publications that are out there. And things like SOC 2 Type 2 or cloud compliance, those are also things that many organizations would like to have even better visibility of. And ASM can help with these. So let's take our first poll question.
Now that you've heard a bit about it, I'm curious to find out, does your organization already have an attack surface management solution in place? And our choices here are A, yes, we do.
B, no, we don't. And if you don't find it useful, maybe that's a good way to indicate that.
Or C, not yet, but we're searching for it or going to be searching for it. So I'll give you a few seconds to answer that. And we will take a look at the end. So here are some conclusions that we reached after looking at ASM solutions in the market. It's still an evolving field.
Like I said, there's a wide range of features that you can find even on the EASM side, which seems to be a bit more prevalent at the moment. And I think over time, there will be a standardized feature set, but in the interim, I think it will be interesting to watch how these develop and to see which features do kind of become accepted as standard. Not all ASM vendors have fully in-house developed components. As I was kind of hinting at, vulnerability management is one example. So many of them rely on other third-party products. Some may have OEMed in specific bits of functionality.
And this isn't necessarily a bad thing. This is just, it depends on what's most important to you as a consuming organization, and what your position is on that. So if they have the features that you need, I think that's probably the most important thing to look at. As I mentioned, integrations with different kinds of security and IT tools, that's really essential for enabling ASM, CAASM especially. Some do the dark web monitoring if you think that's important to your organization. When you get into KC OpenSelect, that will become clear which ones have those kinds of capabilities.
Some of these also do have additional services like manual or automated penetration testing, or even red teaming services. So this can be an add-on or something that could be offered that can help take the information that is discovered through the course of normal usage of ASM and make it even more tailored for an individual customer. And some vendors have some of these limited brand protection features. I think that too will become a bit more common.
And in fact that's one of the predictions here: brand protection, digital risk protection will become more important for ASM solution providers. I think EASM will be an absolutely essential part of any web-facing organization's security architecture. Those feature sets are growing, they'll standardize. Right now we see a lot of variation and that really starts with where the vendor came from.
If they're, let's say, really strong in asset management or configuration management database, then you'll see that that's probably where they have the greatest strengths at the moment and they're building out capabilities. But each one of the vendors, you'll see it started at a different place. And I think that's why you find different strengths in different products.
Lastly, I think that EASM and CAASM will eventually sort of merge into just a single unified ASM offering. The reason for that is I would imagine that CIOs, CISOs would probably prefer to deal with one vendor, have one contract rather than multiple. So let's stop and do another poll question here. And this one is, which ASM approach seems most useful for your organization? And our choices are external ASM, cyber asset ASM, or both? So when we did our latest round of research on this, again, these are the functional evaluation criteria that we were looking at.
And you'll see this kind of maps back to the main functions that we talked about at the beginning, asset discovery and classification, vulnerability assessment and monitoring, cyber threat intelligence. That includes both having a threat research team or using multiple third-party CTI sources, the digital risk and brand intel, remediation, which again, mostly is discovering what the vulnerabilities are, listing out missing patches, listing configuration changes.
And in some cases, the solution providers here will give very detailed guidance, which I think is a real strength, and they can do that. The last two are looking at the breadth of attack vectors and then overall architecture and administration, what it's like to use the product from an end-user organization's point of view. So we use the same process for KC OpenSelect as for the Leadership Compass. So I thought we'd quickly go through what our methodology is and the standard categories that we rate against.
So how we do it: we look for all the vendors in a field, we get briefings, demonstrations, we create a large technical questionnaire, we send it off, get the responses. Then we look at the information that we've received, we write a first draft, we go through a fact check process. And once all that is agreed upon and done, then we publish it on our website. This also goes into KC OpenSelect, and we just launched ASM within KC OpenSelect recently. We have nine standard categories that we rate against. Security.
This is not about how much security a product delivers to a customer, but more about what the internal security of the product is like. Does it use, or require, strong authentication? Does it have role-based access control? Is its data encrypted? Is it using the latest protocol versions? Things like that. Then we look at the functionality.
This is, does it have all the features that we think it should? And we just kind of ran through the list of features there, so you'll know what we mean there. Integration, what can it connect with? Does it have a large number of connectors? Is it easy to extend with APIs? Interoperability, does it work well with other services? Can it connect to your SIEM? Can it use your ITSM? Can it pull in data from other configuration management databases in these cases? Then usability, this is how easy is it for an end-user organization to interact with it on a regular basis.
And we also look at innovation. Is it a leading-edge product, or kind of a playing-catch-up kind of product? What's the market like? How many customers? Which industries are targeted?
Ecosystem, do they have suppliers or partners that they can leverage to help customers deploy and maintain? And then lastly, the overall financial strength. So in KC OpenSelect and this leadership compass, here's the list of vendors that we surveyed. It's a pretty long list.
And again, I think that's interesting because it shows it's a very dynamic space within cybersecurity. So here, I kind of quickly just want to run through and show you a glimpse of what KC OpenSelect has to offer and then invite you to go try it out for yourself. KC OpenSelect is our tool that helps end-user organizations get started on the path of figuring out what products or services may be right for their organization. It's based on our research. It helps you to get a feel for what's out there in the market.
And then as you'll see here in a minute, you can even take the use cases and capabilities and the results from our research and sort of get a more customized view of what may be right for your organization. So if you come to our website and go to KC OpenSelect on the top here, attack surface management is near the top. You'll open that up and then you'll start by getting an overview of attack surface management, kind of what I've been describing so far today. You can scroll down to see individual vendors like the ones that I listed there.
And I've chosen one kind of at random here to sort of represent what that menu item is like. So you can read through here, find out more information about individual vendors, background on them, location, things like that, where the history, and then also of course features. You can then also come in and look at the various use cases. You can use our spider chart to click and drag these different points into which of these features you think are most interesting to you and your organization. Then it will automatically sort based on that. And then you can click down to see the results.
In this case, you'll find the ones that most closely match how you have positioned the individual points on the spider chart. And then you can go through and see how they have rated in the attack surface management research that we've done. Since KC OpenSelect is really designed to help companies with, let's say, doing an RFP, we also give questions that are helpful if you wanna set up an RFP to look at a given field like ASM. These are some questions and some general answers that you might expect from vendors when they're being asked in an RFP sort of context.
So with that, we will move on to look at our poll results. Okay, here we go. Does your organization have an attack surface management solution?
Well, great, more than 50% say yes and a little less than half say no. So that is great to know. It's a little bit better than I would have expected. So that's good to see that organizations are actively using this already. Let's move to the next one. Which ASM approach seems most useful for your organization? EASM at 17%, cyber asset ASM at one third and about half say both. And I think you're absolutely right. I think that both have really good kinds of functionality that I think can very much help with deterring the sophisticated cyber threats that we see today.
So now let's take a look and see if we have any questions in the queue. And we have, let's see: ASM sounds like a service that large companies might use. Is it really applicable for small or medium-sized businesses? I would say yes, and maybe especially so. In the case of EASM, again, it's a SaaS-delivered service. It's something that doesn't really require additional resources on the part of the customer organization.
So yeah, if you're a small or medium-sized business and you have a web presence, then absolutely I think attack surface management is very useful. It can also be great for the internal or the cyber asset attack surface management aspect as well. I think it's not necessarily the size of the company that's important.
It's: are you addressing all the possible attack vectors, and can you get good risk prioritization information? Because especially in the case of small and medium-sized businesses, if you don't have, say, sufficient staff, then something that helps you prioritize risks becomes even more essential. Let's see, next one. What are the common challenges and best practices associated with implementing an attack surface management program?
I think, let's see, well, common challenges, I would say making sure that it has the appropriate level of reporting for both, let's say, your analysts, management, SOC management, even executives. Many of the solutions do have really good, really interesting executive-level reports. And I think that's really where it can help show its value at the appropriate board level. So that would be something to consider as far as a best practice. What role does attack surface management play in the context of threat modeling and risk management?
As I was mentioning, it can be a very pivotal piece of that, especially if you're looking for more advanced solutions that have breach and attack simulation capabilities. They can give you very specific attack path predictions, attack path modeling. In many ways, I think it can be very helpful as an add-on or maybe even replace some types of red teaming activities. I think it's definitely something that can aid in those kinds of activities around attack path modeling. Let's see.
Well, I think that's all the questions we've got. So yeah, I wanted to thank everyone for attending today and would encourage you please go take a look at our KC OpenSelect site and work your way through that. Look through the attack surface management. There are a number of other solution types that are out there. So feel free to go in, use it. And if you have questions, contact us. We'll be happy to help. Thank you.