Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the Director of the Practice Identity and Access Management here at KuppingerCole Analysts. Today I have two guests and it's worth it. We want to talk about a topic that we have not yet covered in that form or shape, and my guests today are, first of all, John Tolbert. He is the Director of Cybersecurity Research at KuppingerCole. Hi, John. Good to see you. Good to have you.
Hi Matthias. Good to be back again.
Great to have you. And for the first time, we have Osman Celik. He is a Research Analyst with KuppingerCole working together, obviously, with John. Hi, Osman.
Hi, Matthias. It's nice to see you for the first time here.
Yeah, absolutely. And we want to start with a topic which is again, yet another new acronym. It's ASM, we want to talk about attack surface management. First of all, for the listeners that hear that for the first time and not too long ago, I was hearing that for the first time as well. Can you give us a brief overview of what is attack surface management and why it's so critical within today's cybersecurity?
Sure. Attack surface management is primarily a cloud delivered service. It is designed to help customer organizations find weaknesses in their infrastructure. It can start with looking for assets, finding vulnerabilities or pulling in vulnerability information and business context information, and then helping them prioritize the risks so that they can remediate them. Osman?
Yeah, I could contribute. I agree with John and I could contribute to that to some small extent. What I can say is that we know what the... we have this philosophical schema, you know, like known knowns, unknown knowns. And I think so far, with the cybersecurity measurements that we were taking, we were taking measurements against the known unknowns, like what we know and that we don't have any solution for. But the approach that ASM is taking is more like making you ready for the unknown unknowns. This is the trickiest part, I guess, because it is a proactive approach to cybersecurity threats. And you know, with the traditional methods like pen testing or vulnerability management, you can only take measurements against the risks that you know you are going to be hit by at some point, sometime soon, or you have already had the incident in your organization. But what ASM does is unique, in the sense I would say, that it prepares you for what you are going to be hit by in the next months, next years. So that's what makes ASM very unique in that sense, I would say.
Okay. I'm seeing a pattern here because I just recently did an episode with our colleague Mike Small, and he talked about cloud security posture management, and he was talking about the same phenomenon: that infrastructures are so volatile, that things change so quickly within the infrastructure, but also that the threats change so dramatically and so rapidly. So that is also something that is covered and countered with attack surface management. So this dynamic nature of the attack surface is really something that these solutions specifically target. So, this continuous evolving of the attack surface: how do these ASM solutions actually tackle these dynamics within the attack surface? Maybe starting with Osman.
Yeah, I mean that's a great question. When we think about the dynamic nature of attack surfaces, I can directly think about, you know, what an attack surface is and what an attack vector is. The attack surface is dynamic for sure. You have your IT environment and then you have your components. They are physical, like the tangible and intangible ones. So your attack surface could be anything like your assets, your users, your devices. But on the other hand, you have an attack vector that's being targeted by attack vectors. And that is, I think, a difficult one to control. And that's where you also need to be more careful because you have these evolving attack vectors. You know, in the past we had only one small, very easy to detect phishing email. Now they're getting so complicated, just think about it. And now I can list off many different attack vectors that an attack surface management solution should address. And the number is growing. And we were trying to, you know, detect how many attack vectors we can actually highlight for a solution. And then at the end we were like, okay, this is a lot of attack vectors that we need to address, that solutions need to address. And at the end we came to a consensus that, okay, we should just probably see what each vendor is doing differently, and that's also part of the dynamic nature, because I think every vendor is entitled to what they are coming across in this dynamic environment, I would say.
Right. Anything to add from your side, John?
Yeah, you know, there are many organizations, I think, that sort of struggle with keeping an eye on all the especially public facing assets that they have. You know, there are test environments, there's use of shadow I.T. where, you know, maybe people outside of your I.T. department go out and provision cloud services, SaaS services, and you as an I.T. department may not know about that. And then there are other cases, you know, we call it typo squatting, where a bad guy will go out and, you know, register a domain that's very, very similar to your domain and try to redirect traffic there, which can be used to send out phishing emails. And certainly you don't want your organization to look like it's responsible for, you know, being part of phishing or business email compromise. So there's a whole lot of things that can go on that are sort of outside of what, you know, most I.T. security organizations might necessarily easily be aware of. So attack surface management can help find those things that are going on that you may be unaware of. And I think we should mention that there are two major kinds of attack surface management. There's external attack surface management, which is all about looking at the outside, you know, all the web facing things that an organization might have out there. And then there's cyber asset attack surface management, which is more of an internal view. Those are generally linked to other asset management or configuration management databases, unified endpoint management, mobile device management, and those kinds of systems, to pull in information about known assets, but then add a layer of analytics on top of that to be able to determine whether or not they have different kinds of vulnerabilities or if they're misconfigured.
I can maybe add a couple of things to what John just said. Yes, John is right about the attack vectors also. And the thing that we should never forget is that the cybercriminals are using different techniques and tactics every year, and their methods are also evolving. And so attack surface management is an ongoing process. I think that this is, you know, something that I provision that we will see more often in the upcoming years, because the trends are changing very frequently. So we need to have a proactive approach. The second thing about what John said is just the two separate ASMs. In the beginning of our research, we wanted to see if we can actually unify this as a single approach, as only ASM, attack surface management. But it was rather a difficult one. As John said, different vendors approach attack surface management differently, from the external side and then the internal side, as he highlighted. But one thing to note, I think, is that some vendors will try to seek out a way to see if they can unify these two approaches under one name, attack surface management. I think time will show us if it's going to happen or not.
Right. And John mentioned that there is shadow IT, there's IT you just don't even know of, and that is constantly changing, and the same company will look different to the outside and from the inside two weeks from now than it does today. So how do these systems deal with these changing environments, with these devices showing up and being removed, with virtual machines fired up and then again just closed down or retired? So how do these solutions deal with these assets that are changing over time? I've read through the document, I've at least quickly skimmed through it, and I found the term asset discovery. So really understanding what is actually to be protected is actually the first step. So can you maybe dig a bit deeper into that, into the importance of asset discovery and how this is executed in these attack surface management systems?
Sure. Well, you know, the way most of the external attack surface management solutions work is, when you sign up for the service, you go in and put in your domain name and some of them will just kind of take it from there. So they'll look at the registration, they'll look at ASMs, they'll look at, you know, any and all associated IPs. They will try to generate permutations of those domain names to look for typosquatting. And then from there, they will gather information about each found subdomain, IP address, certificate that's associated, or application, even credentials, everything that can be found on the open Web. Some of them also engage in dark web monitoring. And we could talk more about that in a minute. But that's kind of how they get started from the external ASM perspective. On the cyber asset ASM perspective, like I said, they're mostly drawing from other configuration management or UEM kinds of databases. And then how do they keep up with it? It's scan, scan, scan. You know, it's not that you can just do a scan like this once or twice a year. Most of these solutions will allow for, you know, fairly regular scanning, maintaining a database and then alerting when something's new and different. Because if you don't do that, you wind up sort of just doing periodic vulnerability management or periodic pen testing. And as we know, that isn't particularly effective anymore. Osman?
Well, yeah, I can add something small. Again, I think that, you know, we are trying to take measures against cybercriminals, and they are mostly after your critical assets or your sensitive information. And we can all find them in our physical or digital attack surface, and they are spread out and we sometimes don't know where they are. And sometimes we don't even know that we have that specific asset. So attack surface management is trying to automate this and trying to make this identification of assets continuous. And then, well, what is now better than an automated system? Now, I think automation is getting everywhere. And with asset discovery, once you automate it and once you do it continuously, you're definitely one step ahead of the vulnerability management and the pen testing solutions. So this is again what makes ASM a unique solution.
Right. So now that we know what the assets are, we know what the threats are, we know that there is a high volume of assets and threats, how do these systems deal with this large number of assets and threats? Are they all treated the same, or is there prioritization? Is there a risk-based approach? I'm always asking that question when it comes to mitigating risks: is there a top-down approach? And where does this information come from? What is high risk? What is of high importance? How does prioritization work in these ASM systems? Maybe starting with Osman?
Yeah, sure. So yeah, depending on the solutions, for example, we have come across different numbers. Speaking of the number of assets, for example, some vendors were telling us that they are able to manage 500k assets, which is something really low, and some vendors were managing over 500 million assets. That was huge, and the average number was around 10 to 100 million assets, especially for big vendors. So this is a lot of assets, and when you think about some conglomerates or some international companies, organizations, you definitely need to prioritize something and you definitely need to eliminate false positives. And the prioritization comes into play here, and you need to know what is relevant to your market, what is relevant to your organization, and what is the most threatening and the most risky thing to take measures against. So attack surface management contextualizes what the threats and the risks are for your organization or for your company. And then from there on, you can start fixing the problems one by one. And if you have like 1000 risks, but you only need to take care of, let's say, ten of them in the short term, then that's how you actually utilize it. Yep.
Right. John?
Yeah, you need to know what kind of vulnerabilities there are to understand your risks. And you also need to put that in a business context. So most of these solutions look at things like CVEs and CVSS, you know, vulnerability scoring for known vulnerabilities. And then they also consider whether or not these have any exploits in the wild. You know, a theoretical vulnerability is still a risky thing, but if there's a known exploit, it's far more risky than one that's theoretical. You know, they also look at things like the National Vulnerability Database, the U.S. CISA Known Exploited Vulnerabilities. Then they can enumerate and look for what versions of operating systems each component is running on and whether or not there are patches that are missing. They can look for misconfigurations or if controls are not in place. And some even go to the level of whether or not there have been overprovisioned entitlements or credentials associated with that. So there's a lot of different variations that we see in the capabilities there. But lastly, I'll add here, you know, the business context piece, kind of alluding to what Osman was talking about: you may have a thousand vulnerabilities, but a good attack surface management system can tell you which are the ones that you really need to focus on right now, which are the ones that, if they were compromised, would cause the most damage. And I think that element of prioritization is what can make these extremely valuable tools.
Yeah. And just one thing to add to what John said: when it comes to risk scoring, we have noticed that most of the vendors are doing a good job. And I could say there are two kinds of methods for this. Some of them are just extracting the data from, like, they just use the CVSS score, for example, and they just say, okay, this is something critical because this has been highlighted as critical, so you need to know. But some vendors actually consider the market you are in, the industry you are in, and kind of customize that risk score and also prioritize it depending on your needs. This is what I prefer, of course. And as I said, they just let you know, you know, if this is relevant to you or not, like raising a red flag, or just saying, okay, this is a medium threat, or they can also use some numerics like, you know, this is 50 out of 100. They all lead to the same logic. But yeah, at the end there are two logics. And I think that they're both fine. Yeah.
Right. And I think the information that relies on, and this is a perfect segue for me to get back to something that John already hinted at, and I'm really interested in that, I hope the audience as well, that is these emerging trends. And you've mentioned dark web monitoring. That, of course, sounds interesting. That is the darker side of cybersecurity and looking over the fence at how the bad people are doing it, but also just thinking of new architectures, hybrid architectures, like cloud and IoT. How are these trends covered in ASM tools? And especially, can you dig a bit deeper into this dark web monitoring, of course?
Sure. Well, yeah, you've kind of hit on some of the major trends that I think we see so far. You know, EASM especially is really, really taking off. Every organization that has any web facing property really should be considering this strongly at this point. You know, the feature sets, I mean, we've kind of talked about a lot of the different features that are sort of spread out across all the vendor products. Not all the vendor products have all these features. It's still kind of an emerging field. I think we're going to see standardization in the feature set in the not too distant future. And brand protection, sometimes called Digital Risk Management, will become even more important in looking for things that may impact your brand, which can be tied to dark web monitoring. If there are mentions of your company on the dark Web, if there are leaked credentials or leaked intellectual property, that's part of what dark web monitoring does. And those things, I think, will also sort of rise as important features in EASM as well. And kind of going back to what Osman said, I think that eventually we'll see sort of a unification between cyber asset and external attack surface management. I think both are very valuable, but in the long run, most organizations are going to want to be able to get these kinds of features out of the same product. You know, nobody really wants to buy and manage two different products. You know, it's two different contracts, increased cost and whatnot. So those are some of the trends that I think we see right now. Osman, anything else to add?
I totally agree. Deep web monitoring or the brand protection intel is one of the reasons why I also think that there will be a unified solution sometime soon. And well, when we think about the attack surface, sorry, the surface level internet, because it's not only the deep web, there are some repositories like GitHub or the pastebin websites that most people ignore, and some ASM solutions started to do some scanning of those websites, monitoring of those sites, on top of the dark web, which has no ending as we know. And that's also something more emerging, I would say. And on top of that, I could say that one of the most interesting things I have seen in this market is that some vendors started to also automate their remediation process. And this was something really interesting to see for me. And I mean, just automating a remediation process without the human involvement, or other expert involvement, was very interesting. And this is one of the trends that I think we will see in most ASM vendors in the upcoming years. Some vendors are already doing a very good job in this market. Maybe John can say something about this, too.
Yeah, there's a wide range. I mean, we did release a leadership compass on it, and I think it would be very good for organizations that are looking for this kind of functionality to take a look at it, because as we said, there's sort of a broad range of functionality and not every product does everything. So we try to, you know, score based on what we think are the most important features. But in the write-ups, we try to call out in the text the things that are features that you might want to look for. So it's a good place to start if you're looking for an attack surface management solution, to get an idea not only of what's out there in the market, but to kind of help you start figuring out what's most important for your particular organization.
When we think of the vendor landscape, and you mentioned this is a leadership compass, so in the end it is a list of vendors and products and services: are these the usual suspects that you expect in the security, cybersecurity market anyway, or is this a new group, or at least a newly added group, of vendors that take this bigger perspective when it comes to cybersecurity? Look to the left and to the right, to the background sources, to external threat information, and combine this into this overall attack surface management. So what does the market look like?
Maybe I can start by giving a quick answer to this, because I think John would be the best person to answer this question. The reason is that I am now familiar with the ASM market, but John can do a better comparison with the other vendor markets there. The thing I noticed here is that there is not a consensus on what an ASM does, actually, and that's why we still have this distinction of external and internal ASM. And the different vendors focus on different functions. Some of them highlight AI already, some of them are still doing pen testing, like as a service, and that's, I think, super normal, because when we think of some governmental organizations, they still have traditional IT environments. So I think that each vendor is trying to bring a solution to the table, and I think that they are doing the right thing. But as I said, there is not a unified approach. I didn't see it. I could say, yeah.
Yeah, I think, you know, to answer the question, yeah, we see some of the major cybersecurity platform players in there, and there are also some specialist startups that, you know, have a different take on that. And there's already been some consolidation. And, you know, as most things happen in cybersecurity and IAM, there'll probably be more consolidation going forward. But we also probably expect new entrants into the market because it is a hot topic. It's something that really can add value to a security architecture. So I expect to see further investment in more startups and more development overall in this market.
That sounds interesting. So it's not yet another boring, because mature and saturated, market; it's a new market. It's an upcoming, emerging market with lots of new entrants and lots to discuss. And where can you discuss this? Of course, we are running a cybersecurity event in the middle of November where John will be there, and I think Osman, you will be there, and I will be there, and the discussion can be started and continued there as well. So a new market, a new emerging market, is of course something that demands discussion, exchange with peers and, yeah, just talking to those who have similar experience right now or the same challenges and have already made some experiences as well. And of course talk to our experts like John and Osman. So cyberevolution is highly recommended, and I think you will talk about that at cyberevolution as well, right, John?
Yes.
Sounds good. Quick answer and good answer. So if somebody is interested more in this topic of ASM, you can go to the kuppingercole.com website and just pick up the Leadership Compass on attack surface management by Osman and John. You can leave a comment, leave a question below this video on YouTube, or reach out to Osman, John or me via the usual channels. The email addresses are easy to find on our website and we will answer, promised. And if you want to really lead an in-person discussion with John, with Osman, with me, and maybe users already of these solutions, come to cyberevolution in Frankfurt in the middle of November and join the discussion. For the time being, John, Osman, thank you very much for being my guests today. Any final words you want to add when it comes to ASM and what you're expecting for the future? Maybe starting with Osman?
Yeah, sure. I think, as you said, the attack surface and attack vectors are pretty dynamic nowadays, and the cybercriminals are changing their tactics and methods every year. So we need to have a proactive solution in place in our organizations. And I think that ASM could be that solution that everyone is looking for, that unified solution. I don't know if it's going to happen in one or two years' time, but maybe in the short term, medium term, I think that ASM coming into play with all the strength it has is promising, actually. And thanks for hosting me for the first time, by the way, Matthias.
John, final thoughts?
Yeah, it's an important topic. It's an important product area. We're going to talk about this and many other important cybersecurity topics at cyberevolution. So as you said, I hope everyone can join us there.
Absolutely. So thanks again. John, Osman, looking forward to having you on this podcast again soon, especially you, Osman, and to seeing you in Frankfurt, you and maybe the audience in person. And reach out to us when you've listened to this podcast and leave your comment. Thanks again. Have a great day. Thank you, Osman and John. Bye bye.