
External attack surface management is evolving. Here’s what you can do to keep up

It’s no longer enough to detect where you have been exposed from within your network. Today, it’s imperative to look at your entire attack surface from the outside in.

During a conversation at RSA, Vinay Anand, chief product officer at NetSPI, a provider of offensive security and pen testing, said attack surface management is a relatively new concept in terms of products and presence in the market, but it has evolved into enterprise attack surface management (EASM). The basic premise is using scanners and automation to probe the entire state of your network from the outside in.

EASM identifies every part of the attack surface and uses a combination of automation, tools, platforms, and pen testing to detect exposure areas and determine what the risk is, Anand told Bill Brenner, vice president of content strategy at CyberRisk Alliance.

There is also CASM, or continuous attack surface management, which is more geared at the internal network, Anand noted.

EASM probes every asset to see what has been exposed, whether it’s a port or secret keys, and whether the exposure is at the app or protocol level. “So you go up and down the stack and [do] a holistic look at the particular asset.” Then you can identify which areas are exposed.

Technology is built on top for a more qualitative assessment of what you find.

Customer pain points

At a basic level, companies “really are largely blind to what assets are exposed to the internet,” Anand observed. Some exposures are intentional; at other times shadow IT comes into play, where people spin up servers and do something that isn’t infosec approved.

Often, a misconfiguration creates a big security risk, he noted. “Customers don’t have a holistic view of all of this,” Anand said. The first thing they want to know is what’s been exposed and whether it’s harmless or can cause a risk.

Depending on the sophistication of the vendor, you might be able to connect those exposed assets to internal assets that “could potentially be at risk because you have a door open.”

Most of today’s tools and automation don’t provide deep, qualitative assessment because context is missing, he added. NetSPI pairs automation with manual pen testing and separates signal from noise, he said.

“It’s a triage between automation, business context, deep testing, and understanding the net impact of the exposure,” Anand said.
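The outside-in probe, the link from an exposed external host to the internal systems behind it, and the triage between automated findings and business context can be sketched in a small script. The following is an added example, not NetSPI’s product logic or anything from the interview: the scan findings, hostnames, inventory entries, the severity scale and the score thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample findings from a hypothetical outside-in scan. Hostnames,
# ports and finding labels are made up for this example.
FINDINGS = [
    {"asset": "www.example.com", "port": 443, "service": "https", "finding": "tls_ok"},
    {"asset": "dev-api.example.com", "port": 22, "service": "ssh", "finding": "open_admin_port"},
    {"asset": "dev-api.example.com", "port": 443, "service": "https", "finding": "exposed_secret"},
    {"asset": "old-vpn.example.com", "port": 1194, "service": "openvpn", "finding": "unknown_to_inventory"},
]

# Constructed business context: which external assets are known and sanctioned,
# and which internal systems each one can reach (the "door" in the article).
INVENTORY = {
    "www.example.com": {"owner": "marketing", "reaches": []},
    "dev-api.example.com": {"owner": "platform", "reaches": ["customer-db"]},
}

# Constructed internal asset register; crown_jewel marks PII or similar data.
INTERNAL = {"customer-db": {"crown_jewel": True, "data": "PII"}}

# Assumed base severity per finding type (0 = informational).
SEVERITY = {"tls_ok": 0, "open_admin_port": 3, "exposed_secret": 5, "unknown_to_inventory": 4}


def bucket(score):
    """Map a score to an action; the top bucket is handed to a human tester."""
    if score >= 6:
        return "manual pen test"
    if score >= 3:
        return "high"
    if score >= 1:
        return "medium"
    return "info"


def score_asset(asset, asset_findings, inventory, internal):
    """Combine the worst automated finding with business context for one asset."""
    worst = max(asset_findings, key=lambda f: SEVERITY.get(f["finding"], 1))
    score = SEVERITY.get(worst["finding"], 1)
    reasons = [f"worst finding: {worst['finding']} on {worst['port']}/{worst['service']}"]
    ctx = inventory.get(asset)
    if ctx is None:
        # Nobody claims this host: the shadow-IT case from the article.
        score += 2
        reasons.append("not in inventory (possible shadow IT)")
    elif score > 0:
        # An exposed, sanctioned host matters more when it is a door to crown jewels.
        jewels = [n for n in ctx["reaches"] if internal.get(n, {}).get("crown_jewel")]
        if jewels:
            score += 2
            reasons.append("reaches crown jewels: " + ", ".join(jewels))
    return {"asset": asset, "score": score, "bucket": bucket(score), "reasons": reasons}


def triage(findings, inventory, internal):
    """Group findings per external asset and return them ordered by priority."""
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[f["asset"]].append(f)
    results = [score_asset(a, fs, inventory, internal) for a, fs in by_asset.items()]
    return sorted(results, key=lambda r: (-r["score"], r["asset"]))


def exposed_internal(findings, inventory, internal):
    """Internal systems reachable from any external asset with a non-trivial finding."""
    at_risk = set()
    for r in triage(findings, inventory, internal):
        if r["score"] > 0:
            for name in inventory.get(r["asset"], {}).get("reaches", []):
                if name in internal:
                    at_risk.add(name)
    return at_risk


if __name__ == "__main__":
    for r in triage(FINDINGS, INVENTORY, INTERNAL):
        print(f"{r['score']:>2} {r['bucket']:<16} {r['asset']}  ({'; '.join(r['reasons'])})")
    print("internal assets behind an open door:", sorted(exposed_internal(FINDINGS, INVENTORY, INTERNAL)))
```

The point of the split between `SEVERITY` and the context adjustments is the one Anand makes: the scanner alone ranks an open SSH port and a leaked key, but only the inventory and the internal asset register tell you that one host is unclaimed and the other is a door to a PII database, which is what pushes those two into the bucket that gets a manual test.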

How Generative AI fits into EASM

The conversation turned to generative AI and how the technology works with EASM.

Generative AI and large language models require a large amount of data, which in turn requires a lot of correlation and context, he pointed out. If you deliver that to a solidly trained LLM, you can ask it questions.

In the context of EASM, that might be probing to determine which of your assets are exposed to risk. You can go further and say, “Of all these assets, tell me which ones are high risk, and the system will automatically tell you that,” and get even more granular to ask which of those assets are connected to your PII or your crown jewels.

“The concept of generative AI is probably new to the world, but the outcomes, the use cases, and the problems we’re trying to solve, we’ve all been working on for a long time,” Anand said. “This just makes it easier to deliver natural language-like answers.”

By Esther Shein
