Category Report: Attack Surface Management (ASM)

Terms You Might Hear

• Cyber Asset Attack Surface Management (CAASM)

• Continuous Attack Surface Management

• Continuous Vulnerability Management

• External Attack Surface Management (EASM)

Closely Related Categories

• Breach and Attack Simulation (BAS)

• Cloud Security Posture Management (CSPM)

Why It Matters

Understanding your attack surface lets you focus your finite time and resources on mitigating the right cybersecurity risks.

Problem Statement

• Cloud services are continually evolving. Regulation and cybersecurity best practices for the cloud are continually evolving. It’s hard to keep up with the pace of change and get secure, let alone stay secure.

• Attack surfaces are growing faster than security teams can keep up with.

• Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement, and mistakes. Often on assets companies are not monitoring and Digital Transformation has made this harder.

• Response and remediation is now more important than protection and detection, and companies have challenges with this and the ephemeral nature of the cloud.

Market Solution

Enter the Attack Surface Management (ASM) product market space.

• ASM tools seek to provide continuous monitoring and visibility of a company's environment.

• More than just an asset inventory function, ASM tools seek to correlate disparate information to show a realistic view of threats for a given environment. This allows for better impact analysis and coordination.

• ASM tools understand where an asset is on your network, what vulnerabilities it has, what misconfigurations it has, and what internal and external connections are being made.

• ASM tools automatically visualize a “threat-informed defense” model. This prioritization allows teams to focus on responding to what matters most and reduce the right risks.

Players

A few of the players in this space include:

• appNovi

• Axonious

• Censys

• Detectify

• JupiterOne

• RapidFort

• SecurityTrails

If you want to see the full list of players in this space that I keep track of, check out this Airtable view. This is not an exhaustive list. If I'm missing a company, let me know!

Predictions

• Expect this space to become commoditized - The same thing after the early days in the “cloud security” product space. Acquisitions and consolidations are likely in this space.

• Internally-focused (asset inventory view) attack surface management and externally-focused (pen testing view) attack surface management will start to roll into one offering. Sell me a platform that does both well so I can see my risk inside-out and outside-in.

• This space is too fractured and is confusing customers with marketing. Look for automated red team/penetration testing vendors to roll into the ASM space and vice versa.

• Cloud Service Providers (CSPs) will slowly chip away at this space and launch more services (as they always do), further increasing CSP lock-in.

Opportunities

• Correlate the data for me - the value of a product like this is in scalability and time saved. Help security practitioners mitigate the most impactful risks first by using AI/ML to do threat correlation.

• Show me the zero trust - or lack thereof. ASM products could show the relationships of accounts, services, and servers to a given cloud entity, helping customers understand if they are actually achieving that zero trust state they all want. This would be a great first step to getting your zero-trust approach in order.

• Detect and Deceive - an integration with aBreach and Attack Simulation (BAS) platform takes your ASM investment to the next level. Stop talking about hypotheticals and show what’s real and exploitable right now.

Key Insights

• Relationship mapping is the biggest value of these platforms - This is what gives you context and the ability to prioritize what you mitigate.

• The Cloud Security Posture Management (CSPM) space has been largely engulfed by the Attack Surface Management (ASM) space. The CSPM is dead, long live the CSPM.

• ASM products direct Security Operations teams’ focus and priority. If you don’t know where to start with inventorying your risk, this is a good place. Spend less time and deliver more value.

Pro Positions

What type/size/stage company should leverage these platforms?

• Startups (1-250 employees)- If you’re a cloud-first start-up, a platform with this capability should be on your radar after you meet basic compliance requirements like SOC 2.

• Small and Medium-sized Businesses (SMBs) (250-500 employees) - Same as above. Pair this with a managed security provider or managed SOC to complete the incident response function.

• Larger Companies (>500-1,000 employees) - This is an absolute must for larger companies. The more systems, people, and data you have, the more you are exposed and the harder it is to understand your full risk picture.

What makes one of these platforms “good?”

• Look for solutions that cover both the internal and external spaces, or at least integrate with an existing provider that can do the external view.

• Look for solutions that enable your teams to be more efficient and more effective with their time. This kind of platform should reduce the time and effort needed to identify and remediate vulnerabilities, so you can measure if it is actually improving.

• Look for platforms that can determine if you are missing any other security controls where they should be

Out of the Players listed, who are the top ones I would consider?

• appNovi

• CyCognito

• Intruder

• JupiterOne

References

• 8 Best Attack Surface Monitoring Tools

• Why You Need Attack Surface Management (And How To Achieve It)

• The Rise of Continuous Attack Surface Management

Thanks for reading this far!

This post is not meant to be a particular endorsement for any one player or company in this product category but is instead intended to be an industry-level primer.

If I missed something (or am just wrong), let me know!

This is not a paid post, and none of the companies listed above paid for placement. I just pick a few companies at random when I write. Also, at the time of writing this post, I have no active investments in any of the companies mentioned above.

If your company is looking to get more of a highlight, consider sponsoring the Security, Funded newsletter.