December 18, 2025
Robert "RSnake" Hansen
For those of you who don’t remember, our team founded and built Bit Discovery, which was arguably the best external attack surface management product at the time, and it was sold to Tenable (NASDAQ: TENB). As you might expect, after we left, we kept very close tabs on the industry, as knowing what a customer owns is a prerequisite for virtually every software security product offering. We gradually began to realize there are a lot of problems with our original design after we left. I want to go over one of those problems with you today.
We noticed a gap in how we treat the external inventories that drive decisions in security and insurance. We talk about external attack surface management (EASM) as if it somehow perfectly reveals the truth about what a company owns. But the utility of an attack surface map depends heavily on the customer assembling the inventory, since they are required to do this task themselves. We use EASM like a talisman, as if it will ward off danger, with no fact checking to ensure we are doing a good job. How exactly do you prove that you have built your attack surface map correctly?
I have watched large organizations stumble through this task. They pull data from half a dozen sources, glue it together, and hope the resulting picture is comprehensive enough to ensure completeness. No one audits or certifies it. The whole thing relies on the customer’s own detective work. This is in part because vendors want to divest themselves of liability, by pushing the risk onto the customer, and it is also because vendors don’t know how to do it any better than the customer does. Vendors are probably worse, given that they don’t have the advantage of insider knowledge of acquisitions. Not a great combination. So, the ownership of the problem lies at the feet of the customer. It’s “thanks and we’ll see you during renewal time,” I guess, because the customer is entirely on their own.
What makes this even more dangerous is the speed at which the world and adversaries now move. When someone asks what is exposed right now, they are really asking the verbal version of a race condition. They want to know what is reachable, and preferably before an attacker does, even though the EASM may not be complete or up to date. They may not have been vulnerable the last time the EASM ran, but in reality new assets have been added since then and they actually are vulnerable, regardless of what the interface says.
Customers want to know if that new exploit that has surfaced in the news has a path into their environment at this exact moment. These are not slow questions that can be answered once a quarter during an audit. These are questions that should be answered the very instant they need to be answered. Speed is not about re-scanning alone; it is also about having a correct inventory ready before the question is asked. It is about eliminating the lag from an initial lack of awareness to awareness and finally to action. When someone in insurance tries to price a policy, they cannot wait for a client to assemble a spreadsheet of technographic data; it must be virtually instant, lest they lose the deal to a competitor who can source it themselves. When a security team hears about a live exploit, they cannot begin by hoping they know which hosts they even own. Without an accurate pre-built inventory, many of the most valuable use cases for accurate inventories are impossible.
Vulnerability management has matured because of the industry-built audits around it. We know how to test whether a vulnerability scanner is catching what it should in both coverage and accuracy. However, there is a lack of scientific rigor around EASM. We assume customers know their own attack surface, but in practice, few, if any, actually do, and vendors aren’t equipped to prove a customer right or wrong. It is a hidden cost of ownership for EASM, as customers struggle to leverage the solutions, ultimately ending up with a question mark about the validity of the inventory, because who exactly is double-checking their work? Not the vendors - they avoid taking responsibility for quality by design.
What is needed is a system that treats accurate asset inventory as a first-class discovery problem rather than a homework assignment for the customer. Our industry needs a system that builds and maintains the EASM with the same rigor that vulnerability scanners apply to finding flaws, with good evidence as to why something belongs in the inventories and strong disincentives for failure. The industry needs something that creates the attack surface map before anyone asks for it and keeps it current without the customer doing anything at all. Of course, they would be allowed to modify it as they see fit. If, for instance, a company acquired another company last night, they should be able to alert an EASM to that fact, but that should be an added feature, not the main feature of an EASM.
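The post asks how you prove an attack surface map is correct and argues that EASM should be scored the way vulnerability scanners are, on coverage and accuracy, with evidence for every entry and no silent staleness. The following is an added illustration of that audit, not code from the post or from any EASM product: it assumes a customer-supplied ground-truth set (seeded test hosts or acquisition records) and constructed sample inventory data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Asset:
    host: str
    evidence: tuple      # why it belongs in the inventory, e.g. ("dns:A 192.0.2.10", "cert:SAN")
    last_seen: datetime  # when the discovery pipeline last confirmed it


def audit_inventory(inventory, ground_truth, now, max_age):
    """Score an EASM inventory the way a vulnerability scanner is scored.

    ground_truth is the set of hostnames the customer knows it owns (hypothetical
    input: seeded test assets or acquisition records). Returns coverage (recall),
    accuracy (precision) and the three lists an auditor would ask for: hosts the
    map missed, hosts listed with no supporting evidence, and hosts whose last
    confirmation is older than max_age (the "race condition" window).
    """
    found = {a.host for a in inventory}
    confirmed = found & ground_truth
    return {
        "coverage": len(confirmed) / len(ground_truth) if ground_truth else 0.0,
        "accuracy": len(confirmed) / len(found) if found else 0.0,
        "missing": sorted(ground_truth - found),
        "unsupported": sorted(a.host for a in inventory if not a.evidence),
        "stale": sorted(a.host for a in inventory if now - a.last_seen > max_age),
    }


NOW = datetime(2025, 12, 18, tzinfo=timezone.utc)

# Constructed sample data; none of these hosts or evidence strings come from a real scan.
GROUND_TRUTH = {"www.example.com", "mail.example.com", "vpn.example.com", "shop.acquired.example"}
INVENTORY = [
    Asset("www.example.com", ("dns:A 192.0.2.10", "cert:SAN"), NOW - timedelta(hours=2)),
    Asset("mail.example.com", ("dns:MX",), NOW - timedelta(days=10)),   # stale
    Asset("old.example.com", (), NOW - timedelta(hours=1)),             # no evidence
    Asset("vpn.example.com", ("asn:customer prefix",), NOW - timedelta(hours=3)),
]


def run_audit():
    # shop.acquired.example (last night's acquisition) is missing from the map.
    return audit_inventory(INVENTORY, GROUND_TRUTH, NOW, max_age=timedelta(days=1))


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

An inventory that scores well here still only proves coverage of what the customer already knows; the seeded ground truth is the part the post says vendors leave to the customer.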
Once that exists, everything else becomes faster. The insurance analyst gets an instant answer. The security engineer gets real-time awareness. Most importantly, the enterprise gets out from under the hidden cost of sourcing and maintaining its own truth about what it owns. If we get the incentives and feedback system in place, for the first time ever we will know if we are doing EASM correctly or not. My conclusion is that virtually no one has been doing it correctly from all that I have seen.
Until that shift happens, EASM will continue to rely on self-reported data and manual work that no one has verified. That is a weakness we cannot afford if we actually want to reduce the risks to enterprises.