There is no shortage of new tooling in the cybersecurity market. Security professionals are overloaded with different types of tools. In fact, Gartner has recently announced a new category named Cyber Asset Attack Surface Management (CAASM). All these solutions are touting industry best practices and best-in-class technology. Between breach emulation, enterprise attack surface management, automated penetration testing, attack simulation, posture management, scoring tools, etc., it can be quite difficult to understand the real value of each solution and where it fits in your security program. Therein lies the answer.
Organizations like yours must regularly adjust their priorities and risk appetite to meet changes in IT and the threat landscape. Investments in security technologies and services need to provide immediate and long-term benefits and must align with the operational requirements of your organization. Most capabilities from vendor solutions are consumed by an analyst and require a process to become effective. Security operations need to be designed to support business operations and respond effectively to issues that could affect the organization’s brand and productivity. It’s critical for you to identify the outcomes your organization requires instead of a technology that you believe you need.
Taking a look at current assessment solutions on the market, below is a high level list of categories:
- External Attack Surface Management (EASM)
- Penetration Testing as a Service (PTaaS)
- Autonomous Penetration Testing & Red Teaming
- Breach and Attack Simulation (BAS)
- Cyber Asset Attack Surface Management (CAASM)
- Vulnerability Assessment/Management (VA/VM)
- Risk Rating and Scoring
- Remediation Validation
All of these technologies can have a place in a cybersecurity program; it just depends on the goals set by your organization. We’ve identified a few questions below to ask yourself to help understand what those goals may be.
How much asset coverage do you want?
Basically, what percentage of the organization’s attack surface are you trying to address? Most organizations have internet-connected assets across internal, external, and/or cloud environments.
- Internal environments are traditional office headquarters, on-premise data centers, colocation facilities, satellite offices, etc.
- External environments are internet-facing points of presence. This can be entire network ranges or even just one web server.
- Cloud environments include Amazon AWS, GCP, or Microsoft Azure (or other cloud) environments where your organization manages infrastructure. These environments are effectively ‘internal’ to the cloud environment.
Some of the solutions listed above are explicitly external, while others work regardless of the type of environment. For example, external attack surface management has it in its name: it can only assess external environments. Risk and scoring tools are external only too, with no point of presence internal to your infrastructure. On the other side, breach and attack simulation tools often require agent installation to function.
After identifying the assets your organization is trying to protect, and identifying their location, ask yourself the next question.
How in-depth should the coverage be?
Should the testing be deep and narrow, low-touch and noninvasive, or broad and thorough? Breach and attack simulation assessment solutions are extremely powerful, aligning with MITRE ATT&CK. These solutions typically require that agents be installed, but they identify advanced exploitation workflows. On the other hand, risk rating and scoring tools are very low-touch, passive, and non-invasive. They do not require an agent, but they do not provide anywhere near the same depth of insight.
What level of effort are you willing to put in?
Remembering that every tool requires your organization to have a procedure and process in place to get value out of it, do you have the resources and time necessary to drive value from the solution? Some solutions require agents, which means installing software across your enterprise. Software tools will always require some sort of configuration or recurring upkeep unless fully managed. No matter how advanced or comprehensive the solution, if the organization does not put in the work effort or have the resources necessary to react and respond to the data, the technology is useless.
To help with the identification process, we’ve added high level descriptions of each solution with some insight into how each answers the questions above. Download the Ebook for more information!
External Attack Surface Management (EASM)
EASM tools only work for external environments – basically assets in the public domain. Testing depth is wholly dependent on the type of technical testing performed by the vendor. A low level of effort is required to get started, and most providers have a SaaS portal where you enter your targets and monitor your dashboard. Plug in your external IP addresses, hostnames, etc. and watch your dashboard. Due diligence needs to be done on the vendor to ensure technical depth of testing, coverage of different environments, and integrations.
Penetration Testing as a Service
Penetration testing is a staple in the information security world. And now organizations can broker the experience with a web interface and a consultant in the back. Testing depth is considerable, depending on the quality of the consultant. Penetration testing is manual work and does not lend itself to automation, though there are vendors attempting to address that as well.
You must engage a PTaaS firm, though the process is much faster than working with a traditional professional services organization. A penetration test, by a qualified consultant and with the proper coverage of the organization’s attack surface, is an ultimate testament to the security controls in place.
Autonomous Penetration Testing & Red Teaming
Taking penetration testing automation to a new level, these solutions attempt to automate the work that would be manually performed during a penetration test.
Very few actions during a penetration test lend themselves to automation. Not to mention that the goal of penetration testing isn’t always to exploit and get domain admin. Sometimes it’s simply finding an unprotected share with PII or organizational financial data. Another questionable factor to consider is the acceptance of results from an automated penetration testing solution when auditors expect manual testing (i.e., by a human analyst).
Breach and Attack Simulation (BAS)
These solutions are quite comprehensive and typically provide continuous insight into compensating controls and security mechanisms in place. By emulating and simulating attack scenarios that mimic malicious actors and APT groups, these solutions are at the forefront of testing the most advanced exploitation and attack chains.
These solutions are typically expensive, require an agent be deployed, and don’t provide coverage of the entire environment. They are recommended for mature organizations and information security teams that are looking to protect against advanced threat actors such as APT groups.
The level of insight is unparalleled. These solutions help validate security spend in other cybersecurity domains. For example, any solution the organization has implemented that is meant to act as a compensating control or detection/prevention mechanism can be tested while running breach and attack simulation scenarios.
Cyber Asset Attack Surface Management (CAASM)
Hot off the press from Gartner, this new category of solution blends data from multiple sources and attempts to provide a single pane to view cybersecurity from an asset perspective. CAASM solutions work best when integrated with other solutions. The level of effort will be determined by how many solutions your organization has that integrate with the CAASM provider; otherwise net-new software must be purchased and configured.
These solutions provide a wealth of information when correlated, but the reliance on integrations means more tooling, configuration, and management. If your organization already owns and manages complementary solutions (the ones that integrate), then great!
Vulnerability Assessment/Management (VA/VM)
This solution category is foundational to modern cybersecurity programs and built into industry standard compliance and regulatory frameworks as a requirement. Required by practically every cybersecurity compliance, governance, and audit framework, vulnerability management existed before any of the other solution categories identified in this article. It is a building block of modern cybersecurity programs.
Risk Rating and Scoring
A simplified and non-invasive approach to identifying cybersecurity posture with an easy-to-understand scoring system. These solutions work best in the vendor risk assessment space. These solutions are typically non-invasive, low-touch, and passive. The results provided by these solutions are not an accurate representation of the real technical risks.
Remediation Validation
This solution is designed to identify assets, perform vulnerability scanning, and subsequently monitor and identify when vulnerabilities are successfully remediated across an organization’s infrastructure (internal, external, and cloud). Remediation Validation addresses the full lifecycle of vulnerability management – from asset discovery, to vulnerability identification, prioritization, and confirmation of resolution.
Identify the outcome, not a technology
When looking for assessment solutions, the goal is to reduce risk by identifying and remediating vulnerabilities. If this is the desired outcome for your organization, the technology must be in place along with the proper coverage of the organization’s assets. A process must also be in place for resources at your organization to act on vulnerability information.
All of the technologies listed above provide a fundamentally different level of coverage. They assess the number of assets and status of vulnerabilities in a technologically different manner. Some of the solutions perform active testing, some only passive, some require agents, some only work externally, and some rely entirely on integrations. Focus on the outcome, and not a technology when choosing your solution. Of the solutions listed, only one is recognized as a requirement for practically every industry standard compliance and governance framework in the information security, technology, and cybersecurity space: Vulnerability Management.
Vulnerability management is the cornerstone of information security programs. This is the process of systematically identifying assets across your organization’s internal, external, and cloud infrastructure, and subsequently performing discovery, enumeration, and vulnerability scans to identify misconfigurations and deficiencies.
Vulnerability management requires technical tooling and a human-in-the-loop to remediate vulnerabilities (though there has been some great progress on automated patching!). When correctly implemented, vulnerability management provides breadth and depth of coverage that no other solution can match – not breach emulation, not attack simulation, not scoring tools, not posture management. These solutions have their place in an organization’s security program, especially as an organization matures, but they do not provide the fundamental level of coverage a vulnerability management program provides, from a risk reduction, technical coverage, and business value perspective.
Align with the business goals
After identifying the desired outcome, the next step is to ensure it aligns with the goals and drivers of your organization. If you’re adhering to a security program, chances are maintaining a vulnerability management and patch management program, along with annual penetration testing, is on your radar. The business relies on these functions.
When undergoing annual audits, it’s very common to prove to the auditor that the organization is actively identifying and fixing issues. Customers, business partners, investors, and insurers all expect the modern corporation to prove some level of cybersecurity oversight. This is often the first challenge your organization will face where business and cybersecurity requirements converge – proving to outsiders that your organization is performing its due diligence when it comes to cybersecurity and safeguarding data.
With the auditors on one side, your internal stakeholders also need to see return on investment for security spend. The whole point of identifying issues is to fix them, know how long it takes to fix them, and understand what actions are being taken for resolution. Are these metrics the organization can report on?
Security ROI is critical for establishing confidence and trust in leadership. Vulnerability management is a fundamental function of information technology and security teams and provides the most comprehensive coverage compared to other solutions. The second challenge an organization will face is proving to stakeholders that the organization is improving its cybersecurity posture.
What makes VULNERA different?
Remediation validation is a core tenet of VULNERA. While traditional vulnerability management focuses on identifying issues, we take it a few steps further. VULNERA identifies when your organization successfully remediates vulnerabilities – and we make this information available to you in real time. This allows your organization to focus on what matters: remediating security issues. No time wasted configuring tools, interpreting/prioritizing results, or validating false positives.
VULNERA provides context. It’s common for an organization to have hundreds or thousands of vulnerabilities when starting or operating a vulnerability management program. It is critical to take a contextualized and risk-based approach to prioritization and addressing issues identified in your environment. This can be loosely translated to ‘the exploitable issues that are public facing and could result in takeover of a host are the most important ones to address first’.
Vulnerability prioritization streamlines the analysis, remediation, and mitigation process by focusing efforts on identifying context around a vulnerability and prioritizing the issues that pose the greatest amount of risk. VULNERA provides a prioritized roadmap for addressing security issues in your environment, based on real risk factors. We integrate with repositories to track actively exploited vulnerabilities and vulnerabilities with weaponized exploits and incorporate these data points into the ranking so that you can focus on the most critical issues first.
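As an added illustration of the prioritization rule just described and of the remediation-validation step from the Remediation Validation section (example code written for this article, not VULNERA’s own), the following scores constructed findings by exposure, exploit availability, presence in an actively-exploited feed, and host-takeover impact, then treats a finding that disappears from the next scan as confirmed remediated. The weights, field names, vulnerability IDs and sample scans are all assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for a feed of actively exploited / weaponized vulnerabilities
# (the article mentions integrating such repositories; these IDs are made up).
ACTIVELY_EXPLOITED = {"VULN-AUTH-BYPASS-02"}

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    external: bool           # asset is internet-facing
    host_takeover: bool      # successful exploitation yields control of the host
    exploit_available: bool  # public exploit code exists

def risk_score(f: Finding) -> int:
    """Higher score means fix first. Weights are constructed for this example:
    actively exploited outranks merely exploitable, and public-facing plus
    host-takeover issues float to the top, matching the stated rule."""
    score = 0
    if f.vuln_id in ACTIVELY_EXPLOITED:
        score += 40
    elif f.exploit_available:
        score += 20
    if f.external:
        score += 30
    if f.host_takeover:
        score += 25
    return score

def prioritize(findings):
    """Return findings as a remediation roadmap, highest risk first."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host, f.vuln_id))

def remediated(previous, current):
    """Remediation validation: findings present in the previous scan but absent
    from the current one are treated as confirmed fixed."""
    return sorted((f.host, f.vuln_id) for f in set(previous) - set(current))

# Constructed sample scans: the second scan no longer reports the web-01 RCE.
SCAN_1 = [
    Finding("web-01", "VULN-RCE-01", external=True, host_takeover=True, exploit_available=True),
    Finding("vpn-01", "VULN-AUTH-BYPASS-02", external=True, host_takeover=True, exploit_available=False),
    Finding("db-01", "VULN-PRIVESC-03", external=False, host_takeover=False, exploit_available=True),
    Finding("hr-fs-01", "VULN-OPEN-SHARE-04", external=False, host_takeover=False, exploit_available=False),
]
SCAN_2 = [f for f in SCAN_1 if f.vuln_id != "VULN-RCE-01"]

if __name__ == "__main__":
    for f in prioritize(SCAN_1):
        print(risk_score(f), f.host, f.vuln_id)
    print("remediated since last scan:", remediated(SCAN_1, SCAN_2))
```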
We satisfy business requirements. Vulnerability management is a business requirement when the organization is adhering to an information security governance or compliance framework. With VULNERA, your organization receives a turnkey solution where all you need to focus on is remediation. We take care of the rest. We provide the real-time dashboard and all the reports an auditor would expect. The dashboard also helps with third-party vendor risk assessments.
VULNERA shows cybersecurity ROI. We understand that remediation is the ultimate goal of a vulnerability management program, and remediation progress is your return on investment. We track metrics and KPIs around remediation progress. When it’s time to justify security spend or show progress, you have exactly what you need.
Our founders have been on the front lines delivering cybersecurity assessments for the past two decades. VULNERA solutions provide every stakeholder, from the line engineer to the CISO, with the report, dashboard, or KPI they need. At VULNERA, we do the heavy lifting.
You have a lot of options when choosing a vulnerability management solution. Take the stress out of choosing the right one for your organization by:
- Determining the amount of asset coverage you want
- Considering the depth of coverage needed
- Defining the level of effort you are willing to put in
- Evaluating the various solution categories
- Identifying your desired outcome
- Aligning with your business goals