What is External Attack Surface Management (EASM)?

External attack surface management (EASM) is the process of identifying internal business assets that are public-internet facing as well as monitoring vulnerabilities, public-cloud misconfigurations, exposed credentials, or other external information and processes that could be exploited by attackers. This effort aligns with a goal of obtaining a clear snapshot of cloud security posture.

As mentioned above, misconfigurations can play a big part in a vulnerability landscape. Properly configuring any cloud environment means enacting digital risk protections to defend it from a broad range of threats, whether in the form of deliberate attacks or unintended mistakes – misconfigurations, improper security awareness, etc. – that open the door to attacks.

Internal vs. External Attack Surface Managment 

Internal attack surface management addresses the security of assets – including humans that could be affected by social engineering such as phishing – that are behind a business’ firewalls and protective security measures. These assets are, theoretically, not exposed to the public internet and lie behind defensive measures in order to protect the business’ internal operations and trade secrets.

EASM – even though it is a part of ASM – hones in on protecting a business’ more commercial operations that lie beyond the safeguards of its internal security measures. This includes public-facing websites, apps, e-commerce operations, and any backend that could be accessed if an attacker were to exploit these digital assets.

What is the Difference Between EASM and CAASM? 

The difference between EASM and cyber asset attack surface management (CAASM) is that EASM methodologies primarily focus on discovering and protecting public-facing assets accessible by virtually anyone on the internet. CAASM methodologies focus on both the internal and external attack surface to provide a security organization with maximum visibility of their pre- and post-perimeter attack surface. A CAASM platform can accomplish this via API integrations that access an organization's tech stack to provide that holistic view.

Why is External Attack Surface Management (EASM) Important? 

External attack surface management (EASM) is important because of the potential for exploitation and attack when it comes to public internet-facing – or external – assets. It’s important to remember that this external attack surface can open the door for threat actors to exploit an internal attack surface.

EASM solutions are becoming better at identifying those external-facing assets that become part of a business’ attack surface as new attack vectors are spun up with each public-facing launch. An EASM solution should be able to leverage threat feeds to engage in threat hunting. This is critical in understanding what threat actors are exploiting in the wild and if it is worth the effort to scramble the team and proactively address a potential issue. Key aspects of a proactive threat hunt can include:

  • Data collection and processing 
  • Documentation and reporting 
  • Collaboration and communication across teams
  • Humans working together with technology

EASM should also be able to leverage external threat intelligence from the post-perimeter attack surface to properly detect and prioritize risks and threats, from the nearest network endpoints to around the deep and dark web. The myriad of assets that businesses place onto the public internet each and every day is truly astounding, and each of those assets – as it goes online – will have its own considerations in preventing potential exploitation.

External, proactive threat intelligence is a must-have for any security organization that hopes to protect the attack surface of its business to the best of its ability. It is key to take preventive actions that go beyond a network perimeter to be able to respond to incidents along each dynamic attack surface.

How Does EASM Work? 

EASM works by continuously monitoring and discovering public internet-facing assets for potential vulnerabilities that can be exploited as attack vectors. If this were to happen, threat actors could then also potentially breach an organization's internal attack surface.

Indeed Forrester says EASM works when “tools or functionalities that continually scan for, discover, and enumerate internet-facing assets, establish the unique fingerprints of discovered assets, and identify exposures on both known and unknown assets.” Let’s take a look at some uses cases Forrester has identified that can illustrate some specifics of EASM functionalities:

  • IT Asset discovery: Dynamically find unknown, internet-facing assets; complement on-premises asset discovery tools and processes
  • IT Asset management (ITAM): Automate the capturing and refreshing of data representing the IT asset estate; identify asset ownership 
  • Vulnerability risk management (VRM): Enumerate internet-facing assets; inform VRM teams and tools of asset exposures for remediation
  • Cloud security posture management (CSPM): Discover incorrect or weak configurations of cloud assets; identify cloud policy violations and potential compliance risks
  • Merger and acquisition due-diligence assistance: Discover and enumerate unknown internet-facing assests of acquisition target; assess the risk to determine next steps in due diligence

With these use cases, we can begin to understand just how many assets are spun up every day with the express purpose of plugging into the public-facing internet and expanding an organization's attack surface from internal to external – and therefore global. External threat intelligence feeds are critical to mitigating and stopping threats on an external attack surface.

What are the Capabilities of EASM? 

The capabilities of EASM are some we have already covered in different sections above, but we'll compile them, with some additions, here.

Curated and Fine-Tuned Detections

Depending on the provider, threat intelligence and detections engineering teams should be able to provide detections via SaaS delivery, which means access to the latest alerts, updates, and threat intel. EASM practitioners should be able to continually enrich threat-management tools with up-to-the-minute intel.

SOC Augmentation

A security operations center (SOC) can leverage an EASM platform to gain rapid access to misconfiguration data for all assets considered post-perimeter. From there, a prioritization process could be conducted to determine which assets need immediate attention. On the proactive front, EASM can be leveraged to perform threat intel gathering for red teams, blue teams, and purple teams conducting exercises.

An EASM platform should primarily be able to help practitioners gain visibility into their top external-facing assets so they can prioritize and remediate before attackers sniff out the vulnerabilities.

What are the Benefits of EASM? 

The benefits of EASM are profound and can have an incredibly positive impact on the effectiveness of proactive security measures and the overall reputation of the business. 

  • Reducing risk: Reducing the attack surface means reducing overall risk. Attack surfaces will inevitably change, so it’s important to take advantage of a solution that can perform dynamic scans in relation to external risk and telemetry that points to a potential threat or gaping vulnerability.
  • Remaining in compliance: If an EASM platform is able to identify gaps in a network’s compliance, especially as it operates in an external environment around the globe, then a security organization will have the ability to address those cloud compliance gaps and remain in compliance with both internal and external regulatory bodies.
  • Managing vulnerability: As the modern perimeter expands, new – and old – vulnerabilities become open doors for threat actors. Not all vulnerabilities will be exploited, but a security organization certainly doesn’t want to wait around to find out. Proactively managing vulnerability along an external attack surface is crucial.
  • Refining threat intelligence: By going post-perimeter with an EASM platform, it becomes more possible to mitigate threats before they have the chance to make an impact. Adding greater context to alerts and telemetry will enable a more rapid response and prioritization.
  • Operating securely in the cloud: When integrated correctly into a security organization, EASM practices should yield a thorough inventory of a business’ assets that are exposed to the public internet and also should – as previously mentioned – provide access to any misconfiguration data that would help a team respond.

Read More About Attack Surface Security 

Attack Surface Management: Latest Rapid7 Blog Posts

Rapid7 Blog: Cyber Asset Attack Surface Management 101