What is External Attack Surface Management (EASM)?

External attack surface management (EASM) is a cybersecurity approach focused on identifying, monitoring, and mitigating risks associated with data, systems, and technologies that are connected to the outside world.

An organization’s attack surface is the total set of vulnerabilities, access points, and attack vectors that bad actors can use to gain unauthorized access to systems and data. It’s what criminals target when they want to disrupt systems, steal data, extort a ransom, or take any other kind of malicious action.

Every organization has both an internal and an external attack surface. The internal attack surface comprises everything that makes up the internal network environment: infrastructure, devices, applications, users, and more.

The external attack surface, as the name suggests, is all the technology that faces—and interfaces with—the outside world via the internet, cloud services, mobile connectivity, and the like. It also includes connections to third-party suppliers, partners, vendors, and remote workers.

External attack surface management (EASM) is the process of protecting those outwardly exposed assets, resources, and technologies. It gets special attention because so many threats come from outside organizations and because the external attack surface in particular is more dynamic and complex than ever before. An organization that can proactively manage its external attack surface is able to dramatically strengthen its security posture.

External attack surface management vs. attack surface management

Attack surface management (ASM) is an umbrella term covering the total attack surface, internal and external. External attack surface management is focused on external risks only. Both types of attack surface management have three dimensions—digital, physical, and social/human—and both require a continuous, three-step process of discovery, assessment, and mitigation.

Why does EASM matter?

EASM has become increasingly important as networks have become interconnected and open. Gone are the days when gateways and firewalls could reliably keep bad guys out, backed up by routine vulnerability and penetration testing. Today, networks have fewer ‘hard borders’ to protect in those traditional ways, creating abundant new opportunities for cybercriminals to gain access to systems and data and do harm.

At the same time, enterprise IT has become highly decentralized. Business units and individual users can spin up cloud resources without any help from the IT department. Shadow IT apps and services are rampant, and many workers use personal devices on corporate networks or for work purposes.

All of this means the external attack surface has more vulnerabilities than ever before and demands a concerted, comprehensive approach to cyber risk management. EASM brings the full external attack surface into view, enabling continuous monitoring and mitigation. This allows cybersecurity teams to understand where their organizations are most at risk and to take action to do something about it.

What does EASM protect against?

Most attack vectors (methods of conducting a cyberattack) target the external attack surface. Common ones include ransomware and phishing schemes, as well as incursions intent on stealing private or high-value data, or on disrupting operational systems. EASM helps security teams shrink the external attack surface so that vectors like these have fewer opportunities to break into the enterprise environment.

EASM also equips organizations to comply with laws and regulations for privacy and data protection by providing greater visibility across the external attack surface and enabling security teams to prevent or contain breaches.

Examples of external attack surface elements

Any internet-accessible system or service can be part of the external attack surface. Every organization will have its own specific mix of devices and technologies that are outward-facing and potentially exposed. Some common ones include:

  • Web applications: Any business with an e-commerce site or booking engine is running a web application (web app). That makes web apps a big part of many organizations’ external attack surfaces, accessible to anyone with an internet connection. If a web app is misconfigured or poorly secured, a bad actor can use those vulnerabilities to deploy malware, steal data, or access back-end corporate systems that are connected to the web app.
  • Cloud services: Cloud services and virtualized infrastructure give organizations access to convenient, flexible, and highly scalable compute resources. But because they require an external network connection for an organization to use them, they are exposed and potentially vulnerable to attack. As with web apps, when cloud infrastructure is configured improperly, hackers can exploit those weaknesses.
  • Remote access systems: The explosion of remote and hybrid work during and since the pandemic requires workers to access corporate systems and data from their home networks or from potentially insecure networks on the road. The technologies used to secure those connections, such as virtual private networks (VPNs), have come to be targeted by attackers as pathways into corporate IT environments.
  • Internet of Things (IoT) devices: Many businesses and buildings are now IoT-enabled for everything from environmental controls to security systems, including workers’ homes and home offices. Those devices also make up a growing part of the external attack surface.

One other area of external exposure that organizations need to factor into their EASM strategies involves third-party vendor relationships. Many businesses depend on third parties for commercial, financial, and technical services—such as managed service providers (MSPs) for IT and payment processing partners. Any connectivity between those third parties and the organization’s IT assets can be a potential target for attackers.

How does EASM work?

Like overall attack surface management (ASM), EASM involves a continuous and repeating process of discovery, assessment, and mitigation.

Discovery

A cybersecurity platform with external attack surface management capabilities should be able to identify all outward-facing assets, including ones that may not be included in existing inventories. Assets and elements scanned for as part of the discovery process include cloud services, web apps, IP addresses, domains, and more. An EASM solution can also discover shadow IT applications in the cloud that represent total cybersecurity gaps (“unknown unknowns”).

Assessment

Following discovery, the EASM solution can then be used to assess external attack surface risks. This typically includes looking for misconfigurations, unpatched software, out-of-date systems, known and potential vulnerabilities, and more. Once vulnerabilities have been identified in this way, they can be prioritized according to their relative level of risk (known as risk scoring). This gives the organization a way of determining which risks are most urgent or significant so resources can be allocated accordingly to respond.

Mitigation

Mitigation may involve decommissioning old hardware, updating and patching software, fixing misconfigurations, bringing shadow IT applications under management, and more. As part of the ongoing EASM process, the external attack surface must be monitored continuously so that as the IT environment and threat landscape change, the organization can be proactive and maintain a strong security posture.
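
The three steps above can be sketched as a small offline script. This is an added example, not code from any EASM product: it compares constructed discovery results against a constructed inventory to flag unmanaged (shadow IT) assets, scores each asset's findings, and lists mitigation actions in priority order. The weights, names, and example.com hosts are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed weights for the finding types the Assessment step lists.
WEIGHTS = {"misconfiguration": 3, "unpatched_software": 4, "out_of_date_system": 2}
UNMANAGED_WEIGHT = 5  # assumption: an asset missing from inventory weighs most

# Mitigation actions named in the Mitigation step, keyed by finding type.
ACTIONS = {
    "misconfiguration": "fix misconfiguration",
    "unpatched_software": "update and patch software",
    "out_of_date_system": "decommission or replace old system",
    "unmanaged": "bring shadow IT asset under management",
}

@dataclass
class Asset:
    host: str
    kind: str
    findings: list = field(default_factory=list)

def assess(discovered, inventory):
    """Return (score, host, actions) tuples, highest risk first."""
    results = []
    for asset in discovered:
        findings = list(asset.findings)
        # Discovery gap: the asset is exposed but not in the known inventory.
        if asset.host.lower() not in inventory:
            findings.append("unmanaged")
        score = sum(UNMANAGED_WEIGHT if f == "unmanaged" else WEIGHTS.get(f, 1)
                    for f in findings)
        if score:  # assets with no findings need no action
            actions = [ACTIONS.get(f, "review manually") for f in findings]
            results.append((score, asset.host, actions))
    return sorted(results, key=lambda r: (-r[0], r[1]))

# Constructed sample data (example.com names are placeholders).
INVENTORY = {"shop.example.com", "vpn.example.com", "www.example.com"}
DISCOVERED = [
    Asset("www.example.com", "web app"),
    Asset("shop.example.com", "web app", ["misconfiguration"]),
    Asset("vpn.example.com", "remote access", ["unpatched_software"]),
    Asset("files-test.example.com", "cloud storage", ["misconfiguration"]),
    Asset("cam01.example.com", "IoT device", ["out_of_date_system"]),
]

if __name__ == "__main__":
    for score, host, actions in assess(DISCOVERED, INVENTORY):
        print(f"{score:>2}  {host:<24} {'; '.join(actions)}")
```

Re-running the same comparison on each new discovery result is what turns this into the continuous monitoring the process calls for.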

What are the benefits of EASM?

EASM has a number of related benefits for organizations:

  1. Visibility: EASM gives organizations a comprehensive view of their outward-facing technology assets, uncovering previously unknown vulnerabilities to enable stronger and more complete cyber defenses.
  2. Effectiveness: EASM contributes to faster and more precise incident response thanks to quicker threat detection and a fuller picture of the IT environment, making it possible to contain threats sooner and more completely.
  3. Compliance: Organizations in many sectors are required to abide by legal and regulatory frameworks for data protection and privacy. EASM supports compliance as part of a good overall cyber risk management approach.

All of these combined provide for a stronger overall security posture based on real-time intelligence and focused cybersecurity responses.

How does EASM fit with cyber risk management?

Cyber risk management is a way of improving an organization’s cybersecurity situational awareness—identifying, prioritizing, and mitigating threats. EASM is just a small part of an overall cyber risk management framework.

Generally speaking, cyber risk management aims to help organizations be more proactive about identifying and managing threats, with tailored security measures and controls to suit the specific needs, industry context, and threat environment of the business in question. Its goal is to enable real-time insight into threats through continuous monitoring and ongoing assessments, and to ensure that all employees share the same proactive cybersecurity mindset.

The phases of cyber risk management are the same as those of EASM: discovery, assessment, and mitigation.

A complete cyber risk exposure management solution will include ASM, EASM, cyber asset attack surface management (CAASM), vulnerability risk management, security posture, compliance risk quantification, and risk scoring as well as policies, procedures, and other governance-related components to ensure clear goals and consistent follow-through.

Where can I get help with EASM?

EASM is an important piece of ASM, but to build true risk resilience, organizations require a breadth of cutting-edge cyber risk exposure capabilities like EASM, cyber asset attack surface management (CAASM), vulnerability management, and security posture management. Trend Vision One offers a Cyber Risk Exposure Management solution that combines all of those capabilities to enable you to continuously monitor entry points, prioritize mitigation actions based on impact, translate risks into financial terms, and predict future threats to neutralize risks before they materialize.

Learn more about how Cyber Risk Exposure Management can help you go beyond simply managing the attack surface.