
Managing your External Attack Surface with SearchLight

Michael Marriott
November 2, 2021 | 4 Min Read

Recently we have been hearing plenty about External Attack Surface Management (EASM). While Digital Shadows focuses on digital risk protection and cyber threat intelligence, we have been providing many elements of these capabilities for several years. In this blog, we’ll outline what EASM is and how SearchLight helps. 

What is External Attack Surface Management?

According to Gartner, EASM is “the processes, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated vulnerabilities.” 

There are five core capabilities you might associate with an EASM provider:

  • Monitoring
  • Asset Discovery
  • Analysis
  • Prioritization
  • Remediation

Let’s dig into how SearchLight helps with External Attack Surface Management across each of these five areas.

Monitoring for Vulnerabilities and Weaknesses

SearchLight continually monitors for vulnerabilities on an organization’s external attack surface. These fall into three main types of alert: 

  1. Vulnerable service. SearchLight alerts when a vulnerability tied to an organization’s IP address is discovered that has an associated exploit and can be exploited remotely.  
  2. Vulnerable certificate. Alerts when a vulnerability is reported in a certificate on an organization’s domain.
  3. Report of Technical Vulnerability. Alerts when vulnerabilities are reported on social media or across bug bounty reports. 

In addition to these three types of vulnerability alerts, there are a host of weaknesses that SearchLight identifies. These include expiring or weak certificates, exposed cloud services, exposed ports, and misconfigured web servers. 

Beyond these “traditional” EASM use cases, SearchLight also identifies exposed documents on IoT devices and exposed access keys for cloud services. 

Asset Discovery

It’s all very well to identify vulnerabilities and weaknesses associated with your known assets, but what about those assets you don’t even know about yet? Organizations operate within an increasingly complex ecosystem of third and fourth party providers, which makes it difficult to understand what assets they are even trying to protect. 

When monitoring for vulnerabilities and weaknesses, SearchLight automatically discovers the IP ranges associated with an organization’s domain(s) and includes them in its scans. However, given the importance of effective asset discovery, we extended this to a dedicated “Proposed Assets” feature in 2019.

Whenever a company, brand, or domain asset is added to SearchLight, it will trigger asset discovery. Asset discovery can currently be used to find and propose domain and code repository assets.

SearchLight discovers related domains by discovering where the WHOIS registrant email matches that of an existing and active domain asset, or where the WHOIS registrant organization matches an existing and active company or brand asset. Clients have the final say over whether to add these for monitoring. If they do so, SearchLight will provide ongoing monitoring for instances of domain impersonation, exposed employee credentials, and certificate issues.

Identifying domain assets in SearchLight
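The domain-proposal rule described above, written out as an added example (my code, not SearchLight’s). It assumes the two WHOIS matching rules the post states, that inactive assets do not contribute, and that privacy-redacted registrant emails are skipped so they cannot link unrelated domains; every asset and WHOIS record is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    kind: str          # "domain", "company" or "brand"
    value: str         # domain name, or organization name for company/brand
    active: bool = True

@dataclass(frozen=True)
class WhoisRecord:   # constructed stand-in for a WHOIS lookup result
    domain: str
    registrant_email: str
    registrant_org: str

EMAIL_MATCH = "registrant email matches an active domain asset"
ORG_MATCH = "registrant organization matches an active company/brand asset"

def _norm(s: str) -> str:
    return " ".join(s.strip().lower().split())

def _usable_email(e: str) -> bool:
    # Assumption: redacted/privacy-proxy emails are shared by many unrelated
    # domains, so they must never be used as a linking key.
    e = _norm(e)
    return "@" in e and "redacted" not in e and "privacy" not in e

def propose_domains(assets, records):
    """Return {candidate_domain: reason} for domains not already tracked."""
    active = [a for a in assets if a.active]
    known_domains = {_norm(a.value) for a in active if a.kind == "domain"}
    known_orgs = {_norm(a.value) for a in active if a.kind in ("company", "brand")}
    # Registrant emails taken from the WHOIS of the active domain assets themselves
    link_emails = {_norm(r.registrant_email) for r in records
                   if _norm(r.domain) in known_domains and _usable_email(r.registrant_email)}
    proposals = {}
    for r in records:
        d = _norm(r.domain)
        if d in known_domains or d in proposals:
            continue
        if _usable_email(r.registrant_email) and _norm(r.registrant_email) in link_emails:
            proposals[d] = EMAIL_MATCH
        elif _norm(r.registrant_org) in known_orgs:
            proposals[d] = ORG_MATCH
    return proposals

# Constructed sample data: one active domain, one company, one retired domain.
ASSETS = [Asset("domain", "example.com"), Asset("company", "Example Corp"),
          Asset("domain", "old-example.net", active=False)]
RECORDS = [
    WhoisRecord("example.com", "hostmaster@example.com", "Example Corp"),
    WhoisRecord("example-shop.com", "hostmaster@example.com", "Shop Holdings"),
    WhoisRecord("example-events.org", "events@events-host.example", "EXAMPLE  corp"),
    WhoisRecord("old-example.net", "legacy@oldmail.example", "Legacy Org"),
    WhoisRecord("legacy-site.net", "legacy@oldmail.example", "Legacy Org"),
    WhoisRecord("unrelated.com", "REDACTED FOR PRIVACY", "Some Other Org"),
]
```

Running `propose_domains(ASSETS, RECORDS)` proposes example-shop.com (shared registrant email) and example-events.org (organization match, case- and whitespace-insensitive) while ignoring the retired asset’s email and the redacted record.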

Prioritization

When SearchLight users receive alerts, it’s important that these are prioritized effectively. This is particularly important for CVEs, where the CVSS score may not map to the risk posed to your specific environment. 

As outlined above, SearchLight only alerts on vulnerable services if the vulnerability has an exploit and may be exploited remotely, so that teams are not overwhelmed with too many vulnerabilities.

A Vulnerable Service alert, rated as “Very High”

There are many ways that users can make use of these risk scores. For example, email notifications may be set up to only trigger emails for “Very High” or “High” scores, helping to save inboxes.
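An added example (my code, not SearchLight’s) of the alerting rule and subscription threshold from this section, showing why a high CVSS score alone does not decide whether an alert is raised. It assumes that the CVSS v3 attack vector “AV:N” stands in for “remotely exploitable”, that risk levels follow the CVSS qualitative severity bands, and uses constructed findings with placeholder IDs.

```python
LEVELS = ["Low", "Medium", "High", "Very High"]

def parse_cvss_vector(vector: str) -> dict:
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError("only CVSS v3 vectors are handled here")
    return dict(p.split(":", 1) for p in parts[1:])

def remotely_exploitable(vector: str) -> bool:
    # Assumption: network attack vector is treated as remotely exploitable
    return parse_cvss_vector(vector).get("AV") == "N"

def should_alert(finding: dict) -> bool:
    """The post's rule: alert only if an exploit exists AND it works remotely."""
    return finding["exploit_available"] and remotely_exploitable(finding["cvss_vector"])

def risk_level(score: float) -> str:
    # Assumption: CVSS v3 qualitative bands (Critical shown as "Very High")
    if score >= 9.0:
        return "Very High"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def triage(findings, email_levels):
    """Return [(id, level, emailed)] for findings that pass the alert rule."""
    out = []
    for f in findings:
        if should_alert(f):
            lvl = risk_level(f["cvss_score"])
            out.append((f["id"], lvl, lvl in email_levels))
    return out

# Constructed findings: same score, different outcomes once the rule is applied.
FINDINGS = [
    {"id": "FINDING-1", "cvss_score": 9.8, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N", "exploit_available": True},
    {"id": "FINDING-2", "cvss_score": 9.8, "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N", "exploit_available": True},
    {"id": "FINDING-3", "cvss_score": 7.5, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N", "exploit_available": False},
    {"id": "FINDING-4", "cvss_score": 7.5, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N", "exploit_available": True},
    {"id": "FINDING-5", "cvss_score": 5.3, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N", "exploit_available": True},
]
```

With a subscription to {“Very High”, “High”}, only FINDING-1 and FINDING-4 produce emails; FINDING-2 (local only) and FINDING-3 (no exploit) never become alerts despite their scores.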

Alert email subscriptions based on risk level

Remediation

Every SearchLight alert comes alongside playbooks that provide best practices for response. SearchLight playbooks are based on the NIST “Computer Security Incident Handling Guide” (NIST Special Publication 800-61) and provide step-by-step advice to triage, evaluate, and mitigate risks. These playbooks are specific to, and available in, each risk type.

Furthermore, our integrations with ticketing platforms (such as Jira), SIEMs (such as Splunk), and SOAR platforms (such as XSOAR) enable users to streamline their response. You can read more about our suite of integrations here.

Get in touch to learn more 

Curious to learn how SearchLight can help you solve your EASM needs, alongside other TI requirements?

Set up a meeting with one of our experts to discuss your requirements.

Not ready to chat just yet? No problem, take a tour of the platform at your own pace with Test Drive.
