Recently we have been hearing plenty about External Attack Surface Management (EASM). While Digital Shadows focuses on digital risk protection and cyber threat intelligence, we have been providing many elements of these capabilities for several years. In this blog, we’ll outline what EASM is and how SearchLight helps.
What is External Attack Surface Management?
According to Gartner, EASM is “the processes, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated vulnerabilities.”
There are five core capabilities you might associate with an EASM provider:
- Asset Discovery
Let’s dig into how SearchLight helps with External Attack Surface Management across each of these five areas.
Monitoring for Vulnerabilities and Weaknesses
SearchLight continually monitors for vulnerabilities on an organization’s external attack surface. These fall into three main types of alert:
- Vulnerable service. SearchLight alerts when a vulnerability tied to an organization’s IP address is discovered that has an associated exploit and can be exploited remotely.
- Vulnerable certificate. Alerts when a vulnerability is reported in a certificate on an organization’s domain.
- Report of Technical Vulnerability. Alerts when vulnerabilities are reported on social media or across bug bounty reports.
In addition to these three types of vulnerability alerts, there are a host of weaknesses that SearchLight identifies. These include expiring or weak certificates, exposed cloud services, exposed ports, and misconfigured web servers.
Beyond these “traditional” EASM use cases, SearchLight also identifies exposed documents on IoT devices and exposed access keys for cloud services.
It’s all very well to identify vulnerabilities and weaknesses associated with your known assets, but what about those assets you don’t even know about yet? Organizations operate within an increasingly complex ecosystem of third- and fourth-party providers, which makes it difficult to understand what assets they are even trying to protect.
When monitoring for vulnerabilities and weaknesses, SearchLight automatically discovers the IP ranges associated with an organization’s domain(s) and scans them. However, given the importance of effective asset discovery, we extended this to a dedicated “Proposed Assets” feature in 2019.
Whenever a company, brand, or domain asset is added to SearchLight, it will trigger asset discovery. Asset discovery can currently be used to find and propose domain and code repository assets.
SearchLight discovers related domains by discovering where the WHOIS registrant email matches that of an existing and active domain asset, or where the WHOIS registrant organization matches an existing and active company or brand asset. Clients have the final say over whether to add these for monitoring. If they do so, SearchLight will provide ongoing monitoring for instances of domain impersonation, exposed employee credentials, and certificate issues.
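As an added illustration of the two discovery rules described above (example code, not SearchLight’s own implementation), the following Python takes a client’s existing assets and a set of constructed WHOIS records and proposes domains for review rather than adding them automatically:

```python
from dataclasses import dataclass

# Constructed sample data (not real WHOIS records): registrant details as a
# WHOIS lookup might return them for a handful of candidate domains.
WHOIS_RECORDS = {
    "example.com":       {"email": "hostmaster@example.com", "org": "Example Corp"},
    "example-login.net": {"email": "hostmaster@example.com", "org": "Privacy Proxy LLC"},
    "examplecorp.io":    {"email": "admin@registrar-privacy.test", "org": "Example Corp"},
    "unrelated.org":     {"email": "owner@unrelated.org", "org": "Unrelated Inc"},
}


@dataclass(frozen=True)
class Asset:
    kind: str          # "domain", "company" or "brand"
    value: str
    active: bool = True


def propose_domains(assets, whois):
    """Return (domain, reason) pairs for domains worth proposing, sorted by name.

    Rule 1: the candidate's registrant email matches that of an existing,
            active domain asset.
    Rule 2: the candidate's registrant organization matches an existing,
            active company or brand asset.
    Domains already monitored are never re-proposed; the client still decides
    whether any proposal is added for monitoring.
    """
    known_domains = {a.value.lower() for a in assets if a.kind == "domain" and a.active}
    known_emails = {whois[d]["email"].lower() for d in known_domains if d in whois}
    known_orgs = {a.value.lower() for a in assets
                  if a.kind in ("company", "brand") and a.active}
    proposals = []
    for domain, rec in whois.items():
        if domain.lower() in known_domains:
            continue
        if rec["email"].lower() in known_emails:
            proposals.append((domain, "registrant email matches domain asset"))
        elif rec["org"].lower() in known_orgs:
            proposals.append((domain, "registrant organization matches company/brand asset"))
    return sorted(proposals)


if __name__ == "__main__":
    assets = [Asset("domain", "example.com"), Asset("company", "Example Corp")]
    for domain, reason in propose_domains(assets, WHOIS_RECORDS):
        print(f"proposed: {domain:20} ({reason})")
```

A registrant email that belongs to a shared privacy or proxy service would match many unrelated domains under rule 1, which is one practical reason proposals are reviewed by the client before monitoring starts.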
When SearchLight users receive alerts, it’s important that these are prioritized effectively. This is particularly important for CVEs, where the CVSS score may not map to the risk posed to your specific environment.
As we outlined above, SearchLight only alerts on vulnerable services if the vulnerability has an exploit and may be exploited remotely so that teams are not overwhelmed with too many vulnerabilities.
There are many ways that users can make use of these risk scores. For example, email notifications may be set up to trigger only for “Very High” or “High” scores, helping to keep inboxes manageable.
Every SearchLight alert comes alongside playbooks that provide best practices for response. SearchLight playbooks are based on the NIST “Computer Security Incident Handling Guide” (NIST Special Publication 800-61) and provide step-by-step advice to triage, evaluate, and mitigate risks. These playbooks are specific to, and available in, each risk type.
Furthermore, our integrations with ticketing platforms (such as Jira), SIEMs (such as Splunk), and SOAR platforms (such as XSOAR) enable users to streamline their response. You can read more about our suite of integrations here.
Get in touch to learn more
Curious to learn how SearchLight can help you solve your EASM needs, alongside other TI requirements?
Not ready to chat just yet? No problem, take a tour of the platform at your own pace with Test Drive.