Making Sense of External Attack Surface Management: The Current and Future State of the Category

Jonathan Cran
Jan 12, 2023
Last updated: Apr 04, 2024

The external attack surface management (EASM) category came into existence as security vendors sought to close the gaps in asset visibility and vulnerability enumeration left by legacy tools that failed to adapt to the evolving dynamics of enterprise IT and the growth of digital ecosystems. Alongside the challenge of gaining visibility into unknown assets, organizations face risk introduced by third-party assets, including applications. The Google Cybersecurity Action Team (GCAT) predicts that third-party assets and dependencies within the cloud will necessitate updates to risk management programs as the rate of application adoption outpaces the speed at which the security team can perform risk assessments.

Hear from Anton Chuvakin, Security Advisor in the Google Cloud Office of the CISO, on the latest insights from the January 2023 Threat Horizons Report.

External Attack Surface Management (EASM) at Mandiant, Now Part of Google Cloud

The objective of using an EASM solution is to find unknown external assets, reduce sprawl, and inform risk management functions through continuous monitoring for faster remediation and response. At Mandiant, now part of Google Cloud, we define external attack surface management as the automated and continuous discovery of internet-facing assets and cloud resources, assessed for technology relationships and the identification of vulnerabilities, misconfigurations or exposures. Mandiant was named a large vendor in the Forrester External Attack Surface Management Landscape Report, Q1 2023, which features an overview of the EASM landscape and use cases.   

Mandiant Advantage Attack Surface Management can be purchased as a standalone module or as part of a solution of modules within the Mandiant Advantage Platform. Attack Surface Management starts with simple information about the organization (e.g., a domain, known networks, or SaaS accounts), then collects asset and exposure information about an organization’s distributed global infrastructure as an attacker would. The solution then performs extensive discovery by scanning externally facing assets and cloud resources daily to identify software, architecture, and configuration risks to your organization. In addition to the direct integration with Mandiant Advantage Threat Intelligence, Attack Surface Management aligns to the NIST National Vulnerability Database (NVD) and CISA’s Known Exploited Vulnerabilities catalog, enabling customers to prioritize based on exploitation status or the existence of exploit code.

Our customers use Attack Surface Management for a number of reasons: 

  • Assessing High-Velocity Exploit Impact: The ability to quickly assess how the latest CVEs impact external assets and where those assets reside in the ecosystem
  • Identifying Unsanctioned Resources: Daily notifications of newly discovered assets and technology vendors
  • Merger & Acquisition (M&A) Due Diligence: An outside-in view of the external security posture and risk of the company being acquired
  • Subsidiary Monitoring: Centralized visibility across portfolio companies with the ability for independent security teams to manage their own attack surface
  • Digital Supply Chain Monitoring: Inventory of the supply chain ecosystem that extends past third- and fourth-party providers

Read this blog post for a more in-depth understanding of how Mandiant Advantage Attack Surface Management enables customers to mitigate risk from the digital supply chain, M&A, and subsidiaries.

Where’s the Category Going?

As the EASM category matures and capabilities adapt to broader enterprise adoption, we expect to see the capabilities wrapped into comprehensive risk management programs that account for all digital and physical assets, threat actor targeting, and iterative prioritization within remediation workflows. Security leaders will be faced with the decision to work with platform vendors that offer multiple siloed capabilities, smaller vendors that cover a gap, or comprehensive vendors with products and services to help establish and mature programs over time. As new vendor evaluations kick off, it’s important to assess vendors for capabilities that cover the specific use cases an organization may have.