Priya R's Posts (80)


 

Evolving Trends in Cybersecurity: From Network Vulnerabilities to Database Security

 

The landscape of cybersecurity has undergone significant transformations over the years, reflecting the ever-changing tactics of cybercriminals and the evolving vulnerabilities in digital infrastructure. This blog explores the shifting trends in hacking methodologies, from network-level compromises to the emergence of database security as a critical concern for organizations.

 

 

Here is the verbatim discussion:

Completeness, and which also helps in the continuity. May not be the depth; as Ed mentioned, EASM is more about the breadth, but for depth you need to go for pentest. In probably a couple of decades, so if I look at the way the hacking landscape has kind of changed over a period of time, it went through a lot of interesting phases. There were times when the hacking used to happen more through compromise of the network-level vulnerabilities; then came a phase where application-level vulnerabilities took over; and then a little bit later something very strange happened. When the industry went through like two decades of vulnerability assessment, penetration testing and all this super cool stuff, we started seeing some strange stuff happening in the last few years, and I'll give you an example. One of the strange stuff is like one of the topmost names in the financial services companies got compromised because they had an open database without any password.

 

Highlights :

Historical Phases of Hacking:

  • Network-Level Vulnerabilities: In the early stages of hacking, compromises typically came through the network layer, for example exploitable services listening on exposed ports or misconfigured firewalls.
  • Rise of Application-Level Vulnerabilities: With the proliferation of web applications, hackers shifted their focus to exploiting vulnerabilities in software and web applications, such as SQL injection or cross-site scripting (XSS) attacks.
  • Decades of Vulnerability Assessment and Penetration Testing: The cybersecurity industry witnessed a surge in vulnerability assessment and penetration testing, aimed at identifying and remedying security weaknesses in digital systems.

Emerging Trends in Cyber Attacks:

  • Database Security: In recent years, the spotlight has shifted towards database security, with breaches occurring because of misconfigured or unprotected databases. The example given in the discussion is a top-tier financial services company that was compromised because it ran an open database with no password at all: not a software vulnerability, but a database reachable from the internet with access control switched off. Securing sensitive data therefore has to include the database layer itself: authentication enforced, listeners bound to private interfaces, and network exposure checked from the outside.
  • Importance of Depth in Security Measures: While external attack surface management (EASM) provides breadth in identifying digital assets and potential vulnerabilities, depth (for example penetration testing, as the discussion notes) is needed to confirm and address specific weaknesses such as database security lapses.
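The open-database case above is usually a configuration problem rather than an exploit. The following is an added example (my own illustration, not code from the webinar or from any of the speakers' companies) that puts the weak MongoDB configuration beside a hardened one and runs a small checker that flags the combination that matters: a listener bound to every interface with access control disabled. Both configuration texts are constructed; the parser handles only the two-level key/value subset mongod.conf uses, so a real audit should load the file with a YAML library.

```python
from __future__ import annotations

# Constructed mongod.conf fragments (illustrative, not from any real system).
WEAK_CONF = """\
# listens on every interface and never asks for credentials
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
# loopback only, and every connection must authenticate
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

# Bind values that mean "every interface".
PUBLIC_BIND = {"0.0.0.0", "::"}


def parse_simple_yaml(text: str) -> dict:
    """Parse the 'section:' / '  key: value' subset that mongod.conf uses.

    Kept tiny so the example runs without PyYAML; it ignores comments and
    does not handle lists, anchors or deeper nesting.
    """
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            section = key
            config.setdefault(section, {})
        elif section is not None:
            config[section][key] = value.strip()
    return config


def audit_mongod_config(text: str) -> list:
    """Return findings for an exposed or unauthenticated mongod; [] if clean."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {})
    security = cfg.get("security", {})
    findings = []

    # mongod binds to localhost only unless told otherwise.
    bind_ips = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    exposed = bind_all or any(a in PUBLIC_BIND for a in bind_ips)
    if exposed:
        findings.append("net.bindIp/bindIpAll: listens on all interfaces")

    # security.authorization defaults to disabled when the key is absent.
    auth_off = security.get("authorization", "disabled").lower() != "enabled"
    if auth_off:
        findings.append("security.authorization: not enabled (no password required)")

    if exposed and auth_off:
        findings.append("CRITICAL: network-reachable database with no access control")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_config(conf) or 'no findings'}")
```

The check is deliberately config-only: a server bound to a private address but reachable through an over-permissive firewall or cloud security group is still exposed, so a finding like this should be confirmed with an external scan of the host, which is exactly where the breadth of EASM and the depth of a targeted test meet. The same pattern applies to Elasticsearch and Redis, both of which historically shipped with authentication off by default.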

The Need for Comprehensive Security Practices:

  • Continuous Assessment and Monitoring: Organizations must adopt a proactive approach to cybersecurity, conducting continuous assessments and monitoring to identify and address vulnerabilities promptly.
  • Collaboration with Cybersecurity Experts: Cybersecurity consultants play a crucial role in guiding organizations in implementing comprehensive security practices, including database security measures and vulnerability remediation strategies.

 

As cyber threats continue to evolve, organizations must adapt their security practices to address emerging vulnerabilities effectively. From network-level compromises to database security lapses, the cybersecurity landscape demands a comprehensive approach to threat mitigation and risk management. By staying vigilant, collaborating with cybersecurity experts, and implementing robust security measures, organizations can enhance their resilience against cyber threats and safeguard their valuable data assets.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in the USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

 

Ed Adams is a seasoned software quality and security expert with over two decades of industry experience. As CEO of Security Innovation and a Ponemon Institute Research Fellow, Ed is known for his contributions to advancing cybersecurity practices. With a background spanning engineering for the US Army to senior management positions in leading tech companies, Ed brings a wealth of expertise to the table.

https://twitter.com/appsec

https://www.linkedin.com/in/edadamsboston

 

Paul DiBello, based in Duxbury, MA, US, is currently Senior Vice President, Global Business Development at ShadowDragon, bringing experience from previous roles at FireCompass, R9B, Virtru Corporation and iSIGHT Partners (a FireEye company). He holds a Bachelor of Arts (BA) in Economics from Princeton University (1986-1990). With a skill set that includes software, sales, project management, development and operations, he contributes valuable insights to the industry.

https://www.linkedin.com/in/pauldibello11

 

Tejas Shroff, based in Boston, MA, US, is currently a Software Engineer at Tangle, bringing experience from previous roles at Aperion Studios, XPO Logistics, Inc., Oculus VR and Beach Day Studios. He completed a UX Design Immersive in Design & User Experience at General Assembly (2019). With a skill set that includes leadership, social networking, start-ups, social media and teamwork, he contributes valuable insights to the industry.

https://www.linkedin.com/in/tejasshroff


 

Navigating the Cybersecurity Landscape: The Imperative of External Attack Surface Management

 

In today's rapidly evolving cybersecurity landscape, external attack surface management (EASM) has emerged as a critical strategy for organizations to safeguard their digital assets. This blog explores the significance of EASM, its key components, and the pivotal role it plays in enhancing cybersecurity resilience.

 

 

Here is the verbatim discussion:

Definitely going to be lifting that one for you and using it myself; that's a good one. And yes, I think, you know, external attack surface management is something that's been long overdue for industry coverage from the analysts. I think of attack surface as just the sum of all potential digital doorways into an enterprise, and that includes third-party suppliers, partners, cloud services from cloud service providers, work-from-home setups, everything. But of course discovery, that's just the first step. It's a critical step, but it's just the first step. Now that you've got that discovery and inventory, which by the way most organizations don't have, they have no idea, but once you've got that, then what do you do with it? You still have to classify and categorize it by risk level. With limited staff and money you have to figure out how to mitigate high risks while reducing your attack surface by maybe turning off unnecessary services or shutting down that shadow IT. But the fast adoption of things like IoT and cloud services have really made attack surface management imperative, and I'm really glad that the analyst community is finally taking a look at it. It's a critically important thing. It is a component of enterprise vulnerability management, but one thing that I think is really important for folks to understand is that application, I'm sorry, attack surface management and external attack surface management is something that has to be ongoing and persistent, because assets and staffs are ASM platform and the results of it to help streamline and focus, you know, an application or an internal security testing effort. And we're seeing a lot of organizations, you know, lead with EASM and have that really feed the rest of their security maturity in their security practices. That's excellent. Yeah, the depth and the breadth, that's really, really important. So where you can get that wide visual view that we really never have had, or we've had but it's been extremely manually intensive, now we have automated tools that can get us that platform. So that's a little bit about me. Thanks, Bikash, appreciate it. I know Bikash pretty well; we work together, he's my boss, I have to say that. Anyway, we're going to keep this very light today. I do want to say, before we get into the discussion about external attack surface management, the value proposition overall and what the industry is bearing, I'd like to do as much interaction as we possibly can. I know we have everybody muted and it's a webinar type of panel discussion and we're all on Zoom, and hopefully one day very soon we're all doing this with microphones like the old days and pass it around.

 

Highlights :

The Foundation of EASM:

  • Discovery and Inventory: EASM begins with comprehensive reconnaissance to identify all potential digital doorways into an enterprise, including third-party suppliers, partners, and cloud services.
  • Risk Classification: Once discovered, assets are categorized based on risk level, enabling organizations to prioritize mitigation efforts effectively.
  • Continuous Monitoring: EASM is an ongoing and persistent process, requiring continuous monitoring to adapt to the dynamic nature of the cybersecurity threat landscape.
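The three steps above are easiest to see as data flowing through one pipeline. The following is an added example (my own illustration, not code from the webinar, from FireCompass or from any speaker) that joins a constructed discovery result with a constructed CMDB, flags assets that nobody owns (the shadow IT the discussion mentions) and ranks everything by risk so that a small team knows where to start. Hostnames, IP addresses (taken from the documentation ranges), service banners and the port watchlist are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    ip: str
    ports: dict          # port -> observed service banner
    owner: str = None    # filled in from the CMDB; None means nobody claims it


# Constructed discovery output: what an external scan of the organisation's
# internet-facing range might report. All hosts and banners are hypothetical.
DISCOVERED = [
    Asset("www.example.com", "203.0.113.10", {443: "https nginx"}),
    Asset("mongo-dev.example.com", "203.0.113.22", {27017: "mongodb (no auth)"}),
    Asset("old-vpn.example.com", "203.0.113.30", {22: "ssh", 1723: "pptp"}),
    Asset("files.example.com", "198.51.100.5", {21: "ftp", 445: "smb"}),
]

# Constructed CMDB: what the organisation believes it owns, and who owns it.
CMDB = {"www.example.com": "web-team", "files.example.com": "it-ops"}

# Services that should not face the internet (assumed watchlist).
HIGH_RISK_PORTS = {21: "FTP", 23: "Telnet", 445: "SMB", 1723: "PPTP",
                   3389: "RDP", 6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB"}

RISK_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def classify(asset: Asset) -> tuple:
    """Return (risk level, reasons) for one discovered asset."""
    reasons = []
    unauthenticated = False
    for port, banner in asset.ports.items():
        if port in HIGH_RISK_PORTS:
            reasons.append(f"{HIGH_RISK_PORTS[port]} exposed on {port}")
        if "no auth" in banner:
            unauthenticated = True
            reasons.append(f"unauthenticated service on {port}")
    if asset.owner is None:
        reasons.append("not in CMDB: shadow IT or unknown owner")

    # An open, unauthenticated service outranks everything else; an unowned
    # asset with only benign services still deserves a ticket.
    if unauthenticated:
        return "critical", reasons
    if any(p in HIGH_RISK_PORTS for p in asset.ports):
        return "high", reasons
    if asset.owner is None:
        return "medium", reasons
    return "low", reasons


def build_inventory(discovered: list, cmdb: dict) -> list:
    """Join discovery with the CMDB and return rows sorted worst-first."""
    rows = []
    for asset in discovered:
        asset.owner = cmdb.get(asset.host)
        level, reasons = classify(asset)
        rows.append({"host": asset.host, "ip": asset.ip, "owner": asset.owner,
                     "risk": level, "reasons": reasons})
    return sorted(rows, key=lambda r: RISK_ORDER[r["risk"]])


if __name__ == "__main__":
    for row in build_inventory(DISCOVERED, CMDB):
        print(f"{row['risk']:<8} {row['host']:<24} owner={row['owner']}  "
              f"{'; '.join(row['reasons'])}")
```

The join against the CMDB is the part most organisations skip: an asset the scan found but nobody owns cannot be patched, decommissioned or even asked about, so it is flagged on its own even when its services look harmless. The watchlist is the "turn off unnecessary services" step expressed as data, and it should be tuned to what the organisation actually has a business reason to expose.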

The Value Proposition of EASM:

  • Enhanced Security Posture: By gaining visibility into their entire attack surface, organizations can proactively identify and mitigate security risks, reducing the likelihood of successful cyberattacks.
  • Streamlined Security Practices: EASM platforms provide organizations with a wide visual view of their attack surface, streamlining internal security testing efforts and improving overall security maturity.
  • Adaptation to New Threats: With the fast adoption of IoT and cloud services, EASM has become imperative for organizations to adapt to new cyber threats and vulnerabilities effectively.

The Role of Cybersecurity Consultants:

  • Cybersecurity consultants play a crucial role in guiding organizations through the implementation and optimization of EASM solutions, leveraging their expertise to tailor solutions to the organization's unique requirements.
  • Consultants assist organizations in conducting thorough reconnaissance, identifying vulnerabilities, and implementing proactive security measures to enhance cybersecurity resilience.

 

As organizations navigate the complexities of the modern cybersecurity landscape, external attack surface management emerges as a cornerstone of their cybersecurity strategy. By embracing EASM and leveraging the expertise of cybersecurity consultants, organizations can strengthen their defenses, mitigate security risks, and safeguard their digital assets effectively. With continuous advancements in EASM technology and practices, organizations can adapt to the evolving threat landscape and stay ahead of emerging cyber threats with confidence.

 


 

 

Maximizing Cybersecurity Resilience: The Evolution of External Attack Surface Management

 

In the ever-evolving landscape of cybersecurity, organizations are increasingly recognizing the importance of external attack surface management (EASM) in bolstering their defenses against cyber threats. This blog delves into the evolution of EASM, from its foundational principles to its role in proactive security monitoring, highlighting key insights from cybersecurity experts.

  

 

Here is the verbatim discussion:

By putting out a sign that yes, I've done my due diligence. So are you doing it for due diligence, or are you doing it for proactive security monitoring of your assets? That's the key. And Paul, to say that how we would have done it differently: absolutely, things would have been done so much differently had we done it right now, and I'm sure the results would have been very, very different. Sorry, Bikash, trying to say something? No, no, I'm good. Yeah, they are just scratching the surface when they think that everything happens in the clear web; so much work happens in the dark web that we are not even aware of, and that use case helped the client show what's going on in the dark web, what were their assets which were being exposed, which they were completely unaware of. That discovery helped clients know about some of the tools, some of the tools which they thought they were already no longer using, but they still had ends open sitting on the internet. And as Ed rightly mentioned, it means you can run scan exercises, you know, both from a training but from a security assessment, security penetration testing; a lot of the old monitors that have new kind of, that you have to keep up, because you have to try to stay ahead of the bad guys, right, and gals. So what are you seeing with your customer base as it relates to, okay, so I think we've beaten the concept of surface management, external attack surface management, to death, right? So it's about reconnaissance, it's about recovery, it's about discovery, it's about asset inventory, and it's about doing that continuously, right, because things are changing every day. What are your thoughts about taking that from where, what we've seen over the past number of years, some really good ASM.

 

Highlights :

Foundational Principles of EASM:

  • Reconnaissance: Conducting ongoing assessments to identify external assets, including websites, applications, and cloud services, to understand the organization's attack surface comprehensively.
  • Recovery: Implementing strategies and protocols to respond swiftly to cyber threats, minimizing the impact of potential breaches and ensuring business continuity.
  • Asset Inventory: Maintaining an up-to-date inventory of external assets, including IP addresses, domains, and subdomains, to facilitate effective security management and risk mitigation.

Proactive Security Monitoring:

  • Due Diligence vs. Proactive Security: While EASM can serve as a checkbox for due diligence, its true value lies in proactive security monitoring of assets. By continuously monitoring the external attack surface, organizations can detect and mitigate security risks in real-time, reducing the likelihood of successful cyberattacks.
  • Significance of Dark Web Monitoring: Much of the relevant activity does not happen on the clear web. In the use case described, dark web monitoring showed the client which of its assets were being exposed there, including tools it believed were decommissioned but that still had endpoints open on the internet, so EASM programmes are extending discovery to that source as well.

Role of Cybersecurity Consultants:

  • Cybersecurity consultants play a pivotal role in guiding organizations through the implementation and optimization of EASM solutions, leveraging their expertise to tailor solutions to the organization's unique requirements.
  • Consultants assist organizations in conducting thorough reconnaissance, identifying vulnerabilities, and implementing proactive security measures to enhance cybersecurity resilience.

 

As organizations navigate the complexities of the modern cybersecurity landscape, the evolution of external attack surface management emerges as a critical strategy for maximizing cybersecurity resilience. By embracing proactive security monitoring and leveraging the expertise of cybersecurity consultants, organizations can strengthen their defenses against evolving cyber threats and safeguard their digital assets effectively. With continuous advancements in EASM technology and practices, organizations can adapt to the ever-changing threat landscape and stay ahead of emerging cyber risks with confidence.

 

 

Enhancing Cybersecurity Resilience: The Role of Continuous External Attack Surface Management

 

As the cybersecurity landscape evolves, organizations face increasing threats and challenges, particularly in the era of remote work and digital transformation. In response to these challenges, Continuous External Attack Surface Management (EASM) emerges as a critical strategy to bolster cybersecurity resilience. This blog explores the key capabilities of a comprehensive EASM solution and how it can automate traditionally manual processes, with insights from cybersecurity consultants.

 

 

Here is the verbatim discussion:

Basis. There's also, there's a lot of new acronyms out there as well: continuous automated red teaming, CART; continuous automated security testing, CAST, right; automated exploitation, right. Ed talked a little bit about breach and attack simulation. Key capabilities of a full end-to-end EASM solution: what are your thoughts, Bikash, on that? And then I know that we have some folks on the phone as well that come from the consulting world, right, that are consulting, they're doing cybersecurity consulting. Talk a little bit about how you think that a comprehensive EASM slash continuous testing, you know, package could assist in potentially helping to automate what has been, let's say, automate some of what has been a traditionally manual process. Zoom. These two have basically taken over the world in the last one and a half years, because zero trust was a term which was loosely used, but all of a sudden it's become so critical, because you no longer know who's trying to connect into the network; you have to authorize, authenticate each and every person before they can get into your network. You no longer can trust anyone. Obviously Zoom, I wouldn't go into it because we are on Google Meet, so I'm not going to go and talk about Zoom, but I'm just kidding. But okay, Google's always. But this, as you said, the new normal has been working remotely, where people are working from anywhere; you no longer know where people are connecting from. To use our current discussion, the attack surface has just exp is as good as the coverage of its assets, right? If you don't have the coverage of assets then it can't do a good job, right? So that's one. The second thing which it brings is the continuity. I mean, you can do reconnaissance as a consulting exercise using a team, using open source tools, but can you do that on an hourly basis? Can you do that on a daily basis? It's not possible, right? So it complements those programs by giving you the ability to do it on a continuous basis, and today if you look.

 

Highlights :

Key Capabilities of Continuous EASM:

  • Continuous automated red teaming: Simulates real-world attack scenarios to assess security posture continuously and identify vulnerabilities proactively.
  • Continuous automated security testing: Conducts ongoing assessments of external assets, including websites, applications, and cloud services, to detect vulnerabilities and misconfigurations.
  • Automated exploitation: Automates the exploitation of identified vulnerabilities to validate their severity and prioritize remediation effectively. In practice this runs only within the agreed scope and with non-destructive checks, since the targets are production systems; a weakness that has been confirmed reachable ranks above a scanner finding nobody has validated.

Benefits of Continuous EASM:

  • Enhanced threat detection: By continuously monitoring the external attack surface, organizations can detect and respond to emerging threats in real-time, minimizing the risk of data breaches and cyberattacks.
  • Proactive risk management: Continuous EASM enables organizations to identify and mitigate security risks promptly, reducing the likelihood of exploitation and financial losses.
  • Streamlined security operations: Automation of reconnaissance, asset discovery, and vulnerability management processes streamlines security operations, freeing up resources for strategic initiatives and threat hunting.
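What "continuous" buys over a one-off consulting reconnaissance, as the discussion puts it, is the delta: after the first full inventory you mainly need to look at what changed since the last run. The following is an added example (my own illustration, not the code of any EASM product or of any speaker) that diffs two constructed daily snapshots of the external attack surface and turns the delta into prioritised alerts, using a watchlist of services that should never appear on a newly discovered public host. Hostnames, ports and the watchlist are assumptions.

```python
from __future__ import annotations

# Constructed snapshots: {hostname: {port: service}} as two consecutive daily
# discovery runs might report them. Hosts and services are hypothetical.
YESTERDAY = {
    "www.example.com": {443: "https"},
    "api.example.com": {443: "https"},
    "legacy-ftp.example.com": {21: "ftp"},
}
TODAY = {
    "www.example.com": {443: "https", 8080: "http-proxy"},   # new port on a known host
    "api.example.com": {443: "https"},
    "staging-db.example.com": {27017: "mongodb"},            # brand-new public host
    # legacy-ftp.example.com is absent: decommissioned, or just offline today
}

# Services that should not be reachable from the internet (assumed watchlist).
WATCHLIST = {21, 23, 445, 3389, 6379, 9200, 27017}

SEVERITY_ORDER = {"[HIGH]": 0, "[MEDIUM]": 1, "[INFO]": 2}


def diff_snapshots(old: dict, new: dict) -> dict:
    """Return hosts that appeared, hosts that vanished, and per-host port changes."""
    added_hosts = sorted(set(new) - set(old))
    removed_hosts = sorted(set(old) - set(new))
    changed = {}
    for host in set(old) & set(new):
        opened = sorted(set(new[host]) - set(old[host]))
        closed = sorted(set(old[host]) - set(new[host]))
        if opened or closed:
            changed[host] = {"opened": opened, "closed": closed}
    return {"added_hosts": added_hosts, "removed_hosts": removed_hosts, "changed": changed}


def alerts_for(diff: dict, new: dict) -> list:
    """Turn a diff into alert strings, worst first.

    A watchlisted service on a new or changed host is HIGH; any other newly
    opened port on a known host is MEDIUM (someone changed it, find out who);
    closures and disappearances are INFO but still worth confirming, because
    a host that is merely offline today will be back tomorrow.
    """
    alerts = []
    for host in diff["added_hosts"]:
        for port in sorted(new[host]):
            sev = "[HIGH]" if port in WATCHLIST else "[INFO]"
            alerts.append(f"{sev} new host {host} exposing {port}/{new[host][port]}")
    for host, change in diff["changed"].items():
        for port in change["opened"]:
            sev = "[HIGH]" if port in WATCHLIST else "[MEDIUM]"
            alerts.append(f"{sev} {host} opened {port}/{new[host][port]}")
        for port in change["closed"]:
            alerts.append(f"[INFO] {host} closed {port}")
    for host in diff["removed_hosts"]:
        alerts.append(f"[INFO] {host} no longer discovered (verify decommission)")
    return sorted(alerts, key=lambda a: SEVERITY_ORDER[a.split()[0]])


if __name__ == "__main__":
    for line in alerts_for(diff_snapshots(YESTERDAY, TODAY), TODAY):
        print(line)
```

Running the diff hourly or daily is cheap once the snapshots exist, which is the point the discussion makes about consultants being unable to repeat reconnaissance at that cadence by hand. The usual refinement is to suppress alerts for changes that match an approved change ticket, so the queue contains only what nobody planned.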

Role of Cybersecurity Consulting:

  • Cybersecurity consultants play a crucial role in implementing and optimizing Continuous EASM solutions, leveraging their expertise to tailor solutions to the unique needs of each organization.
  • Consultants help organizations navigate the complexities of EASM deployment, from initial assessment and tool selection to configuration, integration, and ongoing maintenance.
  • By partnering with cybersecurity consultants, organizations can maximize the effectiveness of Continuous EASM initiatives, ensuring comprehensive coverage, accurate risk assessment, and proactive threat mitigation.

 

Continuous External Attack Surface Management represents a paradigm shift in cybersecurity, offering organizations the ability to proactively manage and mitigate security risks in an increasingly dynamic threat landscape. By harnessing the key capabilities of Continuous EASM and leveraging the expertise of cybersecurity consultants, organizations can enhance their cybersecurity resilience, safeguard their digital assets, and adapt to the evolving cybersecurity landscape with confidence. As organizations embrace digital transformation and remote work, Continuous EASM emerges as a cornerstone of effective cybersecurity strategy, empowering organizations to stay ahead of emerging threats and protect their critical assets effectively.

 


 

Navigating Cybersecurity Challenges in the New Normal: The Role of External Attack Surface Management

 

In today's rapidly evolving cybersecurity landscape, organizations face unprecedented challenges, particularly in the wake of the "new normal" brought about by global events. Remote work, cloud adoption, and digital transformation have expanded the attack surface, necessitating innovative approaches to security. One such approach gaining prominence is External Attack Surface Management (EASM). In this blog, we delve into the significance of EASM in addressing cybersecurity challenges amid the new normal, exploring its key concepts, use cases, and implications for organizations.

 

 

Here is the verbatim discussion:

That's a great point. I mean, and I'll throw this out to you and maybe to Ed, before we jump into the next topic I wanted to discuss, but what do you think the uptake is in the, and I hate using this term, but everybody's using it, in this new normal world that we're living in, right, where we now have almost like the Wild Wild West again, right? We have a lot of people working from home that have never worked from home ever in their careers; the brick and mortar is now the cloud, and it's the cloud, you know, part two, three, four, five, mid-pandemic and hopefully getting toward the end, but I don't think the world's ever going to be the same from a market perspective. So Paul, what are your thoughts there? Paul, that's a great point. How I say that is the two Z's have taken and catapulted over in the A to Z of your day-to-day words, and those two Z's are: one is zero trust and one is Zoom. These two have basically taken over the world in the last one and a half years, because zero trust was a term which was loosely used, but all of a sudden it's become so critical, because you no longer know who's trying to connect into the network; you have to authorize, authenticate each and every person before they can get into your network. You no longer can trust anyone. Obviously Zoom, I won't go into it because we are on Google Meet, so I'm not going to go and talk about Zoom, but I'm just kidding. But okay, Google's always list. But this, as you said, the new normal has been working remotely, where people are working from anywhere; you no longer know where people are connecting from. To use our current discussion, the attack surface has just expanded that much more exponentially. Earlier people were working from their offices, so you had a controlled environment; now people can connect from anywhere, and that basically adds to the problem. Those discovery assets would never have been captured earlier, because now people are using BYOD, they are bringing their own devices, so they are not registered in the asset management tools, the IP addresses are not registered in the asset management tools. A lot of companies are going away from VPN, so things like the secure gateway etc. have started to take a lot of effect. Like how Bikash mentioned about CASB, similarly secure gateway also has gained a lot of prominence over the last couple of years, where people are now preferring secure gateway over VPN. So again, not here to solve the problem, I leave it to Ed, but just wanted to know the new normal has only expanded the attack surface, has created more possibilities of an attack than what we had before. Let me throw one over to Ed, and this is really for both you, Tejas and Ed, because you're

 

Highlights :

The Emergence of the New Normal:

  • Remote work, cloud migration and digitalization have decentralized the workforce and moved infrastructure from on-premises to the cloud; the two terms that dominated the period, in the panel's words, were zero trust and Zoom.
  • Zero trust moved from a loosely used buzzword to a necessity: you no longer know who is connecting or from where, so every person must be authenticated and authorized before they reach the network.
  • The attack surface grew accordingly. Employees connect from anywhere on BYOD devices that are not registered in the asset management tools, and neither are their IP addresses; many companies are moving away from VPN towards secure gateways and CASB, which changes what is exposed.

Significance of External Attack Surface Management:

  • EASM gives organizations visibility into their external attack surface: internet-facing assets, cloud services and third-party connections, including assets that never appeared in the internal inventory.
  • Continuous monitoring and assessment of that surface lets organizations find and fix unsecured assets, misconfigurations and exposed sensitive data before an attacker does.

Addressing Cybersecurity Risks:

  • EASM complements traditional controls rather than replacing them: it adds continuous external asset discovery, exposure detection and context for the vulnerability management program.
  • It surfaces shadow IT (the unregistered devices and IP addresses described above), flags exposures, and lets teams prioritize remediation by actual exposure.

Use Cases of EASM:

  • Asset Discovery: identify and categorize external assets, including websites, applications and cloud resources, and in particular those missing from the asset management tools.
  • Threat Intelligence Augmentation: correlate external attack surface data with threat intelligence so that industry-level reporting on actors and TTPs becomes a concrete statement about which of your exposed assets a given actor threatens.
  • Vulnerability Management: an asset nobody knows about cannot be in the vulnerability management program; EASM feeds newly discovered assets and exposures into it so patching and remediation can be prioritized.

 

In conclusion, EASM has become a critical strategy in the new normal. With staff connecting from anywhere on unregistered devices and VPNs giving way to secure gateways, the set of internet-facing assets an organization must defend has grown and changed shape. Continuous external discovery gives security teams the visibility to find those assets, spot exposures early and decide what to fix first.

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in the USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at forums such as TiE, RSA Conference USA and TEDx. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

 

Ed Adams is a seasoned software quality and security expert with over two decades of industry experience. As CEO of Security Innovation and a Ponemon Institute Research Fellow, Ed is known for his contributions to advancing cybersecurity practices. With a background spanning engineering for the US Army and senior management positions in leading tech companies, Ed brings broad expertise to the panel.

https://twitter.com/appsec

https://www.linkedin.com/in/edadamsboston

 

Paul DiBello, based in Duxbury, MA, US, is currently Senior Vice President, Global Business Development at ShadowDragon, bringing experience from previous roles at FireCompass, R9B, Virtru Corporation and iSIGHT Partners (a FireEye company). Paul holds a Bachelor of Arts (BA) in Economics (1986-1990) from Princeton University. With a skill set that includes software, sales, project management, development and operations, Paul contributes valuable insights to the industry.

https://www.linkedin.com/in/pauldibello11

 

Tejas Shroff, based in Boston, MA, US, is currently a Software Engineer at Tangle, bringing experience from previous roles at Aperion Studios, XPO Logistics, Inc., Oculus VR and Beach Day Studios. Tejas completed a UX Design Immersive in Design & User Experience at General Assembly in 2019. With a skill set that includes leadership, social networking, start-ups, social media and teamwork, Tejas contributes valuable insights to the industry.

https://www.linkedin.com/in/tejasshroff

 

 
 
 
 

 

Harnessing External Attack Surface Management: Advancing Cybersecurity Strategies

 

Welcome to an enlightening panel discussion on External Attack Surface Management (EASM), an essential component of modern cybersecurity. Today, we gather insights from esteemed cybersecurity leaders to explore the significance of EASM, its common use cases, and its role in augmenting threat intelligence and vulnerability management programs. Let's dive into how organizations can leverage EASM to enhance their security posture and mitigate risks effectively.

 

 

Here is the verbatim discussion:

...there you take it at a high priority, whereas a normal ping you don't take at a high priority, right? So the intelligence coming from EASM could help the SOC. The fourth use case could also be where EASM augments threat intelligence. Threat intelligence is more about actors and their TTPs at the broad industry level; how can you make it pinpointed to how that threat intelligence, that actor, poses a risk for your organization? If you can correlate that with your attack surface and the risk, then you can make it more actionable. So augmenting TI will be another. Augmenting the vulnerability management program is another use case, because if you don't know the assets you can't put them under the vulnerability management program, right? If you don't know that here is a pre-production system which is out there online and has got critical data, obviously it has gone on to take exploits in the past.

Ed, Ed Adams, I'd like to introduce you, to say a few lines about yourself, sir.

Hello, thank you Paul, welcome everyone. I am Ed Adams, I'm the president and CEO of Security Innovation, an organization that specializes in software security. I'm also a research fellow for the Ponemon Institute, and I am a leader and board member for the International Consortium of Minority Cybersecurity Professionals, otherwise known as ICMCP, in the cybersecurity program. And I'm also a board member of North Texas InfraGard, which is a collaboration between the FBI and the private sector in strengthening the processes and practices around, actually both the FBI and the Department of Homeland Security and the private sector coming together to understand the common ground and have some collaboration. So thanks Paul again for having me on the panel.

 

Highlights :

Significance of EASM:

  • EASM lets organizations proactively discover, monitor and manage their external digital footprint, including assets the internal inventory does not know about.
  • Knowing the attack surface is what makes prioritization possible: a pre-production system sitting online with critical data is only a risk you can act on once you know it exists.
  • EASM also feeds the SOC: the same probe against an asset you know to be exposed and targeted is handled at high priority, whereas a routine ping is not.

Common Use Cases:

  • Asset Discovery: EASM facilitates the identification and cataloging of external assets, including websites, applications, and cloud services.
  • Tagging and Classification: Efficient tagging of assets by type aids in prioritizing remediation efforts and streamlining security management.
  • False Positive Mitigation: EASM solutions strive to reduce false positives by accurately categorizing assets and minimizing noise in security alerts.
  • False Negative Identification: Addressing false negatives ensures comprehensive coverage of the attack surface and minimizes blind spots in security defenses.

Augmenting Threat Intelligence:

  • EASM augments threat intelligence by correlating external attack surface data with threat actor profiles and tactics, techniques, and procedures (TTPs).
  • Pinpointing specific risks posed by threat actors to the organization enhances the actionable insights derived from threat intelligence.

Enhancing Vulnerability Management:

  • EASM extends vulnerability management to assets it could not previously see; an asset you do not know about cannot be under the vulnerability management program.
  • Discovery of overlooked assets and exposures (the transcript's example is a pre-production system online with critical data) lets teams prioritize patching and remediation where the exposure is real.
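A worked example of the two use cases above (making threat intelligence actionable by joining it to your own attack surface, and feeding discovered-but-unmanaged assets into vulnerability management), plus the SOC point from the transcript that intelligence from EASM can lift a routine probe to high priority. It also serves the "Threat Intelligence Augmentation" and "Vulnerability Management" use cases listed in the previous post on this page. This is an added illustration, not code from the panel or from any EASM product: the asset list, actor names, IP ranges (TEST-NET space), technology names and scoring weights are all constructed and hypothetical.

```python
"""Correlate an EASM asset inventory with threat-intel actor profiles.

Added example, not code from the panel or from any EASM vendor. All assets,
actor profiles, IP ranges and technology names below are constructed for
illustration (TEST-NET addresses, hypothetical actor names).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    ip: str
    tech: set            # fingerprinted technologies, e.g. {"citrix-adc"}
    environment: str     # "prod", "pre-prod", ...
    in_vm_program: bool  # already covered by the vulnerability management program?


@dataclass
class ActorProfile:
    name: str
    sectors: set         # industries the actor is reported to target
    targeted_tech: set   # technologies the actor is reported to exploit
    infrastructure: list # CIDRs attributed to the actor (constructed here)


def matching_actors(asset, actors, our_sector):
    """Actors whose sector focus includes us AND who target something this asset runs."""
    return [a for a in actors
            if our_sector in a.sectors and a.targeted_tech & asset.tech]


def prioritise(assets, actors, our_sector):
    """Rank assets for the vulnerability management queue, highest risk first.

    The weights are illustrative; the point is that the ranking is driven by
    facts EASM discovered (exposure, environment, inventory gaps) joined to TI.
    """
    ranked = []
    for asset in assets:
        score, reasons = 0, []
        hits = matching_actors(asset, actors, our_sector)
        if hits:
            score += 3 * len(hits)
            reasons.append("targeted by " + ", ".join(a.name for a in hits))
        if not asset.in_vm_program:
            score += 2
            reasons.append("not in the vulnerability management program")
        if asset.environment != "prod":
            score += 1
            reasons.append(f"{asset.environment} system exposed to the internet")
        ranked.append((score, asset, reasons))
    ranked.sort(key=lambda t: t[0], reverse=True)  # stable: ties keep input order
    return ranked


def alert_priority(src_ip, dst_host, assets, actors, our_sector):
    """SOC triage: a probe from an actor's infrastructure against an asset that
    actor is known to target is 'high'; the same probe elsewhere is routine."""
    asset = next((a for a in assets if a.host == dst_host), None)
    if asset is None:
        return "medium"  # traffic to something EASM never saw: an inventory gap
    src = ipaddress.ip_address(src_ip)
    for actor in matching_actors(asset, actors, our_sector):
        if any(src in ipaddress.ip_network(c) for c in actor.infrastructure):
            return "high"
    return "low"


# Constructed sample data.
ASSETS = [
    Asset("vpn.example.com", "198.51.100.10", {"citrix-adc"}, "prod", True),
    Asset("staging-api.example.com", "198.51.100.44", {"nginx", "jenkins"}, "pre-prod", False),
    Asset("www.example.com", "198.51.100.20", {"nginx"}, "prod", True),
]
ACTORS = [
    ActorProfile("ACTOR-A (hypothetical)", {"financial-services", "healthcare"},
                 {"citrix-adc", "fortigate"}, ["203.0.113.0/24"]),
    ActorProfile("ACTOR-B (hypothetical)", {"manufacturing"},
                 {"jenkins"}, ["192.0.2.0/24"]),
]
OUR_SECTOR = "financial-services"

if __name__ == "__main__":
    for score, asset, reasons in prioritise(ASSETS, ACTORS, OUR_SECTOR):
        print(score, asset.host, "; ".join(reasons) or "no findings")
    print(alert_priority("203.0.113.7", "vpn.example.com", ASSETS, ACTORS, OUR_SECTOR))
```

The join is the point: an actor's published TTPs and infrastructure mean little until they are intersected with what EASM says you actually expose. In a real deployment the `Asset` records would come from the EASM export and the `ActorProfile` records from a TI feed; the scoring weights should be tuned to your own risk appetite.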

 

EASM gives organizations visibility into, and actionable insight about, their external attack surface. Used alongside the SOC, threat intelligence and vulnerability management, it turns industry-level intelligence into organization-specific priorities and brings unknown assets under management.

 

Speakers: the same panel as in the previous post on this page (Bikash Barai, Ed Adams, Paul DiBello, Tejas Shroff).


 

Demystifying External Attack Surface Management: Key Insights and Use Cases

 

Welcome to an insightful discussion on External Attack Surface Management (EASM) brought to you by the CISO Platform. In today's dynamic cybersecurity landscape, understanding and managing the external attack surface is paramount for organizations that want to improve their security posture. Our panelists discuss the concept of EASM, its significance, common use cases, and how it relates to industry frameworks like MITRE ATT&CK, and explore how EASM is reshaping cybersecurity strategies and preparing organizations for evolving threats.

 

 

Here is the verbatim discussion:

So the coverage of discovery is one of the things. The second thing is the false positives. So when you do EASM it's a very hard problem, because there are ephemeral IPs which are continuously changing on the cloud; how well can you discover those? Now there's no perfect solution in the world today, everybody is working towards that, but look for the false positives out there. There are, suppose, WAF IPs and CDN IPs; those are not exactly your IPs, so how does the system discover those and appropriately tag those assets? So the coverage of asset discovery is one thing; the tagging of asset discovery by type is the second thing; the third is the false positive rate over there; and the fourth thing is also going to be the false negatives: what am I missing out, what are those assets which are out there but the system is not able to discover? So this is one part. The other part is how frequently is the system doing it; I mean, how many times does the database get refreshed? Does it get refreshed every day? Who's really working on it?

But to go into that use case, I think the use case we had done for a very large client of mine: what we had done was they wanted to get an assessment done, and we did it on both sides. One from external attack surface management, where we compiled a list of external assets and approached it from the outside with the external attack surface management to identify the list of discovery; and the other one was from the bottom-up approach, using more of a security architecture, and based on that we tried to converge and come up with a point. And we added a third angle to that: for some of those external assets we even had some deep and dark web scans, and some of the results were so surprising. One thing which I found as a part of my research was almost 90% of the transactions happen in the dark web, which we are not even aware of, and a lot of people are just scratching the surface when they think that everything happens in the clear web. So much work happens in the dark web that we are not even aware of, and that use case helped the client show what's going on.

...sales and business development, business partnerships here at FireCompass. I have the distinct honor today of hosting what I hope, and I know, will be a very informative and interactive panel with some very talented cybersecurity leaders. This session, just so everybody knows, has been organized by the CISO Platform. The topic for our discussion today: why is the Gartner Group talking about external attack surface management, a new acronym that we're all going to start to see (we don't have enough acronyms in our business, right, our industry?), so-called EASM. So our panelists will give you some critical insights, common use cases, talk a little bit about some comparisons and contrasts with a lot of the different types of Gartner and industry, Forrester and industry acronyms that we see out there as it relates to the concept of attack surface recon and surface management, as well as exploitation and continuous testing, and talk a little bit about how it relates to the MITRE ATT&CK framework. This session today will be a precursor to the 13th annual CISO Platform Summit, which will take place next week on, I believe, June the 2nd and 3rd, so it's a little teaser in advance of the sessions that we'll all be a part of next week. We're going to touch upon understanding a little bit about this, especially where we are in our crazy...

 

Highlights :

Significance of EASM:

  • EASM involves reconnaissance, discovery, and continuous testing of an organization's external digital footprint.
  • Understanding the external attack surface is crucial for identifying vulnerabilities, mitigating risks, and fortifying cyber defenses.
  • EASM complements traditional security measures by providing a proactive approach to threat detection and response.

Common Use Cases:

  • Asset Discovery: EASM tools enable organizations to identify and catalog external assets, including websites, applications, and cloud services.
  • Tagging and Classification: Efficient tagging of discovered assets by type helps prioritize remediation efforts and streamline security management.
  • False Positive Mitigation: EASM solutions aim to reduce false positives by accurately identifying and categorizing assets, minimizing noise in security alerts.
  • False Negative Identification: Organizations must address false negatives to ensure comprehensive coverage of their external attack surface and minimize blind spots.
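The four quality questions above (coverage, tagging by type, false positives, false negatives) and the refresh-frequency question from the transcript can be turned into a repeatable measurement. The following is an added example, not from the panel or from any vendor: it compares a constructed EASM export with a constructed bottom-up inventory, tags each discovered IP by whether it sits in our own ranges, a CDN/WAF range or private address space, and reports the buckets. The apex domains, IP ranges (TEST-NET and RFC 1918) and dates are assumptions; replace the CDN/WAF ranges with your provider's published prefixes.

```python
"""Score an EASM discovery export against a ground-truth inventory.

Added example, not from the panel or any vendor. The discovery export, the
inventory, the apex domains and the IP ranges are all constructed (TEST-NET
and RFC 1918 space); replace the CDN/WAF ranges with your provider's published
prefixes.
"""
import ipaddress
from datetime import date

APEX_DOMAINS = {"example.com", "example.net"}                 # domains we own (constructed)
OWNED_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]    # our registered IP space
CDN_WAF_RANGES = [ipaddress.ip_network("203.0.113.0/24")]     # hypothetical CDN/WAF provider


def norm(host):
    return host.strip().lower().rstrip(".")


def in_scope(host):
    """True if the hostname is under one of our apex domains (label-boundary check)."""
    return any(host == apex or host.endswith("." + apex) for apex in APEX_DOMAINS)


def ip_tag(ip):
    """Where does the IP live? Drives how a record is interpreted."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in CDN_WAF_RANGES):
        return "cdn-or-waf"          # fronted: the hostname is ours, the IP is the provider's
    if any(addr in n for n in OWNED_PREFIXES):
        return "owned-ip"
    if addr.is_private:
        return "internal-leak"       # private address published in DNS: misconfiguration
    return "third-party-hosting"     # cloud/ephemeral or someone else's: confirm ownership


def evaluate(discovered, ground_truth, as_of, max_age_days=7):
    """discovered: (hostname, ip, last_seen) triples from the EASM tool.
    ground_truth: hostnames the bottom-up inventory knows about.
    Returns coverage plus the buckets the panel asks about, and stale records."""
    truth = {norm(h) for h in ground_truth}
    report = {"true_positive": [], "shadow_it": [], "false_positive": [],
              "false_negative": [], "stale": []}
    seen = set()
    for host, ip, last_seen in discovered:
        h = norm(host)
        seen.add(h)
        if (as_of - last_seen).days > max_age_days:
            report["stale"].append(h)                          # refresh-cadence question
        if not in_scope(h):
            report["false_positive"].append((h, ip_tag(ip)))   # attributed to us, not ours
        elif h in truth:
            report["true_positive"].append(h)
        else:
            report["shadow_it"].append((h, ip_tag(ip)))        # ours, but the inventory missed it
    report["false_negative"] = sorted(truth - seen)            # exists, the tool missed it
    report["coverage"] = len(report["true_positive"]) / len(truth) if truth else 1.0
    return report


# Constructed discovery export and inventory.
DISCOVERED = [
    ("www.example.com", "203.0.113.10", date(2021, 5, 27)),
    ("vpn.example.com", "198.51.100.5", date(2021, 5, 27)),
    ("old-test.example.net", "198.51.100.77", date(2021, 5, 20)),
    ("shop.othercorp.test", "203.0.113.10", date(2021, 5, 27)),  # neighbour on the shared CDN IP
    ("intranet.example.com", "10.0.4.2", date(2021, 5, 27)),
]
GROUND_TRUTH = ["www.example.com", "vpn.example.com", "mail.example.com"]
AS_OF = date(2021, 5, 28)


def run_example():
    return evaluate(DISCOVERED, GROUND_TRUTH, AS_OF)


if __name__ == "__main__":
    for key, val in run_example().items():
        print(f"{key}: {val}")
```

Two things the numbers do not settle by themselves: a CDN/WAF address under one of your hostnames is a fronted asset, not noise, while the same address under a stranger's hostname is the classic shared-IP false positive; and an in-scope host the inventory lacks is shadow IT until someone confirms otherwise. Run it after every refresh to see whether coverage and staleness are trending the right way.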

Real-World Example:

  • For a large client, the assessment was done from both sides: outside-in, compiling the external asset list with EASM, and bottom-up from the security architecture, then converging the two views.
  • A third angle added deep and dark web scans for some of the external assets, which produced surprising results; the speaker's own research suggests a large share of relevant activity (he cites almost 90% of transactions) happens on the dark web rather than the clear web.
  • The combined view showed the client what was going on beyond the assets they already knew about.

Role in Cybersecurity Strategy:

  • EASM supplies the continuous discovery and external intelligence that the rest of the program (SOC, threat intelligence, vulnerability management) builds on.
  • The host frames EASM alongside the other Gartner and Forrester acronyms for attack surface recon, surface management, exploitation and continuous testing, and the session was set up to touch on how it relates to the MITRE ATT&CK framework.
  • When evaluating a tool, ask the transcript's questions: how good is discovery coverage, how well are assets tagged by type, what is the false positive rate, what is being missed, and how often is the data refreshed.

 

Judging an EASM program comes down to the questions raised in this session: discovery coverage, tagging by type, the false positive rate, the false negatives, and how often the data is refreshed. Combining outside-in discovery with a bottom-up architecture review, plus deep and dark web monitoring where warranted, gave one client a far more complete picture than either view alone.

 

Speakers: the same panel as in the first post on this page (Bikash Barai, Ed Adams, Paul DiBello, Tejas Shroff).


 

Maximizing Cybersecurity Resilience: Leveraging External Attack Surface Management

 

In today's rapidly evolving cybersecurity landscape, organizations face constant challenges in managing their external attack surface and mitigating potential risks. One approach gaining prominence is External Attack Surface Management (EASM), which encompasses reconnaissance, discovery, and continuous testing of digital assets. This blog explores the evolution of EASM, its integration with other security tools, and its role in maximizing cybersecurity resilience.

 

 

Here is the verbatim discussion:

...of the world that you live in every day, right? Security Innovation, NT Data: you have a lot of large clients, you do a lot of services engagements as it relates to cyber exercises; you do both, from a training but also from a security assessment, security penetration testing, all of the old monitors that have a new kind of, that you have to keep up with, because you have to try to stay ahead of the bad guys, right, and gals. So what are you seeing with your customer base as it relates to, okay, so I think we've beaten the concept of surface management, external attack surface management, to death, right? So it's about reconnaissance, it's about recovery, it's about discovery, it's about asset inventory, and it's about doing that continuously, right, because things are changing every day. What are your thoughts, Ed, about taking that from what we've seen over the past number of years, some really good ASM and EASM products out there, to the concept of continuous testing as well, right? So that's a biggie, right? And I'm using the word testing to be very generic on purpose, right: there's testing, there's red teaming, there's attacking, you know, which again is the big red button that everybody's been afraid of forever. What are your thoughts on the evolution there? What are your clients saying to you about this kind of thing?

Yeah, so what I see as a growing trend: I do see things like attack simulation, hitting that big red attack button. I do think that's a natural extension for some of these EASM platforms. EASM is sometimes confused with BAS, or breach and attack simulation, but it should not be. Breach and attack simulation does not do that kind of scanning and reporting; what it does is that continuous testing of security controls by automating simulated attacks, using techniques similar to those found in the MITRE ATT&CK framework, which I think we're going to be talking about a little bit later on. But BAS deployments historically are much more complex; they usually require some type of agent, or maybe multiple agents, to be installed in the corporate network, and BAS is still pretty immature in terms of its value versus other existing methods, like internal vulnerability scanning and penetration testing. So I think the value of BAS in and of itself is still to be determined, and I see it being consumed within an attack surface management type of platform, maybe starting from the outside and then just kind of expanding naturally internally. I still think that attack surface management has a very, very long runway. Most of our clients still cannot accurately say how many assets they have, and it does change every single day. So we're presently trying to sell them on the concept of not just attack surface management but that perpetual, continuous, automated kind of red teaming, and the value of it, because, let me put it this way: your infrastructure and endpoints are being tested continuously; your choice is whether you want to do it as well, because someone is already doing it, guaranteed. So I definitely see the trend of these platforms kind of merging, and I think EASM will eventually, might morph into ASM.

Right, so I think it makes it louder, but I don't know, I'm not, anybody answer that. How does EASM, in your mind, I'm going to throw this out to Tejas, how would this type of security offering, external attack surface management, complement other security tools that have been deployed?

Well, so what I would take and say is compare it with something like digital risk protection. So if you look at EASM, that focuses more on the discovery aspects; that's like Bikash mentioned, that's primarily more on the recon side. Well, something like digital risk protection provides you a 360-degree view; it also does a takedown. But yeah, EASM as it stands, like Paul, you rightly mentioned in the BF analogy, right, it's not replacing or taking away your speaker and creating a new one; it's not doing something which has not been done before. It's just possibly providing some method to the madness and organizing things better, so that we understand to treat the external attacks differently and the external assets differently.

 

Highlights :

Evolution of EASM:

  • EASM covers reconnaissance, discovery, asset inventory and, increasingly, continuous testing of an organization's external footprint, done continuously because that footprint changes every day.
  • Newer acronyms sit next to it: continuous automated red teaming (CART), continuous automated security testing (CAST) and automated exploitation. Ed Adams sees attack simulation, "hitting the big red attack button", as a natural extension of EASM platforms, and expects EASM to merge into broader attack surface management (ASM) over time.
  • Most clients still cannot say accurately how many assets they have, so plain attack surface management has a very long runway before continuous testing is routine.

Complementing Security Tools:

  • EASM is not the same as breach and attack simulation (BAS). BAS continuously tests security controls by automating simulated attacks with techniques similar to those in MITRE ATT&CK; it does not do EASM-style scanning and reporting, it usually needs one or more agents inside the corporate network, and its value relative to internal vulnerability scanning and penetration testing is still unproven.
  • Compared with digital risk protection (DRP), EASM concentrates on the discovery and reconnaissance side, while DRP offers a 360-degree view and also handles takedowns.
  • EASM does not do anything that has never been done before; it adds method to the madness by organizing external assets so they are treated differently from internal ones, alongside the tools already deployed.

Continuous Testing and Automation:

  • Continuous testing extends EASM from knowing the assets to continuously testing them, whether that is called testing, red teaming or attacking.
  • The argument for it: your infrastructure and endpoints are already being tested continuously by someone else, so the only choice is whether you test them as well.
  • Automation is what keeps reconnaissance and the inventory current when assets change daily.

Maximizing Cybersecurity Resilience:

  • Managing the external attack surface proactively, and testing it continuously, shrinks the window in which an unknown or exposed asset can be found and used by an attacker.
  • The outside-in view of EASM is the natural starting point, with testing expanding inward from there as the platforms converge.

 

As external footprints change daily, organizations need continuous discovery of what they expose, and increasingly continuous testing of it. EASM complements rather than replaces tools such as DRP and BAS; its contribution is an accurate, current external inventory on which testing and remediation can be prioritized.

 
 
Speakers: the same panel as in the first post on this page (Bikash Barai, Ed Adams, Paul DiBello, Tejas Shroff).

 

Enhancing Cybersecurity with Open Source Tools in External Attack Surface Management

 

In the ever-evolving landscape of cybersecurity, organizations are constantly seeking effective solutions to manage their external attack surface and mitigate risks. One approach gaining traction is the utilization of open-source tools for reconnaissance and asset discovery. In this blog, we'll explore the value proposition of leveraging open-source intelligence in external attack surface management (EASM) and its role in enhancing cybersecurity resilience.

 

 

Here is the verbatim discussion:

...basis. There's also this, there are a lot of new acronyms out there as well: continuous automated red teaming, CART; continuous automated security testing, CAST, right; automated exploitation, right. Ed talked a little bit about breach and attack simulation. Key capabilities of a full end-to-end EASM solution: what are your thoughts, Bikash, on that? And then I know that we have some folks on the phone as well that come from the consulting world, right, that are doing cybersecurity consulting. Talk a little bit about how you think a comprehensive EASM slash continuous testing package could assist in potentially helping to automate some of what has been a traditionally manual process.

A little bit about me. Thanks Bikash, appreciate it. I know Bikash pretty well, we work together, he's my boss, I have to say that: B, you're the man. Anyway, we're going to keep this very light today. I do want to say, before we get into the discussion about external attack surface management, the value proposition overall and what the industry is bearing, I'd like to do as much interaction as we possibly can. I know we have everybody muted and it's a webinar type of panel discussion, and we're all on Zoom, and hopefully one day very soon we're all doing this with microphones like the old days and pass it around the auditorium. But any questions that anybody might have, please make this as interactive as you possibly can; throw it into the chat.

...which could also be part of, suppose, picking up open source tools. So let me start with open source tools, what you can do with open source tools, and I will also talk later on about the other technologies which are out there available. So if you look at EASM, the primary capability is nothing but reconnaissance, right? And if you try to find out the reconnaissance tools which are out there, if you just do a Google search, you will find more than 500 such reconnaissance tools which are out there, which can help you to discover various types of assets, which can help you to do subdomain discovery, etc. So I'm not naming all these tools; largely these are various small tools which you can tie together, string together and use, or a consultant could use. So you can use these reconnaissance tools, but these tools are not good enough. Along with the reconnaissance tools you also need a lot of data; for example, you need the IP WHOIS information of the entire globe, then you'll be able to pinpoint your assets in a more accurate manner. So you also need to get all this WHOIS information, the domain registration details. Now this data, unfortunately, you can't get everything for free; some of this data you have to buy. You need dark web information, which could also be utilized as a part of reconnaissance. So there is all this data which is out there which you need. Now the next part is, using these tools and this data, you may initially just focus on open source intelligence; don't buy any kind of data which is proprietary or which companies are selling. So I think that's a good start, where you can start with all these open source tools.

 

Highlights:

Open Source Tools for Reconnaissance:

  • Reconnaissance tools play a crucial role in discovering assets, subdomains, and other digital footprints across the internet.
  • A plethora of open-source reconnaissance tools are available, offering functionalities such as subdomain discovery, WHOIS information retrieval, and domain registration details.
  • Leveraging these tools allows organizations to gain comprehensive visibility into their external attack surface without significant financial investment.

Data Acquisition and Analysis:

  • In addition to reconnaissance tools, organizations need access to relevant data sources such as WHOIS information, IP geolocation data, and dark web intelligence.
  • While some data sources may require purchase, organizations can initially focus on leveraging freely available open-source intelligence (OSINT) to kickstart their EASM efforts.
  • Open-source threat intelligence feeds and OSINT platforms provide valuable insights into emerging threats and adversary tactics, enabling proactive defense strategies.

Integration and Automation:

  • Integrating open-source tools and data sources into EASM workflows enhances automation and scalability.
  • Organizations can utilize APIs and scripting languages to automate data retrieval, analysis, and reporting processes, streamlining EASM operations.
  • By harnessing the power of open-source technologies, organizations can build cost-effective and scalable solutions tailored to their specific cybersecurity requirements.

Collaboration and Knowledge Sharing:

  • The cybersecurity community thrives on collaboration and knowledge sharing, with numerous forums, communities, and repositories dedicated to open-source cybersecurity tools and techniques.
  • Engaging with the open-source community allows organizations to leverage collective expertise and stay abreast of the latest developments in EASM and threat intelligence.

 

Open-source tools offer a wealth of opportunities for organizations seeking to enhance their external attack surface management capabilities. By leveraging freely available reconnaissance tools, data sources, and threat intelligence feeds, organizations can gain comprehensive visibility into their digital footprint and proactively mitigate cyber risks. Moreover, integrating open-source technologies fosters collaboration, innovation, and scalability, empowering organizations to build robust EASM solutions tailored to their cybersecurity needs. Embracing open-source intelligence in EASM represents a cost-effective and agile approach to bolstering cybersecurity resilience in today's threat landscape.
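To make the "tools plus data" point concrete, here is an added Python example (not code from the post, from FireCompass, or from any tool the speakers mention) that merges three constructed reconnaissance outputs, a subdomain-tool list, passive-DNS style records and WHOIS-style registration records, into one deduplicated, scope-filtered asset inventory. The apex domains, hostnames, addresses and registrant names are placeholders made up for the example; what it shows is the normalization, scope filtering, enrichment and corroboration a defender applies before trusting any single tool's output.

```python
"""Merge several reconnaissance outputs into one external asset inventory.

Added example: not code from the post or from any recon tool it mentions.
Every hostname, IP, apex domain and registrant below is a constructed
placeholder (RFC 5737 documentation addresses, example.* domains).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
import ipaddress

# Assumption: the apex domains the organization actually owns (the scope).
IN_SCOPE_APEX = {"example.com", "example.net"}

# Constructed output of a subdomain-enumeration tool: mixed case, trailing
# dots, duplicates and an out-of-scope host are typical of raw tool output.
SUBDOMAIN_TOOL_OUTPUT = """\
www.example.com
API.Example.com.
dev.example.com
www.example.com
cdn.notours.org
"""

# Constructed passive-DNS style records: (name, record type, value).
PASSIVE_DNS = [
    ("api.example.com", "A", "203.0.113.10"),
    ("dev.example.com", "A", "198.51.100.7"),
    ("legacy.example.net", "A", "203.0.113.22"),
    ("api.example.com", "A", "203.0.113.11"),
    ("mail.example.com", "MX", "mx1.example.com."),
]

# Constructed WHOIS-style registration data, keyed by apex domain.
WHOIS_RECORDS = {
    "example.com": {"registrant": "Example Corp", "expires": "2025-01-01"},
    "example.net": {"registrant": "Example Corp", "expires": "2024-06-30"},
}


@dataclass
class Asset:
    hostname: str
    apex: str
    ips: Set[ipaddress.IPv4Address] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)
    registrant: Optional[str] = None


def normalize_hostname(raw: str) -> str:
    """Lower-case and strip whitespace and the trailing root dot."""
    return raw.strip().rstrip(".").lower()


def apex_of(hostname: str) -> Optional[str]:
    """Return the in-scope apex a hostname belongs to, else None.

    Assumes two-label apexes (example.com); a real inventory would use the
    public suffix list to handle names such as example.co.uk.
    """
    labels = hostname.split(".")
    if len(labels) < 2:
        return None
    apex = ".".join(labels[-2:])
    return apex if apex in IN_SCOPE_APEX else None


def build_inventory(subdomain_text: str, passive_dns, whois) -> Dict[str, Asset]:
    """Union the sources, dropping out-of-scope names and exact duplicates."""
    inventory: Dict[str, Asset] = {}

    for line in subdomain_text.splitlines():
        host = normalize_hostname(line)
        apex = apex_of(host) if host else None
        if apex is None:
            continue  # not our domain: never inventory (or assess) someone else's asset
        inventory.setdefault(host, Asset(host, apex)).sources.add("subdomain-tool")

    for name, rtype, value in passive_dns:
        host = normalize_hostname(name)
        apex = apex_of(host)
        if apex is None or rtype != "A":
            continue  # only A records carry an address we can attribute
        asset = inventory.setdefault(host, Asset(host, apex))
        asset.sources.add("passive-dns")
        asset.ips.add(ipaddress.ip_address(value))

    for asset in inventory.values():  # enrich with registration data
        record = whois.get(asset.apex)
        if record:
            asset.registrant = record["registrant"]
    return inventory


def unresolved(inventory: Dict[str, Asset]) -> List[str]:
    """Hosts with no address yet: still need resolution before assessment."""
    return sorted(h for h, a in inventory.items() if not a.ips)


def uncorroborated(inventory: Dict[str, Asset]) -> List[str]:
    """Hosts seen by a single source: verify before treating as a real asset."""
    return sorted(h for h, a in inventory.items() if len(a.sources) == 1)


if __name__ == "__main__":
    inv = build_inventory(SUBDOMAIN_TOOL_OUTPUT, PASSIVE_DNS, WHOIS_RECORDS)
    for host, asset in sorted(inv.items()):
        print(host, sorted(map(str, asset.ips)), sorted(asset.sources), asset.registrant)
    print("unresolved:", unresolved(inv))
    print("single-source:", uncorroborated(inv))
```

The two report functions are where the speaker's "tools are not good enough on their own" remark lands in practice: a host named by only one tool, or one with no address, is a lead to verify, not yet an asset to put in front of an active assessment.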

  
 

Speakers:

Bikash Barai is credited with several innovations in the domain of network security and anti-spam technologies and holds multiple patents in the USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums such as TiE, RSA Conference USA and TEDx. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and is now part of Synopsys. iViZ was the first company in the world to take ethical hacking (or penetration testing) to the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

 

Ed Adams is a seasoned software quality and security expert with over two decades of industry experience. As CEO of Security Innovation and a Ponemon Institute Research Fellow, Ed is renowned for his contributions to advancing cybersecurity practices. With a diverse background spanning engineering for the US Army to senior management positions in leading tech companies, Ed brings a wealth of expertise to the table.

https://twitter.com/appsec

https://www.linkedin.com/in/edadamsboston

 

Paul DiBello, based in Duxbury, MA, US, is currently Senior Vice President of Global Business Development at ShadowDragon, bringing experience from previous roles at FireCompass, R9B, Virtru Corporation and iSIGHT Partners (a FireEye company). He holds a Bachelor of Arts (BA) in Economics (1986-1990) from Princeton University. With a skill set that includes software, sales, project management, development and operations, he contributes valuable insights to the industry.

https://www.linkedin.com/in/pauldibello11

 

Tejas Shroff, based in Boston, MA, US, is currently a Software Engineer at Tangle, bringing experience from previous roles at Aperion Studios, XPO Logistics, Inc., Oculus VR and Beach Day Studios. He holds a 2019 UX Design Immersive in Design & User Experience from General Assembly. With a skill set that includes leadership, social networking, start-ups, social media and teamwork, he contributes valuable insights to the industry.

https://www.linkedin.com/in/tejasshroff

 


Enhancing Cybersecurity with Modern Techniques and Procedures


In today's dynamic cybersecurity landscape, traditional security measures are no longer sufficient to combat evolving threats. As organizations strive to fortify their defenses, they must adopt new tools, techniques, and procedures (TTPs) to stay ahead of adversaries. In this blog, we'll explore the significance of modern TTPs and their role in bolstering cybersecurity resilience.

 

 

 

Here is the verbatim discussion:

...the reconnaissance, the discovery, the inventory, right? And then they say, here you go, right, Mr. or Miss Customer, it's yours now, right, so have at it, right? But I think there are other tools, some newer tools and techniques and procedures, to where it's not good enough, right, Tejas, it's not good enough to just be able to say I think that door is unlocked and if I go like this I might be able to get inside, but I'm not going to touch it because that would be...

...happy to be on this panel. Thank you, Ed, thanks very much, appreciate it, it's great to have you here in beautiful Boston, Massachusetts, it's great. Our next panelist is Tejas Shroff. Tejas is out of the Dallas Fort Worth area today; again we're representing my old stomping grounds down there. Tejas, just a few words about yourself, sir.

Yes, I'm a senior director in the cloud security managed practice at entity data, but before that almost 20 plus years in the security industry. I'm also a faculty at UT Dallas teaching master's students, especially in the cyber security program. And I'm also a board member of North Texas InfraGard, which is a collaboration between FBI and private sector in strengthening the processes and practices around, both FBI, actually Department of Homeland Security, and private sector coming together to understand the common grounds and have some collaboration. So thanks, Paul, again for having me on the panel.

Thanks, Tejas, really appreciate it, look forward to seeing it down in Texas in Father's Day week, appreciate it. Absolutely. And our third panelist is Bikash Barai...

...Bikash, again I'm just focusing on consulting right now, right, in that world. Ed, you, and you know, Tejas, you live in that world because you have practices that are focused on that. So making the human smarter as it relates to some of the automation and allowing them to focus on the stuff that the client really needs, which is that repeatable process and that continuous security architecture design or whatever it might be. So talk a little bit, Bikash, about key capabilities of a holistic program and then maybe some of the nuances therein from an overall market perspective.

Sure, sure. So if you look at EASM, and these terminologies are kind of created by different groups, right, you have EASM, you have BAS, and there's some overlap there, you have ASM which is there. Let me talk about it as a broad concept, like what are the key capabilities that one should look for. So one of the primary capability...

 

Highlights:

The Evolution of Cyber Threats:

  • Cyber threats have evolved from simple network vulnerabilities to sophisticated zero-day attacks and advanced persistent threats (APTs).
  • Traditional security approaches like vulnerability assessments and penetration testing are essential but may not adequately address the complexity of modern threats.

New Tools and Techniques:

  • External Attack Surface Management (EASM): EASM solutions provide comprehensive visibility into an organization's external attack surface, including cloud resources, applications, and APIs.
  • Continuous Automated Red Teaming (CART): CART platforms simulate real-world attacks to identify vulnerabilities and assess the effectiveness of security controls.
  • Threat Intelligence Feeds: Leveraging threat intelligence feeds allows organizations to stay informed about emerging threats and adversary tactics, enabling proactive defense strategies.

Proactive Defense Strategies:

  • Active Defense Measures: Organizations can proactively defend against threats by implementing active defense measures such as threat hunting, deception technologies, and automated incident response.
  • Purple Teaming: Purple teaming exercises facilitate collaboration between red and blue teams to improve security posture and response capabilities.
  • Continuous Security Monitoring: Continuous monitoring of networks, endpoints, and cloud environments enables organizations to detect and respond to threats in real time.

Integrating Frameworks and Standards:

  • MITRE ATT&CK Framework: Organizations can leverage the MITRE ATT&CK framework to map adversary tactics and techniques, enhancing threat detection and response capabilities.
  • Compliance and Regulatory Standards: Adhering to industry-specific regulations and standards ensures that organizations maintain a robust security posture and protect sensitive data.

 

In an era of escalating cyber threats, organizations must embrace modern tools, techniques, and procedures to strengthen their cybersecurity defenses. By leveraging advanced technologies like EASM, CART, and threat intelligence feeds, organizations can proactively identify and mitigate risks before they escalate into full-blown cyber incidents. Moreover, integrating frameworks like MITRE ATT&CK and complying with regulatory standards enhances organizational resilience and fosters a culture of cybersecurity excellence. As organizations navigate the complex cybersecurity landscape, embracing modern TTPs remains imperative in safeguarding digital assets and mitigating cyber risks effectively.

 


 


Enhancing Cybersecurity Resilience with External Attack Surface Management


In today's ever-evolving cybersecurity landscape, organizations face an array of threats that require proactive and robust defense mechanisms. External Attack Surface Management (EASM) emerges as a critical component in fortifying organizational defenses by providing visibility into external assets, vulnerabilities, and potential threats. In this blog, we explore the significance of EASM and its key capabilities in mitigating cyber risks and enhancing overall security postures.

  

 

Highlights:

Understanding the Evolution of Cyber Threats:

  • The cybersecurity landscape has evolved significantly over the past decades, with threats ranging from network-level vulnerabilities to sophisticated zero-day attacks.
  • Traditional security measures like Dynamic Application Security Testing (DAST) and penetration testing are essential but may not adequately address the breadth and depth of modern cyber threats.

Key Capabilities of EASM:

  • Asset Discovery: EASM solutions enable comprehensive discovery of external assets, including cloud resources, applications, APIs, and subdomains.
  • Active Assessment: By simulating real-world attacks, EASM platforms identify vulnerabilities and assess the efficacy of security defenses.
  • Integration with MITRE ATT&CK: Leveraging frameworks like MITRE ATT&CK provides actionable insights into adversary tactics, enhancing defensive strategies.

Complementing Security Practices:

  • EASM serves as the "tip of the spear" in cybersecurity defense, providing organizations with a broad view of their external attack surface.
  • It complements traditional security practices like threat intelligence feeds, Security Information and Event Management (SIEM), and cloud security solutions.
  • By streamlining investigation and remediation processes, EASM enhances organizational resilience and accelerates response to discovered vulnerabilities.

 

In the face of evolving cyber threats, organizations must adopt proactive measures to safeguard their digital assets. EASM emerges as a cornerstone of modern cybersecurity, offering unparalleled visibility and risk mitigation capabilities. By leveraging EASM solutions and integrating frameworks like MITRE ATT&CK, organizations can strengthen their defenses and stay ahead of cyber adversaries. As organizations navigate the complex cybersecurity landscape, EASM remains a vital tool in their arsenal, empowering them to mitigate risks and protect their most valuable assets.

 


 


Navigating the Ever-Evolving Cybersecurity Landscape: Insights from External Attack Surface Management


In the intricate realm of cybersecurity, vigilance is paramount. As the digital landscape continues to evolve, organizations face a myriad of threats, from network vulnerabilities to sophisticated zero-day attacks. In this blog, we delve into the dynamic nature of cybersecurity threats and explore the role of External Attack Surface Management (EASM) in fortifying organizational defenses. Join us as we unravel the complexities of the cybersecurity landscape and discover how EASM strategies can mitigate risks and enhance security postures.

 

 

 

Here is the verbatim discussion:

...is causing a large organization to get breached, and many of those are like shadow IT, unknown assets which are not known to the organization. And then there are others which are nuclear weapons kind of stuff, which is zero day attacks. I mean those are very rare; very rarely somebody gets compromised because of a zero day or a very complex multi-stage attack, so those are more like nuclear weapons. So most of the battles are lost not because of a nuclear bomb being deployed; it is lost because of a nail, and that nail, those small issues which are there in the attack surface, this is kind of proliferating in a very, very big way. So how do we then manage that? So managing our external...

...I, since probably a couple of decades. So if I look at the way the hacking landscape has kind of changed over a period of time, it went through a lot of interesting phases. So there were times when the hacking used to happen more through compromise of the network level vulnerabilities, then came a phase where application level vulnerabilities took over, and then a little bit later something very strange happened. When the industry went through like two decades of vulnerability assessment, penetration testing and all this super cool stuff, we started seeing some strange stuff happening in the last few years, and I'll give you an example. One of the strange stuff is like one of the topmost names in the financial services companies got compromised because they...

...analysts will give you some critical insights, common use cases, talk a little bit about some comparisons and contrasts with a lot of the different types of, again, Gartner and industry, Forrester and industry acronyms that we see out there as it relates to the concept of attack surface recon and surface management as well as exploitation and continuous testing, and talk a little bit about how it relates to the MITRE ATT&CK framework. This session today will be a precursor to the 13th annual CISO Platform Summit, which will take place next week on, I believe, June the 2nd and 3rd. So it's a little teaser in advance of the sessions that we'll all be a part of next week. We're going to touch upon understanding a little bit about this, especially in where we are in our crazy little upside-down world that we are all living in today.

 

Highlights:

Evolution of the Hacking Landscape:

  • Over the past decades, the hacking landscape has undergone significant transformations, from network-level vulnerabilities to application-level exploits.
  • Despite advancements in vulnerability assessment and penetration testing, the emergence of new attack vectors poses unprecedented challenges to organizations.

Understanding the Importance of EASM:

  • EASM addresses the critical need for visibility into an organization's external attack surface, encompassing assets, vulnerabilities, and potential threats.
  • By proactively managing external attack surfaces, organizations can mitigate risks associated with shadow IT and unknown assets, thereby enhancing their security posture.

Mitigating Risks with EASM:

  • EASM solutions facilitate comprehensive asset discovery, enabling organizations to identify and prioritize vulnerabilities across their digital footprint.
  • Active assessment capabilities empower organizations to simulate real-world attacks and test the efficacy of their security defenses.
  • Integration with frameworks like MITRE ATT&CK provides actionable insights into adversary tactics, enabling organizations to develop robust defensive strategies.

 

As cyber threats continue to evolve, organizations must adopt proactive strategies to safeguard their digital assets. EASM emerges as a crucial component of modern cybersecurity, offering unparalleled visibility and risk mitigation capabilities. By leveraging EASM solutions and integrating frameworks like MITRE ATT&CK, organizations can bolster their defenses against a diverse range of threats, from network vulnerabilities to zero-day attacks. As we navigate the ever-evolving cybersecurity landscape, EASM remains a cornerstone of organizational resilience, empowering organizations to stay one step ahead of cyber adversaries.

 


 


Maximizing Cybersecurity Vigilance: Leveraging EASM and the MITRE ATT&CK Framework


Embark on a journey into the world of cybersecurity resilience, where External Attack Surface Management (EASM) intersects with the powerful insights of the MITRE ATT&CK Framework. In this exploration, we unravel the key capabilities of EASM solutions and delve into the symbiotic relationship between EASM and the MITRE ATT&CK Framework. Join us as we navigate through the realms of threat discovery, active assessment, and continuous security monitoring to fortify organizational defenses against evolving cyber threats.

 

 

Here is the verbatim discussion:

...that, the, you, I wish everybody knew the client because we'd like to talk to them, I'd like to talk to them. I'm just kidding. So changing gears a little bit, we only have 16 minutes left, but I wanted to talk a little bit, or kind of go down two different directions. First direction is back to Bikash, who we let be quiet long enough here. Some of the key capabilities of external attack surface management incorporated with some of the, let's tie the modules together, I'm just going to kind of go there, right? So there's the EASM component, again recon, discovery, asset inventory, whatever the buzz is, right, boom, that's must-have, right, and that on a continuous basis. There's also, there's a lot of new acronyms out there as well: continuous automated red teaming, CART; continuous automated security testing, CAST, right; automated exploitation, right. Ed talked a little bit about breach and attack simulation. Key capabilities of a full end-to-end EASM solution, what are your thoughts, Bikash, on that? And then I know that we have some folks on the phone as well that come from the consulting world, right, that are consulting, they're doing cyber security consulting. Talk a little bit about how you think that a comprehensive EASM slash continuous testing, you know, package could assist in potentially helping to automate some of what has been a traditionally manual process. We will never, I want to make this statement, we will never get rid of the human; that is not the intent of ASM or, you know, CART or CAST or whatever, right? It is about making the human smarter, right? It is about giving the human the ability to do the high-dollar stuff. And then, again, I'm just focusing on consulting right now, right, in that world. Ed, you, and you know, Tejas, you live in that world because you have practices that are focused on that. So making the human smarter as it relates to some of the automation and allowing them to focus on the stuff that the client really needs, which is that repeatable process and that continuous security architecture design or whatever it might be. So talk a little bit, Bikash, about key capabilities of a holistic program and then maybe some of the nuances therein from an overall market perspective.

Sure, sure. So if you look at EASM, and these terminologies are kind of created by different groups, right, you have EASM, you have BAS, and there's some overlap there, you have ASM which is there. Let me talk about it as a broad concept, like what are the key capabilities that one should look for. So one of the primary capabilities is discovery, right, so discovery of assets. Now when you look for the discovery of assets, the key things to look for is what kind of assets does it discover: does it discover the cloud buckets, does it discover the applications, does it discover the APIs, the subdomains, the IP addresses, etc. So the coverage of discovery is one of the things. The second thing is the false positives. So when you do EASM it's a very hard problem, because there are ephemeral IPs which are continuously changing on the cloud; how well can you discover those? Now there's no perfect solution in the world today, everybody is working towards that, but look for the false positives out there. There are, suppose, WAF IPs and CDN IPs, so those are not exactly your IPs, so how does the system discover those and appropriately tag those assets? So the coverage of asset discovery is one thing, the tagging of asset discovery by type is the second thing, the third is the false positive rate over there, and the fourth thing is also going to be the false negatives: what am I missing out, what are those assets which are out there but the system is not able to discover? So this is one part. The other part is how frequently is the system doing it, I mean how many times does the database get refreshed: does it get refreshed every day, does it get refreshed every week? So that's the other part, the frequency. The quality of data source which you have, does it cover the dark web, does it cover only the deep web, etc., so that's another part of the critical capability. So this is more around the discovery.

Let's move to the next part, which is the active assessment. So does the system also do active assessment? Because when you just do passive discovery through banner grabbing and open source intelligence there can be a lot of false positives; the vulnerability discovery is not going to be accurate. So does the system have the capability to run real, kind of, safe attacks, or active assessments? So that's the other. So if there are active assessment modules, what type of modules are there? I mean, does it cover applications or IPs, cloud, Docker containers, etc. So the active assessment capability in depth is the other part which one should look into. Then the third part will be the kind of run books which are there, if also red teaming. As some of you have noticed, Gartner also mentioned in the ASM report that there are two kind of directions in which the ASM market is heading towards: one direction is more about the discovery, another direction is about the red teaming and the attack. So in that case what kind of red teaming capabilities does the system have, or the solution have? So these are some of the broad kind of capabilities one should look for while evaluating a solution. And of course the use of this tool could be in two ways: one is like end user organizations using it, the other could be managed services, consulting companies using it. But whatever be the use, largely these are the critical capabilities; but if you are a consulting company or a managed services provider then there are some more use cases which become more important, but I'm not getting into that direction in the interest of time. So that's broadly about the critical capabilities, Paul.

Thanks, Bikash, I appreciate that. So I'm going to do a time check, we have nine minutes left. I have a couple of, I keep looking over here and I feel bad because you're seeing like my bald spot on the top of my head, I'm looking at my phone, but our lady behind the curtain, Pulami, is sending me a couple of really important questions that I'd like to have answered before we get off the phone. But before that, one kind of last point that you had mentioned earlier that I'd love to maybe get your take on, and that is kind of the overview of the MITRE ATT&CK framework as it relates to the EASM kind of world from your perspective, because I know that those types of requirements are always kind of dangling out there; as much as we don't like to admit it, it is the nature of our beast. So maybe for three or four minutes we can talk about that and then we can jump over to a couple questions.

Absolutely, so I'll try to keep this brief so we have some time to answer questions, but in my opinion the MITRE framework...

 

Highlights:

Key Capabilities of EASM Solutions:

  • Discovery breadth: coverage of cloud resources, applications, APIs, subdomains and IP addresses, plus two questions buyers often skip: how often the underlying data set is refreshed (daily, weekly) and whether its sources reach the deep and dark web or only the clear web.
  • Accuracy: passive discovery through banner grabbing and open source intelligence produces false positives, so a solution should be able to confirm a finding rather than report a guess.
  • Active assessment: modules that run safe, non-destructive checks against discovered assets, and how much of the surface they cover (applications, IPs, cloud, Docker containers).
  • Runbooks and red teaming: Gartner's ASM report describes the market heading in two directions, discovery and red teaming/attack; evaluate what attack-simulation runbooks the solution offers.
  • Buyer type: end-user organizations and managed services or consulting providers share these core capabilities, with providers having additional use cases of their own.
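The accuracy and active-assessment points above are easiest to see in code. The following is an added example, not code from the panel or from any EASM product: it starts a throwaway HTTP target on localhost (so it runs offline), applies a banner-only rule the way a passive scanner would, and then confirms or clears each candidate with a single unauthenticated GET, which is the "safe attack" the panel describes. The product banner `ExampleAdmin/2.1`, the paths `/admin` and `/console`, and the rule text are all constructed for the example.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

BANNER = "ExampleAdmin/2.1"   # constructed product banner for the example


class _FakeAdminApp(BaseHTTPRequestHandler):
    """Throwaway target. /admin enforces HTTP Basic auth; /console does not.
    Both advertise the same Server banner, which is exactly why a banner
    alone cannot tell a protected console from an exposed one."""

    PROTECTED = {"/admin"}

    def version_string(self):
        # BaseHTTPRequestHandler emits the Server header from this method.
        return BANNER

    def do_GET(self):
        if self.path in self.PROTECTED and not self.headers.get("Authorization"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"admin console\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass   # keep the example quiet


def start_fake_server():
    """Start the target on an ephemeral localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeAdminApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def grab_banner(base_url):
    """Passive-style collection: one request to the root, record the Server header."""
    with urllib.request.urlopen(base_url + "/", timeout=3) as resp:
        return resp.headers.get("Server", "")


def passive_triage(banner):
    """Banner-only rule, as a passive scanner would apply it. It can say
    'this looks like an admin console', never whether it is protected."""
    if banner.startswith("ExampleAdmin/"):
        return "admin console exposed (banner match)"
    return None


def active_check(url):
    """Safe verification: a single unauthenticated GET, nothing written.
    Returns the HTTP status; 401/403 means authentication is enforced."""
    try:
        with urllib.request.urlopen(url, timeout=3) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def assess(base_url, paths):
    """Passive triage first, then confirm or clear each candidate actively."""
    candidate = passive_triage(grab_banner(base_url))
    verdicts = {}
    for path in paths:
        if candidate is None:
            verdicts[path] = "no finding"
            continue
        status = active_check(base_url + path)
        if status == 200:
            verdicts[path] = "CONFIRMED: " + candidate
        else:
            verdicts[path] = f"cleared (HTTP {status}, authentication enforced)"
    return verdicts


def demo():
    """Run the whole flow against the throwaway target and return the verdicts."""
    server, base_url = start_fake_server()
    try:
        return assess(base_url, ["/admin", "/console"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(path, "->", verdict)
```

Run as a script it prints one verdict per path: the passive rule flags both, the active step clears `/admin` (401) and confirms `/console` (200). The active probe is deliberately read-only; a platform's "safe attack" modules should have the same property, and the check you want when evaluating one is how a candidate finding moves from "banner says" to "verified".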

Harnessing the MITRE ATT&CK Framework:

  • MITRE ATT&CK is a catalogue of attacker techniques and tactics observed in real-world intrusions, grouped by tactic (reconnaissance, privilege escalation, exfiltration and others), with documented mitigations for each technique; the framework and its assets are free to download.
  • Its value to defenders is that it states what an adversary will actually do to their infrastructure, so practising those techniques (a red-team activity) can drive the blue-team controls built into the products and services an enterprise runs: the purple-teaming idea.
  • The reconnaissance, discovery and credential-access techniques it documents are what attackers run against an external surface anyway, and what a good EASM platform should run on the organization's behalf.

 

Taken together, EASM and the MITRE ATT&CK Framework give organizations a practical way to strengthen external defenses. EASM supplies continuous visibility into the external attack surface and a way to find and confirm exposures before an attacker does; ATT&CK supplies the catalogue of adversary behaviour that tells defenders which techniques to expect and which controls to prioritize. Used together, they support a proactive rather than compliance-driven security posture.

 

Speakers:

Bikash Barai is credited with several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in the USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums such as TiE, RSA Conference USA and TEDx. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

 

Ed Adams is a seasoned software quality and security expert with over two decades of industry experience. As CEO of Security Innovation and a Ponemon Institute Research Fellow, Ed is known for his contributions to advancing cybersecurity practices. With a background spanning engineering for the US Army and senior management positions in leading tech companies, Ed brings a wealth of expertise to the panel.

https://twitter.com/appsec

https://www.linkedin.com/in/edadamsboston

 

Paul DiBello, based in Duxbury, MA, US, is currently Senior Vice President, Global Business Development at ShadowDragon, bringing experience from previous roles at FireCompass, R9B, Virtru Corporation and iSIGHT Partners (a FireEye company). Paul holds a Bachelor of Arts (BA) in Economics from Princeton University (1986-1990). His skill set includes software, sales, project management, development and operations.

https://www.linkedin.com/in/pauldibello11

 

Tejas Shroff, based in Boston, MA, US, is currently a Software Engineer at Tangle, bringing experience from previous roles at Aperion Studios, XPO Logistics, Inc., Oculus VR and Beach Day Studios. Tejas completed a UX Design Immersive in Design & User Experience at General Assembly (2019). His skill set includes leadership, social networking, start-ups, social media and teamwork.

https://www.linkedin.com/in/tejasshroff

 

 


Maximizing Cybersecurity Resilience: Leveraging External Attack Surface Management

 

Welcome to a deep dive into External Attack Surface Management (EASM) and its role in safeguarding internet-facing assets. This discussion covers how EASM relates to the MITRE ATT&CK Framework, walks through a real-world assessment that combined outside-in discovery with deep and dark web reconnaissance, and makes the case for continuous, rather than compliance-driven, monitoring of the external surface.

 

 

Here is the verbatim discussion:

in a word, is awesome. It is literally a collection of attacker techniques and tactics used in the real world. So what MITRE did, and MITRE is a US government think tank research organization, they researched thousands of actual attacks on IT systems, applications, infrastructure, IoT devices, etc. and documented 215 discrete techniques, and they organized them in various groups, and we talked about some of those groups already: reconnaissance, exfiltration, privilege escalation, etc. But they don't just document the attacks; they also document mitigations that you can put in place for the attacks. But to me the relevance and importance of the MITRE ATT&CK framework is that it delivers to you exactly what an adversary is going to be doing to your infrastructure, and it allows you, by practicing or implementing some of these attack techniques, which is typically a red team activity, to build a lot of the defensive postures, blue team techniques. So as you're building the products and services that run your enterprise, you can do so with that defensive mindset and a more secure mindset, and that's the purple teaming concept. So from an attack surface management perspective, the external attack surface management, all of the reconnaissance, the discovery, the credential access, that's what attackers are doing anyway, and that's what a good external attack surface management platform will do for you. A lot of the EASM platforms are implementing many of these 215 discrete attacker techniques that the MITRE ATT&CK framework documents. And the MITRE ATT&CK framework, by the way, is free; they've got downloadable assets. It's just a really, really useful, valuable...

...between EASM and risk protection, you know, DRP, some of the BAS stuff. And you had mentioned one of your clients, whose name shall remain silent to protect the innocent, but you had an interesting use case, and I think it was back from 2018, and maybe you could explain that use case to the group, and then maybe how you might do that differently for your client at this point, three years later.

Absolutely, absolutely. As Paul put it in the right perspective, it was 2018, so at that time no one had experienced this remote operating of things, and people were still working out of the office. And yes, there were challenges, but the challenges in terms of number were relatively lower, because some of them were, like, not the known challenges but the seen challenges: there were people you could see, and you could know based on their behavior. But now you're dealing with a complete unknown; you don't even know who the person connecting is. If they don't turn their camera on you don't know who's operating on the other side of things, so somebody might be working remotely but you don't know who's really working on it. But to go into that use case: I think the use case we had done was for a very large client of mine, and what we had done was, they wanted to get an assessment done, and we did it on both sides. One was from an external attack surface management angle, where we compiled a list of external assets and approached it from the outside with external attack surface management to identify the list of discovery, and the other one was from the bottom-up approach using more of a security architecture, and based on that we tried to converge and come up with a point. And we added a third angle to that: for some of those external assets we even had some deep and dark web scans, and some of the results were so surprising. One thing which I found as part of my research was almost 90% of the transactions happen in the dark web, which we are not even aware of, and a lot of people are just scratching the surface when they think that everything happens in the clear web, while so much work happens in the dark web that we are not even aware of. And that use case helped the client see what's going on in the dark web, what's going on, what were their assets which were being exposed, which they were completely unaware of. That discovery helped the client know about some of the tools, some of the tools which they thought they were no longer using, but they still had ends open, sitting on the internet. And as Ed rightly mentioned, you can run a scan, you can try to find out and do the discovery, but by the time you finish you probably may have gone and added a few more assets, so there's no way to go back. So that continuous part which Ed was mentioning is the key, because if you're not even aware of what you added, then you have to wait for the next compliance scan which you're going to do. So a lot of people just do the scan for compliance reasons, so they can have that checkbox, and that's not going to be too useful if you're trying to be protective. Are you trying to be protective, or are you just telling the attackers, by putting out a sign, that yes, I've done my due diligence? So are you doing it for due diligence, or are you doing it for proactive security monitoring of your assets? That's the key. And Paul, to say how we would have done it differently: absolutely, things would have been done so much differently had we done it right now, and I'm sure the results would have been very, very different. Sorry, because you were trying to say something? No, no, I'm good. Yeah.

 

Highlights:

Understanding EASM and Its Significance:

  • EASM is the market Gartner defined around managing the external attack surface specifically, as distinct from internal asset management.
  • Its goal is visibility into every internet-facing asset, an assessment of the risk each one carries, and remediation of exposures at scale.

Leveraging the MITRE ATT&CK Framework:

  • MITRE ATT&CK is a catalogue of real-world attacker techniques and tactics, grouped by tactic and paired with documented mitigations, available free of charge.
  • Because it describes what adversaries actually do, practising its techniques (red team) is a direct route to the defensive controls (blue team) an organization builds, the purple-teaming idea.

Realizing the Power of Continuous Security Monitoring:

  • A one-off or compliance-driven scan is stale as soon as a team publishes a new asset; if discovery is not continuous, the organization waits for the next scheduled scan to learn what it has exposed.
  • EASM platforms implement many of the reconnaissance, discovery and credential-access techniques ATT&CK documents, performing them on the organization's behalf before an attacker does.

Navigating Evolving Threat Landscapes:

  • The 2018 engagement described in the discussion combined outside-in EASM discovery, a bottom-up security architecture review and deep/dark web scans; it surfaced exposed assets the client did not know about, including tools it believed were no longer in use that still had endpoints open on the internet.
  • With remote work, the people connecting to an organization are no longer the known, visible population of an office, which widens the unknowns an EASM programme has to account for.
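The continuous-monitoring point is concrete once discovery output is treated as a series of snapshots rather than a report: the useful product is the delta between runs, with every new or changed exposure scored so the SOC knows what to act on first. The script below is an added example, not code from the panel or from any EASM product. The two snapshots, the hostnames and the scoring rules are constructed for the example; `auth_required` stands for the outcome of a safe active check such as the one in the earlier example. A platform that produces records like these is performing what ATT&CK catalogues as Reconnaissance techniques T1595.001 (Scanning IP Blocks) and T1595.002 (Vulnerability Scanning).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Exposure:
    """One internet-facing service as a discovery run observed it."""
    host: str
    port: int
    service: str
    auth_required: Optional[bool]   # result of a safe active check; None = not checked


@dataclass(frozen=True)
class Alert:
    severity: str      # critical | high | medium | low | info
    kind: str          # new | changed | removed
    exposure: Exposure
    reason: str


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Ports whose presence on the external surface always deserves a look.
DATABASE_PORTS = {27017: "mongodb", 9200: "elasticsearch", 6379: "redis",
                  3306: "mysql", 5432: "postgresql"}

# Constructed snapshots from two consecutive discovery runs.
PREVIOUS_RUN = {
    Exposure("www.example.com", 443, "https", True),
    Exposure("api.example.com", 443, "https", True),
    Exposure("legacy-vpn.example.com", 443, "https", True),
}
CURRENT_RUN = {
    Exposure("www.example.com", 443, "https", True),
    Exposure("api.example.com", 443, "https", False),               # auth no longer enforced
    Exposure("campaign-db.example.com", 27017, "mongodb", False),   # marketing's new database
    Exposure("staging.example.com", 8080, "http", None),            # nobody registered this
}


def _key(e):
    """Identity of an exposure across runs: the same host and port."""
    return (e.host, e.port)


def diff_snapshots(previous, current):
    """Return (added, removed, changed) between two runs, keyed on host:port."""
    prev = {_key(e): e for e in previous}
    cur = {_key(e): e for e in current}
    added = [cur[k] for k in sorted(cur.keys() - prev.keys())]
    removed = [prev[k] for k in sorted(prev.keys() - cur.keys())]
    changed = [(prev[k], cur[k]) for k in sorted(prev.keys() & cur.keys()) if prev[k] != cur[k]]
    return added, removed, changed


def _score_new(e):
    """Severity for an asset that was not in the previous inventory."""
    if e.port in DATABASE_PORTS and e.auth_required is False:
        return "critical", f"{DATABASE_PORTS[e.port]} reachable from the internet without authentication"
    if e.port in DATABASE_PORTS:
        return "high", f"{DATABASE_PORTS[e.port]} exposed; confirm authentication and source restrictions"
    return "low", "asset not in the previous inventory (shadow IT candidate); identify the owner"


def _score_changed(old, new):
    """Severity for an asset whose observed attributes changed between runs."""
    if old.auth_required and new.auth_required is False:
        return "high", "authentication was enforced last run and is not enforced now"
    return "medium", f"service changed from {old.service} to {new.service}"


def triage(previous, current):
    """Turn the delta between two runs into alerts, most severe first."""
    added, removed, changed = diff_snapshots(previous, current)
    alerts = []
    for e in added:
        sev, why = _score_new(e)
        alerts.append(Alert(sev, "new", e, why))
    for old, new in changed:
        sev, why = _score_changed(old, new)
        alerts.append(Alert(sev, "changed", new, why))
    for e in removed:
        alerts.append(Alert("info", "removed", e, "no longer observed; confirm it was decommissioned on purpose"))
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a.severity], a.exposure.host))


if __name__ == "__main__":
    for a in triage(PREVIOUS_RUN, CURRENT_RUN):
        print(f"[{a.severity:8}] {a.kind:7} {a.exposure.host}:{a.exposure.port} {a.reason}")
```

On the constructed data the first alert is the unauthenticated MongoDB instance that appeared since the last run, which is the "open database without any password" failure mode from the discussion, followed by the API whose authentication check flipped, the unregistered staging host, and a note that the old VPN endpoint disappeared. Keying on host and port rather than on the whole record is what lets a change in authentication show up as a change instead of as an unrelated remove-and-add pair.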

 

In conclusion, External Attack Surface Management, the MITRE ATT&CK Framework and continuous monitoring reinforce one another. EASM gives an organization an outside-in view of what it has exposed, ATT&CK supplies the adversary techniques that view should be tested against, and continuous discovery keeps both current as teams publish new assets. The practical question the panel leaves for every organization is whether it scans for a compliance checkbox or for proactive protection of its assets. Thank you for joining the discussion.

 
 

Unveiling External Attack Surface Management: Addressing Modern Cybersecurity Challenges

 

Welcome, everyone, to an exploration of External Attack Surface Management (EASM) and its role in modern cybersecurity. To understand why EASM exists, it helps to understand the problem it was created to solve. In this session, the panelists trace how hacking methodologies have evolved, why a new class of simple but damaging exposures has emerged, and how the decentralization of who can put assets online has undermined central visibility of the attack surface.

 

 

Here is the verbatim discussion:

Also, to kind of add to that, let me start with what EASM is and what problem it solves, or rather, let me start with the problem first. So I remember, I mean if you go back like two decades, I had been in the industry since probably a couple of decades. So if I look at the way the hacking landscape has kind of changed over a period of time, it went through a lot of interesting phases. So there were times when the hacking used to happen more through compromise of the network level vulnerabilities; then came a phase where application level vulnerabilities took over; and then a little bit later something very strange happened. When the industry went through like two decades of vulnerability assessment, penetration testing and all this super cool stuff, we started seeing some strange stuff happening in the last few years, and I'll give you an example. One of the strange things is, like, one of the topmost names in the financial services companies got compromised because they had an open database without any password. And I have very high respect for these guys; they're great folks, they have got great tools and team. So the question is, why did that happen? Why did they get compromised because they had no password for the database? I mean, that doesn't sound obvious, or something which is normal or common, right? So if you look at this as an issue, there's something new which got started in the last four, five, six years, or last three, four, five years, and that new thing that got started is that, unlike say five, six years before, when anything that had to go online had to go through the central IT team, anybody and everybody couldn't create things and make them go live online, you had to go through the IT team, it was difficult; but today, fast forward, today the marketing team can create things on their own and make them go live, the projects team can create something on their own, cloud guys, DevOps guys can create things on their own. We're talking about an agile world, a decentralized world. So all of a sudden what has happened is this central control of the assets that go online and the central visibility of your asset inventory all of a sudden went for a toss, and that is the reason why we see a lot of these apparently strange compromises, which look like this great company got compromised because they had this simple vulnerability. Obviously those great companies wouldn't miss out on something like that, and that happened with this specific FSI organization, where this particular database was put online by their marketing team. So this is a new problem which was not there five, six years back, because at that point in time things were tightly controlled and it was difficult to take things online.

So because of this problem, I kind of talk about how there are two kinds of compromises which I see: one kind of compromise is because of nails and the other is because of nuclear weapons, and let me explain what I mean by that. So I remember during my childhood days I read this poem: for want of a nail the shoe was lost, and for want of a shoe the horse was lost, and for want of a horse the general was lost, and for want of a general the battle was lost, something like that. So it's a small... sorry, I kind of started it wrong: for want of a nail the shoe was lost, so you start with a nail, and because of a missing nail the battle is lost. And that kind of compromise is happening: some small misconfiguration somewhere which is causing a large organization to get breached, and many of those are like shadow IT, unknown assets which are not known to the organization. And then there are others which are nuclear weapons kind of stuff, which is zero day attacks. I mean, those are very rare; very rarely somebody gets compromised because of a zero day or a very complex multi-stage attack, so those are more like nuclear weapons. So most of the battles are lost not because of a nuclear bomb being deployed; they are lost because of a nail, and that nail, those small issues which are there in the attack surface, this is kind of proliferating in a very, very big way. So how do we then manage that? So managing our external attack surface, managing those small things out there which can cause a big breach, this became a problem of today which was not there five, six years back, and today, because of remote working and because of all this digital transformation, cloud, etc., it's just going to get worse. And that is the reason why EASM came into being. EASM got coined as a word by Gartner; Gartner calls it EASM, external attack surface management. So the idea is about getting visibility of all the assets that you have, knowing what your attack surface is like, what are the risks associated with that, and doing it at a scale. Earlier, or even now, there are different other analysts who call it attack surface management, but Gartner created this new market called external attack surface management, which only focuses on the external attack surface and not the internal. So that's a kind of brief genesis, brief or long genesis, and the reason behind why EASM came into being. So I would let probably Ed, Tejas, all you guys add more.

 

Highlights:

Understanding the Problem:

  • Over two decades the hacking landscape moved from network-level compromises to application-level vulnerabilities, and more recently to breaches caused by simple exposures, such as a major financial services firm compromised through a database left online without a password.
  • The new ingredient is decentralization: marketing, project, cloud and DevOps teams can now publish assets without going through central IT, so central control and central visibility of the asset inventory have been lost.

The Nail vs. Nuclear Weapons Analogy:

  • Contrasting two causes of breach: small misconfigurations and unknown assets (nails) and rare zero-day or complex multi-stage attacks (nuclear weapons).
  • Most battles are lost to nails, not to nuclear weapons; these small issues are proliferating across the external attack surface, which is why managing that surface has become the central problem.

Introduction to EASM:

  • Gartner coined External Attack Surface Management as a new market that focuses only on the external attack surface, not the internal one; other analysts use the broader term attack surface management.
  • Its core objective is visibility of every asset an organization has online, knowledge of the risks those assets carry, and doing both at scale, a problem that remote work, digital transformation and cloud adoption are making worse.

 

In conclusion, External Attack Surface Management is a response to a specific change: anyone in an organization can now put assets online, and breaches increasingly come from the small exposures that result rather than from sophisticated attacks. By adopting EASM practices, organizations can regain visibility of their external attack surface, find the nails before an attacker does, and reduce the chance of a breach from an asset they did not know they had. Thank you for joining the discussion.

 


 

Unveiling External Attack Surface Management: Insights from Cybersecurity Leaders

 

Greetings, everyone! Whether it's morning, afternoon or evening for you, welcome to today's panel discussion on a topic that is gaining momentum in cybersecurity: External Attack Surface Management (EASM). My name is Paul DiBello, and I serve as Senior Vice President of Sales and Business Development Partnerships at FireCompass. Today's session, organized by the CISO Platform, looks at why industry analysts such as Gartner are emphasizing EASM, a term that is likely to become a fixture of the industry's vocabulary. Over the course of the discussion, the panelists provide insights into common use cases, comparisons with existing frameworks, and effective strategies for implementing EASM.

 

 

Here is the verbatim discussion:

Hello everybody, good morning, good afternoon and good evening. I think we have folks from every part of the planet, which is great. My name is Paul DiBello; I'm the Senior Vice President of Sales and Business Development, Business Partnerships, here at FireCompass. I have the distinct honor today of hosting what I hope, and I know, will be a very informative and interactive panel with some very talented cyber security leaders. This session, just to let everybody know, has been organized by the CISO Platform. The topic for our discussion today: why is the Gartner Group talking about external attack surface management, a new acronym that we're all going to start to see? We don't have enough acronyms in our business, right, our industry? So-called EASM. So our panelists will give you some critical insights, common use cases, talk a little bit about some comparisons and contrasts with a lot of the different types of, again, Gartner and industry, Forrester and industry acronyms that we see out there as they relate to the concept of attack surface recon and surface management, as well as exploitation and continuous testing, and talk a little bit about how it relates to the MITRE ATT&CK framework. This session today will be a precursor to the 13th annual CISO Platform Summit, which will take place next week, on, I believe, June the 2nd and 3rd, so it's a little teaser in advance of the sessions that we'll all be a part of next week. We're going to touch upon understanding a little bit about this, especially where we are in our crazy little upside-down world that we're all living in today; understand a little bit more about the external attack surface management use cases, the use of EASM, effective strategies that are being deployed by industry-leading organizations, both from a direct end user perspective as well as a partner perspective; and how testing external perimeters can validate what can and cannot be discovered. So I like to use the term "unknown unknowns", and that's an area that EASM is really focusing on, and we're seeing some very, very interesting and very positive results. So without further ado, let me introduce the members of our panel. I will go one by one and let them talk about themselves, because what I say will not do them justice in their exploits in their past. Ed, Ed Adams, I'd like to introduce you, to say a few lines about yourself, sir.

Hello, thank you Paul, welcome everyone. I am Ed Adams. I'm the president and CEO of Security Innovation, an organization that specializes in software security. I'm also a research fellow for the Ponemon Institute, and I am a leader and board member for the International Consortium of Minority Cybersecurity Professionals, otherwise known as ICMCP. Happy to be on this panel.

Thank you Ed, thanks very much, appreciate it.

 

Highlights:

Understanding EASM:

  • Why industry analysts, Gartner among them, have started treating external attack surface management as a distinct discipline.
  • Its relevance as the threat landscape evolves and organizations' digital footprints grow more complex.

Introducing the Panelists:

  • Ed Adams: President and CEO of Security Innovation, a company specializing in software security; research fellow for the Ponemon Institute; and a leader and board member of the International Consortium of Minority Cybersecurity Professionals (ICMCP).

Key Discussion Points:

  • Use Cases: common scenarios where EASM helps organizations find and reduce risk.
  • Strategies and Comparisons: effective strategies deployed by industry leaders, and how EASM compares with and contrasts against related analyst categories and the MITRE ATT&CK framework.
  • Role in Continuous Testing: how testing the external perimeter validates what can and cannot be discovered, the "unknown unknowns" that EASM targets.

Teaser for CISO Platform Summit:

  • This session is a precursor to the 13th Annual CISO Platform Summit, scheduled for June 2nd and 3rd, where these themes are explored further.

 

With the panel introduced, the remainder of the session moves from use cases to effective strategies and beyond, with the aim of giving practitioners actionable insight into securing their external attack surface. Thank you for joining us.

 

Speakers:

 

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

 

Ed Adams, a seasoned software quality and security expert with over two decades of industry experience. As CEO of Security Innovation and a Ponemon Institute Research Fellow, Ed is renowned for his contributions to advancing cybersecurity practices. With a diverse background spanning from engineering for the US Army to senior management positions in leading tech companies, Ed brings a wealth of expertise to the table.

https://twitter.com/appsec

https://www.linkedin.com/in/edadamsboston

 

Paul Dibello, based in Duxbury, MA, US, is currently a Senior Vice President Global Business Development at ShadowDragon, bringing experience from previous roles at FireCompass, R9B, Virtru Corporation and iSIGHT Partners - A FireEye Company. Paul DiBello holds a 1986 - 1990 Bachelor of Arts (BA) in Economics @ Princeton University. With a robust skill set that includes Software, Sales, Project Management, Development, Operations and more, Paul DiBello contributes valuable insights to the industry.

https://www.linkedin.com/in/pauldibello11

 

Tejas Shroff, based in Boston, MA, US, is currently a Software Engineer at Tangle, bringing experience from previous roles at Aperion Studios, XPO Logistics, Inc., Oculus VR and Beach Day Studios. Tejas Shroff holds a 2019 - 2019 UX Design Immersive in Design & User Experience @ General Assembly. With a robust skill set that includes Leadership, Social Networking, Start Ups, Social Media, Teamwork and more, Tejas Shroff contributes valuable insights to the industry.

https://www.linkedin.com/in/tejasshroff


Building an External Attack Surface Management (ASM) Capability: Tools, Techniques, and Procedures

 

In today's digital landscape, managing an organization's external attack surface is paramount for cybersecurity. External Attack Surface Management (ASM) involves understanding and securing all assets, including those beyond the traditional network perimeter. This capability is crucial for identifying vulnerabilities, mitigating risks, and enhancing overall cybersecurity posture. To effectively establish an ASM capability, organizations need to leverage appropriate tools, techniques, and procedures.

 

 

Here is the verbatim discussion:

Sure, sure. Thanks, Paul. So let me take this up in two parts. Paul, I recall you also asked a question on use cases, and I said let's first discuss what ASM is and then come back to the use cases. So let's divide this into two parts: one is the use cases and the second part is the tools, techniques and procedures.

When it comes to the use cases, there are a few key use cases which an EASM tool solves. One is asset inventory, and today asset inventory has become a major challenge. Of course, EASM cannot do the internal assets; it can only do the external asset inventory, and for internal asset inventory you have another set of tools. So asset inventory is one use case.

The second use case is shadow IT discovery: discovering those unknown unknowns in your asset inventory. Now, when it comes to shadow IT there are multiple tools which can help you. One is the CASB kind of tools. The CASB tools can find out shadow IT in terms of what kind of applications are being used by the employees of an organization which are not known to the IT team. But the CASB tools cannot find out shadow IT of the kind where marketing created a new database somewhere while working with a third-party vendor, because that needs scanning the internet, whereas CASB only scans the traffic which is coming out of your network; CASB does not scan all the internet assets, whereas EASM scans all internet assets. So shadow IT, but of a different flavor, not of the flavor of CASB. So CASB and ASM solve this in a very complementary manner: what CASB does ASM doesn't do, and what EASM does CASB doesn't do.

The third use case is SOC augmentation. Today, imagine so many kinds of alerts which are coming up, and we all know that the SOC has the challenge in terms of which one should I act upon; that's a very hard challenge, right? So if EASM can feed this information to you, "here is a new database that has gone online which is misconfigured or runs an old version of a database", then any ping or port scan that comes there you take at a high priority, whereas a normal ping you don't take at a high priority. So the intelligence coming from EASM could help the SOC.

The fourth use case could also be where EASM augments threat intelligence. Threat intelligence is more about actors and their TTPs at the broad industry level. How can you make it pinpointed to a specific... how that threat intelligence, that actor, poses a risk for your organization? If you can correlate that with your attack surface and the risk, then you can make it more actionable. So augmenting TI will be another.

Augmenting the vulnerability management program is another use case, because if you don't know the assets you can't put them under the vulnerability management program, right? If you don't know that here is a pre-production system which is out there online and has got critical data, obviously you can't take any step related to that. So it also augments the vulnerability management program.

It also augments red and blue teaming, because EASM does the first part, which is the reconnaissance, and then also the other set of tools around EASM are coming up which are like the continuous automated red teaming tools etc., so that also augments red teaming capability. So red teaming, blue teaming or purple teaming, augmenting that as a capability. Control effectiveness testing as a part of that, that's another. So these are some six, seven key use cases. So Paul, this is kind of in continuation to your previous question.

Let me next move to the second question which you mentioned, which is about the tools, techniques and procedures. So suppose you have to, or you want to, build ASM capability; how do you get started with that? Obviously there are multiple tools out there in the industry and it is maturing, red teaming is getting combined, etc., all those things, but let me share some of those options which are out there, which could also be part of, suppose, picking up open source tools.

So let me start with open source tools, what you can do with open source tools, and I will also talk later on about the other technologies which are available. If you look at EASM, the primary capability is nothing but reconnaissance, right? And if you try to find out the reconnaissance tools which are out there, if you just do a Google search, you will find more than 500 such reconnaissance tools which can help you discover various types of assets, which can help you do subdomain discovery, etc. I'm not naming all these tools; largely these are various small tools which you can tie together, string together and use, or a consultant could use them. So you can use these reconnaissance tools, but these tools are not good enough. Along with the reconnaissance tools you also need a lot of data. For example, you need the IP WHOIS information of the entire globe; then you'll be able to pinpoint your assets in an accurate manner. So you also need to get all this WHOIS information, the domain registration details. Now, unfortunately you can't get all of this data for free, so some of this data you have to buy. You need dark web information, which could also be utilized as a part of reconnaissance. So there is all this data out there which you need.

Now the next part is using these tools and this data. You may initially just focus on open source intelligence; don't buy any kind of data which is proprietary or which companies are selling. So I think there's a good start where you can start with all these open source tools and open source intelligence data, or publicly available data, and build an initial reconnaissance capability. Using that capability you can then do it a few times; depending on how big your organization is you can do it monthly or quarterly, etc. So I would say that's the level one maturity which you can get to using open source tools and open source intelligence.

The next part is where you move to something which is enterprise-grade automated tools which are out there, where there is a set of companies which have invested in terms of buying this data, creating their own tools, doing that automation, which can now help you to do it on a regular basis. So if you look at these tools, you can start with open source tools, then gradually move to these enterprise-grade tools. You can start with your internal team; if you could, you can go to consultants and ask them to do it; or you can rely on the software-as-a-service options. So there are right now various types of options.

And a good way to find out this information and knowledge: the keyword is reconnaissance rather than external attack surface management. EASM is more of the market name, but if you want to find the technical tools and all this stuff, go with the word recon. And interestingly, DEF CON used to do this Recon Village for quite a few years; they did it. Now obviously due to the pandemic etc. I don't know what's the state this year, so you'll find a lot of interesting talks at DEF CON on reconnaissance techniques; check out what all happened at Recon Village, check out the talks etc. So that's a good start, and then whenever you want to scale the program etc., go for these tools which are available, and these tools also do the internet-wide scanning of every single IP address, collect that data, index it and stuff like that. So these are some tools and techniques and procedures which I would highlight. Tejas and Ed, if you guys want to add anything more on top of it.

 

Highlights:

Use Cases of ASM:

  • Asset Inventory: ASM facilitates the inventory of external assets, addressing the challenge of asset visibility.
  • Shadow IT Discovery: ASM identifies unknown assets and applications, complementing tools like CASB for comprehensive coverage.
  • SOC Augmentation: ASM provides intelligence to prioritize alerts, enhancing the efficiency of Security Operations Centers (SOCs).
  • Threat Intelligence Augmentation: ASM correlates threat intelligence with an organization's attack surface, making it actionable and tailored to specific risks.
  • Vulnerability Management Augmentation: ASM assists in prioritizing assets for vulnerability management programs based on their exposure.
  • Red, Blue, and Purple Teaming Augmentation: ASM supports reconnaissance activities, enhancing the effectiveness of offensive and defensive security testing.
  • Control Effectiveness Testing: ASM aids in evaluating the effectiveness of security controls by assessing their coverage and performance.
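The shadow IT and SOC augmentation use cases above both come down to one operation: joining what external reconnaissance reports about your assets with what the IT team already knows, and with the alerts the SOC is drowning in. The following Python is an added example written for this post, not code from the panel or from any EASM product. The finding fields (`ip`, `flags`, `first_seen`), the CMDB set, the alert records and the RFC 5737 documentation addresses are all constructed for the illustration; the scoring thresholds are assumptions, not anything a vendor ships.

```python
"""Added example: correlate an EASM discovery feed with the internal
inventory (shadow IT) and with SOC alerts (alert prioritisation).
All data below is constructed; field names are assumed, not a product schema."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)   # fixed clock so runs are reproducible
NEW_ASSET_WINDOW = timedelta(days=7)               # assumed "recently went online" threshold

# Constructed EASM findings: what internet-wide reconnaissance attributes to
# the organisation (203.0.113.0/24 is a documentation range).
EASM_FINDINGS = [
    {"ip": "203.0.113.10", "hostname": "www.example.com", "service": "https/443",
     "first_seen": NOW - timedelta(days=400), "flags": set()},
    {"ip": "203.0.113.57", "hostname": "db-preprod.example.com", "service": "mongodb/27017",
     "first_seen": NOW - timedelta(days=2),
     "flags": {"no_auth", "outdated_version"}},   # the "open database" scenario from the talk
]

# Constructed internal inventory (CMDB): the assets the IT team knows about.
KNOWN_ASSETS = {"203.0.113.10"}

# Constructed SOC alerts, e.g. perimeter IDS reconnaissance noise against three destinations.
SOC_ALERTS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "type": "port_scan"},
    {"src": "198.51.100.9", "dst": "203.0.113.57", "type": "port_scan"},
    {"src": "198.51.100.3", "dst": "203.0.113.99", "type": "port_scan"},
]


def shadow_it(findings, known_assets):
    """Unknown unknowns: externally discovered assets missing from the CMDB."""
    return [f for f in findings if f["ip"] not in known_assets]


def enrich(alert, findings_by_ip, known_assets, now=NOW):
    """Attach EASM context to one alert; return (priority, reasons)."""
    finding = findings_by_ip.get(alert["dst"])
    if finding is None:
        # EASM did not attribute this address to us, so there is nothing to enrich with.
        return "low", ["destination not in external attack surface inventory"]
    reasons = []
    if "no_auth" in finding["flags"]:
        reasons.append("service exposed without authentication")
    if "outdated_version" in finding["flags"]:
        reasons.append("outdated service version")
    if now - finding["first_seen"] <= NEW_ASSET_WINDOW:
        reasons.append("asset went online recently")
    if finding["ip"] not in known_assets:
        reasons.append("asset not in CMDB (shadow IT)")
    # Assumed mapping: two or more risk signals escalate a routine scan alert.
    priority = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return priority, reasons


def triage(alerts, findings, known_assets, now=NOW):
    """Rank SOC alerts by EASM-derived priority, highest first (stable order otherwise)."""
    by_ip = {f["ip"]: f for f in findings}
    rank = {"high": 0, "medium": 1, "low": 2}
    enriched = []
    for alert in alerts:
        priority, reasons = enrich(alert, by_ip, known_assets, now)
        enriched.append({**alert, "priority": priority, "reasons": reasons})
    return sorted(enriched, key=lambda r: rank[r["priority"]])


if __name__ == "__main__":
    for f in shadow_it(EASM_FINDINGS, KNOWN_ASSETS):
        print("shadow IT:", f["hostname"], f["ip"], f["service"])
    for r in triage(SOC_ALERTS, EASM_FINDINGS, KNOWN_ASSETS):
        print(r["priority"].upper(), r["type"], r["src"], "->", r["dst"],
              "|", "; ".join(r["reasons"]))
```

Run as a script, the pre-production MongoDB host surfaces twice: once as shadow IT (it is in the EASM feed but not in the CMDB) and once as the reason the otherwise routine port scan against it is ranked high, while the identical scan against the long-known web server stays low. That is the complementarity the transcript describes: the CASB sees outbound traffic, the CMDB sees what IT registered, and only the external view ties the third destination to nothing at all.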

Building ASM Capability with Tools, Techniques, and Procedures:

  • Open Source Tools: Begin with reconnaissance tools and open-source intelligence data to establish a baseline capability without significant investment.
  • Enterprise-Grade Automated Tools: Gradually transition to enterprise-grade tools that offer advanced features such as internet-wide scanning and automation.
  • Collaboration and Learning: Explore resources like Recon Village at events like DEF CON for insights into reconnaissance techniques, tools, and best practices.
  • Scaling the Program: Consider options for scaling the ASM program, including internal teams, consultants, or software-as-a-service (SaaS) solutions, based on organizational needs and resources.

 

Establishing an External Attack Surface Management capability is essential for modern cybersecurity practices. By leveraging appropriate tools, techniques, and procedures, organizations can effectively manage their external assets, mitigate risks, and enhance their overall security posture. Starting with open-source tools, gradually transitioning to enterprise-grade solutions, and fostering collaboration and learning are key steps in building a robust ASM capability that aligns with organizational goals and cybersecurity objectives.

Exploring the Complementary Nature of External Attack Surface Management in Cybersecurity

 

 In today's rapidly evolving cybersecurity landscape, the need for comprehensive defense strategies is more critical than ever. External Attack Surface Management (EASM) emerges as a crucial component, offering organizations valuable insights into their external vulnerabilities. In this blog post, we delve into how EASM complements existing security technologies and enhances overall defense posture.

  

 

 Here is the verbatim discussion:

...resource, so I highly encourage folks to go and learn about it. Thanks, Ed, for that; appreciate it. Anybody else have anything to add before I throw a few questions? Maybe we can get into the questions, considering we just have five minutes.

I'll just add something... no, I think I'm good too, so please go to the questions.

Cool. So here's a couple of questions, and they're at us from every aspect: from a business perspective, from a technology complement perspective and then from a technical perspective. So I'm going to just pick one, because I like this one the best. How does external attack surface management complement other security technologies? I like to use the term all the time: how do we help leverage total cost of ownership in an environment, right? Is EASM going in there to try to replace things, or is it something where you can create a technology integration? I'm an old guy; BASF used to have a commercial on TV, it was called "we don't make your speaker, we make it louder". So does EASM make your speaker louder or does it replace the speaker? I think it makes it louder, but I don't know; anybody answer that. How does EASM, in your mind... I'm going to throw this out to Tejas: how would this type of security offering, external attack surface management, complement other security tools that have been deployed?

So what I would take and say: compare it with something like digital risk protection. If you look at EASM, that focuses more on the discovery aspects; as was mentioned, primarily more on the recon side. Whereas something like digital risk protection provides you a 360-degree view; it also does a takedown. But EASM as it stands, like Paul you rightly mentioned in the BASF analogy, it's not replacing or taking away your speaker and creating a new one. It's not doing something which has not been done before; it's just possibly providing some method to the madness and organizing things better, so that we understand to treat the external attacks differently and the external assets differently in terms of the risk they bring to the table as compared to the internal.

So let me add to that a little bit. Thanks. Apart from a few of the key things which you mentioned, EASM complements a few of the aspects. For example, it complements the vulnerability management program, because a VM program is as good as the coverage of its assets, right? If you don't have the coverage of assets then it can't do a good job. So that's one. The second thing which it brings is the continuity. I mean, you can do reconnaissance as a consulting exercise using a team, using open source tools, but can you do that on an hourly basis? Can you do that on a daily basis? It's not possible, right? So it complements those programs by giving you the ability to do it on a continuous basis. And today if you look at the ransomware guys, the nation-state actors, they are doing it continuously, so we should also do it continuously. That's the second area where it complements. It also complements the red and blue teaming organization in a way, because it frees up a lot of their, maybe, I don't know, 80% of their bandwidth in terms of doing that same old stuff, so that can be given to automated tools and they can do the deeper and more complex stuff. So it can also augment your red teaming organization. It can also augment the SOC, like what I mentioned the last time, and the TI program; I'm not elaborating on that. So EASM does a few things which others don't do in certain ways, but then it also augments multiple of those internal security programs which already exist, which helps in the completeness and which also helps in the continuity, maybe not the depth. As Ed mentioned, EASM is more about the breadth, but for depth you need to go for pentesting and the other stuff. So it offers or complements many of these programs in terms of breadth of coverage and continuity.

That's great. And by the way, Paul, I know there are some more questions; I have a hard stop, so I would let Ed and Paul...

Yeah, I think that was a great way to end. I want to be respectful of everybody's time, all the attendees and all of our panelists. We very much appreciate everything you guys were able to do for us today. This was very interactive; we probably could go for five hours on this thing, but then we would all be asleep and eating our arms and stuff like that. But no, great job today, thank you all very much. Thank you to the attendees, Pulami behind the curtain, thank you for all of your participation and support. We'll see you all next week at the...

 

Highlights:

Enhancing Vulnerability Management: EASM complements traditional vulnerability management programs by providing a broader scope of assets to assess. It ensures that organizations have comprehensive coverage, enabling them to identify and remediate external vulnerabilities effectively.

Continuous Reconnaissance: Unlike periodic assessments, EASM enables continuous reconnaissance of external assets. This proactive approach aligns with the evolving tactics of threat actors, who continuously probe for weaknesses. By conducting regular reconnaissance, organizations can stay ahead of emerging threats and minimize risk exposure.

Augmenting Red and Blue Teaming: EASM frees up resources within red and blue teams by automating repetitive tasks associated with external reconnaissance. This allows teams to focus on more complex security challenges, such as threat hunting and response, thereby enhancing the overall effectiveness of the security operations center (SOC).

Comprehensive Security Strategy: EASM contributes to a holistic security strategy by complementing other security technologies and programs, such as threat intelligence (TI) and digital risk protection (DRP). It provides breadth of coverage and continuity, ensuring that organizations have a robust defense posture against external threats.

 

As organizations grapple with the evolving threat landscape, the role of EASM becomes increasingly pivotal in strengthening cybersecurity defenses. By providing continuous reconnaissance and comprehensive coverage of external assets, EASM enhances vulnerability management programs, augments red and blue teaming efforts, and contributes to a holistic security strategy. Embracing EASM as part of an integrated defense approach empowers organizations to proactively identify and mitigate external threats, ultimately safeguarding critical assets and data from cyber attacks.


The Evolution of Continuous Testing in Cybersecurity: From EASM to ASM

 

In the ever-changing landscape of cybersecurity, staying ahead of threats requires a proactive approach. Over the years, we've witnessed the rise of External Attack Surface Management (EASM) products, offering valuable insights into an organization's security posture. However, as threats evolve, so must our strategies. Enter the concept of continuous testing, a paradigm shift towards perpetual security validation and attack simulation. This article explores the evolution from EASM to the broader realm of Attack Surface Management (ASM), highlighting key trends and considerations.

 

 

Here is the verbatim discussion:

...continuously, right, because things are changing every day. What are your thoughts about taking that from what we've seen over the past number of years, some really good ASM and EASM products out there, to the concept of continuous testing as well? That's a biggie, right? And I'm using the word testing to be very generic on purpose: there's testing, there's red teaming, there's attacking, which again is the big red button that everybody's been afraid of forever. What are your thoughts on the evolution there? What are your clients saying to you about this kind of thing?

Yeah, so what I see as a growing trend: I do see things like attack simulation, hitting that big red attack button. I do think that's a natural extension for some of these EASM platforms. EASM is sometimes confused with BAS, or breach and attack simulation, but it should not be. Breach and attack simulation does not do that kind of scanning and reporting; what it does is continuous testing of security controls by automating simulated attacks, using techniques similar to those found in the MITRE ATT&CK framework, which I think we're going to be talking about a little bit later on. But BAS deployments historically are much more complex; they usually require some type of agent, or maybe multiple agents, to be installed in the corporate network. And BAS is still pretty immature in terms of its value versus other existing methods like internal vulnerability scanning and penetration testing. So I think the value of BAS in and of itself is still to be determined, and I see it being consumed within an attack surface management type of platform, maybe starting from the outside and then just kind of expanding naturally internally. I still think that attack surface management has a very, very long runway. Most of our clients still cannot accurately say how many assets they have, and it does change every single day. So we're presently trying to sell them on the concept of not just attack surface management but that perpetual, continuous, automated kind of red teaming and the value of it, because, well, let me put it this way: your infrastructure and endpoints are being tested continuously; your choice is whether you want to do it as well, because someone is already doing it, guaranteed. So I definitely see the trend of these platforms kind of merging, and I think EASM eventually might morph into ASM.

 

Highlights:

From EASM to ASM: EASM products have been instrumental in providing visibility into an organization's attack surface. However, the focus is shifting towards ASM, encompassing not only visibility but also continuous testing and validation.

Continuous Testing Paradigm: The traditional approach of periodic security assessments is no longer sufficient in today's threat landscape. Continuous testing involves automated simulated attacks, akin to those in the MITRE ATT&CK framework, to proactively identify and remediate vulnerabilities.

Breach and Attack Simulation (BAS): BAS solutions have emerged as a means to automate simulated attacks and validate security controls. While still maturing, BAS holds promise in augmenting traditional methods like internal vulnerability scanning and penetration testing.

Complexity vs. Value: BAS deployments historically entail complexity, often requiring the installation of agents across corporate networks. Despite this, the value proposition of BAS compared to existing methods is still evolving, prompting organizations to evaluate its efficacy.

 

The future of cybersecurity lies in embracing continuous testing and attack simulation as integral components of an organization's defense strategy. As EASM evolves into ASM, the emphasis shifts from static assessments to dynamic, real-time validation of security controls. By adopting a proactive approach to security, organizations can better mitigate risks and adapt to the ever-changing threat landscape. Continuous testing isn't just an option—it's a necessity in safeguarding digital assets against emerging threats.


Navigating the Challenges and Future Trajectory of Attack Surface Management

 

In the dynamic realm of cybersecurity, Attack Surface Management (ASM) emerges as a critical tool for organizations seeking to bolster their defenses against evolving threats. While ASM holds immense promise in enhancing security posture and mitigating risks, it grapples with a host of challenges that shape its trajectory and evolution within the cybersecurity landscape. In this blog, we explore the challenges, drawbacks, and future prospects of ASM as it navigates through the complexities of the digital age.

  

 

Here is the verbatim discussion:

...how regulation goes; it is so slow. I think this week, or maybe it was last week, the White House, the Biden administration, just released a mandate on, effectively, I can't remember the exact verbiage, but talking about IPv6 security and how you have to now consider it and secure it. How long has IPv6 been around? That's how long it's taken to get regulation on it, and it's not even law; it may not even be passed, they're just talking about it. So unfortunately, as much as I think ASM will benefit everybody, because think about all the major breaches in retail, insurance, finance, government; ASM probably could have reduced a lot of that, shrunk the blast radius considerably, which helps everybody, not just the vendors and not just the people implementing ASM to protect their infrastructure, but the consumers of those services. I don't see it becoming a regulatory requirement in the next decade.

Because it has become a hot new technology, but it's still kind of early days, not at the super mature stage, right? So what are those growing pains, what are the challenges which ASM as an industry is facing today, what are the bad sides? We talked about the good sides; let's also talk about some of the bad sides, and then we'll discuss a little bit about the future of ASM as an industry. So let's start with what are the bad sides, what are the challenges for ASM which you thought of discussing but we just missed as a part of the conversation; anything that comes to your mind before we conclude today? And also we don't have much time, but we could have also opened... Yeah, so there are some questions which are also there. We can take some of those questions. Yeah, let's do that.


Highlights:

Regulatory Lag and Slow Adoption: Despite its potential to enhance cybersecurity resilience, ASM faces a regulatory lag, with policymakers trailing well behind technological advancements. Recent government attention, such as the Biden Administration's mandate on IPv6 security (which, as the speakers note, is not yet law), highlights growing recognition of the problem ASM addresses, but regulatory enforcement remains slow and uncertain. This delay impedes widespread adoption and implementation of ASM practices, leaving organizations exposed to emerging threats.

Complexity and Integration Challenges: ASM solutions encounter complexity and integration challenges, particularly in heterogeneous IT environments. The diverse array of networks, applications, and infrastructure components complicates ASM deployment and management, leading to interoperability issues and operational inefficiencies. The need for seamless integration with existing security tooling and frameworks poses additional hurdles for organizations seeking to adopt ASM effectively.

False Positives and Alert Fatigue: A significant challenge for ASM is the prevalence of false positives and the alert fatigue they cause. A flood of alerts and notifications overwhelms security teams, leading to fatigue and desensitization to genuine threats. False positives diminish the efficacy of ASM solutions, undermine trust in their findings, and impede timely incident response and remediation.

Maturity and Industry Acceptance: While ASM holds promise as a foundational pillar of modern cybersecurity operations, it remains in its nascent stages of maturity. Industry acceptance and adoption vary, with some organizations recognizing the value of ASM while others remain hesitant to embrace new technologies. Bridging this gap requires concerted efforts to educate stakeholders, demonstrate ROI, and foster a culture of proactive risk management and security awareness.


As ASM continues to evolve and carve its niche within the cybersecurity landscape, it confronts challenges that shape its trajectory and future prospects. From regulatory hurdles and integration complexities to false positives and uneven industry acceptance, ASM navigates a terrain of both obstacles and opportunities. Despite these challenges, ASM remains a potent tool for enhancing cybersecurity resilience and mitigating emerging threats. By addressing these challenges, fostering collaboration, and embracing innovation, organizations can harness the full potential of ASM to safeguard their digital assets. As ASM matures, it holds the promise of reshaping cybersecurity practice, helping organizations stay ahead of adversaries and build secure, resilient digital ecosystems.


Speakers:

Chris Ray, a seasoned professional in the cybersecurity field, brings a wealth of experience from small teams to large financial institutions, as well as industries such as healthcare, financials, and tech. He has extensive experience advising and consulting with security vendors, helping them find product-market fit and deliver cybersecurity services.

Bikash Barai is credited with several innovations in the domain of Network Security and Anti-Spam Technologies and holds multiple patents with the USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at forums such as TiE, RSA Conference USA, and TEDx.

Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and is now part of Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/
