Here’s a capability matrix that organizations can refer to when evaluating potential attack surface management (ASM) or external attack surface management (EASM) vendors.
Capability Matrix for Evaluating EASM Vendors
| Capability | Key Questions to Ask |
|---|---|
| 1. Asset Discovery | What types of assets do you cover (e.g., servers, cloud services, IoT devices)?<br>How frequently is the asset database updated?<br>Can your solution discover both on-premises and cloud-based assets? |
| 2. Vulnerability Assessments | Do you perform vulnerability scanning and assessment of discovered assets?<br>Do you provide custom scanning options? |
| 3. Risk Prioritization | Do you prioritize risks based on severity?<br>Do you provide actionable insights for prioritization? |
| 4. False Positive & False Negative Management | Do you use both passive and active reconnaissance?<br>How do you validate discovered risks? |
| 5. Continuous Monitoring | How frequently do you monitor the attack surface for changes?<br>What types of alerts do you provide? |
| 6. Remediation Guidance | Do you provide detailed remediation steps for discovered vulnerabilities? |
| 7. Reporting and Analytics | What types of reports can your solution generate?<br>Do you offer visual analytics or dashboards? |
| 8. Third-Party Integration | Which third-party tools can your EASM solution integrate with?<br>Do you support automated ticket creation in incident management systems? |
| 9. Managed Services Support | Do you have a team to support or help with setup?<br>What ongoing support do you offer? |
| 10. Pricing Model | What are the costs associated with your solution, including any hidden fees?<br>What is your policy on contract length and renewal? |
This capability matrix gives organizations a structured way to evaluate EASM vendors, keeping the focus on the capabilities that most affect their security posture. By asking these questions, organizations can choose a solution that fits their needs, budget, and strategic goals for reducing cyber risk.
Here is an interesting blog on What to Ask a Vendor While Selecting an External Attack Surface Management (EASM) Vendor.