
Staying ahead of threats requires a proactive approach, and that approach has to keep pace with an attack surface that changes every day. Over the past several years, External Attack Surface Management (EASM) products have matured, giving organizations valuable visibility into what they expose to the internet. Visibility alone is not enough, however. The next step is continuous testing: a shift toward perpetual security validation and attack simulation rather than point-in-time assessments. This article explores the evolution from EASM to the broader discipline of Attack Surface Management (ASM), highlighting key trends and considerations.

 

 

Here is the discussion (transcript lightly cleaned for spelling and punctuation):

...continuously, right? Because things are changing every day. What are your thoughts about taking that from what we've seen over the past number of years, some really good ASM and EASM products out there, to the concept of continuous testing as well? So that's a biggie, right? And I'm using the word "testing" to be very generic on purpose. There's testing, there's red teaming, there's attacking, which again is the big red button that everybody's been afraid of forever. What are your thoughts on the evolution there? What are your clients saying to you about this kind of thing?

Yeah, so what I see as a growing trend: I do see things like attack simulation, hitting that big red attack button. I do think that's a natural extension for some of these EASM platforms. EASM is sometimes confused with BAS, or breach and attack simulation, but it should not be. Breach and attack simulation does not do that kind of scanning and reporting. What it does is continuous testing of security controls by automating simulated attacks, using techniques similar to those found in the MITRE ATT&CK framework, which I think we're going to be talking about a little bit later on. But BAS deployments historically are much more complex; they usually require some type of agent, or maybe multiple agents, to be installed in the corporate network. And BAS is still pretty immature in terms of its value versus other existing methods, like internal vulnerability scanning and penetration testing. So I think the value of BAS in and of itself is still to be determined, and I see it being consumed within an attack surface management type of platform, maybe starting from the outside and then expanding naturally internally. I still think that attack surface management has a very, very long runway. Most of our clients still cannot accurately say how many assets they have, and it does change every single day. So we're presently trying to sell them on the concept of not just attack surface management but that perpetual, continuous, automated kind of red teaming, and the value of it. Because, let me put it this way: your infrastructure and endpoints are being tested continuously. Your choice is whether you want to do it as well, because someone is already doing it, guaranteed. So I definitely see the trend of these platforms kind of merging, and I think EASM will eventually, or might, morph into ASM.

 

Highlights:

From EASM to ASM: EASM products have been instrumental in giving organizations visibility into their internet-facing attack surface. The focus is now shifting toward ASM, which encompasses not only that visibility but also continuous testing and validation of the controls protecting those assets.

Continuous Testing Paradigm: Periodic assessments alone are no longer sufficient, because the attack surface changes every day and an adversary is already probing it. Continuous testing runs automated simulated attacks, built from techniques such as those catalogued in the MITRE ATT&CK framework, to validate security controls and surface exposures before someone else does.

Breach and Attack Simulation (BAS): BAS solutions automate simulated attacks to validate security controls. They are distinct from EASM, which scans and reports on exposed assets rather than testing controls; the speakers expect BAS to be absorbed into ASM platforms over time, starting from the outside and expanding inward.

Complexity vs. Value: BAS deployments have historically been complex, often requiring one or more agents to be installed across the corporate network, and their value relative to existing methods such as internal vulnerability scanning and penetration testing is still being established. Organizations should evaluate BAS against those methods rather than assume it replaces them.
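The loop the highlights describe, as an added example that is not part of the original post or any product mentioned in it: two EASM-style inventory snapshots are compared, every new or worsened exposure becomes a finding, and findings that map to an ATT&CK technique are queued as the validation tests a BAS runner would execute next. The snapshots, the host names, the 14-day certificate threshold and the port-to-technique mapping are all constructed assumptions (the technique IDs T1110, T1133 and T1190 are real ATT&CK entries); the queue describes what to test and does not run any attack.

```python
"""Continuous attack-surface validation loop (constructed example).

Compares two inventory snapshots, turns every new or worsened exposure
into a finding, and maps findings to the validation tests (tagged with
MITRE ATT&CK technique IDs) that a BAS runner would execute next.
"""
from dataclasses import dataclass
from typing import Optional
import json

# Constructed snapshots: what an external scan might return on two consecutive days.
SNAPSHOT_DAY1 = json.loads("""[
  {"host": "www.example.com", "ip": "203.0.113.10", "ports": [443], "tls_expiry_days": 90},
  {"host": "vpn.example.com", "ip": "203.0.113.20", "ports": [443, 500], "tls_expiry_days": 40}
]""")
SNAPSHOT_DAY2 = json.loads("""[
  {"host": "www.example.com", "ip": "203.0.113.10", "ports": [443, 22], "tls_expiry_days": 89},
  {"host": "vpn.example.com", "ip": "203.0.113.20", "ports": [443, 500], "tls_expiry_days": 12},
  {"host": "staging.example.com", "ip": "203.0.113.30", "ports": [80, 3389], "tls_expiry_days": null}
]""")

CERT_WARN_DAYS = 14  # assumption: certificates within two weeks of expiry are flagged

# Assumed mapping from an exposed service to the ATT&CK technique a BAS runner
# would simulate against it. The technique IDs are real; the mapping is ours.
PORT_TESTS = {
    22: ("T1110", "Brute Force against SSH"),
    80: ("T1190", "Exploit Public-Facing Application over cleartext HTTP"),
    443: ("T1190", "Exploit Public-Facing Application"),
    500: ("T1133", "External Remote Services (IPsec VPN)"),
    3389: ("T1110", "Brute Force against RDP"),
}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str                 # new_host | new_port | cert_expiring | removed_host
    detail: str
    port: Optional[int] = None
    technique: Optional[str] = None


def _by_host(snapshot):
    return {asset["host"]: asset for asset in snapshot}


def diff_snapshots(old, new):
    """Return exposures that appeared or worsened between two scans."""
    before, after = _by_host(old), _by_host(new)
    findings = []
    for host, asset in after.items():
        is_new = host not in before
        prev_ports = set() if is_new else set(before[host]["ports"])
        for port in sorted(set(asset["ports"]) - prev_ports):
            tech, desc = PORT_TESTS.get(port, (None, "unmapped service"))
            findings.append(Finding(host, "new_host" if is_new else "new_port",
                                    f"{port}/tcp: {desc}", port, tech))
        days = asset.get("tls_expiry_days")
        prev_days = before.get(host, {}).get("tls_expiry_days")
        # only report a certificate once it crosses the threshold, not on every run
        if days is not None and days <= CERT_WARN_DAYS and (prev_days is None or prev_days > CERT_WARN_DAYS):
            findings.append(Finding(host, "cert_expiring", f"TLS certificate expires in {days} days"))
    for host in sorted(before.keys() - after.keys()):
        findings.append(Finding(host, "removed_host", "no longer observed; confirm it was decommissioned"))
    return findings


def build_test_queue(findings):
    """Order the ATT&CK-mapped validation tests a BAS runner should execute first."""
    def priority(f):
        # credential attacks on brand-new hosts first, then other new-host tests,
        # then changes on hosts that were already known
        return (f.technique != "T1110", f.kind != "new_host", f.host, f.port)
    return [
        {"host": f.host, "port": f.port, "technique": f.technique, "test": f.detail}
        for f in sorted((f for f in findings if f.technique), key=priority)
    ]


def summarize(old, new):
    """One-run report: inventory drift plus what was queued for validation."""
    findings = diff_snapshots(old, new)
    queue = build_test_queue(findings)
    return {
        "assets_before": len(old),
        "assets_after": len(new),
        "new_hosts": sorted({f.host for f in findings if f.kind == "new_host"}),
        "findings": len(findings),
        "queued_tests": len(queue),
        "hygiene_only": [f.detail for f in findings if f.technique is None],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SNAPSHOT_DAY1, SNAPSHOT_DAY2), indent=2))
    for test in build_test_queue(diff_snapshots(SNAPSHOT_DAY1, SNAPSHOT_DAY2)):
        print(f"{test['technique']}  {test['host']}:{test['port']}  {test['test']}")
```

Running it on the two constructed snapshots queues three tests, with the RDP exposure on the previously unknown staging host first; the expiring VPN certificate is reported as a hygiene item because no attack simulation maps to it. In practice the snapshots would come from the EASM scanner, the queue would be handed to the BAS runner, and the run would be scheduled as often as the inventory changes, which the speakers note is daily.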

 

The future of cybersecurity lies in embracing continuous testing and attack simulation as integral components of an organization's defense strategy. As EASM evolves into ASM, the emphasis shifts from static assessments to dynamic, real-time validation of security controls. By adopting a proactive approach to security, organizations can better mitigate risks and adapt to the ever-changing threat landscape. Continuous testing isn't just an option—it's a necessity in safeguarding digital assets against emerging threats.

 

 

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

 

Ed Adams is a seasoned software quality and security expert with over two decades of industry experience. As CEO of Security Innovation and a Ponemon Institute Research Fellow, Ed is renowned for his contributions to advancing cybersecurity practices. With a diverse background spanning from engineering for the US Army to senior management positions in leading tech companies, Ed brings a wealth of expertise to the table.

https://twitter.com/appsec

https://www.linkedin.com/in/edadamsboston

 

Paul DiBello, based in Duxbury, MA, US, is currently Senior Vice President, Global Business Development at ShadowDragon, bringing experience from previous roles at FireCompass, R9B, Virtru Corporation and iSIGHT Partners - A FireEye Company. Paul DiBello holds a 1986 - 1990 Bachelor of Arts (BA) in Economics @ Princeton University. With a robust skill set that includes Software, Sales, Project Management, Development, Operations and more, Paul DiBello contributes valuable insights to the industry.

https://www.linkedin.com/in/pauldibello11

 

Tejas Shroff, based in Boston, MA, US, is currently a Software Engineer at Tangle, bringing experience from previous roles at Aperion Studios, XPO Logistics, Inc., Oculus VR and Beach Day Studios. Tejas Shroff holds a 2019 - 2019 UX Design Immersive in Design & User Experience @ General Assembly. With a robust skill set that includes Leadership, Social Networking, Start Ups, Social Media, Teamwork and more, Tejas Shroff contributes valuable insights to the industry.

https://www.linkedin.com/in/tejasshroff
