Welcome, everyone, to a riveting exploration of External Attack Surface Management (EASM) and its pivotal role in modern cybersecurity. As we navigate the ever-evolving digital landscape, it's imperative to understand the genesis of EASM and the critical problem it aims to solve. Today, esteemed industry leaders will shed light on the evolution of hacking methodologies, the emergence of new vulnerabilities, and the profound impact of decentralization on organizational security. Let's embark on a journey to unravel the complexities of EASM and its significance in mitigating risks and fortifying cyber defenses.

Here is the verbatim discussion:

also to uh kind of add to that so let me start with what is esm and what problem does it solve or rather let me start with the problem first so um I remember um I mean if you go back like two decades um I had been there in the industry I mean since probably couple of decades so if I look at the way the hacking landscape has kind of changed over a period of time so it went through a lot of interesting phases so there were times when the hacking used to happen more through compromise of the network level vulnerabilities then came a phase where application Level vulnerabilities took over and then a little bit later something very strange happened when the industry went through like two decades of vulnerability assessment penetration testing and all this super cool stuff we started seeing some strange stuff happening in last few years and I'll give you an example one of the strange St stuff is like one of the topmost names in the financial services companies got compromised because they had a open database without any password and I have very high respect for these guys they're great folks they have got great tools and team so the question is like why did that happen why did they com get compromised because they have they had no password for the database I mean that doesn't sound obvious or or something which is normal or common right so if you look at this as an issue there's something new which got started in last four five six years or last three four five years and that new thing that got started is that unlike say five six years before when any thing that had to go online had to go through the central it team anybody and everybody couldn't create things and make it go live online you had to go through the IT team it was difficult but today fast forward today marketing team can create things on their own and make it go live the projects team can create something on their own cloud guys devops guys can create things on their own we're talking about a agile world decentralized world so all of a sudden what has happened is this central control of the assets that goes online and the central visibility of your asset inventory all of a sudden went for a toss and that is the reason why we see a lot of these apparently strange compromises which looks like this great company got compromised because they had this simple vulnerability obviously those great companies wouldn't kind of miss out something like that and that happened with this specific FSI organization where this particular database was made online by their marketing team so this is a new problem which was not there five six years back because at that point in time things were tightly controlled and it was difficult to take things online so because of this problem I I kind of talk about like there are two kinds of compromises which I see one kind of compromise is because of uh nails and the other is because of nuclear weapons and let me explain that what do I mean so I remember during my childhood days we used to I mean or I read this poem about for want of a nail the shoe was lost and for want of a shoe the horse was lost and for want of a horse the general was lost and for one of a general the leader the the battle was lost so something like that so it's a small sorry I kind of started it wrong for want of a nail the shoe was lost so you start with a nail and because of a missing nail the Battle Is Lost and that kind of compromises are happening some small misconfiguration somewhere which is causing a large organization to get breached and many of those are like Shadow it unknown assets um which are not known to the organization and then there are others which are nuclear weapons kind of stuff which is um zero day attacks I me those are very rare very rarely somebody gets compromised because of a zero day or a very complex multi-stage attack so those are more like nuclear weapons so most of the battles are lost not because of a nuclear bomb being deployed it is lost because of a nail and that nail those small issues which are there in the attack surface this is kind of proliferating in in a bad very very big way so how do we then manage that so managing our external attack surface managing uh those small things out there which can cause a big breach so this became a problem of today which was not there five six years back and today because of remote working and because of all these uh digital transformation Cloud Etc it's just going to get worse and that is the reason why esm came into being esm got coined as a word by Gartner Gartner um call CM as external attack surface management so that you I mean the idea is about getting a visibility of all the assets that you have knowing what's your attack surface like what are the risk associated with that uh and doing it at a scale earlier or even now there are different other analysts who call it attack surface management but Gartner created this new market called external attack surface management which only focuses on the external attack surface and not the internal so that's a kind of brief Genesis uh brief or long Genesis and the reason behind why esm came into being so i would let probably ed tejas all you guys add more.

Highlights:

Understanding the Problem:

• Reflecting on the evolving hacking landscape over the past two decades, from network-level compromises to application vulnerabilities.
• Highlighting the emergence of new challenges stemming from decentralization, where non-IT teams can deploy assets without centralized control, leading to unforeseen vulnerabilities.

The Nail vs. Nuclear Weapons Analogy:

• Drawing parallels between minor misconfigurations (nails) and catastrophic zero-day attacks (nuclear weapons) as the root causes of breaches.
• Emphasizing the prevalence of breaches due to small oversights in the attack surface, underscoring the need for meticulous external attack surface management.

Introduction to EASM:

• Tracing the origins of EASM, coined by Gartner as a specialized focus on managing the external attack surface.
• Exploring the core objective of EASM: gaining visibility into all external assets, assessing associated risks, and proactively addressing vulnerabilities at scale.

In conclusion, the emergence of External Attack Surface Management marks a paradigm shift in cybersecurity strategies, necessitated by the complex interplay of decentralized deployment practices and evolving threat landscapes. By embracing EASM principles, organizations can proactively manage their external attack surfaces, mitigate risks, and safeguard against potential breaches. Today's discussion serves as a beacon of insight into the evolving cybersecurity landscape and underscores the imperative of robust EASM practices in safeguarding digital assets. Thank you for embarking on this enlightening journey with us.

Speakers:

Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

https://twitter.com/bikashbarai1

https://www.linkedin.com/in/bikashbarai/

Ed Adams, a seasoned software quality and security expert with over two decades of industry experience. As CEO of Security Innovation and a Ponemon Institute Research Fellow, Ed is renowned for his contributions to advancing cybersecurity practices. With a diverse background spanning from engineering for the US Army to senior management positions in leading tech companies, Ed brings a wealth of expertise to the table.

https://twitter.com/appsec

https://www.linkedin.com/in/edadamsboston

Paul Dibello, based in Duxbury, MA, US, is currently a Senior Vice President Global Business Development at ShadowDragon, bringing experience from previous roles at FireCompass, R9B, Virtru Corporation and iSIGHT Partners - A FireEye Company. Paul DiBello holds a 1986 - 1990 Bachelor of Arts (BA) in Economics @ Princeton University. With a robust skill set that includes Software, Sales, Project Management, Development, Operations and more, Paul DiBello contributes valuable insights to the industry.

https://www.linkedin.com/in/pauldibello11

Tejas Shroff based in Boston, MA, US, is currently a Software Engineer at Tangle, bringing experience from previous roles at Aperion Studios, XPO Logistics, Inc., Oculus VR and Beach Day Studios. Tejas Shroff holds a 2019 - 2019 UX Design Immersive in Design & User Experience @ General Assembly. With a robust skill set that includes Leadership, Social Networking, Start Ups, Social Media, Teamwork and more, Tejas Shroff contributes valuable insights to the industry.

https://www.linkedin.com/in/tejasshroff