If there's one certainty in life for CISOs it is that when it is time to buy into a new or consolidating security technology niche, they're going to have to eat their fair share of alphabet soup. Tech analysts and marketers do love their acronyms after all. We've got our SIEMs, our SOCS, and our MFAs and MDRs to prove that one out.
So, it should come as no surprise that security's newest patch of hotly-contested real estate—exposure management—is now awash in 'market defining' acronyms. We've got external attack surface management (EASM), continuous attack surface management (CASM), just plain ASM, and now from Gartner, continuous threat exposure management (CTEM). Add to that mix the overlapping and adjacent tech areas like cloud native application protection platforms (CNAPP) and application security orchestration and correlation (ASOC), and the category definition for exposure management becomes about as clear as mud for security pros trying to build out their security stack.
But the fundamental driving force behind exposure management doesn't need to be so confusing once we wade through the acronyms and get to the heart of things. Exposure management is bubbling up to serve the security team's need for better visibility into the state of assets that goes beyond the rudimentary CVEs of traditional vulnerability management.
CISOs want that clear visibility for their team so they can proactively act to improve that state. And they also want it so they can prove to the board that these actions are meaningfully reducing risk.
Market Confusion Is Natural In An Evolving Security Niche
Of course, there are many ways to slice that visibility onion from a technology perspective. And that's where a lot of the confusion about exposure management has set in. It's just a natural consequence of tech evolution and consolidation, explains John Bambenek, a longtime cybersecurity practitioner and president of Bambenek Consulting, LTD.
"The reason that it is a hard market to define is because how we are using technology is shifting rapidly, and a lot of vendors are applying point solutions to solve very specific parts of this problem," he explains. "There is nothing inherently wrong with that, but it means we haven’t settled on a consensus, which takes a longer time to achieve than the time it takes to deploy a new technology paradise."
All of the experimentation in various exposure management products is driven by the new realities of how infrastructure is deployed today compared to a couple decades ago, he explains.
"Twenty years ago, you could use a vulnerability scanner because all of your infrastructure was on premises, and you had to worry about network-based attacks. In a cloud-first world you have an entirely different set of risks to worry about. For instance, no vulnerability scanner is going to protect you against your private source code being put in a public repository with secrets," Bambenek says. "Shadow IT is also another manifestation of this problem."
The Essentials For Understanding Exposure Management
In most instances the various vendors in the exposure management market are iterating on one of the oldest security niches around—specifically vulnerability management.
"Exposure management is in some ways just a new spin on vulnerability management," says Derek Vadala, chief risk officer for Bitsight, who explains that the earliest contenders in this field were not that much more differentiated from vulnerability scanners. "The first iteration of attack surface management, you were essentially saying, 'What do I have exposed to the internet?' Those internet exposed resources have vulnerabilities which stem from a variety of issues, including everything from 'I didn't configure them correctly,' to 'There was a software update and it's got some hairy vulnerability now;' all the classic things vulnerability scanners might pick up."
At the start, exposure management may well have been just a warmed over repackaging of vulnerability management marketing—and for some vendors it still may be this way--explained Erik Nost, senior analyst at Forrester, in a recent post that warns the category can lend itself to an emperor with no clothes situation for some products. As various vendors continue to roll out new iterations of exposure management products, a couple of key differentiators are coalescing between those and traditional vulnerability management tooling, he says. Chief among them is risk-based prioritization of remediation.
"We do not see exposure management as a magic bullet for solving a vulnerability risk management team’s common challenges," Nost writes. "There is one challenge, however, that exposure management is uniquely positioned to address: prioritization."
A recent analysis from KuppingerCole on the ASM market concurs, with prioritization named as one of the five most important functions of products in this market. Per the report:
Sometimes vulnerabilities marked as critical may not be the highest risk, depending on customer exposure and business context; therefore, those vulnerabilities may receive a lower risk rating. This helps security teams more effectively prioritize remediation efforts based on risk severity, specific customer asset exposure, potential impact, and available resources. Determining priorities for action is an essential built-in function for ASM solutions.
Bolstering risk-based prioritization is not just a matter of adding in new sources of contextual data to the analysis, but also layering continuous and automated discovery of new assets and new exposures to the telemetry as well.
"I don't think all attack surface management platforms have that," explains Vadala. "A lot of them you have to hydrate so to speak. You've got to put your IP blocks, you've got to put your digital assets, you've got to put your domains into the system. But the more advanced systems have this concept of automatically detecting new assets that belong to you."
The real-time nature of exposure management is key, agrees Joe Sechman, principal of offensive security solutions at Coalfire, a security advisory and assessment consultancy. He believes that the goal shouldn't be to usurp or supplant vulnerability management, but to augment it so that security teams can act earlier to fix the riskiest assets before problems arise.
"With a better understanding of how an attack surface changes over time and enriching that data with near real time insights, we can improve our ability to recognize patterns and behaviors earlier - ideally before an exposure becomes a full-fledged vulnerability or exploit," he says.
How CISOs Should Be Evaluating Exposure Management Vendors
That brass ring of proactivity has launched many a new security category, but this one has room to mature into something substantial, says Nost. He and his colleagues at Forrester predict that all major security portfolio and SecOps vendors will have an exposure management offering in the next year, alongside vendors that already support standalone portfolios.
While the marketers and analysts duke it out on exactly how to define the market and race to come up with new acronyms, consultants and practitioners say that security leaders should focus on functionality and what the results would really look like in the hands of their security team.
"As a CISO, I would keep a finger on the pulse of what’s new and exciting, but, most importantly, maintain a clear picture of your organization's pain points and how these solutions help ease said pain," says Sechman. "To succeed, exposure management solutions must deliver results - ideally, a better understanding by the organization of their assets, attack surface, and the risks represented therein. This will arm practitioners with the ability to uncover and remediate exposures faster, which, ultimately, should result in fewer vulnerabilities, fewer breaches, and a more resilient attack surface.”