Is outsourced Attack Surface Management right for your business?


As attack surfaces get more complicated, many organizations are investing in formalized processes of external asset management. Such processes can be difficult to design in-house and tend to increase the workload of security analysts. But can an outsourced solution help organizations overcome these problems? Here we examine a few of the reasons that organizations are turning to managed solutions. 

The SaaS approach

The market for Attack Surface Management (ASM) solutions is still relatively fresh. Until recently, early adopters of the idea had little choice but to build their own attack surface management strategy around a SaaS solution. Existing SaaS tools often have powerful asset discovery capabilities and are designed to integrate into SOAR or SIEM platforms. These solutions can provide a great foundation around which a security operations team can build their internal management processes to validate assets, discard false positives, and prioritize the remediation of vulnerabilities.

Is there an alternative to SaaS ASM solutions?

While SaaS is the right choice for some, there are many organizations that have neither the time nor the inclination to invest in the processes needed to support and use SaaS tools. 

Increasing numbers of vendors are now offering ASM as a managed service. This means that the service is run by humans (ideally with a background in offensive security testing) who present results back to their client in the form of insights, rather than lists.

When should you consider outsourcing ASM?

Here are a few situations in which your organization might consider outsourcing its attack surface management:

1. You need world class capability, fast

Maybe you’ve just acquired a new business and you’ve got no idea how big their external footprint is. Alternatively, your organization has been acquired, and your new owners are making strategic demands. Perhaps you need to show rapid improvement to a board following a serious breach. Whatever your reason, you need seriously good attack surface management, and you need it now. 

Building your own capability takes time. You need to integrate systems, train analysts, and devise processes for sorting vulnerabilities before you can start the work of decommissioning or fixing assets.

A good managed service can take you from zero to 100 immediately, while guiding your remediation work with expert human advice.  

2. You want to reduce your operational complexity

Cyber security operations can get really complex. A CISO once described the process to us as like ‘building a spaceship on the back of another spaceship in orbit,’ and the image has always stuck. 

Maybe you already have too many tools and you’re simply not seeing a good return on investment. Or maybe your analysts are swamped by alerts, and you don’t want to burden them further with endless lists. A managed service can give you access to results without a corresponding increase in organizational complexity. Long term, this gives you the flexibility to change or alter your approach.

3. You want the attacker’s advantage 

It’s easy to dismiss the cliched saying that attackers think in graphs and defenders in lists, but when it comes to managing an external attack surface, this matters. To effectively prioritize perimeter vulnerabilities, you need to think like an attacker who cares only about how they can use assets to gain entry. A good outsourcer will achieve this by staffing its managed service with experienced red teamers, leaving your blue team free to do what they do best.

4. You want to extend the capacities of your team with specialist knowledge

The experts running a good managed service will be able to act in an advisory role, providing insight and contextualizing the data you receive.

Furthermore, you should be able to work with your partner to achieve the outcomes that your business needs. This might mean using their service as an extension of your own strategic goals (for example, directing their hunts to search for specific vulnerabilities that match your risk concerns), or asking them to take initiative to proactively manage your attack surface on the basis of the latest threat intelligence. 

So, do you need a managed ASM service?

Outsourcing can be the right option for both cyber mature organizations, and for those who are just beginning their security journey. For the cyber mature, it can help reduce the complexity of a security operations center that is already large enough. For those with fewer in-house resources, it can be a way of quickly accessing gold-standard outcomes.

Ultimately, this is about making a choice about what you want your people to focus on, and about which processes you can efficiently design in-house. 

Reading time: 5 min
Nick Evans

Research Analyst