Team Cymru recently surveyed 440 security practitioners in the US and Europe. Each security professional queried works for a company that currently uses an ASM platform. These practitioners were able to provide first-hand knowledge about the benefits and drawbacks of ASM tools today. They shared what works well and what needs improvement about their tools.
The Team Cymru State of Attack Surface Management Report covers multiple aspects of ASM. With over 30 questions, it illuminates everything from why organizations deploy ASM solutions, to their experience, and how they would like to use ASM solutions in the future.
A critical finding of this report indicates that integration with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) technologies is essential. In fact, integration with SIEM/SOAR is the most sought-after capability for an ASM solution.
Survey participants were asked to suppose they were evaluating a new ASM solution and rank the features and capabilities they would insist on most. A plurality of respondents (34.1) said the ability to integrate with SIEM/SOAR technologies is the most important aspect they want in a new ASM platform.
Why integrating ASM with SIEM/SOAR technologies is crucial
ASM allows an enterprise to continuously discover, monitor, evaluate, prioritize, and remediate attack vectors. It approaches threat detection and vulnerability management from the attacker’s perspective, permitting security teams to protect known assets and rogue components.
A SIEM provides a means of searching and analyzing security data using analytics to generate alerts and present different views of the information to the analyst. SOAR solutions speed up the response to an attack by automating the incident detection and response process.
ASM, SIEM, and SOAR working in concert is the organization’s best hope of meeting the 1/10/60 rule. To detect an attack within one minute, understand it in 10 minutes, and contain it within 60 minutes is not possible with a SIEM alone. It requires the 360° view and risk-based prioritization provided by ASM and the automated incident detection and response from SOAR.
Conclusion
The State of Attack Surface Management Report found that users who cannot now automate and integrate are moving away from their current ASM vendor. Survey questions about which capabilities are most crucial support the premise that making risk-based security decisions and having confidence in asset mapping and classification along with the ability to integrate with essential SIEM and SOAR functionality are must-have capabilities.
Other sought-after aspects of ASM are dynamic risk and reputation scoring and the ability to inventory and classify IT assets. Survey respondents ranked these as the most important at 30.5% and 30.2%, respectively.
The message conveyed by Team Cymru’s survey is loud and clear: many security leaders do not feel their current ASM solution provides value to the security organization. More robust ASM capabilities, including integrating with SIEM/SOAR technologies, are what organizations need to meet the security challenges of modern threats.
