Since publishing my first report on attack surface management (ASM), Find And Cover Your Assets With Attack Surface Management (one of my favorite titles to date), the market has taken off in a number of different directions and developed several flavors — and acronyms. Forrester defines ASM overall as follows:

The process of continuously discovering, identifying, inventorying, and assessing the exposures of an entity’s IT asset estate.

As I said in the report, ASM is a process and should be a program within your organization that brings together multiple stakeholders — like security and risk, infrastructure and operations, application development, privacy, compliance, and marketing to name a few. These functions are often at odds on issues related to shadow IT, vulnerability management, and compliance. They would also benefit from a shared view of the vulnerabilities, misconfigurations, and other exposures ASM can bring to light. The ASM process and the decisions made by this fusion matrix organization are best enabled by an ASM tool. That’s where the acronyms come in. Here’s what I’m seeing in the market currently:

  • EASM (external attack surface management): a tool or capability that continually scans for, discovers, and enumerates unknown internet-facing assets, establishes the unique fingerprints of discovered assets, and identifies various exposures. Companies in this space include Cycognito, Palo Alto Networks Cortex Xpanse, and Randori.
  • CAASM (cyber asset attack surface management): a tool or capability that delivers unified visibility across all known assets (internal, external, cloud, on-premises) for better identification of vulnerabilities and insufficient security controls. Companies in this space include Axonius, JupiterOne, and Noetic Cyber.
  • AASM (application or API attack surface management): a flavor that is just emerging and something my colleagues Sandy Carielli and Janet Worthington will be keeping an eye on. Essentially, the ASM process is applied specifically to the discovery of rogue APIs as well as vulnerabilities and violations across the application software stack. Companies in this space so far include Data Theorem and Edgescan.

I could easily add an “M” as the first letter to any of the above acronyms, as I’m seeing more providers offering managed services around these tools to help security, IT ops, and development teams better prioritize remediation efforts. And there’s a bigger convergence story to be told with ASM. Stay tuned for research from Jeff Pollard and me on that.

Kicking Off The Forrester EASM Landscape

In my conversations with security leaders, the discovery of unknown assets, cloud misconfigurations, expired certificates, and other exposures is where they’re finding the most immediate value in ASM tools. One security pro at a European online retailer told us that their EASM tool found a full 50% more assets than he and his team thought they had! It’s time to take a closer look at the EASM tool market — both standalone solutions and capabilities in larger security platforms or services — so I’m kicking off a Forrester Landscape report (formerly the Now Tech) in the next two weeks.

The Landscape report helps Forrester clients understand, identify, and shortlist the vendors that align with their most critical business technology issues. As part of the research, I’ll identify the EASM market’s value proposition, top use cases, and top vendors.

Are you working with a great EASM tool? Do you value the EASM capabilities in a specific security platform or service portfolio? Please reach out and tell me your story!