This GigaOm Research Reprint Expires: Feb 28, 2023

GigaOm Radar for Attack Surface Management v1.0

1. Summary

The difficulties and challenges of rapid digital growth, cloud adoption, and sprawling public internet space create a bonanza of opportunities for attackers. Organizations are unable to accurately identify their rapidly changing attack surface and vulnerabilities. Compounding this problem is the lack of visibility into the risks presented by the dynamic nature of the attack surface. In response, attack surface management (ASM) provides value through continuous discovery and insight into an organization’s attack surface.

Before going further, it is important to define a few key concepts that allow us to better understand ASM. The “attack surface” includes all of your public-facing services, APIs, applications, IPs, domains, certificates, and infrastructure regardless of the host type (VM, container, bare metal) or location (on-premises or cloud). ASM takes the attack surface (“AS”) and builds a proper management process (“M”) around it. This includes automated asset discovery and tracking of asset details. Adding this “M” to the “AS” gives us ASM.

An organization’s attack surface is a dynamic object. It can change daily, if not more often. Tracking these changes in an automated fashion is key for an ASM solution. But simply knowing the entirety and composition of the attack surface is not sufficient. Enumerating the types of assets in your attack surface and the severity of those risks, then helping teams prioritize and remediate those risks efficiently, rounds out the value proposition that an ASM solution creates.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
  • Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
  • GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
  • Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.

2. Market Categories and Deployment Types

For a better understanding of the market and vendor positioning (Table 1), we assess how well solutions for ASM are positioned to serve specific market segments.

  • Small enterprise: In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Solutions in this category will provide simplified cost structures that make ASM achievable for small security budgets.
  • Mid-market and large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category will have a strong focus on flexibility, performance, data services, and features that improve security and data protection. Scalability is another big differentiator, as is the ability to deploy the same service in different environments.

In addition, we recognize just one deployment model for solutions in this report: cloud-only.

  • Cloud-only solutions: Available only in the cloud. Often designed, deployed, and managed by the service provider, they are available only from that specific provider. Because the data collected during ASM operations is taken entirely from the attacker’s perspective, ASM solutions do not have an on-premises, private cloud, or other required component.

Table 1. Vendor Positioning

Market Segment: Small Enterprise | Mid-Market and Large Enterprise
Deployment: Cloud-Only Solutions

Bishop Fox
Censys
Cyberint
CyCognito
FireCompass
ImmuniWeb
LookingGlass
Palo Alto Networks
RiskIQ
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent

3. Key Criteria Comparison

Building on the findings from the GigaOm report, “Key Criteria for Evaluating ASM,” Table 2 summarizes how each vendor included in this research performs in the areas that we consider differentiating and critical in this sector. Table 3 follows this summary with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each of them will have on the organization. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.

Table 2. Key Criteria Comparison

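Key Criteria

| Vendor | Flexible Asset Discovery | Active Assessment | False Positive Management | Investigation Functionality | Risk Scoring | Asset Categorization |
|---|---|---|---|---|---|---|
| Bishop Fox | 3 | 2 | 2 | 2 | 2 | 3 |
| Censys | 3 | 1 | 2 | 1 | 2 | 2 |
| Cyberint | 2 | 2 | 3 | 1 | 2 | 1 |
| CyCognito | 2 | 3 | 2 | 1 | 2 | 2 |
| FireCompass | 3 | 3 | 2 | 1 | 1 | 2 |
| ImmuniWeb | 3 | 2 | 2 | 1 | 2 | 2 |
| LookingGlass | 3 | 1 | 2 | 2 | 2 | 2 |
| Palo Alto Networks | 3 | 2 | 3 | 2 | 2 | 2 |
| RiskIQ | 3 | 1 | 2 | 2 | 2 | 2 |
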
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent

Table 3. Evaluation Metrics Comparison

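Evaluation Metrics

| Vendor | Extensibility | Frequency of Discovery | Licensing | User Experience |
|---|---|---|---|---|
| Bishop Fox | 2 | 2 | 2 | 3 |
| Censys | 3 | 2 | 2 | 2 |
| Cyberint | 1 | 2 | 3 | 3 |
| CyCognito | 2 | 3 | 3 | 2 |
| FireCompass | 2 | 2 | 2 | 2 |
| ImmuniWeb | 2 | 2 | 3 | 2 |
| LookingGlass | 2 | 2 | 2 | 2 |
| Palo Alto Networks | 3 | 3 | 2 | 2 |
| RiskIQ | 2 | 2 | 2 | 3 |
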
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
2 Limited: Lacking in execution and use cases
2 Not applicable or absent

By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and feature sets.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes–Maturity versus Innovation, and Feature Play versus Platform Play–while providing an arrow that projects each solution’s evolution over the next 12 to 18 months.

Figure 1. GigaOm Radar for Attack Surface Management

As you can see in the Radar chart in Figure 1, the space is dominated by feature players, or vendors that are primarily focused on delivering ASM solutions. There are two vendors, Bishop Fox and Cyberint, that offer ASM capabilities as part of a larger solution portfolio that aims to provide a comprehensive set of solutions to address the various risks created by public internet exposures.

Focusing on the mature feature players, we can see many top vendors in this quadrant, including Censys, ImmuniWeb, Palo Alto Networks (formerly Expanse), and RiskIQ. ImmuniWeb delivers its ASM solution via a simple interface with a simple licensing model based on a per-organization cost. This simplicity most likely will be attractive to smaller teams or smaller business units because of the ease with which the solution can be acquired and managed. Censys is another pure ASM player with a mature delivery of service. Leveraging its bespoke discovery capabilities, paired with a per-asset license type, Censys offers benefits for organizations that value integration and interoperability. Moving closer to the center, Palo Alto Networks’ acquisition of Expanse has developed quickly (and continues to develop) into a solution that recognizes the attack surface doesn’t end at the perimeter, and so it offers the ability to gather data from inside the perimeter as well. RiskIQ, acquired by Microsoft in mid-2021, is a strong ASM solution that we expect will be integrated into Microsoft’s larger portfolio of service offerings in the coming months.

Dropping down into the Innovation Feature quadrant, we have two vendors: LookingGlass (formerly AlphaWave) and CyCognito. Innovation through acquisition has been a powerful force in this field as of late, demonstrated again by AlphaWave recently being acquired by LookingGlass Cyber Solutions. This acquisition will pave the way for the integration of LookingGlass threat feeds into the former AlphaWave ASM solution, rebranded as LookingGlass scoutINSPECT, in the coming months. CyCognito helps organizations answer the question of “What do I do with ASM data to improve my security posture?” It answers this question by automatically combining attack surface insights, business context, and threat intelligence to prioritize the vulnerabilities and security issues that must be fixed first based on what is likely to be exploited.

Moving into the Innovation Platform quadrant, FireCompass takes an alternative approach and leverages thousands of playbooks that can be used during all phases of the attack surface management process, from validation of findings to thorough analyses of risks. In addition to this, FireCompass offers other solutions that can integrate into their ASM to assist risk reduction efforts.

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.

5. Vendor Insights

Bishop Fox

Founded in 2005, US-based Bishop Fox spent most of its existence providing security services to a large portion of the Fortune 100. In 2018 Bishop Fox raised $25 million to develop its Cosmos platform, an offensive set of security solutions sold as a single, homogeneous platform.

To comprehend how Bishop Fox’s solution differs from competitors, it’s essential to understand the table stakes fully. The Cosmos solution demonstrates excellence in its ability to discover a diverse set of assets in your attack surface continuously. Additionally, Cosmos can inventory and provide attribution for your attack surface assets. Finally, because Cosmos blends human-driven analyses of discovery results with AI components such as machine learning (ML), the quantity of false-positive results is effectively zero (in practice, they claim to have delivered zero false positives to clients).

Diving deeper into the Cosmos solution and analyzing the key criteria for the ASM platforms (as defined in the GigaOm Key Criteria report for ASM), we find great flexibility involving the discovery engine’s ability to identify various assets. As mentioned previously, false positives are rare, but should a false positive make it to you, Bishop Fox provides remediation through your account’s service delivery manager.

Cosmos sets itself apart from the competition through its high-touch delivery methodology. For instance, while most ASM vendors have a human-in-the-loop for the discovery phase of the ASM solution, Cosmos has the human element in the discovery, risk assessment, and remediation planning phases. For example, as risks are identified, a member of its adversarial operations team will attempt to leverage the vulnerability (or misconfiguration) to provide the most accurate assessment of the risk presented. Once the risk has been identified and actively assessed, the Cosmos solution provides a step-by-step remediation plan and direct access to the adversarial operations team so that clients can facilitate timely remediation.

While the Cosmos platform provides accurate attribution of assets to asset-owners, which reduces the amount of manual effort for the client, it does not include additional investigation functionality beyond that. Asset categorization, or grouping assets together, is not yet available but is due in 2022. This missing feature could be problematic for organizations that need to bundle assets together for various business reasons.

The Cosmos platform is API-first, meaning everything that can be performed or collected through the GUI can be achieved by leveraging the API. The RESTful API is fully documented and provided to the public, which will facilitate integration into various third parties. Depending on the asset type, discovery is performed monthly, weekly, or daily. For instance, domains, which typically don’t change often, are discovered monthly; while ephemeral assets, like open ports, change frequently and are discovered daily. Regarding licensing, the Cosmos platform is priced relative to the size of your attack surface. If your surface is of unknown size, Bishop Fox is able to perform a brief discovery to provide numbers used in the sales conversation.

Finally, if you’re considering the Cosmos platform, it’s important to remember that it’s a bundled service (not just ASM). If your organization needs assistance verifying risks and creating remediation plans, this service will provide great value. On the other hand, if these are steps that you would prefer to leave in-house, the Cosmos platform is sold in a tiered model where an organization can select the capabilities they desire.

Strengths: Strong discovery capabilities. “Human-in-the-loop” provides expert insights during critical stages of ASM. Active and passive assessment capabilities.

Challenges: Minimal features that support in-depth investigation inside of the platform. Lacks asset categorization, making management of very large asset pools potentially burdensome.

Censys

Censys, founded in Ann Arbor, Michigan, in 2017, initially launched with a service reminiscent of Shodan. It perpetually scanned the internet, identifying assets, services, and SSL connections. Shortly after launch, Censys found the optimum use case for its technology: attack surface management.

The Censys ASM solution delivers a very comprehensive, robust discovery capability. The discovery algorithm that searches the internet is completely automated from beginning to end, which is a departure from some other vendors in this space that integrate a human-in-the-loop during some aspect of the discovery process. Regardless, the output of the Censys discovery process has extremely low false positives and yet is very thorough.

Censys defines anything that could present or create a risk to an organization as an asset. This universe includes common objects like servers, load balancers, applications, and services, and some less common things like login screens and S3 buckets. Because of this definition, Censys can provide a more granular risk assessment. This granularity plays into its risk scoring method, which leverages default severity rankings (like High or Critical) that can be customized by users if desired. While this is a good feature, some other vendors in this space are able to integrate metadata or contextual information that provides an even clearer picture of the risk, thus allowing for easier prioritization of work.

However, the information given to practitioners when reviewing risks is an important benefit. While some vendors state a risk and assign priority, Censys ventures to provide remediation steps (both primary and secondary) for every risk found in your attack surface. This practical guidance offers a dramatic reduction in time-to-remediate.

Regarding false positive management, Censys goes to extraordinary lengths to ensure false-positive rates are kept low. For example, before a new feature is added to the ASM solution, Censys performs thorough tests, measuring the feature’s impact on the false-positive rate. If clients find a false positive, they can remove it from the portal or API, where it’s still tracked but not included in reporting or visuals.

Regarding investigation capabilities, Censys enables enterprise customers to offload the tracking of investigative actions to a service desk, either through an out-of-the-box integration or a custom integration using its API, and work within the portal to accommodate teams of any size. Censys finds that users prefer to work in their portal while investigating risks because the depth and quality of data found in the portal accelerate investigation times.

Strengths: Possibly the highest quality discovery capability, easily understood asset attribution, and very low false-positive rate. Additionally, it provides a good value, is highly extensible with a fully documented API, and offers some out-of-the-box integrations.

Challenges: Lacks active assessment capabilities, offers minimal investigation functionality, and risk scoring doesn’t integrate context or other data to prioritize risks.

Cyberint

Cyberint, founded in Israel in 2010, delivers the Argos Edge platform, which is its flagship service. Argos Edge, the ASM solution, is integrated with its other services, like social media monitoring, which could create the opportunity to grow beyond typical ASM scenarios and into the digital reputation protection (DRP) arena.

Argos Edge provides discovery like most other vendors in this space. A single piece of organizational data (like your organization’s primary URL) is provided to Cyberint, and it starts the discovery process. While some vendors leverage an industry-standard discovery infrastructure like Shodan, Cyberint has developed its own discovery infrastructure (named Porto Certo), which performs scans more frequently. This frequent scanning, in turn, offers greater detail about your organization’s often-changing attack surface.

As mentioned previously, the availability of other services from Cyberint makes it possible to integrate data sources into your ASM, which provides a level of DRP other ASM vendors cannot provide. However, expansion of data sources for DRP can grow quickly beyond the scope of ASM, and for that reason, won’t be reviewed in this report.

While Argos Edge performs frequent, thorough discovery of an organization’s internet and cloud assets, a key consideration when selecting an ASM vendor is the completeness of the solution. One aspect of a comprehensive solution is the inclusion of active assessments. Active assessments provide the greatest level of certainty when determining the risk presented by an issue. Argos Edge performs passive assessments and offers active assessments through its professional services organization (for an additional fee).

False positives are managed effectively by AI during the discovery phase, which results in a simplified onboarding process for clients. As with any vendor, though, false positives are possible and should be sought out. Asset categorization is another crucial component of ASM solutions; this feature reduces the administrative burden by logically grouping assets. This feature could, for example, be used to separate administrative workloads into appropriate teams and enable more granular tracking of compliance to security processes within an organization.

Cyberint deviates from the norm in the way it licenses its product. While it’s common to sell ASM solutions based on either a flat fee per organization or per the number of assets, Cyberint offers clients the opportunity to exclude specific assets from the licensing. This option could be useful for large organizations, wherein each team or department is responsible for its own security operations and budget. The ability to determine the scope of the ASM practice is a feature not found in other solutions.

Finally, let’s consider this solution’s UX and extensibility. Cyberint has focused on providing a simplified user experience for Argos Edge solution operators. This focus has been carried through from the initial setup to the ongoing management, and it prioritizes simplicity. Additionally, the solution offers numerous integrations with SIEM/SOAR, the details of which can be found on their website.

Strengths: Simplified user experience, AI-managed false-positive enumeration, and licensing can be adjusted to match the scope of the ASM process.

Challenges: Lacks active assessment capabilities, no method to categorize or group assets together, and modest extensibility.

CyCognito

CyCognito, with roots in the famed Israeli IDF 8200 (cyber operations) unit, was founded in 2017 in Palo Alto, California. Starting with a seed round of funding in 2018, CyCognito has experienced rapid growth and today is a company of 160 employees spread around the globe.

Unknown or under-managed assets on the internet are a common vector for attackers to use to gain entry into an organization, so the CyCognito platform approaches the challenges created by ASM the same way an attacker approaches your organization. Starting with a piece of seed data about your organization, CyCognito leverages ML, specifically graph data models, to discover the AS rapidly. In a divergence from the standard discovery phase, CyCognito grants its clients the ability to influence the discovery logic to fine-tune the discovery process. This tweaking by the client is necessary because the discovery phase of ASM determines the scope of work for all tasks that follow.

During the discovery phase, an orchestrated network of testing bots surveys the attack surface to discover CVEs, zero-days, and misconfigurations. This data is then fed into another automated process that they call the prioritization engine. This approach results in a very low false-positive rate, as well as contextual prioritization based on the discoverability and attractiveness of an asset and exploitability of the vulnerability.

CyCognito has focused heavily on the development of automating processes, while other vendors have looked for opportunities to blend in the human element wherever possible. For CyCognito, automation resulted in a platform that can rapidly discover inventory and assess the attack surface. This acceleration continues into the assessment phase of the ASM solution. While leveraging both passive and active assessment methods, the CyCognito platform assesses all issues to determine the level of risk presented more accurately. This process includes passive methods, such as TCP fingerprinting, and active methods, such as launching a script via Metasploit to emulate attacker behavior.

Investigation functionality inside the CyCognito solution is adequate but should not be used as a standalone case management solution. Instead, integrations should be established with your organization’s service desk or ticketing platforms using the RESTful API. An important factor for API and extensibility is the number of third parties with whom CyCognito can interact. This platform can integrate easily into most organizations’ existing processes, with major vendor integrations spanning the collaboration, security operations, SIEM and SOAR, GRC, vulnerability scanner, and ITSM space.

Lastly, let’s touch on licensing. This solution is packaged into different capability tiers, each tier providing more extensive testing and analysis capabilities aligned with the maturity of an organization’s attack surface management strategy. If your organization wants to get started in ASM, then the ability to select a basic feature set with a lower cost will appeal to you. A key capability tied to licensing is the frequency of discovery. Higher frequency discoveries are found in the higher cost tiers.

Unless you are transitioning from another ASM vendor, it’s unlikely you will know how large your AS is. For this reason, CyCognito will run a basic discovery to ascertain the size of your AS for the sales discussion.

Strengths: The heavily automated solution delivers rapid results, offers active and passive assessment capabilities (including leveraging Metasploit), and tiered licensing makes it easy to try ASM.

Challenges: Investigation capability is basic. Discovery frequency isn’t adjustable and is tied to license type.

FireCompass

FireCompass was founded in 2019. It’s a software as a service (SaaS) platform for continuous automated red teaming (CART) and ASM. A core tenet of the FireCompass ASM solution is continuous discovery and testing.

Starting with a single piece of information about an organization, FireCompass uses its scanning infrastructure to discover an organization’s AS continuously. It leverages common sources such as the internet and OSINT sources from the deep web and dark web. But the discovery process can introduce false positives if not managed appropriately. To this end, FireCompass leverages playbooks to identify and remove false positives during its discovery process. The playbooks number in the thousands, and if a particular playbook does not exist, operators of the ASM solution can create their own.

Before moving further into the analysis of this ASM solution, it’s important to point out that FireCompass offers a separate platform for CART that’s very tightly integrated with the ASM solution. If purchased, the CART solution enables true attacker behavior emulation and multi-stage attack emulation. The results of these attacks are then used by the ASM solution to further enhance the ASM process. Alone, the ASM solution provides both passive and active assessment capabilities. Advanced active assessment and attacker emulation are available only in the CART solution.

While FireCompass has focused on building out its extensive library of playbooks and the CART integration, the risk scoring capabilities of the solution subscribe to standard methods. For example, if a risk (vulnerability) has a CVSS score associated with it, the score will determine the criticality label assigned in the ASM solution. The primary drawback with this approach is that context isn’t integrated into the risk score, thereby shifting the onus to a human analyst to make decisions. Additionally, if built-in investigation capabilities are a must-have for your organization, the FireCompass solution may not be the best choice because the investigation features are basic.

FireCompass provides out-of-the-box integrations with other tech stacks like vulnerability scanners, AWS, and Azure. For integrations that don’t yet have an out-of-the-box solution, the FireCompass API is fully documented to meet those requirements. This documentation demonstrates moderate to advanced levels of extensibility. The solution is sold by asset count, a common licensing model in the ASM space.

Finally, a novel function that’s not found with other vendors, but solves a common challenge, is how FireCompass integrates with threat intelligence feeds. Threat intelligence is a critical component of an organization’s security program; however, most threat feeds are consumed manually, or integrations are left up to vendors to figure out how to use them best. FireCompass offers the ability to integrate threat feeds into its playbooks, then the playbooks that impact your assets are selected and run automatically. This approach, in turn, delivers a timely and accurate assessment of organizational risk found in the AS by leveraging up-to-date threat intelligence.

Strengths: ASM with available CART provides a complete solution, provides native integration with AWS and Azure, threat intel feeds are integrated with playbooks, and the API is well-documented for rapid integration.

Challenges: Lacks built-in investigation features and risk scoring follows CVSS scoring, which can slow identification of critical risks.

ImmuniWeb Discovery

ImmuniWeb, based in Geneva, Switzerland, is an application security service provider that offers a suite of services focused on securing the internet-facing components of your organization. ImmuniWeb Discovery is a SaaS offering that delivers the ASM solution. Discovery is a part of the ImmuniWeb AI Platform, where all work is performed and the operator portal is accessed.

The solution offers an effortless setup; all that is needed is your organization’s name. The rest is handled by the ImmuniWeb ML algorithm, with assistance from its team of security analysts as needed. The initial setup and discovery are not instantaneous, as it takes a few days for your dashboard to become available in your portal.

It’s important to understand that the discovery portion of this service is performed in the same manner an attacker would discover your internet assets. The solution leverages multiple open-source intelligence (OSINT) tools and data from the dark web to build a comprehensive view of your organization’s internet-facing assets. ImmuniWeb Discovery does not leverage network scanning (like Nmap) or fuzzing of services to gather information, which provides a level of safety in your production applications and services.

The solution offers comprehensive asset discovery capabilities, including discovering assets hosted on-premises and across infrastructure as a service (IaaS), platform as a service (PaaS), and SaaS. This includes the unique ability to discover data in locations like GitHub, Docker Hub, CVS, and so forth. Because of how asset discovery is performed, it achieves a low false-positive rate. Additionally, assets can be grouped based on custom criteria by the operator of the solution. For example, groups can be created according to compliance requirements (GDPR, for example) or responsible business units.

A key differentiating factor is the “Incidents” tab in the ImmuniWeb portal, which consolidates all traces of attacker behavior found in OSINT and dark web sources. This tab is where an organization will find leaked usernames, emails, passwords, and indicators of previous compromises within the organization’s assets.

The ability to track and manage investigations inside the solution is lacking, so organizations need to identify how the event data from ImmuniWeb integrates into their incident response and/or other security processes. Additionally, because ImmuniWeb Discovery opts to use non-intrusive discovery methods, there is no active assessment capability delivered. Active assessments can be a useful feature that helps validate security findings, and without it, manual assessment will be needed.

A final note on ImmuniWeb Discovery concerns its pricing model. Each organization has unlimited asset tracking and discovery capability for a flat monthly price of $2000 USD. ImmuniWeb clients have unlimited access to its security analysts to assist with findings in the Discovery platform.

Strengths: Very simple setup, robust discovery, and an uncomplicated pricing model.

Challenges: Lacks active assessment capabilities and integrated investigation management features.

LookingGlass Cyber Solutions

Founded in 2019 in the United States, AlphaWave ASM was acquired by LookingGlass Cyber Solutions during the summer of 2021. LookingGlass is a threat intelligence vendor that produces unique threat intelligence sources, which will provide an interesting mashup of technology once both platforms are fully integrated. This integration is slated for production release in Q3 2022, so for the time being, the solution, rebranded as scoutINSPECT, will continue to function in much the same way it did before the acquisition.

Beginning with discovery capabilities, scoutINSPECT performs its discovery similarly to other ASM solutions. Starting with just your organization’s name or URL, it leverages ML and human analysis to sift through open sources of intelligence and passive reconnaissance data to map out the attack surface. Of note is the depth to which scoutINSPECT goes to discover web services. It tends to go a layer deeper into the web stacks than other ASM vendors do.

scoutINSPECT also offers a unique capability in the discovery phase. Simple integration with AWS (and soon Azure and GCP) enables it to map external assets to AWS assets. This feature greatly reduces the manual effort required to identify internet-facing assets with vulnerabilities. Building on this idea, LookingGlass has indicated that additional third-party integrations designed to add more context for each asset will be added soon. LookingGlass concludes that the best information about your attack surface will be found in your existing tooling, such as cloud providers, DevOps platforms, and so forth.

Once discovery is complete, assets are inventoried, and available contextual information is added automatically. At this stage, some vendors offer the ability to assess identified risks actively, leveraging either a human or automation to perform penetration test-like analyses of risks. LookingGlass does not offer this capability but indicates this feature will be available in the future. scoutINSPECT currently provides a useful feature by which a link to a specific asset and issue can be shared with users outside of the platform via a read-only link. This feature can be very handy when coordinating remediation efforts with other business units, teams, or other organizations.

Pricing follows a flat fee model with a few variables, including the frequency of scans, retention period for data, and the number of integrations you desire. This pricing structure is predictable and suits most organizations because it won’t grow as your attack surface grows. Instead, it will increase only as your organization’s ability to use more advanced features comes online.

Strengths: Complete discovery capabilities, with emphasis on web stacks. AWS integration creates the most complete picture of ASM. Future LookingGlass intelligence integrations will enhance capabilities.

Challenges: No active vulnerability assessment methods, passive only. Asset categorization capabilities are basic.

Palo Alto Networks

Palo Alto Networks’s acquisition of Expanse, completed in December 2020, marked the moment it expanded its robust lineup of security services and platforms to include an ASM solution. With Expanse as its ASM, Palo Alto Networks is now placed solidly in the platform play segment of the market landscape. Since December 2020, the Expanse ASM solution has been integrated seamlessly into the Palo Alto Networks lineup.

The analysis of the Palo Alto Networks solution, named Expander, starts with a deep dive into the methods of discovery used and how discovery results are leveraged as a part of the ASM platform.

Expander offers what is likely to be the most comprehensive and frequent scanning results among all of the ASM vendors surveyed in this report. At first glance, its approach involving both ML and human analysis is like that of most other vendors in this space. However, a key differentiation is found in how it executes the discovery process.

Expanse leverages two types of scanning infrastructure: one attributed to Expanse and one that is obfuscated. This allows Expanse to deliver results that stalwarts of the internet scanning industry, like Shodan, are unable to. This advantage is possible for the following reasons. When internet assets are scanned, the scan sources are often blocked to stop the scanning. If the infrastructure performing the scans remains unchanged (and thus blocked), then over time, a portion of the internet will become invisible to this scanner. That will result in blind spots for organizations in their ASM. Expanse overcomes this problem by employing obfuscated, ephemeral scanning infrastructure. In addition, Expander performs protocol-level handshakes to determine service types, which is a nice feature that increases the certainty of results as the analysis progresses.

The discovery results are analyzed using policies that are built and maintained by the Palo Alto Networks Expander team. These policies sift through the results, looking for indicators that point to possible vulnerabilities, misconfigurations, or compliance issues. Importantly, clients of the Expander ASM solution cannot create custom policies themselves. However, they can request the creation of specific policies by the Expander team. Expander policies are updated weekly.

The value that most organizations get from any security solution, ASM vendors included, is usually derived from reports and dashboards inside the platform. While Palo Alto Networks’s solution is no different in that respect, there is room for improvement.

Expanse found its success in the Fortune 500 market, so that is where it has spent most of its development time. A stripped-down version of the current solution with a periodic data refresh will make the platform more consumable for smaller organizations. Palo Alto Networks indicates this version will be available in Q1 or Q2 of 2022. As with other Palo Alto Networks acquisitions, the integration into the Palo Alto Networks ecosystem has been prioritized, and it provides a clear advantage. Organizations that have already deployed Cortex XDR, Prisma Cloud, and other Palo Alto Networks solutions can integrate with Expander to combine solution capabilities. The resulting combination provides unique capabilities, such as the ability to correlate data collected inside of your organization’s network with data found through the ASM solution and discover risks that would otherwise be very difficult to identify manually or using another ASM vendor. This correlation of internal and external risk data will become more popular in the ASM space as other vendors and clients realize its utility.

Looking at Expander’s other features, it’s clear that the platform’s extensibility is very mature. While some security solutions provide integrations that only deposit or extract data, Expander’s integrations appear to be based on use cases designed to increase its utility. For example, because Expander does not offer active assessment capabilities, integrations with popular vulnerability scanners have been created, allowing Expander-discovered assets to be sent to the vulnerability scanner, where a more thorough analysis is performed.

While various licensing methods are found in the ASM vendor landscape, Expander uses a simple per-asset approach. To determine the cost, the Expander team performs a basic discovery of your AS and then uses this data for the sales conversation.

Strengths: Comprehensive discovery capabilities, policy-driven actions that reduce operator burden, numerous integrations with third parties, and very deep integrations with other Palo Alto Networks solutions.

Challenges: Reporting and dashboards could use improvements.

RiskIQ

RiskIQ is a company that focuses on providing digital threat management solutions, with its primary solution being the ASM platform called Illuminate. RiskIQ is one of the older companies in this space, founded in 2009. Significantly, RiskIQ was acquired by Microsoft in mid-2021. The analysis of the RiskIQ Illuminate solution that follows is based on RiskIQ before the acquisition. It’s possible and even likely that RiskIQ Illuminate will soon undergo substantial changes.

The Illuminate platform is a SaaS solution, delivered in the same manner other solutions are delivered. Illuminate demonstrates great flexibility in asset discovery capabilities, particularly its ability to “chain” assets together using patented technology. This chaining of assets enables accelerated owner identification, a vital component in the remediation process.

The Illuminate platform also provides a novel risk scoring method that takes the standard CVE scores as a base for risk assessment and combines them with important contextual information like frequency of vulnerability exploitation and popularity with attackers. This process results in a tailored risk score, prioritizing risks that are commonly exploited.

While the Illuminate platform offers integrations with other RiskIQ products in the ecosystem, they are not a part of the ASM solution without additional licensing costs. This may pose a problem for the investigation functionality. By default, Illuminate offers only very basic investigation capabilities. RiskIQ offers another solution with tight integrations into Illuminate that offers robust investigation capabilities. But again, this option carries with it an additional cost.

Illuminate’s incomplete assessment capabilities are another shortcoming. While Illuminate offers passive assessment capabilities, active assessment capabilities are not offered. This active capability is often avoided because of the potential for harm if poorly implemented, but other vendors have found ways to mitigate these risks.

The solution’s extensibility is its strong suit. With native “tight” integrations into upstream and downstream technologies like SOAR, SIEM, XDR, WAF, and firewalls, the Illuminate solution offers the ability to adjust organizations’ defensive strategies proactively in response to observed attacker behavior. Traditional integrations into service desks for ticketing exist, as well as a documented API for custom integrations as needed.

The RiskIQ Illuminate solution offers a simple interface designed around the concept of cards. Each card contains easily understood information about a specific set of vulnerabilities or risks. This method of data presentation creates an intuitive experience.

Strengths: Asset discovery capabilities are among the best, the integration of risk metadata into risk scoring is very useful, and the vendor offers proactive defense capabilities when integrated with other solutions.

Challenges: Built-in investigation capability is basic and no active risk assessment exists.

6. Analyst’s Take

When traditional vulnerability management processes were presented as a solution to the ever-expanding digital footprint of the modern organization, nearly all organizations ran into the same problems. Lack of insight into the known attack surface limited the efficacy of vulnerability management. Once assets were discovered, associating assets with owners was a time-consuming process because of the abstracted nature of internet and cloud-based assets. Finally, legacy vulnerability scanners are not equipped to discover modern cloud misconfigurations that pose the greatest threat to organizations today.

The ASM solutions surveyed in this report resolve those issues. Because ASM vendors recognize that most organizations can’t keep up with the rapid changes within their attack surface, robust discovery is a ubiquitous feature of all ASM solutions. From the discovery phase through the risk identification phase, leveraging both active and passive assessment methods, and moving onto the reporting and alerting phases, it’s clear that this field has matured rapidly to fill the gaps created by legacy vulnerability management.

Looking back at the radar chart in Figure 1, you can see most players in this space are feature players. Born of a single purpose, these vendors are relatively young organizations that have worked to solve the problems identified.

It’s important to remember that while ASM is the focus of this report, ASM is not the only method used to secure an organization’s digital footprint on the internet. Digital reputation protection, data exposure identification, and continuous automated red teaming are equally important tools. Two of the platform plays identified in the Radar address these needs (Bishop Fox and Cyberint), while two or more are likely to do so in the next 12 to 18 months (Palo Alto Networks and RiskIQ).

7. About Chris Ray

Chris Ray is a veteran of the cyber security domain. His experience ranges from small teams to large financial institutions. Additionally, Chris has worked in healthcare, manufacturing, and tech. More recently, he has acquired extensive experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

8. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

9. Copyright

© Knowingly, Inc. 2022 "GigaOm Radar for Attack Surface Management" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.