Last Updated on January 15, 2024
Between moving data to the cloud and enabling remote connectivity, early every business today is concerned about its extended network perimeter and attack surface.
The attack surface management market space is evolving rapidly, but what types of companies are among the early adopters?
To discuss the attack surface management vision, capabilities and value propositions, Michelangelo Sidagni, CTO at NopSec, joined a recent episode of The Virtual CISO Podcast. The show is hosted by Pivot Point Security CISO and Managing Partner, John Verry.
3 most common drivers
Michelangelo enumerates 3 common drivers for implementing NopSec’s attack surface management solution:
- A general lack of security expertise or challenges with deriving the necessary insights with current staff and tools
- Overwhelming numbers of vulnerabilities, making it difficult to identify the most critical exposures based on real-world risk
- Compliance requirements, especially in highly regulated sectors like banking and financial services
Mostly for SMEs
While they have a few SMB clients, these days NopSec is targeting mostly small to large enterprises. This is mainly because the NopSec solution relies on the data from vulnerability assessment tools that organizations ideally already have in place.
In addition, the more data sources a company can plug into NopSec, the greater the solution’s value. A vulnerability scanner plus an asset CMDB represents a minimum starting point. Adding a SIEM, third-party risk management, EDR/XDR, etc. creates even richer correlations to prioritize vulnerabilities.
Focus on attack paths
Michelangelo notes that NopSec doesn’t rely heavily on compliance with standards, even those as rigorous as CIS benchmarks or DISA STIGS for system hardening.
“We really focus on those attack paths, as opposed to just, ‘Oh, you meet the standard, therefore you’re secure and compliant,’” states Michelangelo.
However, as John observes, “I agree completely, but with that being said, in way too many instances compliance has budget, security doesn’t. If you’re able to have a compliance answer as part of a security solution, those are the solutions that end up getting purchased a bit more often, because they can at least share the cost.”
To help align customer priorities with known attack vectors, NopSec has begun matching CVEs with MITER ATT&CK framework techniques. This helps defenders relate vulnerabilities to exploitation pathways, such as privilege escalation, credential harvesting, etc.
What’s next?
To listen to this show all the way through, click here.
Interested in the Dark Web side of attack surface management? Here’s a blog post you’ll enjoy: Attack Surface Management: Dark Web Deep-Dives and More