Continuous Threat Exposure Management: Unify your Offsec Strategy with YesWeHack
November 9, 2023
YesWeHack recently launched an Attack Surface Management (ASM) product that can provide the missing link in your offensive security strategy.
The new product continuously maps all your internet-exposed assets, such as web applications, APIs and cloud infrastructure, and detects their potential exposure to any known vulnerabilities.
It also auto-assigns ‘priority’ levels to these vulnerabilities based on three key variables: severity (using CVSS), in-the-wild exploitability (using EPSS) and the affected asset’s criticality value (manually assigned by the client organisation).
The turnkey-deployable ASM integrates seamlessly with the existing YesWeHack platform, which benefits from a new-and-improved design and user experience.
Vulnerabilities from various security testing channels, including automated scanning by the ASM, Bug Bounty programs, traditional pentesting and Vulnerability Disclosure Policies (VDPs), are therefore integrated into the same interface – providing a unified, comprehensive and risk-based approach to security testing.
“Our clients can now efficiently reduce their exploitable attack surface by prioritising their actions and streamlining vulnerability management,” says Aïmad Berady, VP Product at YesWeHack. “In other words, focusing on what matters most to them: the assets they want to protect and the vulnerabilities impacting them.”
Continuous Threat Exposure Management
In accordance with Gartner’s Continuous Threat Exposure Management (CTEM) model, our solution enables five operational phases:
- SCOPE: Declare your domain names and IP ranges/addresses
- DISCOVER: Our backend scanners detect related subdomains, reachable services and associated technologies, then continuously detect any newly-surfaced online assets thereafter
- PRIORITISE: Target the most pressing ‘findings’ (suspected vulnerabilities) through auto-generated priority scores based transparently on severity, exploitability and asset value (criticality)
- VALIDATE: Confirm or reject a finding as exploitable in your environment. Confirmed findings automatically generate a vulnerability report
- MOBILISE: Access, edit, share, assign and track vulnerability reports from all sources to efficiently fix the most urgent security flaws first
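The PRIORITISE phase above, like the priority levels described earlier, combines CVSS severity, EPSS exploitability and the asset criticality assigned by the organisation. The following is an added illustrative Python implementation, not YesWeHack's own algorithm: the multiplicative weighting, the 1-5 criticality scale, the P1-P4 thresholds and the sample findings with placeholder CVE ids are all constructed assumptions.

```python
"""Illustrative risk-based prioritisation of ASM findings (constructed
teaching example, not YesWeHack's algorithm): CVSS severity, EPSS
exploit probability and asset criticality combined into one score."""
from dataclasses import dataclass
from typing import List, Optional

CRITICALITY_MAX = 5  # assumed scale 1 (low value) .. 5 (crown jewel), set by the asset owner

@dataclass
class Finding:
    asset: str
    cve_id: str           # placeholder ids in the sample below, not real CVEs
    cvss: float           # CVSS base score, 0.0-10.0
    epss: float           # EPSS probability of exploitation within 30 days, 0.0-1.0
    criticality: int      # asset criticality assigned by the organisation
    override: Optional[float] = None  # manual priority (0-100) reflecting risk appetite

def priority_score(f: Finding) -> float:
    """0-100 score: each factor normalised to 0-1 and multiplied, so a finding
    must be severe AND likely exploited AND on an asset that matters to rank
    high; any one weak factor pulls the product down. Override wins if set."""
    if f.override is not None:
        return f.override
    if not (0 <= f.cvss <= 10 and 0 <= f.epss <= 1 and 1 <= f.criticality <= CRITICALITY_MAX):
        raise ValueError(f"out-of-range input for {f.cve_id} on {f.asset}")
    return round(100 * (f.cvss / 10) * f.epss * (f.criticality / CRITICALITY_MAX), 1)

def priority_band(score: float) -> str:
    """Coarse P1-P4 label; thresholds are an assumption for illustration."""
    for label, floor in (("P1", 50), ("P2", 20), ("P3", 5)):
        if score >= floor:
            return label
    return "P4"

def rank(findings: List[Finding]) -> List[Finding]:
    """Highest priority first."""
    return sorted(findings, key=priority_score, reverse=True)

# Constructed sample: sorting on CVSS alone would put both 9.8s above the 7.5.
SAMPLE_FINDINGS = [
    Finding("payments-api.example.com", "CVE-PLACEHOLDER-1", 9.8, 0.02, 5),
    Finding("payments-api.example.com", "CVE-PLACEHOLDER-2", 7.5, 0.90, 5),
    Finding("marketing-blog.example.com", "CVE-PLACEHOLDER-3", 9.8, 0.95, 1),
]

if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        s = priority_score(f)
        print(f"{priority_band(s)} {s:5.1f}  {f.asset:27} {f.cve_id}")
```

Running it shows the actively exploited 7.5 on the payments API ranked above the barely exploited 9.8 on the same asset, and the critical-but-low-value blog finding in between.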
The upshot is a significantly stronger security posture thanks to the following outcomes:
- Continuous visibility of your true digital footprint – mapping internet-facing assets and exposed dependencies
- Continuous visibility of your organisation’s exposure to known vulnerabilities within the Vulnerability Center
- Automated prioritisation of vulnerabilities based on an easy-to-understand algorithm
- Strategised security testing and remediation to tackle the most critical vulnerabilities at scale
“With the time-to-exploit for new vulnerabilities plummeting, clearing the ‘fog of war’ surrounding the organisation's information system and maintaining an up-to-date big picture is crucial,” says Berady. “After all, knowing your enemy is useless if you don’t know your digital territory.”
The age of ASM
Gartner has cited continuous attack surface management as a top strategic technology trend for 2024 – why?
Well, consider that more than two thirds of organisations have been compromised via an unknown or poorly managed internet-facing asset (JupiterOne) – and consider the underlying reasons why.
First, InfoSec teams struggle to identify – let alone secure – their internet-facing assets as digital transformation drives an unprecedented expansion of attack surfaces.
Second, increasingly complex tech stacks and rapid development cycles are fuelling an unstoppable year-on-year rise in new code vulnerabilities.
A haphazard approach to vulnerability management is no longer sustainable when organisations are typically able to patch only 10% of vulnerabilities in their environment each month (Cyentia Institute).
With cybersecurity budgets failing to keep pace with their growing workload, InfoSec teams are increasingly turning to ASMs to achieve more with fewer resources.
Indeed, Gartner forecasts that organisations implementing a CTEM program now will typically see a two-thirds reduction in breaches by 2026.
And given the imperative of a multilayered security testing strategy, a platform that unifies all reporting channels is a compelling route to achieving such impressive outcomes.
Unify and simplify your vulnerability management workflow
Our ASM is not a standalone solution; by integrating and standardising asset discovery and auto-scanning, Bug Bounty programs, traditional pentesting and VDP findings, it provides a one-stop-shop for all vulnerabilities – whatever their source and format.
This unified paradigm enables strategic early remediation of ‘low-hanging fruit’ and the most critical bugs, and efficient hardening of assets through multiple layers (typically with automated scans first, then through pentesting, then private and public Bug Bounty programs).
YesWeHack’s ASM therefore complements YesWeHack’s existing products to great effect: namely our Bug Bounty programs, launched in 2015 to flexibly and cost-effectively enhance testing capacity; our VDP creation and management solution, released in 2019; and the Pentest Management product, launched in 2021 to simplify, centralise and standardise coordination of pentest engagements.
Amid budgetary pressures and a global cyber skills shortage, unifying these elements enables efficiencies that reduce costs, workloads and time-to-fix, such as:
- A single individual handling bugs from all sources reduces personnel and training costs
- Harmonisation – through standardised reporting formats/workflows and integration with bug-tracking tools – streamlines the remediation process
- Automation eliminates tedious manual tasks and refocuses teams on more value-added work
“A 360-degree cockpit combining unified vulnerability management with external attack surface management enables clients to think like, and therefore thwart, an attacker – spotting and sealing off the weakest, most hackable vectors,” says Guillaume Vassault-Houlière, CEO and co-founder of YesWeHack.
“This significantly strengthens your security posture, given that a single unknown asset (an ‘unknown unknown’) can be a potentially catastrophic weakness – however secure your known assets.”
ASM key features
- Dashboard with real-time overview of attack surface coverage and vulnerability exposure through multiple metrics and filters (e.g., filtering by priority score, charts showing ‘vulnerable assets by category’ or ‘top 5 most vulnerable assets’)
- Standardised format/workflows for ASM, Bug Bounty, pentest and VDP vulnerabilities
- Integrate vulnerability reports into your bug-tracking tools and track status in real time with our connectors and public API
- Daily-updated Vulnpedia module comprising information on affected vendors, detection tools, public exploits and patches for all CVEs
- Override auto-generated priority score to reflect your organisation’s risk appetite
- Subscribe to CVE Alerts for non-exposed, pre-release or other technologies not discovered by ASM to monitor their potential exposure to CVEs
- Role-based access control (RBAC) with considerable granularity
Coming soon: Asset Coverage, an aid to strategising testing
YesWeHack is working on a new feature that will help ASM clients coordinate their testing campaigns more effectively.
‘Asset Coverage’ will show users scrolling through the ATTACK SURFACE channel which discovered assets have undergone automated testing and are currently subject to an active pentest or Bug Bounty program. It will also show the percentage coverage split between offensive testing methods overall, as well as by specific assets.
This powerful KPI will help clients optimise testing coverage across various assets as they become gradually more hardened (for instance, adding Bug Bounty scopes after a round of automated scanning).
The Asset Coverage feature will be added at some point in the next few months.