Hide and seek…
…or why your vulnerability management isn’t finding all your risks…
Back in the early days of the security industry, it wouldn’t be unusual to hear a potential client say the magical phrase “oh, we’ve got our security covered: we use [insert name of antivirus product]”.
Thankfully, the general understanding of security has come a long way since then, but even so, there’s often a similar level of misconception around where attack surface management fits into the puzzle. That isn’t really surprising, as it is a relatively new market sector, and the majority of organisations still don’t have a particularly good handle on their legacy assets, let alone the way that their cloud attack surface constantly changes.
It’s no surprise that a potential client might start by pointing out that they already have vulnerability management, annual penetration tests, management agents installed everywhere, and a SIEM/SOAR to process them. What could attack surface management possibly give them?
I like analogies. So, if you think of security as being a game of hide and seek, with the risks doing the hiding and all your existing security tools doing the seeking, then without an up-to-date asset list and attack surface, those tools will only be looking in a subset of the available hiding places. The best they’ll manage is to find some of the risks, but they won’t find all of them.
It’s pretty much the recipe for a false sense of security, and also a reason that a large proportion of breaches have a root cause in the basics: unmanaged assets, missing patches, and vulnerable configurations. Because, if you don’t know about it, how can you manage it?
scarlet helps an organisation to close the gap between theory and actuality. It only takes a few minutes to set up, and the result is a consistent, detailed, up-to-date attack surface that can be used with all your existing SIEM, SOAR, VM and IR processes. There’s nothing new to learn, and the value gained from all the existing security tools is immediately amplified. What’s not to like about that?
But don’t take our word for it: why not just give it a try? There’s a free, unrestricted trial available, and you only need an email address to register. You could literally be up and running, and seeing the value, in ten minutes.