| 29 May 2020 | ( words)

ASM - Attack Surface Monitoring

When we joined Coalition we became responsible for monitoring thousands of companies everyday. As part of our underwriting process, as part of our continuous scanning, or even when renewals are coming up, we always look to scanning data as a data point to evaluate the cyber-security posture of our book or potential insureds.

One of the mantras in our "master plan" has been from the beginning to "invest in an all-out security platform with free tools, technology, and intelligence to protect all of our policyholders".

However part of our general vision is also to protect other companies that are outside of our book. That is why today we are happy to announce that we are making available for early access, (general availability to come soon) the same platform we use to internally monitor our policyholders.

We call it ASM (short for Attack Surface Monitoring), and today it is available for early access.

You can sign up here to start using our new platform (Coalition policyholders are guaranteed access).

But what is ASM ?

It is a platform developed to Enumerate, Scan and Notify for security vulnerabilities and changes to infrastructure on millions of companies.

Everyday, the IT footprint of organizations grows, with the adoption of cloud services, expanding SaaS usage, and vendors providing more and more services to organizations, the perimeter is something that has changed a lot over the last 5 years.

ASM helps organizations with finding assets associated with them, and issues with those assets.

Want to monitor yourself, your subsidiaries, acquisitions or vendor chain?

ASM is here for you!

We've been gathering feedback from customers and have had several iterations of this product through out the years, however we never felt that it was up to the standard of what our customers typically expected from us. In the last months we've been putting in the final touches and with today's release we have a product we are proud to present.

On this screen you can easily view your risk distribution across all companies you are monitoring, as well as individual risk for each company at the bottom.

When using ASM, companies can be monitored in two ways:

  • Lite - full domain enumeration is done actively and then assets found are checked against our worldwide scans for access to services exposed, providing faster results but also limited to 250 ports.
  • Extended - full domain enumeration is done actively and then each asset has all 65535 ports scanned in real time.

Because we use a limited set of data the price for Lite monitoring is more cost effective than Extended, making it the ideal solution to monitor large number of companies.

In both modes companies get continuously scanned and you can see this by entering the company page and looking at the "Summary tab".

Here you can find the changes detected over time to your infrastructure, the risk breakdown by category and the types of assets found. You can also see information about 3rd party data breaches and lookalike domains.

The following section is called "Attack Surface" here you can see all the technologies, hosting providers and services that we were able to detect across your assets. You can immediately click these buttons and check which assets are using said technology.

Underneath a full list of assets can be seen with association between DNS and IP addresses.

In this list you can click an asset and dig into the technical details of that asset for an individual view.

In the Vulnerabilities tab we make it super easy for you to see, filter and resolve vulnerabilities detected across your assets. We are continuously adding new vulnerabilities with a focus of trying to make sure that we surface the important and most critical vulnerabilities into this screen so you can prioritize fixing them.

At the bottom of the screen a "Latest vulnerabilities" table can be seen, which allows you to easily see the latest findings from your assets.

The plots also serve as filters, if you click on a vulnerability it will immediately filter the table underneath to the assets affected by said vulnerability.

In the 3rd Party Data Breaches tab, you can see which 3rd party breaches have been found that are associated with your assets.

One of the biggest problems we've seen in the last few months is the use of homoglyph or look-alike domains in phishing attacks. For that reason we are making sure we're continuously looking and monitoring for any look-alike, and notifying you when a new one shows up with a DNS entry or SSL certificate. Without even having to leave ASM you can see the screenshot in case the look-alike has a web service running.

We also automatically try to detect if a domain is being used for phishing and in case there is a web service running we check for a similarity score to your original domain, if that is the case we tag it as such (as you can see on the image above, because we are live in Canada, our Canadian website is of course similar to our original one).

Last but not least, on the Enrichment tab, we continuously look for your assets interacting with our honeypots and immediately notify you in case we find any of these interactions, we also monitor the torrent downloads, as often torrents come infected with Malware.

There are many more features within ASM that we could talk about, but we would prefer to leave it for exploration.

So, if you're interested, please sign up here, we look forward to welcoming you to our new platform.