Vulnerability and cybersecurity assessment firm Tenable announced on Tuesday plans to acquire 4-year-old startup Bit Discovery, becoming the latest company to acquire an attack-surface management business in the past year.
With the $44.5 million deal, Tenable aims to strengthen its capabilities for gathering external information on networks and deliver to customers more visibility into their digital footprints. Visibility is key, as misconfigured and vulnerable assets are a significant security weakness for most companies. Tenable intends to integrate the technology into all of its products, including its Nessus vulnerability scanning platform, and use the technology to augment its ability to analyze internal networks.
Acquiring Bit Discovery's technology gives Tenable and its customers an attacker's eye view of company networks, says Glen Pendley, chief technology officer at Tenable.
"Visibility is literally the first step in every single cybersecurity framework," he says. "When you look at our acquisitions and strategy ... over the last few years, we are getting a bigger breadth of coverage over the attack surface. This is the biggest part of the attack surface that Tenable has yet to get visibility of."
The acquisition is the latest industry move to underscore the importance of the technologies and services that deliver attack surface management (ASM) capabilities. This month, Google announced it would buy Mandiant, which had previously acquired Intrigue, an ASM startup, in August 2021. In February, cybersecurity automation firm Darktrace announced it would acquire ASM firm Cybersprint for nearly $54 million. And in November, cyber-risk firm Team Cymru stated it would purchase Amplicy, a 2-year-old startup company focused on attack surface discovery, for an undisclosed amount.
ASM on the Rise
The interest is unsurprising. Business intelligence firm Gartner named ASM as the top trend in security and risk management for 2022, breaking down the technologies into three areas: cyber asset ASM, external ASM, and digital risk protection services (DRPS). Bit Discovery falls squarely in the external attack surface management (EASM) segment.
Companies should know all of the assets visible to attackers from the Internet, Gartner stated in the March announcement of its top 7 security and risk-management trends.
"Risks associated with the use of cyber-physical systems and IoT, open-source code, cloud applications, complex digital supply chains, social media and more have brought organizations’ exposed surfaces outside of a set of controllable assets," the firm stated. "Organizations must look beyond traditional approaches to security monitoring, detection and response to manage a wider set of security exposures."
ASM is growing in importance in part because companies are getting better at doing the basics. Businesses are paying more attention to common points of entry, such as remote desktop protocol (RDP) servers and virtual private network (VPN) appliances, but need to look beyond securing the front door, says Jeremiah Grossman, CEO of Bit Discovery.
"We got away with not knowing all of our assets for a long time in infosec because everything was just that insecure," he says. "But now the main front doors are getting sufficiently hardened, so the adversaries are looking for secondary and tertiary ways in."
Team Cymru, a cybersecurity risk firm, estimates that 60% of breaches start with the compromise of an exposed, unmanaged asset with an unpatched vulnerability. In addition, the company's research found that three-quarters of midsize to large companies have to rely on spreadsheets to track assets. Those companies were not ready for the shift to cloud infrastructure and employees working from home, says Lewis Henderson, a senior product manager at Team Cymru.
"The last two years have thrust organizations to expand far beyond their already eroded borders — [basically] digital transformation on steroids," he says. "When those organizations went to lean on their security vendors to understand what external assets, risks, vulnerabilities and threats they had, they were left totally exposed and on their own to figure it out."
EASM firms evolved to fill the gaps, he says.
Four Years, $45 Million
Bit Discovery launched in March 2018 with $2.7 million in funding, upon the merger with OutsideIntel, a startup founded by Robert Hansen, a cybersecurity veteran who had discovered vulnerabilities under the handle "RSnake" and had previously worked with Grossman at WhiteHat Security. Last June, Bit Discovery gained another $4 million in investment during a Series B round of funding.
Grossman estimates that about half of breaches are enabled by a vulnerable asset that the company previously did not know about. He pointed to the massive data breach at Equifax as an example of the hazards.
"Nothing is more embarrassing than getting exploited by an asset that you didn't know you owned," he says. "That was the case with Equifax. Yes, they didn't patch the [Apache] Struts vuln, but they would have if they knew the asset existed."
While the deal must still weather the closing process, Tenable expects to complete the acquisition this quarter and integrate Bit Discovery’s external ASM technology across its other products and services. In the end, the company wants to provide businesses with ways to get meaningful visibility into the state of their security, both on the internal network and from an external view, says Tenable's Pendley.
"We want to reduce noise," he says. "That has been a problem in this space forever, and it's something we can improve."