NCC Group, Qualys expand managed attack surface service
NCC Group has formed a technology partnership with Qualys to expand its managed Attack Surface Management (ASM) service, embedding Qualys' asset discovery and risk management tools into its offering for enterprise clients.
The cyber security consultancy will integrate Qualys' cloud-based technology into its existing managed service. NCC Group will provide continuous oversight and analysis on top of the automated discovery and monitoring functions.
The combined service focuses on identifying digital assets across internal and external environments. It then tracks vulnerabilities and misconfigurations on an ongoing basis.
Expanded ASM service
NCC Group said the enhanced ASM service will give organisations real-time visibility of assets, including previously unknown systems and so-called shadow IT. The firm said this visibility supports incident response by indicating where mitigation efforts should concentrate.
ASM tools scan networks and cloud environments for connected devices, applications and services. They compare this live view of the attack surface with internal inventories and known configuration baselines.
NCC Group said many organisations struggle to maintain this level of visibility because of a shortage of cyber security skills. The company said growing IT complexity, including cloud adoption and remote working, has increased the number of internet-facing assets and configuration points.
The partnership aims to address this gap through a managed model. NCC Group will provide expert-led analysis on top of Qualys' automated discovery and monitoring.
The firms said the joint service will focus on three outcomes. These are visibility over assets, prioritisation of risks and delivery of intelligence that security teams can act on.
From data to action
NCC Group said automated asset discovery and continuous monitoring reduce reliance on self-reporting by internal teams. The company said this approach replaces manual collection of asset lists and risk data with an automated feed of information.
The managed service then interprets this data. NCC Group analysts will review the information and highlight where in-house teams should focus remediation effort.
The company said this division of work allows internal security staff to spend more time fixing issues and less time identifying them. It said this also reduces exposure windows, as organisations can respond more quickly to the most significant risks.
Graham Francis, SVP, Global Managed Services at NCC Group, said many organisations overestimate how well they understand their IT environments.
"In-house security teams are stretched to breaking point trying to wade through data and prioritise mitigating threats. Many organizations believe they have full visibility of their estate, but the reality is that without advanced technology, blind spots remain.
"Working with Qualys enables NCC Group to offer a managed service that combines Qualys' automated asset discovery to eliminate those blind spots and prioritization of risk with our expert analysis, giving our clients a complete and accurate view of their attack surface and risk appetite. This means internal teams can focus their time and energy on critical remediation, rather than identification," said Francis.
Market backdrop
Vendors and security consultancies have placed increased emphasis on ASM in recent years. The discipline has emerged as organisations adopt multiple cloud platforms and expose more services to the internet, creating new entry points for attackers.
Industry studies often find a gap between the number of assets organisations believe they run and the larger number identified by automated discovery tools. NCC Group and Qualys said this gap underlines the role of continuous, automated discovery in cyber defence strategies.
ASM products commonly address external-facing assets such as web applications, domains and IP addresses. Newer approaches also cover internal systems, cloud workloads and third-party services.
Qualys offers a range of cloud-based security and compliance tools, including vulnerability management and continuous monitoring. Its ASM technology discovers and inventories assets and then associates them with known risks.
Under the partnership, NCC Group will front the managed service, while Qualys will provide the underlying technology. The arrangement gives Qualys broader reach into customers that prefer a managed model rather than running ASM tools in-house.
Christopher Catanzaro, Vice President of Global Channels and Alliances at Qualys, said the partnership would extend access to the company's ASM products.
"Organisations today already face an uphill battle guarding against a complex attack surface; it's harder still to protect against internal and unknown threats," said Catanzaro. "By teaming up with NCC Group, Qualys is making our powerful ASM solutions accessible to more organizations to help reduce their risk. Together, we're helping security teams move from reactive defence to proactive, intelligence-driven risk reduction."
The companies said they plan to work together so that organisations can discover and monitor every asset, including those that internal teams have not yet identified, before attackers attempt to exploit them.