Questions to Ask

Ask vendors the questions that matter.

In addition to asking about specific features, there are several questions that are worth asking vendors. The following questions help in understanding the maturity of products and focus on potential breakpoints of projects.

Do you specialize by serving specific industries?

Some vendors focus on the finance industry, retail, or media. Some provide services that work across multiple industries.

Beyond the primary use cases (covered in the use case section), what other kinds of functions does your solution provide?

Examples of other features some ASMs offer include:

- IaaS and SaaS usage discovery
- IoT device discovery
- OT/ICS device discovery
- Dark web monitoring
- Brand protection
- DevSecOps integration
- Threat modeling
- Breach and attack simulation

How modern is the solution’s architecture?

Focus on solutions built on a modern software architecture, such as microservices, container-based deployments, and APIs, which provide more modular and flexible deployment, orchestration, and customization.

What types of vulnerabilities does your solution look for, and what sources of vulnerability information does it use?

- CVEs / CVSS
- EPSS (Exploit Prediction Scoring System)
- US CISA KEVs
- NVD (National Vulnerability Database)
- OWASP Top 10 issues
- Missing patches
- Out-of-date or end-of-life software
- Missing controls
- Unauthorized access
- Overprovisioned entitlements
- Misconfigurations

Which regulations and compliance frameworks does your solution help monitor for?

The following are some of the most applicable frameworks that ASM solutions can assist with:

- ISO 27001, 27002
- NIST CSF
- NIST 800-53
- NIST 800-171
- SOC 2 Type 2
- CIS AWS, Azure, and GCP
- Cloud Security Alliance
- HIPAA
- PCI-DSS
- EU GDPR
- US DoD CMMC
- US FedRAMP

Does the ASM solution under consideration provide context-based risk scoring and prioritization?

Most ASM solutions provide at least a minimum of CVE/CVSS scoring for each identified asset. Some of the more innovative solutions can analyze the business context and apply highly customized risk ratings for each discovered vulnerability, which allows organizations to better prioritize remediation efforts. A few ASM solutions include attack path modeling and Breach and Attack Simulation techniques that offer much deeper insights into specific vulnerabilities, for the fastest and most effective remediation.

What capabilities for remediation are present in the ASM solution under consideration?

Once assets and vulnerabilities are identified, the ASM solution should offer some means for remediation. At a basic level, information about the vulnerabilities should be available to the customer administrators. Reports for executives are often featured as well. Better solutions provide step-by-step guidance for how to remediate found vulnerabilities, such as how to correct misconfigurations and how to patch operating systems and applications.

What exactly does your service do with respect to dark web monitoring?

Examples of dark web monitoring features include the following items. Decide which ones are most important for your organization to know about.

- Look for compromised credentials
- Search for leaked or stolen intellectual property
- Search for leaked or stolen personally identifiable information (PII), including passport info, eIDs, or driver’s license information
- Follow APT groups and actors
- Track cybercriminal forums
- Monitor malware and exploit trading forums

Are there key areas of functionality for which your solution depends on third-party products or services?

CAASMs may require third-party products for identifying assets and vulnerabilities and for threat intelligence. However, they are usually more extensible and interoperate with a variety of such products and services.