Last year, we released our inaugural Forrester Wave™ on attack surface management (ASM) solutions. The ASM Wave primarily focused on visibility — the first of the three principles of proactive security. ASM’s visibility is achieved through external asset discovery and ingestion of third-party information regarding asset attributes, and both features are becoming increasingly commoditized. Yet the ubiquity of visibility options cannot alone solve proactive security. Once organizations have a comprehensive asset inventory, what are they supposed to do about it?
It’s Time To Stop Fragmenting Proactive Security
Based on the three principles of proactive security, organizations need visibility to assess and then prioritize the breadth of their exposures (e.g., threat-informed weaknesses across various asset types). This exposure prioritization is typically found in exposure management, or exposure assessment, platforms.
But relying solely on assessments creates the same problem as relying solely on visibility. Organizations still need to remediate weaknesses. Just as standalone ASM solutions did not adequately address the other proactive principles, many exposure management solutions did not adequately address remediation. Currently, the best remediation capabilities exist in unified vulnerability management (UVM) solutions.
ASM Is A Feature, No Longer A Market
The market has responded. Since we published the 2024 ASM solutions Forrester Wave, many vendors have rebranded their proactive security offerings into exposure management, including CyCognito and Trend Micro. Axonius has gone so far as to declare ASM dead.
ASM is still an important feature, but it is dead as a standalone market because it doesn’t address all three proactive security principles. ASM’s value is as part of a proactive security strategy, since asset discovery and hardening are prerequisites to exposure management and residual risk calculation. Organizations need to use visibility sources as their source of exposure prioritization.
Announcing Proactive Security Platform Research
Today, security leaders need solutions that provide fulfillment of all three proactive security principles. ASM remains a feature in proactive security platforms but has also spread into other solutions, such as cloud security and threat intelligence. Exposure management offers novel prioritization strategies. UVM augments remediation processes. To complete proactive security, Forrester will now cover the ASM, exposure management, and UVM markets as the proactive security platforms market. Forrester defines a proactive security platform as:
A platform that consolidates assets and exposures with an organizational perspective, prioritizes optimal remediations, and augments and orchestrates remediation processes.
This change in taxonomy is future-proof. You will always need proactive security. This allows us to evaluate these solutions as they evolve from solution-centric to platform-centric, offered from a variety of different types of platform providers. Even with future marketing and buzzword shifts, there will always be a need to evaluate proactive use cases, and our taxonomy is future-proofed against further market shifts while providing strategic advice around your platform strategies.
We will be kicking off our evaluative proactive security platform research next month with the proactive security platform landscape report. We will cover all phases of proactive security in this research: visibility (provided through ASM features), prioritization (including exposure management but also other methods of prioritization), and remediation.
I look forward to sharing our landscape report on proactive security platforms next year. In the meantime, please set up an inquiry or guidance session to discuss how proactive security platforms can supercharge your existing security programs.
