What is Cyber Asset Attack Surface Management (CAASM)?
Cyber asset attack surface management (CAASM) is an emerging technology area focused on enabling security teams to overcome asset visibility and exposure challenges. It enables organizations to see all the assets (internal and external), primarily through API integrations with existing tools, query consolidated data, identify the scope of vulnerabilities and gaps in security controls, and remediate issues.
Before we delve deeper, let’s look at the need for CAASM via an analogy with the game of chess.
Chess is an abstract strategy game. It is played on a chessboard with 64 squares arranged in an eight-by-eight grid. At the start, each player controls sixteen pieces: one king, one queen, two rooks, two bishops, two knights, and eight pawns. One of the most favorable ways is to play an attacking game and break through the defenses of the opponent.
For a moment, think of cybersecurity as a game of chess. There is an attacker always striving to break through the organization’s defenses. The security team has to apply techniques to stay ahead of the attacker. The assets in the game of chess are- 64 squares, 16 pieces and the player’s brainpower that’s plotting the moves. This is quite similar to the hardware, users and software respectively- that makes up for the organization’s assets.
Unfortunately, the similarity between chess and cybersecurity ends here. Why is it so?
In chess, the attack surface is very well-defined. There are defined boundaries (eight-by-eight grid) and fixed assets. Think of the traditional ways of managing data and assets- an organization’s perimeter was confined to its four walls. It made managing security less complex.
Modern organizations are far more evolved and distributed. The hybrid work era and the trends like BYOD has truly made the workplace boundaryless. This has led to the attack surface becoming almost unending. A limitless attack surface implies that the organization is more vulnerable to cyberthreats and the traditional way of managing assets isn’t effective anymore.
The following excerpt from a blog by Gartner further validates this transformation-
Enterprise attack surfaces are expanding. Risks associated with the use of cyber-physical systems and IoT, open-source code, cloud applications, complex digital supply chains, social media and more have brought organizations’ exposed surfaces outside of a set of controllable assets. Organizations must look beyond traditional approaches to security monitoring, detection and response to manage a wider set of security exposures.
A CAASM solution fills in this gap and provides an accurate, near real-time view of the organization’s assets. To improve overall cyber resilience, the organizations need a CAASM strategy.
Benefits of CAASM
- CAASM provides organizations with an explicit view of organization’s assets and clearly lays out the attack surface.
- It provides a real time, up-to-date view of asset inventory.
- It enables security teams to improve basic security hygiene by ensuring security controls, security posture, and asset exposure are understood and remediated.
- Organizations that deploy CAASM reduce dependencies on homegrown systems and manual collection processes, and remediate gaps either manually or via automated workflows.
- It helps organizations visualize security tool coverage, support attack surface management (ASM) processes, and correct systems of record that may have stale or missing data.
- It helps in managing compliance and improving cyber-resilience by enabling data-driven decision making.
- It improves productivity by eliminating the need to spend time manually maintaining an asset list.
How does the CAASM solution work?
Maintaining an up-to-date enterprise inventory system is a foundational element in every organization’s cybersecurity program. At the same time, it is very challenging. Enterprise assets change constantly, with devices being added and retired, physical machines migrating to virtual, and various stakeholders installing and updating software (with or without approval).
In order for an CAASM solution to be comprehensive, it should:
- maintain an accurate asset inventory.
- ensure that the asset list is updated in real-time.
- be highly accessible.
- include cloud and on-prem assets.
- define assets holistically-not just include physical devices and hardware, but also the mobile devices, apps, software, IoT and people.
- should include information about how assets are being used.
How can a single solution meet these requirements?
Balbix recommends leveraging AI to automatically discover and inventory all assets. Once assets are in your inventory, they are readily available via real-time dashboards and search. They should be analyzed across a broad range of attack vectors to identify assets that are most likely to be compromised. And should enable you to set up automatic and continuous compliance watchdogs.
What are the key enablers for a CAASM solution? Here’s a list that provides some insights:
Comprehensive coverage and categorization:
Traditional inventory tools typically only track managed assets. Non-traditional assets like IoT are either left undiscovered or partially tracked by a collection of standalone tools, one for each asset category.
CAASM solution should automatically discover, analyze, and categorize all devices, apps, and services. It discovers and tracks the relationship between assets and users (including administrators). In addition, it should surface all relevant details for each asset, e.g., software and hardware version, open ports, usage, and so on.
Capturing Business context:
Traditional inventorying methods are not very good at tracking the business context of enterprise assets. A CAASM tool should predict the business criticality for each asset based on an analysis of usage and network traffic.
Easy to search:
With an ideal CAASM solution, you should be able to get answers to questions about your inventory, security posture, or breach risk using natural language search. For example, querying using IT vocabulary, such as “windows servers in San Jose,” or “IoT devices”
Aligning with your business:
The inventory and risk models in a CAASM solution should be customizable based on your organization’s specific business needs. For example, if you care about intellectual property more than anything else, the CAASM solution should allow you to automatically keep track of assets that create, store, or consume intellectual property.
The history behind CAASM
In the realm of computers, asset management has been around for quite some time. IT asset management has historically been a finance-related field. There are finance specific use cases that require organizations to manage and maintain an asset inventory e.g. to carry out the exercise of depreciating the physical assets, the businesses needed to be able to track them. On the similar lines, there has always been a need to track the software licensing. The practice of IT asset management was arguably born to serve these needs. The methods and technologies driving asset inventory have been in use for a while.
Over the last few decades cybersecurity became a more significant priority for the organizations. The existing asset management technologies served well initially but they were not originally designed to serve the cybersecurity needs and evolving use cases. The evolution of CAASM addresses some of the specialized cybersecurity use cases around asset management and visibility.
How can CAASM help in reducing cyber risk?
Balbix recommends that calculation of cyber risk is best done using an asset-centric approach. This requires a precise inventory of all IT assets – including systems, applications, devices, data, business processes, and users – and an understanding of two factors: breach impact and breach likelihood.
Breach likelihood is the probability that an asset will be breached. Calculating it requires accounting for vulnerability severity, threat level, exposure due to usage and security controls. The risk calculation should also understand the business significance of each asset as it is an important variable in determining the second factor – breach impact. For example, your breach impact is significantly higher for core servers containing sensitive data than for personal laptops that are signed into your guest network. While assessing business criticality of an asset, you need to consider both inherent (e.g., asset category, business unit) and contextual properties of the asset (e.g., roles, applications, user privilege, and interaction with other assets).
CAASM aggregates assets from other products that collect a subset of assets, such as endpoints, servers, devices and applications. By consolidating internal and external cyber assets, users can make queries to find gaps in coverage for security tools such as vulnerability assessment and endpoint detection and response (EDR) tools. CAASM provides mostly passive data collection via API integrations, replacing time-consuming manual processes to collect and reconcile asset information.
The comprehensive, real-time asset visibility unleashed by CAASM solutions is itself a kind of security control.
Frequently Asked Questions
- Features of Cyber Asset Attack Surface Management Software
The following features are a key in defining a CAASM solution-
- Ability to ingest data from the various tools and sources.
- Ability to normalize, analyze, deduplicate and correlate the ingested data.
- Showcasing an accurate asset inventory.
- Inclusion of hardware, device, SBOM (software bill of materials) in the asset inventory list.
- Define assets holistically-not just include physical devices and hardware, but also the cloud assets, mobile devices, apps, software, IoT and people.
- Ensuring the asset inventory data stays accurate in real-time.
- Should be highly available and accessible.
- Should be able to provide information on the business context of the assets and on how the assets are being used.
- Should provide an ease to use search capabilities.
- CAASM Use Cases
A few prominent CAASM use cases are:
- Automatic asset discovery: Continuously monitors the enterprise to discover, identify and categorize all assets.
- Unified view of asset inventory: Include devices, apps, and services; managed and unmanaged; on-prem and cloud; fixed and mobile; IoT, etc., and your users. Conflicting and duplicate data is cleaned and merged automatically.
- Risk based vulnerability management: to continuously assess the security posture and prioritize open vulnerabilities based on business risk.
- Audit and compliance assessments: By providing near real-time visibility to the assets ,how they are being used and business context- CAASM solutions provides an output that accelerates audit and compliance assessments.
- Cyber risk quantification: A CAASM solution unifies all your cybersecurity data (including asset inventory, vulnerability data and more) into a single comprehensive cyber risk quantification model. It provides a unified view of cyber risk in business terms.
- How to Get Started with CAASM?
Start your journey to a comprehensive cybersecurity posture automation solution that includes CAASM, Risk Based Vulnerability Management (RVBM) and Cyber Risk Quantification (CRQ) capabilities by scheduling a 30-minute demo with Balbix.