Four years after Axonius created the term cybersecurity asset management to explain a new approach to understanding assets and their security and management coverage, analyst firm Gartner coined the term cyber asset attack surface management (CAASM).
CAASM is an emerging technology focused on enabling security teams to solve persistent asset visibility and vulnerability challenges, according to Gartner. It enables organizations to see all assets (both internal and external) through API integrations with existing tools, query against the consolidated data, identify the scope of vulnerabilities and gaps in security controls, and remediate issues.
In a recent webinar titled “Crossing the CAASM: The Evolution of Asset Management” with (ISC)², Chris Cochran and Ronald Eddings explained how the emergence of cyber asset attack surface management (CAASM) can help IT and security teams improve security hygiene, reduce manual work, and remediate gaps.
In this excerpt from the webinar, Chris and Ronald provide insights into the factors driving CAASM adoption and why asset visibility is key.
Editor’s note: The following transcript has been edited for brevity and length.
Why is “attack surface” a part of CAASM?
Chris Cochran: It’s because the additional technologies that we've brought on over time are widening our attack surface. We’re leveraging better technologies to become more efficient, more innovative. But as we do that, we add additional connections and applications to our networks, and that’s broadening this attack surface.
As we widen that attack surface, we have to manage and control that complexity so that we're operational.
We need to focus on that asset visibility because you can't protect what you can't see. If we don't have that comprehensive view, it’s going to make it difficult for us to do things that really rely on asset management.
What are the IT and security drivers for CAASM adoption?
Ronald Eddings: There are many things in security that are driving CAASM adoption. But there are many functions outside of security that are going to start really needing this type of solution to maintain their environment.
The IT drivers are really device discovery, endpoint management, and configuration management.
I'm sure that some of us in the audience have used something like a CMDB to get somewhat of a view of the assets that you manage. But oftentimes these tools get out of date. Oftentimes we need to log into many applications to understand how many devices were discovered.
Endpoint management itself is a tough beast to tackle just due to the sheer number of users that companies are onboarding and also users that are within the cloud.
Chris: And then when you look at the security drivers, incident response would be incredibly difficult if we don't have a handle on our asset management. How can you even identify the spread of a particular incident if you don't know where everything is or what everything is? If you have a very myopic view of your network, and there are things on the periphery that you can't see or have no way to investigate, you might not be able to identify the entire spread, you might not be able to contain that spread, you might not be able to understand what's going on in your environment holistically. Ultimately that’s going to impact remediation as well.
Now, let's look at vulnerability management. I can't tell you how many times as soon as a vulnerability comes out, a disclosure comes out, immediately the first question is, “Does this affect me? Do I have this software in my environment?” Next question is going to be, “If we have this in our environment, how pervasive is it in our environment? How many nodes do we have out there that have this particular software or application that we have to then remediate?” These are questions that are going to be incredibly important when it comes to looking at those vulnerabilities.
And even for GRC and audit, we get some really, really tough questions from auditors. The better and clearer our answers are, the quicker it is that we move on to that next part of the audit. But if we don't have a good view of what we're doing and what our environment looks like, it's going to be increasingly difficult to give those very clear and thorough answers to our auditors. So even looking at that, you're going to want to have that complete understanding of your environment.