Inventorying, managing, and securing assets was simple back in the day.
The attack surface consisted of servers and any asset (like laptops and desktops) with an internet connection.
Boy, have times changed!
The perimeter of the attack surface has grown, and it continues to do so. Now it includes applications (SaaS apps, too!), mobile devices, websites, cloud services, collaboration tools, social media pages, and more.
For IT, security, and risk teams, it’s essential to discover and secure all assets: devices, cloud services, software, and users. But identifying and managing these assets is complex.
Conducting asset inventories, and collecting the data they include, is an important step in understanding what’s in IT environments. And there are six essential questions about every asset:
Yet the old way of doing asset inventories (spreadsheets and other manual methods) doesn’t provide an accurate understanding of the attack surface. Cybersecurity environments are in constant flux, so the results are stale by the time a traditional asset inventory is complete.
Cybersecurity Asset Attack Surface Management (CAASM) is looking to fix that by doing the following:
Another element that CAASM highlights in the attack surface: asset visibility.
Without an understanding of what’s happening in IT environments, or of which assets exist, the potential risks from shadow IT, cloud misconfigurations, external threats, and other vulnerabilities only increase.
Asset visibility is crucial to protect against threat actors looking to breach IT environments. Without it, the view of the attack surface is incomplete: IT, security, and risk professionals don’t know which assets are the most critical or the most susceptible to attack. The data is siloed, making it challenging to piece together. Or worse, threats exist but the available information is so incomplete that teams aren’t sure what action to take.
But to comprehend what’s happening, it’s important to look at the attack surface in four steps:
This kind of assessment provides a great deal of information, such as a list of all asset inventory technologies, endpoints missing agents, and devices that aren’t being scanned for vulnerabilities.
To get there, attack surface management gives teams another way to understand their IT environments, one that is more in line with how attackers think. IT, security, and risk professionals know what’s going on both internally and externally. They have insight into which devices and user accounts could be compromised, and the ability to take action to reduce the risk of compromise.
By connecting and correlating this data, the attack surface isn’t siloed anymore. Teams have a complete view of their attack surface, so they can better prioritize.
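As an added example (not Axonius code or product logic), the following Python sketch shows the kind of correlation the text describes: three constructed inventories with hypothetical hostnames (a directory export, an EDR agent list and a vulnerability scanner list) are joined on a normalised hostname to list endpoints missing an agent, devices that are never scanned, and assets known to only one source.

```python
"""Correlate asset inventories from several sources to find coverage gaps."""
from dataclasses import dataclass, field

# Constructed sample inventories (hypothetical hostnames, not real data).
# Each source reports hostnames in its own style, so they must be normalised.
DIRECTORY = ["WS-1001.corp.example", "WS-1002.corp.example", "SRV-DB01.corp.example"]
EDR_AGENTS = ["ws-1001", "srv-db01", "dev-laptop-7"]
VULN_SCANNER = ["ws-1001.corp.example", "ws-1002.corp.example"]


def normalise(hostname: str) -> str:
    """Lower-case and strip the domain suffix so sources can be joined on one key."""
    return hostname.strip().lower().split(".")[0]


@dataclass
class Asset:
    name: str
    sources: set = field(default_factory=set)  # which inventories saw this asset


def correlate(sources: dict[str, list[str]]) -> dict[str, Asset]:
    """Merge every source into a single asset record per normalised hostname."""
    assets: dict[str, Asset] = {}
    for source, hosts in sources.items():
        for host in hosts:
            key = normalise(host)
            assets.setdefault(key, Asset(key)).sources.add(source)
    return assets


def coverage_gaps(assets: dict[str, Asset], agent_source: str = "edr",
                  scanner_source: str = "vuln_scanner") -> dict[str, list[str]]:
    """Report endpoints missing an agent, devices never scanned, and single-source assets."""
    missing_agent = sorted(a.name for a in assets.values() if agent_source not in a.sources)
    unscanned = sorted(a.name for a in assets.values() if scanner_source not in a.sources)
    single_source = sorted(a.name for a in assets.values() if len(a.sources) == 1)
    return {"missing_agent": missing_agent, "unscanned": unscanned, "single_source": single_source}


def run() -> dict[str, list[str]]:
    assets = correlate({"directory": DIRECTORY, "edr": EDR_AGENTS, "vuln_scanner": VULN_SCANNER})
    return coverage_gaps(assets)


if __name__ == "__main__":
    for gap, hosts in run().items():
        print(f"{gap}: {', '.join(hosts) or '(none)'}")
```

Assets seen by only one source (here the laptop known solely to the EDR) are the usual starting point for shadow-IT follow-up.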
And IT, security, and risk professionals will have what they need most: the ability to manage and reduce the attack surface.
“Culture is the foundation for any high-performing team. We all process information differently, we listen differently. We come from different backgrounds and experiences. No matter who you are, I want to know that. I want to understand what makes you you and treat you the way you want to be treated, not how I project myself onto you.”
— Jen Easterly, director, Cybersecurity and Infrastructure Security Agency (CISA)
“[Create an environment] where people can understand when they can take time off and not feel like everything is going to fall apart. [Where] they have a plan for their career and how they’re going to grow. [Where] they have time to be with their friends and family enough not to be burned out.”
— Deidre Diamond, founder and CEO of CyberSN and Security Diversity
“Actively invite engagement, listen with purpose, and look for signs of burnout. You can’t expect everyone to feel equally comfortable expressing an opinion, and so it’s important to solicit feedback at times as opposed to always passively expecting it. When you are getting engagement, listen with purpose. Make an effort to not only hear what’s being said, but understand and empathize. Lastly, look for signs of burnout. … If you’re noticing signs of burnout on the team, look for ways to intervene, like ensuring adequate team resourcing/load balancing to create a healthy work/life balance for everyone, and that team members are able to take PTO.”
— Daniel Trauner, senior director of security, Axonius
“We need an environment where failure is not only tolerated, but an understood aspect of innovation. Our attackers are failing forward every single day, [and] we deserve the ability to do the same if we are going to protect our people, data, and organizations.”
— Chris Cochran, co-founder at Hacker Valley Media and creative director at Axonius