Since CAASM is a relatively new cybersecurity technology, you might not know how to evaluate a solution. Once you identify your use cases, consider how each candidate CAASM answers the following questions.
How does the CAASM’s monitoring work?
A comprehensive CAASM should provide visibility into all cyber assets across on-premises and cloud environments. For real-time cyber asset discovery, the CAASM should use APIs and ingest logs, then aggregate and correlate data from:
Network traffic: Firewalls, NetFlow, load balancers, routers/switches, VPC flow logs
Scanner data: Vulnerability management systems, vulnerability scanners, Nmap
Endpoint data: Endpoint Detection and Response (EDR), anti-virus
Configuration management data: Configuration management database (CMDB), spreadsheets
Identity and Access Management (IAM): Single sign-on, authentication logs, Active Directory, LDAP
Network logging data: DHCP, DNS
Cloud logs: AWS, Azure, GCP
A CAASM built on a foundation of logs provides visibility into the on-premises and cloud assets. For example, by ingesting firewall logs, it gains real-time visibility into the on-premises assets. With the VPC flow logs, it gains real-time visibility into the cloud assets. The CAASM then normalizes this data so that you have the comprehensive visibility necessary across your complex environment.
Can the solution identify and integrate with IoT and OT assets?
The problem is that an agent-based CAASM cannot identify or integrate with these assets, because IoT and OT devices typically cannot run an agent.
The CAASM should be API-based to seamlessly identify and integrate with IoT and OT assets without disruption. It should also focus on identifying assets by ingesting logs rather than connecting to asset lists since IoT and OT generate logs but may not always be found in known lists of assets.
How does the CAASM identify code-based virtualized assets?
These cyber assets are notoriously difficult to discover, identify, and categorize. At the same time, they are high-risk assets.
Although these assets can be short-lived, they still leave a trace in your network activity. For example, each has a unique identifier such as a hostname, and when the CAASM parses network traffic logs it can determine whether that identifier is communicating on the network.
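To make the log-based discovery and normalization described under the monitoring question concrete, together with the short-lived-asset case just discussed, here is an added Python illustration that is not KeyCaliber's code. It assumes two constructed log layouts (a simplified key=value firewall syslog and AWS VPC flow log version 2 records), a constructed CMDB export, and a constructed address plan in which 10.0.0.0/8 is the organisation's own space; it then flags live addresses that the CMDB does not know about.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed samples: a key=value firewall syslog and AWS VPC flow log version 2 records.
FIREWALL_LOGS = """\
2024-05-01T10:00:01Z fw01 action=allow src=10.1.2.15 dst=10.1.5.40 dport=443
2024-05-01T10:00:05Z fw01 action=allow src=10.1.2.15 dst=203.0.113.9 dport=53
2024-05-01T10:00:09Z fw01 action=deny src=198.51.100.7 dst=10.1.5.40 dport=22
"""
VPC_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c 10.20.3.11 10.1.5.40 49152 443 6 10 840 1714557600 1714557660 ACCEPT OK
2 123456789012 eni-0a1b2c 10.20.3.11 10.20.7.200 49153 5432 6 5 400 1714557600 1714557660 ACCEPT OK
"""
# Constructed CMDB export (what the organisation believes it owns); 10.0.0.0/8 is treated as owned.
CMDB_IPS = {"10.1.2.15", "10.1.5.40", "10.20.7.200"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def parse_firewall(text):
    """Normalize firewall lines to (src, dst, dport, source_tag)."""
    for m in (FW_RE.search(line) for line in text.splitlines()):
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), "firewall"

def parse_vpc_flow(text):
    """Normalize VPC flow v2 records; fields 3, 4 and 6 are srcaddr, dstaddr, dstport."""
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 14:
            yield f[3], f[4], int(f[6]), "vpc_flow"

def build_inventory(records):
    """Owned addresses seen on the wire, with the log sources that saw them and their peers."""
    inv = defaultdict(lambda: {"sources": set(), "peers": set()})
    for src, dst, _dport, tag in records:
        for ip, peer in ((src, dst), (dst, src)):
            if ipaddress.ip_address(ip) in INTERNAL_NET:
                inv[ip]["sources"].add(tag)
                inv[ip]["peers"].add(peer)
    return dict(inv)

def reconcile(inventory, cmdb_ips):
    """Live assets the CMDB lacks (typical of short-lived instances) and silent CMDB entries."""
    seen = set(inventory)
    return sorted(seen - cmdb_ips), sorted(cmdb_ips - seen)

def run():
    records = [*parse_firewall(FIREWALL_LOGS), *parse_vpc_flow(VPC_FLOW_LOGS)]
    inventory = build_inventory(records)
    return (inventory,) + reconcile(inventory, CMDB_IPS)
```

On the sample data, the cloud address 10.20.3.11 shows up only in VPC flow records and is absent from the CMDB, which is exactly the kind of code-created, short-lived asset a list-based inventory misses.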
How long does a deployment take? What is the average time-to-value?
The more data sources you need to connect, the longer the deployment takes, and the longer it takes to reach time-to-value.
A CAASM’s deployment process provides visibility into the underlying technology. If the tool requires a lot of integrations, it’s likely aggregating asset data from known lists as part of its inventory capabilities.
Meanwhile, when logs are the CAASM’s primary data source, the solution can provide value once it has:
Network traffic data
Vulnerability scanner data
EDR logs
How does the CAASM analyze business risk?
Identifying, inventorying, and categorizing assets only helps if you can use the data to mitigate business risk, especially when using business operational impact to define critical assets.
When determining risk, the CAASM should help you understand the potential financial impact that a security incident involving a critical asset would have. You want analytics that include the following business impact and technology data when defining critical assets and risk:
Open-source actuarial data
Industry
Company size
Distance from the internet
Risk level of connected assets
Mitigating controls
Open-source threat intelligence
When a solution combines the data that matters to business leadership and IT leadership, you gain a comprehensive understanding of cyber risk.
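As an added illustration that is not KeyCaliber's analytics, the following Python model shows how several of the factors listed above (distance from the internet, risk level of connected assets, mitigating controls, and business impact) can be combined into a prioritized asset list. The connectivity graph, the per-asset inputs, and the weighting formula are all constructed assumptions.

```python
from collections import defaultdict, deque
# Constructed connectivity graph (who talks to whom, as derived from traffic logs);
# "internet" is a synthetic node standing in for every external address.
LINKS = [("internet", "web-lb"), ("web-lb", "app-01"), ("web-lb", "app-02"),
         ("app-01", "db-01"), ("app-02", "db-01"), ("db-01", "backup-01"),
         ("hr-ws-07", "db-01")]
# Constructed per-asset inputs: exploitable vulnerabilities, mitigating controls,
# and the estimated business impact in USD if the asset were compromised.
ASSETS = {
    "web-lb":    {"vulns": 1, "controls": ["waf"],           "impact": 50_000},
    "app-01":    {"vulns": 2, "controls": [],                "impact": 200_000},
    "app-02":    {"vulns": 0, "controls": ["edr"],           "impact": 200_000},
    "db-01":     {"vulns": 1, "controls": ["edr", "backup"], "impact": 2_000_000},
    "backup-01": {"vulns": 0, "controls": ["edr"],           "impact": 500_000},
    "hr-ws-07":  {"vulns": 3, "controls": [],                "impact": 20_000},
}

def adjacency(links):
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def distance_from_internet(adj):
    """Breadth-first hop count from the synthetic internet node."""
    dist, queue = {"internet": 0}, deque(["internet"])
    while queue:
        node = queue.popleft()
        for peer in adj[node]:
            if peer not in dist:
                dist[peer] = dist[node] + 1
                queue.append(peer)
    return dist

def exposure(name, assets, dist):
    """Illustrative weighting: impact x vulns, halved per hop from the internet, -25% per control."""
    a = assets[name]
    hops = dist.get(name, 99)  # never seen on a path to the internet: negligible exposure
    return a["impact"] * a["vulns"] / (2 ** hops) * (0.75 ** len(a["controls"]))

def prioritize(assets, links):
    """Rank by own exposure plus half the worst exposure among directly connected assets."""
    adj = adjacency(links)
    dist = distance_from_internet(adj)
    own = {n: exposure(n, assets, dist) for n in assets}
    total = {n: own[n] + 0.5 * max((own[p] for p in adj[n] if p in own), default=0)
             for n in assets}
    return sorted(total.items(), key=lambda kv: -kv[1])
```

With these inputs the database lands at the top despite sitting three hops from the internet, because its impact and the exposure of the app servers that talk to it outweigh its controls.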
Can the solution extend beyond core security teams?
A CAASM should have cross-functional capabilities that enable collaboration across various IT and line-of-business stakeholders. For example, it needs to support communication between:
Security: visibility into security tool coverage gaps
Threat hunters: ability to trace suspicious activity from the identified location through connected assets
Vulnerability management: prioritizing critical assets with exploitable vulnerabilities that impact business operations or create financial risk
Patching team/asset owners: visibility into assets that have been updated or need updating
IT Infrastructure/IT Ops: CMDB reconciliation to document secure configuration data
Chief Information Officer/VP of Infrastructure: changes to security and risk postures arising from new technology deployments
Senior leadership team/board of directors: connecting security posture to data breach costs and financial outcomes
Compliance/audit: risk mitigation documentation for audits
KeyCaliber: CAASM Built for Business Impact
KeyCaliber’s CAASM gives security and IT leaders a cyber asset risk “balance sheet,” enabling them to prioritize activities based on business impact data. Our solution ingests log data, correlating activity across your network, for visibility into on-premises and cloud cyber asset risks.
Our analytics enable cyber resilience by giving you a way to make data-driven decisions that reduce risk, re-focus resource allocation, and efficiently prioritize remediation activities. With our solution, you can correlate financial impact, asset usage, user privilege, vulnerability risk, mitigating controls, and connections between assets for visibility into business impact.
Our platform enables data-driven decisions that enhance cyber resilience, re-focus resource allocation, reduce risk, and efficiently prioritize remediation activities.