You’ve got 99 problems, and 98 of them are on cyber assets that you may, or may not, know exist on your network. The good, the bad, and the ugly of cyber asset management paints a picture detailing your challenges. 

The ugly focuses on visibility issues. One article notes that:

  • 43% of IT and business leaders state the attack surface is spiraling out of control

  • 73% of IT and business leaders are concerned about the size of their digital attack surface

The bad focuses on cloud adoption rates. According to research, companies continue to expand their use of cloud services:

The good tells a story about Cyber Asset Attack Surface Management (CAASM). Gartner identifies CAASM as a risk management solution companies can use to gain visibility into and control over the continuously expanding enterprise attack surface. 

By understanding the problems CAASM solves and how it fits into your broader cybersecurity technology stack, you can evaluate technologies and make informed purchasing decisions. 

The State of External Attack Surface Security Hygiene

According to research, 67% of organizations say that their attack surface increased between 2019 and 2021. Additionally, the research outlined the most important security hygiene and posture management metrics:

  • 38%: vulnerability scanning coverage as a percentage of all internal/external IT assets

  • 36%: cyber-risks calculated in monetary terms (i.e., dollars, euros, etc.)

  • 32%: attack surface discovery coverage as a percentage of all internal/external IT assets

Unfortunately, nearly 7 in 10 of the same responding organizations experienced at least one cyber attack through the exploitation of an unknown, unmanaged, or poorly managed internet-facing asset. 

Tool Proliferation

As companies added more business-critical technologies, they also added more security tools. Looking at the data, organizations can deploy as many as:

Both types of tools expand the organization’s attack surface by adding more access points that threat actors can exploit. 

Visibility

Companies not only adopt more SaaS apps, they also incorporate new device types. Increasingly complex environments include Internet of Things (IoT) devices and virtual machines. For some industries, enterprise IT convergence with Operational Technology (OT) adds another layer of complexity. 

In the cloud, identity and access management is a fundamental security protection. However, organizations need to manage new identity types with privileged access, including machine identities like service accounts and robotic process automation (RPA). 

In increasingly complex and code-based environments, companies lack visibility into risk. 

Shadow IT

In some cases, IT and security teams may not even know that a risk exists. Third-party and line-of-business cloud apps are easy to integrate without going through the traditional IT procurement processes. When employees and departments integrate these SaaS apps on their own, IT has no control or governance over them. When the IT team doesn’t know people are using these apps, the security team loses visibility, too. A company can’t protect something its teams don’t know about. 

Lack of Documentation

As governments enact more data privacy and protection laws, companies need to comply with increasingly strict mandates. IT and security teams need to report risk to leadership and document their activities for auditors. Manual documentation increases human error risks. For example, many companies document their configuration management activities in their configuration management database (CMDB), but this process may be manual, leading to stale data. 

Inability to Collaborate

Securing today’s IT environments requires collaboration across various internal stakeholders. IT operations, security teams, and vulnerability management often have siloed visibility into threats and risks. Threat actors can exploit any access point, meaning that low-risk assets connected to critical assets can be used during an attack. Everyone involved in security needs the same visibility into assets, risk, threats, and vulnerabilities. 

What is Cyber Asset Attack Surface Management (CAASM)?

Cyber asset attack surface management (CAASM) is an emerging technology that gives visibility into internal and external assets using passive data collection from API integrations across:

  • Endpoints

  • Services

  • Devices

  • Applications

Security teams can:

  • Query consolidated data

  • Identify vulnerabilities

  • Discover gaps in security controls

  • Remediate issues

The risk-informed insights replace time-consuming manual processes, enabling organizations to enhance security by:

  • Visualizing security tool coverage

  • Supporting attack surface management processing

  • Correcting stale or incomplete systems of record
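
As an added illustration (not from the original article or from any CAASM product), the sketch below consolidates constructed exports from four hypothetical sources and queries the merged inventory for security-control coverage gaps, assets missing from the CMDB, and stale CMDB records. The source names, hostnames, dates, and the 30-day staleness threshold are all assumptions.

```python
from datetime import date

# Constructed sample exports (host, last_seen); a real deployment would pull
# these from each tool's API. All names and dates here are illustrative.
SOURCES = {
    "cmdb": [("WEB-01.corp.example", "2024-05-01"), ("db-01", "2024-05-01"),
             ("old-print-01", "2023-01-10")],
    "edr": [("web-01", "2024-05-30"), ("db-01.corp.example", "2024-05-30")],
    "vuln_scanner": [("web-01", "2024-05-28"), ("build-07", "2024-05-28")],
    "cloud": [("build-07", "2024-05-30"), ("db-01", "2024-05-30")],
}

def normalize(host):
    """Collapse case and DNS suffix so one asset matches across tools."""
    return host.strip().lower().split(".")[0]

def consolidate(sources):
    """Merge per-tool records into {asset: {source: latest last_seen date}}."""
    inventory = {}
    for source, records in sources.items():
        for host, last_seen in records:
            seen = date.fromisoformat(last_seen)
            per_asset = inventory.setdefault(normalize(host), {})
            per_asset[source] = max(seen, per_asset.get(source, seen))
    return inventory

def coverage_gaps(inventory, required=("edr", "vuln_scanner")):
    """Assets seen somewhere but missing a required security control."""
    return {a: [c for c in required if c not in s]
            for a, s in inventory.items() if any(c not in s for c in required)}

def unrecorded(inventory):
    """Assets observed by some tool but absent from the system of record."""
    return sorted(a for a, s in inventory.items() if "cmdb" not in s)

def stale_cmdb(inventory, today, max_age_days=30):
    """CMDB entries that no live tool has observed within max_age_days."""
    stale = []
    for asset, s in inventory.items():
        live = [d for src, d in s.items() if src != "cmdb"]
        if "cmdb" in s and (not live or (today - max(live)).days > max_age_days):
            stale.append(asset)
    return sorted(stale)
```

Matching on a short hostname is the simplest possible correlation key; real inventories usually need additional identifiers (serial numbers, cloud instance IDs, MAC addresses) to avoid merging distinct assets.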

What is a cyber asset?

A cyber asset is any digital information asset, physical or virtual, that is critical to a company’s business processes. Examples of cyber assets include:

  • Hardware, including workstations, mobile devices, IoT, and OT

  • Software

  • Cloud infrastructure and applications, like Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS)

  • Code-based assets, like containers, instances, and storage buckets

  • Databases

Fundamentally, cyber assets are any system components, on-premises or in the cloud, connected to a company’s internal networks and the public internet.

How Does CAASM compare to the other ASMs and aaS’s?

Every year, leading analysts define new products and services to help security teams manage their overwhelming tasks. Understanding the different tools and how they compare to CAASM gives you a better understanding of what you have and what you need. With CAASM, you can fill in security gaps that other tools create. 

External Attack Surface Management (EASM)

EASM tools monitor public-facing assets, meaning those directly connected to the public internet. The automation provides an outside-in view of a company’s environment with visibility into known and unknown digital assets. 

While EASM discovers public-facing assets, it fails to discover internal assets embedded within the environment, including users, security gaps, policies, and controls. 

API Attack Surface Management (AASM)

Application Programming Interfaces (APIs) enable on-premises and cloud resources to share data, making them critical to automation and integration in digitally transformed environments. To secure applications, organizations often look for AASM as part of their EASM tool. 

Similar to EASM, these tools primarily focus on public-facing APIs, alerting teams to potential misconfiguration that attackers can exploit. However, they often fail to discover internal asset-to-asset API security issues. 

Digital Risk Protection Service (DRPS)

DRPS monitors a company’s digital footprint across social media channels, IoT, and third-party vendors, complementing threat intelligence services. DRPS typically focuses on risks like:

  • Data leaks

  • Data breaches

  • Brand compromise

  • Account takeovers

  • Fraud

  • Reputation damage

While these services are important, they fail to respond to internal risks, leaving a security gap.

Cloud Security Posture Management (CSPM)

CSPM identifies cloud misconfiguration issues and compliance risks, typically across hybrid cloud and multi-cloud environments. These tools focus on:

  • Cloud configurations

  • Ensuring consistent configurations across different services

  • Compliance with security frameworks and regulations

  • Standardizing visibility across IaaS, SaaS, and PaaS tools in containerized, hybrid cloud, and multi-cloud environments

  • Monitoring storage buckets, encryption, and account permissions to ensure secure configurations and compliance

These tools enable cloud security but lack visibility into devices or on-premises assets.

Software-as-a-Service (SaaS) Security Posture Management (SSPM)

SSPM monitors SaaS security risks, focusing on the expansive application layer, monitoring and remediating issues like:

  • Misconfigurations

  • Unnecessary user accounts

  • Excessive access permissions

  • Compliance risks

These solutions enable external and internal security monitoring for SaaS apps, but lack the ability to manage on-premises security. 

Configuration Management Database (CMDB)

CMDBs store the configuration information about hardware, software, systems, and facilities, including:

  • Hardware and software inventory

  • Network infrastructure information

  • System component configuration settings

  • Configuration change documentation

  • Personnel information

CMDBs provide visibility into the organization’s internal security and IT infrastructure. However, CMDB updates often lack accuracy because they rely on tools that lack real-time asset discovery, increasing human error risks. Further, they only monitor certain asset types, many of which are not cloud-based. 

Cyber Asset Attack Surface Management (CAASM)