Better Together: Cyber Asset Attack Surface Management and External Attack Surface Management

by John Le

In a previous blog, we explored the differences between attack surface management and vulnerability management.

“Attack surface management is the practice of continuous asset discovery, inventory, classification, and prioritization of remediation as vulnerabilities are detected for assets.”

Gartner recently introduced the term "attack surface assessment" (ASA). This involves discovering, inventorying, and contextualizing threats, which is more accurately described as an assessment process rather than a management one. Therefore, "attack surface assessment" is a more precise term compared to "attack surface management."

Today, we’ll dig deeper into attack surface management and explore the benefits and differences across cybersecurity asset management (CSAM), external attack surface management (EASM), and cyber asset attack surface management (CAASM). 

To help illustrate these terms, let’s start with an analogy.

Imagine you’ve just purchased a car. To keep it running smoothly, you take note of everything and the current condition: the engine, tires, brakes, and all its parts. You keep track of the condition and schedule regular maintenance. This is similar to asset management—knowing what you have and the state of each component.

Now, to protect your car from theft, you might install an alarm system and use a steering wheel lock. But what if you went a step further and hired an expert to inspect every part of your car—the windows, doors, locks, and even the garage it’s parked in—to identify any vulnerabilities that could be exploited by a thief? This would be like attack surface management at its core—understanding what assets you have and which ones are most susceptible to threats.

So what do the fancy acronyms mean and how do they differ from what we already know?

Let’s dive in. 

What’s on the inside matters

For more than a decade, companies have been migrating to the cloud and transforming their processes in order to ship products faster. Enterprises increasingly recognize that traditional approaches with siloed tools, rules-based policies, and fragmented security data not only fall short but also introduce more security risks. These outdated methods create an expanded attack surface for malicious actors, making comprehensive and integrated security strategies more crucial than ever. When containers and microservices hit the mainstream in 2016, the disruptive shift in delivering software unearthed three key challenges:

  • Assets mean something different in the modern world: The term “asset” evolved from describing physical resources, to virtual resources, and eventually to cloud resources and their respective configurations and attributes. Traditional asset management systems aren't able to support the amorphous nature of all of the resources that accompany the move to cloud.
  • Constant changes in assets mean your inventories are obsolete: Cloud assets can easily be spun up or decommissioned, leading to much shorter life cycles. Traditional asset management systems weren’t built for such a rapidly changing environment. Since an asset inventory anecdotally takes 45 to 60 days to complete, it is obsolete almost as soon as discovery begins.
  • Assessing risk is ineffective without the right context: While IT asset management systems may support the financial and operational aspects of hardware management and software licenses, security teams have to exercise supreme sleuthing skills to connect the dots between threats, vulnerabilities, assets, people, and remediation steps.

Enter cybersecurity asset management (CSAM).

CSAM is the natural evolution of traditional ITAM. Both ITAM and CSAM take an inside-out approach to achieving visibility into what the organization owns. Just as ITAM is IT’s way of aligning resources and initiatives to business outcomes, CSAM is built for cybersecurity teams to align resources and initiatives to business and security outcomes.

CSAM takes it a step further than ITAM and maps security-related contextual data to the inventory of assets so that security professionals can protect the ‘crown jewels’ of the organization and effectively right-size security efforts. Visualizing the impact of security issues related to the organization’s infrastructure provides a system of record to answer two key questions:

  • What do I have?
  • Where am I most vulnerable?

Companies have typically answered the second question through vulnerability assessments, penetration tests, and bug bounties, which brings us to our next topic — external attack surface management.

The view from the outside

To answer the question “Where am I most vulnerable?” companies have had to rely on the services of other security professionals to tell them whether there were any holes in security from the outside. Many companies follow a predictable cycle — perform the vulnerability assessment, receive a report, hopefully fix the most glaring issues (because red-hot critical issues are all that people have time for), and retest to confirm remediation worked. There are three big issues with this cycle:

  1. Vulnerability assessments are point-in-time and don’t take into account the dynamic nature of a company’s cloud and other ephemeral resources.
  2. These engagements are usually narrowly scoped in nature, providing feedback on a limited view of the company’s assets.
  3. The time given to ethical hackers for a pentest is disproportionate to the time attackers get to find an opening.

Enter external attack surface management (EASM).

EASM technologies take an attacker’s perspective by automatically and continuously discovering public-facing assets and determining risk. This includes not only network scanning, but also discovering related entities and joint ventures whose exposure could be used against an organization to gain unauthorized access to systems.

By itself, EASM only provides a piece of the picture (the external view), but when it is combined with the internal perspective of CSAM, security teams have an up-to-date system of record with full visibility of their attack surface.

Say hello to cyber asset attack surface management (CAASM). 

CSAM + EASM = CAASM

With CSAM providing the cybersecurity view of all assets internal to an organization, and EASM providing the attacker’s view of all assets accessible externally and exploitable by the public, CAASM bridges the gap between security and infrastructure. It provides the best breadth of asset discovery to answer those two fundamental questions in a modern, scalable manner:

  • What do I have?
  • Where am I most vulnerable?

To illustrate the beauty of this powerful combination of technologies, let’s circle back to the analogy from the beginning of this blog. 

Imagine you just purchased a car.

  • CSAM is the condition of the engine, the tire pressure, the oil level, and every service history entry. You regularly check these components and ensure they are all functioning correctly and are well-maintained.
  • EASM is protecting the car from outside threats. You install a car alarm, lock the doors, and maybe even add a GPS tracking system. You are aware of potential threats like car theft, vandalism, or damage from hail and take steps to mitigate these risks.
  • CAASM is when you take your car to a mechanic who inspects not only the car itself but also the garage it’s stored in, the routes you drive most frequently, and your driving habits. They provide a comprehensive analysis of all these factors to identify potential vulnerabilities, such as a weak garage door lock or high-risk driving areas.

CAASM technology provides security and infrastructure teams with the ability to:

  • Gain complete visibility across all of their assets (both internal- and external-facing, cloud and on-premises) via API integrations with their existing tools
  • Query their consolidated data
  • Identify the scope of vulnerabilities and gaps in security controls
  • Accelerate incident response, add context to security investigations, and remediate issues with greater precision
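To make "CSAM + EASM = CAASM" concrete, here is an added Python example (not JupiterOne's code or data model) that merges a constructed inside-out inventory with a constructed outside-in discovery and then queries the consolidated record for the two questions above. Every hostname, field name and CVE placeholder is an assumption made for the example.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample data (field names are assumptions, not a vendor schema):
# an inside-out, CSAM-style inventory and an outside-in, EASM-style discovery.
NOW = datetime(2024, 11, 1, tzinfo=timezone.utc)
CSAM_INVENTORY = {
    "api.example.com": {"owner": "platform", "last_seen": NOW - timedelta(days=1),
                        "vulns": ["CVE-PLACEHOLDER-1"], "controls": {"waf", "mfa"}},
    "db-01.internal": {"owner": "data", "last_seen": NOW - timedelta(days=2),
                       "vulns": [], "controls": {"mfa"}},
    "legacy.example.com": {"owner": None, "last_seen": NOW - timedelta(days=75),
                           "vulns": ["CVE-PLACEHOLDER-2"], "controls": set()},
}
EASM_DISCOVERY = [  # the attacker's view: which hosts answer from the internet
    {"host": "api.example.com", "ports": [443], "tls_expired": False},
    {"host": "legacy.example.com", "ports": [22, 80], "tls_expired": True},
    {"host": "staging.example.com", "ports": [8080], "tls_expired": False},
]

def consolidate(inventory, discovery, stale_after=timedelta(days=30)):
    """Merge both views into one record per asset: the CAASM system of record."""
    graph = {host: {**rec, "external": None} for host, rec in inventory.items()}
    for ext in discovery:
        # A host seen from outside but missing from the inventory is still an asset.
        rec = graph.setdefault(ext["host"], {"owner": None, "last_seen": None,
                                             "vulns": [], "controls": set()})
        rec["external"] = ext
    for rec in graph.values():  # flag inventory entries older than the staleness window
        rec["stale"] = rec["last_seen"] is not None and NOW - rec["last_seen"] > stale_after
    return graph

def what_do_i_have(graph):
    """Question one: every asset known from either view."""
    return sorted(graph)

def where_am_i_most_vulnerable(graph):
    """Question two: externally reachable assets, ranked by number of findings."""
    ranked = []
    for host, rec in graph.items():
        if rec["external"] is None:
            continue  # internal only: not part of the external attack surface
        checks = [(rec["last_seen"] is None, "unknown_to_inventory"),
                  (rec["stale"], "stale_inventory"),
                  (rec["owner"] is None, "unowned"),
                  (not rec["controls"], "no_security_controls"),
                  (rec["external"]["tls_expired"], "tls_expired")]
        findings = [f"exposed_vuln:{v}" for v in rec["vulns"]]
        findings += [label for cond, label in checks if cond]
        ranked.append((host, findings))
    return sorted(ranked, key=lambda item: len(item[1]), reverse=True)
```

The internal-only database never appears in the ranking, while the staging host that no inventory knew about does, which is exactly the gap that neither view closes on its own.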

Choose the richer relationship. Choose CAASM.

Schedule a demo with us today to learn more.

John Le

John is the Director of Product Marketing at JupiterOne. He is an experienced cybersecurity product marketer and excels in crafting consistent messaging, extracting valuable insights from data, and connecting different teams to ensure alignment across the organization. Outside the office, John enjoys wakesurfing, carving down slopes, and supporting his beloved Texas Longhorns and Austin FC.
