CAASM is the Future... CSPM is Dead

by

Cloud Security Posture Management is a commodity

Beyond the classic CSPM tools like Dome9, DivvyCloud, etc. now even infrastructure and workload scanners claim CSPM as part of their capabilities. Cloud Security Posture Management capabilities should be evolving because cloud configuration management is only becoming more complex, instead we are seeing the same old misconfiguration checks coming out of every CSPM offering with no depth or flexibility to modify the monitoring rules. How can we monitor user defined configuration baselines? There are many configs that are unique to our cloud environment. How can we monitor more than just basic property checks such as the relationships between assets?

Cyber Asset Attack Surface Management is the evolution

CAASM can do everything CSPM does and more. Even though it's a mouthful of an acronym (I didn't invent it), CAASM goes beyond the basic cloud configuration checks and allows us to monitor custom configurations important to our unique security architecture. CAASM also visualizes and monitors our entire attack surface from the public cloud and beyond, exposing unique toxic combinations of misconfigurations and relationships that CSPMs simply cannot.

Here are 2 cloud attack surface monitoring use cases that JupiterOne can handle that any traditional CSPM cannot.

1) Identify all your assets and services that are accessible by any of your EC2 instances that are on publicly configured VPCs (publicly configured includes ACL, internet gateway, and routing table configs), and whose security groups allow public SSH ingress over TCP.

Think about how much effort it would typically take to determine the blast radius for this attack vector. Using JupiterOne I literally tweaked a question to find the result in 20 seconds. This is the power that every security engineering team needs at their fingertips. Not to mention I could set this up for continuous monitoring and trigger alerts workflows via API. Notice in the image how we can monitor the specific actions allowed on each service or resource.

CAASM is the Future - 01

2) Identify the attack surface defined by all production VPCs and their respective VPC endpoint configurations (including all the services and resources allowed/denied).

VPCs are becoming the defacto mechanism for securing logical access to resources in AWS. VPC endpoint configs are extremely important and typically unique to each business. Monitoring vpc endpoint policies, internet gateway configs, VPC peering, route tables, ACLs, load balancers, cloud front distributions, NAT gateway configs, etc. should all be table-stakes for a cloud monitoring solution.

The query to monitor this attack surface in JupiterOne takes only a little effort to understand:

Find aws_vpc with tag.production=true
that has aws_vpc_endpoint
that (allows|denies) *

Notice how we parse the vpc endpoint policy as well and illustrate the connections. The allowed relationships are in green, the denied relationships are in red, and we will even note which relationships are allowed but rendered ineffective by a deny.

CAASM is the Future - 02

JupiterOne, Data Graph Model and Knowledge Graph Visualizations

JupiterOne's query language, graph data model, and knowledge graph visualizations allow users to define custom controls, and allow us to easily and automatically analyze complex attack surfaces. I haven't even talked about how we integrate with and connect your assets beyond the cloud into the same knowledge graph! JupiterOne can help manage the attack surface across an entire security program. I'll save that for a follow up blog, but please reach out if interested in hearing more.

Additional CAASM Resources and Related Blogs

Akash Ganapathi
Akash Ganapathi

Akash Ganapathi comes from an enterprise security, data privacy, and data analysis background, working exclusively in the B2B software solutions space throughout his career. He is currently a Principal Security Solutions Architect at JupiterOne.

Keep Reading

Proactive IAM Security: Transforming Identity Security with Actionable Insights | Okta Integration with JupiterOne
December 19, 2024
Blog
Unlocking Proactive Security: How Okta and JupiterOne Elevate IAM Insights

Unlock proactive IAM security with Okta and JupiterOne, gaining real-time insights, enforcing least privilege, and reducing risks in dynamic cloud environments.

Transitioning from Vulnerability Management to Exposure Management | JupiterOne
December 13, 2024
Blog
Transitioning from Vulnerability Management to Exposure Management with JupiterOne

Explore Gartner's latest report on Exposure Management and learn how your organization can prioritize vulnerabilities and minimize exposures.

The Ultimate CAASM Guide for 2025 | JupiterOne
November 20, 2024
Blog
The Ultimate CAASM Guide for 2025

Discover how Cyber Asset Attack Surface Management (CAASM) is providing enhanced visibility of internal and external assets in 2025.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.