It's a good time to be a hacker. Evolving IT architectures and workplace models now offer more entry points than ever for an attack, while simultaneously making it harder than ever to prevent, detect, and respond to breaches. Without a simpler, more comprehensive way to manage their security posture, organizations face a constant increase in risk.
A recent ESG survey commissioned by JupiterOne provides insight into the urgent challenges in attack surface management. According to ESG's 2021 Security Hygiene and Posture Management Survey, two-thirds (67%) of organizations say that their attack surface has increased over the past two years. The reasons given come as no surprise—in fact, most organizations will recognize several or all of these factors within their own environment:
- IT connections with third parties (32%)
- User device type diversity (32%)
- Use of public cloud infrastructure (32%)
- Use of SaaS applications/services (30%)
- Increased remote worker population (28%)
This increased exposure to attack has dire implications. According to the Ponemon Institute, the average total cost of a data breach spiked to an all-time high of $4.24 million in 2021.
While cyberthreats come in many forms, from ransomware to phishing to cloud jacking, there's one thing they all have in common: when your organization is attacked, it's through your cyber assets—in other words, your users, cloud assets, devices, or elements of your digital environment. Any attempt to strengthen your security posture has to begin with better visibility, understanding, and management of this landscape: what you have, what it's connected to, and who owns it.
More cyber assets and connections mean more vulnerability
The expanding attack surface of today's organizations is an unintended consequence of a legitimate—even vital—business priority. The increased adoption of API-first, cloud-first, and digital transformation initiatives helps companies accelerate the delivery of new business initiatives and new experiences for customers. The rise of remote work enhances business continuity, workforce flexibility, and employee satisfaction. Even shadow IT, while an ongoing headache for administrators and security teams, can offer valuable flexibility, speed, and efficiency for business units and developers.
But these benefits come at a cost. The more cyber assets in an organization's environment, the harder it becomes to understand its full scope. In fact, 69% of organizations admit that they have experienced at least one cyber-attack that started through the exploitation of an unknown, unmanaged, or poorly managed internet-facing asset. And the companies with the most cyber assets were nearly twice as likely to fall victim.
It's not just the cyber assets themselves that matter. Companies also have to consider the relationships among them. If a user or asset is compromised, it's critically urgent to understand the full scope of the blast radius. Does this user have access to an Amazon Web Services (AWS) environment? Does this IoT device connect to critical production systems? How can we limit the scope of the attack before it reaches sensitive business data or applications? Answering these questions can be a time-consuming exercise involving a plethora of tools, from IT asset management systems to endpoint and cloud security posture management tools to network access controls—and with an attack underway, every second counts.
Even in a non-crisis situation, maintaining an accurate inventory of assets and their relationships is notoriously difficult, often involving different organizations, the reconciliation of conflicting data, and an ever-changing environment in which an inventory is out of date even before it is completed. In a security event, SecOps teams are effectively flying blind.
CAASM innovates the front lines of security
Organizations are well aware of the risks posed by an expanding attack surface. According to the ESG report, 80% of organizations plan to increase spending for security hygiene and posture management over the next 12 to 18 months, and more than one-third (34%) have created a dedicated budget for security hygiene and posture management. These efforts bring a new focus on cyber asset attack surface management (CAASM).
Simply put, CAASM enables organizations to discover all of their assets, internal and external, known and unknown, and see them in a single view. With a better understanding of both cyber assets and the relationships among them, SecOps and IT teams can improve detection and response, close security gaps, and avoid compliance drift. During a security event, they can determine the blast radius of a compromised asset, then respond more quickly and effectively to the breach.
As a relatively new function, CAASM is still finding its place in the organizational structure and budget of many organizations. Considered by some an offshoot of asset management—a configuration management database (CMDB) by a different name—CAASM is often seen as the purview of IT service management (ITSM). But given its foundational role in cyberdefense, it's at least as relevant for security and SecOps. In the past, organizations have faced challenges validating the data captured through IT asset management tools such as a CMDB, while the vast amount of data provided by security tools such as a SIEM can be overwhelming to work with. By making accurate, timely cyber asset data both visible and queryable, CAASM enables security teams to answer specific questions across all of their organization's cyber assets, understand the potential blast radius of an incident, and take fast action to mitigate its impact.
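The blast-radius questions raised above (does this user reach an AWS environment, does this IoT device reach production) reduce to reachability over an asset relationship graph. The sketch below is an added example, not JupiterOne's code or query language: the asset names, owners, relationship labels and the choice to treat relationships as directed access paths are all constructed assumptions.

```python
from collections import deque

# Constructed sample inventory (hypothetical names, not real data).
ASSETS = {
    "user:alice":       {"owner": "engineering", "critical": False},
    "role:aws-admin":   {"owner": "cloud-team",  "critical": False},
    "aws:prod-account": {"owner": "cloud-team",  "critical": True},
    "db:customer-data": {"owner": "data-team",   "critical": True},
    "iot:badge-reader": {"owner": "facilities",  "critical": False},
    "svc:prod-api":     {"owner": "platform",    "critical": True},
}
# Directed relationships: (source, relationship, target).
RELATIONSHIPS = [
    ("user:alice", "USES", "laptop:byod"),  # target missing from inventory
    ("user:alice", "ASSUMES", "role:aws-admin"),
    ("role:aws-admin", "ALLOWS", "aws:prod-account"),
    ("aws:prod-account", "HOSTS", "db:customer-data"),
    ("db:customer-data", "BACKED_UP_TO", "aws:prod-account"),  # cycle
    ("iot:badge-reader", "CONNECTS", "svc:prod-api"),
    ("svc:prod-api", "READS", "db:customer-data"),
]

def blast_radius(start, max_hops=None):
    """Breadth-first walk; returns {asset: shortest path of assets from start}."""
    graph = {}
    for src, _rel, dst in RELATIONSHIPS:
        graph.setdefault(src, []).append(dst)
    paths, queue = {start: [start]}, deque([start])
    while queue:
        node = queue.popleft()
        if max_hops is not None and len(paths[node]) - 1 >= max_hops:
            continue  # do not expand past the hop limit
        for nxt in graph.get(node, []):
            if nxt not in paths:  # visited check also breaks cycles
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return {a: p for a, p in paths.items() if a != start}

def triage(start, max_hops=None):
    """Return (critical assets as (hops, asset, owner), assets absent from inventory)."""
    reached = blast_radius(start, max_hops)
    critical = sorted((len(p) - 1, a, ASSETS[a]["owner"]) for a, p in reached.items()
                      if ASSETS.get(a, {}).get("critical"))
    unmanaged = sorted(a for a in reached if a not in ASSETS)
    return critical, unmanaged

if __name__ == "__main__":
    print(triage("user:alice"), triage("iot:badge-reader"))
```

The second return value lists assets that appear in a relationship but not in the inventory, which is how the unknown or unmanaged assets mentioned earlier surface during triage.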
In our next blog, we'll take a deeper dive into the management of cyber assets, exploring requirements and challenges, pros and cons of different approaches, and emerging best practices to keep your expanding attack surface from exposing your organization to risk.
In the meantime, make sure to check out the full ESG report highlighting illuminating trends from their 2021 Security Hygiene and Posture Management Survey if you're looking to level up your cyber hygiene and security posture.