Adopt CAASM First, then EASM

Adopt CAASM before EASM to thoroughly understand and protect your infrastructure

The Origin of Attack Surface Management

In 2019, I created the Attack Surface Management category at Gartner as a top research analyst. Leading up to that event, the vast majority of organizations I was interacting with over the course of my time there did not know what their internal and external attack surface was across their corporate infrastructure. Over half of the organizations I spoke with on a multi-daily basis did not have an active ledger or list of critical business assets, and the out-of-date ‘system of record’ was managed out of a simple Excel spreadsheet for over 75% of them.

It was clear there was a very strong call for improvements in the way CIOs, CISOs and IT leaders were going to address this wide-scale problem.

Noetic Pioneers Cyber Asset Attack Surface Management

Fast forward to last year, when I reconnected with the outstanding leaders at Noetic Cyber. Noetic has been advocating the importance of Cyber Asset Attack Surface Management (CAASM) since its inception to programmatically enhance organizations’ cyber security postures. We have been helping organizations around the world to get clear visibility into what their true risk exposure is across ALL their assets so that they can take proactive steps to mitigate the impact of any attacks that might take place. Now with the Gartner Report “Innovation Insight for Attack Surface Management,” Noetic’s vision touched a new landmark.

Log4j Pushes Things into 5th Gear

This security gap was made evident around the world as almost every organization was impacted by Log4j. Jen Easterly, director of the U.S. Cybersecurity & Infrastructure Security Agency, called Log4Shell ‘the most serious vulnerability’ she’s seen in her decades-long career, and it could take years to address. There have already been millions of attempts to exploit the vulnerability. Many organizations collectively spent hundreds to thousands of resource hours manually identifying the assets in their corporate environments that were vulnerable.

Leaders and organizations alike have felt the pain that not having a mature solution in place can incur. And Log4Shell continues to be a problem, as it has not been practical for all organizations to identify and patch affected software libraries. This has led many security leaders to prioritize solutions like CAASM to ensure these lessons are not repeated.

Gartner States Investing and Adopting Attack Surface Management as the Top Priority for 2022

For a pioneer in the CAASM space, this is great validation, not just for Noetic but also for the expansive CISO community who trusted in their vision. And the truth is in the numbers, as Gartner states in the report, “By 2026, 20% of companies will have more than 95% visibility of all their assets, which will be prioritized by risk and control coverage by implementing cyber asset attack surface management functionality, up from less than 1% in 2022.” That is 20x growth in less than 3 years.

CAASM vs. EASM: What’s the difference?

The role of CAASM: Understanding what assets you have

If you’re going to defend your infrastructure, you first need to know what assets you have in that infrastructure. CAASM tools use API integrations to connect with your existing software stack and provide full visibility into your attack surface – first from inside your network, so it can be combined with an outside view. Prioritizing your internal assets first gives you a strong foundation that has embedded business context. With this level of visibility and actionability, organizations can implement automation with a degree of certainty that has not been achievable before.

Overcoming Security Challenges with CAASM Tools

Given the ever-expanding infrastructure that many corporations rely upon to do business in a heavily digital-dependent environment, these assets can easily operate in silos without the security team being aware of them. With all assets detected, the CAASM tool can identify surface coverage gaps and validate your policies and controls – not just once, but continuously. 

From there, you can take control of defending your attack surface with automated actions. By providing context for the various assets, the security team can better understand actions and have a refined understanding of what activities are normal and what activities need to be shut down immediately. Of course, some threats are more dangerous than others. A CAASM tool allows the security team to prioritize threats and their remediation actions.

It’s likely that your infrastructure has a multitude of points of entry for threat actors through endpoints, cloud systems, your users, etc. That’s too much to handle manually, so you need a CAASM tool to not only keep track of the security issues, but also address them logically rather than chaotically. 

And beyond immediate responses, you’ll want to implement a security practice that ensures that approved controls are enforced and maintained and that your system is continuously improving. A well-designed CAASM tool can do all of that.

The role of EASM: Discovering unknown external-facing assets

An external attack surface monitoring tool is used to discover unknown external-facing assets and networks. The idea is that by using an EASM tool, you’re able to see your infrastructure – both your own and those of others connected to you – as a cybercriminal might. The tool is essentially identifying infrastructure-based vulnerabilities.

That’s all well and good, but if you don’t have a good way of knowing what’s inside your system now, or of taking steps to address those shortcomings, it can make for some discomfort at best and random responses at worst.

Without that internal view, there’s no way to use the information provided by an EASM tool to make informed moves, or ones that are based on context and prioritization. Without that knowledge, your security team might overreact and interrupt important business operations needlessly.

Where does EASM fit in?

Yes, it’s helpful to have as complete an understanding of your security posture as possible. But with limited budgets, time and staffing, you need to start with a tool that gives you the greatest immediate return, then build from there.

To see how Noetic’s cyber asset attack surface management platform can serve your organization, request a demo. We think you’ll see how we can help you optimize your security posture now, and improve it continuously.