Abstract: Cyber Asset Attack Surface Management (CAASM) is an emerging technology that fills the gap between external attack surface management (EASM) and asset management. As an emerging technology, most CAASM solutions evolved as an extension of asset management, but Cymulate took a different approach by applying the attacker’s perspective to the cyber asset attack surface.
In this post, we look at the strengths and weaknesses of an asset management approach to CAASM vs. the attacker’s view of cyber asset attack surface
Table of Contents
Cyber Asset Attack Surface Management (CAASM) is viewed by Gartner as an emerging technology filling the gap between external attack surface management (EASM) and asset management to measure the scope of exposure, identify security control weaknesses/gaps, and recommend remediation options. As an emerging technology, most CAASM solutions evolved as an extension of asset management, but Cymulate took a different approach by applying the attacker’s perspective to the cyber asset attack surface.
CAASM (cyber asset attack surface management) is an emerging technology focused on enabling security teams to achieve comprehensive visibility into an organization’s internal and external assets. The end goal is to identify gaps in security tool coverage, prioritize vulnerabilities, and recommend remediation actions.
As Gartner explains, CAASM solutions aggregate asset data from endpoints, servers, devices, cloud objects, applications, and more to provide a consolidated view. In that sense, CAASM evolved as an extension of IT asset management tools like configuration management databases (CMDB). CAASM builds off this unified asset visibility and focuses on security use cases while CMDBs cater more to IT service management processes.
CMDBs track assets for purposes like financial management and lifecycle monitoring. The asset data and attributes managed in CMDBs are insufficient for security teams. CAASM enriches IT asset data with additional context needed for risk analysis. For example, CMDBs may not contain security vulnerabilities associated with assets.
CAASM also fills a critical need not covered by external attack surface management (EASM), which focuses purely on discovering an organization’s external-facing assets through internet scanning. While EASM and CMDBs are data feeds for CAASM, neither provide the comprehensive visibility required into both internal and external assets.
A better understanding of the actual uses of CAASM can be derived from looking at what it does in practice.
Typical CAASM capabilities include:
- Leveraging API integrations to aggregate asset data from CMDBs, vulnerability scanners, identity systems, security tools, and more, into a consolidated inventory.
- Generating an asset listing akin to an inventory, yet without correlating those assets to their business/operational value or contextual risk.
- Gathering evidence on the existence of security controls for compliance and audit reporting yet without validating their contextual efficacy.
- Measuring the exposure scope based on ingested EASM findings.
- Identifying security gaps, prioritizing vulnerabilities, and providing remediation options based on collected EASM and static data.
Most CAASM solutions evolved from an IT asset management foundation focused on creating a comprehensive listing of assets. While consolidating assets into a single view is the first step of any CAASM tool, the Cymulate exposure management platform goes beyond simple asset inventory by adding the attacker’s view of those cyber assets.
With this attacker’s view, the Cymulate platform delivers key CAASM use cases in an exposure-centric way:
- Measuring and benchmarking actual cyber resilience by integrating attack surface management, breach simulation, and automated red teaming to understand attack paths and the effectiveness of controls protecting those assets.
- Prioritizing mitigations based on correlations between exploitability and the assets’ business/operational value.
- Facilitating IT compliance and audit reporting by automatically generating customizable reports populated with detailed information about security controls efficacy and trends in resilience.
- Strengthening IT governance through providing visibility into shadow IT and quantifying assets and third-party applications’ operational/business risk based on their exposure and criticality.
|CAASM Functionality||Asset Management Approach||Attacker’s View Approach|
|Asset Inventory||Consolidated listing of assets||Risk-profiled asset inventory with business context|
|Security Gap Identification||Static analysis of vulnerabilities and findings||· Consolidated findings from third-party vulnerability scanners, ASM, and other tools
· Integrated internal and external attack surface management for discovery
|Remediation Prioritization||By vulnerability severity||Based on contextual exploitability, asset accessibility, and ease of achieving extracting data or taking disruptive or destructive actions|
|Compliance Reporting||Gathering evidence of controls’ existence||Automatically generated reports that include security controls comprehensiveness, validated efficacy, and efficacy trend over time|
|IT Governance||Visibility into Shadow IT||Risk analysis of unmanaged assets|
The Cymulate exposure management platform delivers on core CAASM capabilities but with an attacker perspective:
- Cymulate Exposure Analytics provides risk-based asset inventory and prioritization based on exploitability validation and business context.
- Integration with breach simulation enriches control gap identification with continuous testing.
- Unified platform measures and baseline security posture to quantify cyber resilience.
Ultimately, taking an attacker view of the cyber asset attack surface provides more exposure-centric CAASM capabilities focused on security outcomes vs. just asset visibility.
Rather than starting from static assets and vulnerabilities, the Cymulate platform analyzes the interconnected attack paths and dynamic exposures that attackers continuously seek out.