Covering Your Assets: 5 Most Common Questions About Cyber Asset Management

This blog was originally published by JupiterOne here.

Written by Jennie Duong, JupiterOne.

The cybersecurity forecast for 2022: More of the same—only worse. Yes, the sophistication of cyberattacks is growing by the minute. Unfortunately, so are the rewards for ransomware and stolen data. But a new survey from ESG points to the real reason the threat landscape is likely to worsen over the next year. In an era of remote workforces, digital transformation, and cloud-first everything, the task of understanding and securing an expanding ecosystem of devices, users, systems, repositories, workloads, and other cyber assets grows more complex. Unfortunately, as a growing number of other organizations are discovering, it's hard to protect what you don't know exists. With attacks coming from every angle, 69% of organizations in the study report falling victim to at least one exploit originating with an unknown, unmanaged, or poorly-managed Internet-facing IT asset.

As the attack surface expands, managing our IT is more challenging; vulnerabilities, and potential system compromises proliferate. Without a clear understanding of what you're trying to defend, it's nearly impossible to put appropriate security controls in place. To turn the tide, security and risk management professionals need a comprehensive approach to cyber asset management. But many have questions.

Let's look at the five cyber asset-related questions we hear most often.

Question #1: What Exactly Is Cyber Asset Management?

Cyber asset management is the process of gaining full visibility into all the assets you have—and to whom and what they're connected. Spoiler alert: it's no small feat.

Nearly one-third (32%) of organizations in the ESG study report that inventorying assets requires as many as 10 different tools. Approximately half (48%) say it takes more than 89 person-hours to generate an asset inventory. For many enterprises/companies/cloud-first organizations, siloed tools and manual processes make tracking and maintaining an accurate picture of thousands of continuously changing assets unrealistic.

As a growing number of companies are discovering, the visibility required to implement a strong security program requires cyber asset attack surface management (CAASM). CAASM is an emerging technology that solves persistent asset visibility and vulnerability challenges. According to Gartner, solutions leveraging the technology gain complete visibility and centralized inventory control over all assets, both internal and external, through API integrations with existing tools.

Most importantly, CAASM-based solutions enable organizations to gain an in-depth understanding of all of the relationships between their cyber assets:. That includes everything from users and identities to code repositories, endpoints, ephemeral devices, and more—all updated in real-time, automatically, and continuously.

Question #2: What Makes CAASM Different Than IT Asset Management?

IT Asset Management, or ITAM, is a set of practices and technologies for managing the endpoints, servers, devices, applications, and other hardware and software assets within an IT environment.

While this can include aspects of security, ITAM primarily focuses on using a Configuration Management Database (CMDB) or other tools to catalog IT assets and their configurations. This approach helps IT organizations manage access controls, optimize costs, and maintain licenses. Not only do CAASM-based technologies give organizations a unified view of all their cyber assets, but they also place those assets within the proper context. With CAASM, it's not the cyber assets that truly matter, it's the relationships between them. If a cyber asset is compromised, it's critically important to understand the full scope of the threat, including all the access privileges, connections, and context in an asset's relationship chain.

CAASM largely automates the work required to catalogue all assets and the context. Before CAASM there were no good options for SMB or cloud-first businesses to automate these crucial actions. CAASM solutions enable organizations to quickly identify the scope of vulnerabilities and gaps in security controls and gain context into breaches, issues, and other security program requirements.

Question #3: How Does Improving Cyber Asset Management Translate into Enhanced Cybersecurity Hygiene & Posture Management?

The obstacles to inventorying assets I discussed just a moment ago aren't exactly rare. Nearly 66% of organizations have an incomplete or obsolete asset inventory leading to security issues and vulnerabilities.

Cyber asset management, using CAASM style technology, allows security teams to improve basic security hygiene by helping them ensure security controls, security posture, and asset exposure are continuously understood and remediated across the environment.

Organizations that deploy CAASM reduce dependencies on homegrown systems and manual collection processes and improve remediation through automated workflows and accurate asset context. In addition, such organizations can visualize security tool coverage and correct source systems that may have stale or missing data. Today's most robust CAASM solutions monitor asset compliance through automated security enforcement, which is critically important as needs scale. This includes "Security Policy as Code" (SPaC), which entails the automated discovery and management of cyber assets connected automatically with required security policies. It can even include continuous monitoring for compliance drift across all cyber assets to help avoid any compliance gaps or security issues.

Question #4: Why is Comprehensive Asset Visibility a Necessary Foundation for Businesses?

Full, up-to-the-moment asset visibility is the bedrock of every organization's management and security apparatus.

Enterprise assets change continuously, devices and staff are added or removed every day, and stakeholders install and update applications regularly (approved and otherwise). Throw in digital transformation, IoT proliferation, virtualization, and cloud-native and hybrid cloud migrations, and asset visibility becomes all the more critical. Different groups manage assets differently, adding significant complexity. If you're running security operations a consolidated view of exactly what's where, and what it's connected to, is mandatory. CAASM-based solutions automatically update your inventory across your entire ecosystem providing you the context to build a strong cyber security program.

If a user or asset becomes compromised, it's critical to understand the extent of the potential blast radius to minimize the damage. At a time when the average cost of a data breach is now $8.6 million per incident for US-based companies, ransomware extortion runs as high as $40 million, and threats like the Log4Shell bug surface with troubling regularity, every second counts.

Question #5: What Strategies Are Most Important When Managing Cyber Assets for Cybersecurity?

Modern cybersecurity is built on an organization's knowledge of its IT ecosystem and cyber assets. Knowing what exists, where it exists, and all pertinent meta-data around each asset makes it possible to create an effective security program on top of that contextual knowledge.

To run a cyber asset management program effectively, organizations need to reduce complexity and gain a single view of their IT assets and their relationships to one another. They also need the ability to ask the right questions—not just the "what," but also the "why" across all cyber assets. Deploying a CAASM-based solution is the best place to start.

By integrating with and connecting assets into a powerful knowledge graph, vision and context are built. The more integrations you connect, the more you can see and understand across your cyber asset environment.

Important Questions, One Critical Answer

Put it all together, and it's clear that limited visibility equals more risk. Cyber asset counts are rising, opening new attack vectors. If you don't know what's in your IT ecosystem, and how it's all interrelated, you can't secure it. Cyber asset management is a comprehensive approach to gaining the visibility security teams need. Spending hundreds of hours across multiple tools trying to gain this visibility is hard to manage and impossible to scale. Instead, CAASM-based technologies are proving highly effective at integrating existing security and IT tools into a single view.

With the right solutions, security teams can discover, analyze, and query any cyber asset within their environments. They can understand the connections across those assets to determine and contain the blast radius of new attacks. And they gain the visibility and control they need to simplify security and governance as never before possible.

For more information, read ESG's full 2021 Security Hygiene and Posture Management Survey to learn more about the key trends impacting vulnerability management. Then check out Gartner's recent report on CAASM to learn why this emerging technology should be on your team's radar as you set the security agenda for 2022 and beyond.