The Debate: Should You Build or Buy CAASM?

This blog was originally published by JupiterOne here.

Written by Jasmine Henry, JupiterOne.

Should you build or buy a CAASM solution? It’s a valid question, especially in an ecosystem rich with open source and low-cost security tools. You don’t need enterprise software to create API integrations or correlate logs. So, is it possible to build your own cyber asset attack surface management (CAASM) solution or use an available open-source tool?

Gartner's definition of CAASM includes four distinct capabilities, or outcomes, which are listed below:

1. See all assets
2. Query consolidated data
3. Identify the scope of vulnerabilities and gaps
4. Remediate issues

Using Gartner’s definition, it’s possible to make an objective, vendor-agnostic comparison of enterprise CAASM vs. homegrown solutions.

CAASM vs. Alternatives: Pros, Cons & Outcomes

Historically, CAASM has replaced manual, error-prone processes in spreadsheets. A homegrown alternative to CAASM could consist of CSV uploads and pivot tables or an internal tool that uses data compilation scripts to create a centralized inventory of assets.

CAASM also may be viewed as an alternative to well-established technologies like configuration management databases (CMDB) or cloud security posture management (CSPM), although it’s not a strict alternative. Most of these well-established technologies have limitations that make CAASM a better option for various organizations and needs.

Any of these solutions are better than nothing since each can improve your understanding of assets and attack surfaces. But, alternatives to CAASM can also carry long-term costs and disadvantages.

CAASM vs. Spreadsheets

Many organizations still maintain asset inventory, vulnerability management, and risk assessments via spreadsheets. Commonly, security-maintained spreadsheets include things like:

• Quarterly system owner surveys
• Manual risk registers
• Threat modeling
• Routine or ad hoc reporting

Spreadsheets are not without some merit - they’re generally free. You may be able to pass an audit with a spreadsheet-based asset inventory. But, spreadsheets don’t scale, they’re not real-time, and the margin for error is massive. It’s challenging to answer questions about your exposure to an emerging threat by querying a spreadsheet.

CAASM can shave hours off manual attack surface modeling while significantly increasing accuracy. And, the real-time capabilities of CAASM simply aren’t possible with spreadsheets.

CAASM vs. Homegrown Scripts

Engineers can create DIY data compilation scripts to correlate data from multiple cloud and premises-based systems, leading to a comprehensive picture of all assets. The sophistication and efficiency of these homegrown systems vary immensely.

The homegrown approach can support dynamic querying of assets and attack surfaces - especially if a significant effort is made to normalize data outputs for querying. But any set of data compilation scripts requires active maintenance when there is a change to integrated systems to avoid broken integrations.

The right team of highly-skilled engineers can build a homegrown implementation that approximates many capabilities of CAASM. The compiled dataset can include crucial metadata characteristics, which can be queried for anomalies and policy exceptions.

Homegrown systems, however, rarely offer value quickly after the onset of a project and can detract security engineering resources from other projects. These tools are generally not valuable for individuals outside security engineering since it’s rare for organizations to dedicate frontend development resources to build a user interface (UI). Lastly, many organizations significantly underestimate the effort and scarce talent required to maintain a homegrown CAASM.

And perhaps most importantly, homegrown systems need an immense amount of effort to provide the same contextually-rich insights as a CAASM solution since they’re virtually never based on a data model to describe cyber assets and the relationships between these entities. (You can check out JupiterOne’s data model on our Github).

CAASM vs. CMDB

Configuration management databases (CMDB) are a well-established technology with ITIL roots. They vary significantly in terms of sophistication and scope; however, they generally provide a centralized register of assets, data, criticality, configuration requirements, and users. CMDB isn’t the same as strict IT asset inventory systems since pure IT asset inventory tools generally do not include configuration data.

A CMDB can be a valuable tool, especially for organizations already achieving cross-functional adoption. They can include features to automate asset discovery and exception reporting or patch tracking. CMDB is not, however, designed to support a DevSecOps practice or dynamic cloud configuration management, and features to support remediation and querying are generally limited.

CAASM v. CSPM

Cloud security posture management (CSPM) is a broad and very well-established category of technology that’s expanded to include some open-source tools like infrastructure scanners. In such an enormously varied market, the benefits of CSPM is likely to vary, too. CPSM value depends on the solution you’re using, how effectively you’re using it, and how much of your ecosystem it covers.

While the ability to understand changes in cloud configurations is important, CPSM isn’t designed to reveal configuration drift out of compliance with internal policy or the blast radius of an emerging threat. CPSM is valuable, but it isn't CAASM and is not designed to reveal the “unique toxic combinations of misconfigurations and relationships.”

For additional information, we recommend CAASM is the Future… CSPM is Dead.

Making an Internal Case for CAASM

CAASM offers unique value that’s hard to replace with alternatives - including spreadsheets, homegrown solutions, CMDB, and CSPM. But is CAASM necessary for “doing the basics” of security and compliance?

CAASM is an important early investment for security functions and covers a surprising number of foundational security controls. (Related: CAASM Should Be an Early Security Investment in Every CISO’s Playbook). The following list is not an exhaustive look at how CAASM maps to security and compliance best practices. Instead, it’s a look at how CAASM covers key control areas for some common frameworks to help you make an internal case for investment.

Download the comparison chart

Can you achieve the same capabilities with a homegrown CAASM solution? Again, your mileage will vary depending on the number of resources you invest into your internal solution, but the answer is “probably not:”

• It’s rare for homegrown solutions to act as a centralized portal for remediating anomalies.
• It requires extensive engineering to configure a DIY CAASM to cover custom policy monitoring.
• Homegrown CAASM rarely offers the sophistication to understand the impact of potential changes.
• Without a homegrown data model, a DIY CAASM can reveal limited context on overprivileged service accounts or anomalous events.

So, Should You Build or Buy CAASM?

Anything is possible with enough engineering talent and hours. But, a DIY CAASM solution requires a surprising amount of ongoing effort to maintain a complete, comprehensive, and accurate inventory of both cyber assets and metadata. Many data science hours are also required to normalize outputs for querying or creating a data model that reveals policy exceptions and risks based on asset classification.

Purchasing a CAASM solution can offer much faster time-to-value and coverage for many foundational security and compliance requirements, leaving security teams free to focus on continuous improvement and scaling.