CAASM Should Be an Early Security Investment in Every CISO’s Playbook
This blog was originally published by JupiterOne here.
Written by Jasmine Henry, JupiterOne.
It’s possible to improve your security posture on a shoestring budget. There are a growing number of open source tools for security and compliance, but there are also key areas to invest in at the beginning of a multi-year initiative. Creating a baseline for risk-based decision-making is a prerequisite to scale security, which can include cyber asset attack surface management (CAASM).
CAASM is a key early investment for security programs because it creates a paved road for security - an idea introduced by Netflix to describe creating a path of least resistance for secure habits. Adherence to the principles of CAASM can establish a secure baseline for security, DevOps, compliance, and leadership teams by creating visibility into the entire ecosystem. Context-rich visibility is the basis for data-driven decision making at all levels of the organization.
CAASM is designed differently
CAASM - pronounced like chasm - is a natural evolution of security principles for asset inventory, cloud security posture management (CSPM), and other security guidelines in the market today. Unlike these predecessors, however, CAASM is tailored to highly-dynamic modern cloud workloads. It is the first answer for a world of workloads that are much more distributed, immutable, and ephemeral than yesterday’s legacy systems.
The vast majority of modern organizations live and die by the principle of “move fast, break things.” DevOps adoption is soaring in a world where every company competes on technological speed and agility. CAASM is designed to move as quickly as the release cycles and cloud architecture of the world’s fastest organizations, to help security practitioners understand the true impact of fast-emerging anomalies and manage blast radius.
Why CAASM Should Be an Early Investment
Often, security leaders at the helm of a newly-established program are forced to make difficult decisions about controls. Security program resources can be severely constrained, and the cost of external security compliance audits alone are a major investment for many startups and small-to-medium enterprises (SME). It’s common for security leaders to invest in some controls with clear intent to replace the technology as soon as it’s financially feasible.
Decisions about how to maximize a security budget by adopting DIY and open source tools should be highly-individualized based on risks. But, CAASM is an investment that can yield immediate value as an early investment at startups, fast-growth organizations or cloud-native companies.
If you plan to scale up your organization’s security function or digital transformation efforts, the framework of CAASM is a key early investment.
1) CAASM Creates Cross-Functional Value
Security is an inherently cross-functional domain, but that does not mean it’s simple to drive adoption of a fledgling security initiative. Newly-minted security leaders often struggle to get buy-in from product and engineering teams for administrative security efforts, especially if a new security program requires that developers change the ways they’re already working.
CAASM can rapidly unify teams around shared security and compliance goals by offering distinct value to each team who uses the solution. It can be hard to justify another technology investment, but it’s much easier to justify a purchase when it creates a paved path to security for security, product, and leadership.
Here’s a few of the most common ways that CAASM can deliver value to multiple internal teams and quickly:
- Security teams can automate asset discovery and perform quantitative assessments of attack surface and vulnerabilities.
- DevOps teams can create alerts for common cloud configurations and remediate anomalies.
- Governance and compliance specialists can automate heavily-manual efforts to review access or assess critical assets.
- Business and technology leaders can access real-time risk insights to understand their current risk profiles for stronger decision-making.
2) CAASM Moves Beyond Visibility and Gives Context
Visibility is a prerequisite for security, but visibility is not necessarily the goal of a security program. Instead, security practitioners should strive for observability.
Visibility, to paraphrase Joe Vadakkan in DARKReading, can be achieved in many different ways such as “monitoring systems, networks, applications, performance, through-point, or several-point solutions and aggregating that data.” Any given point solution for cloud security can create visibility, but a point system doesn’t create ecosystem-wide observability.
CAASM enables the correlation and analysis of data from multiple sources. Contextually-rich CAASM tools allow practitioners to create an active practice of data mining to be more proactive and thoughtful in their decisions.
CAASM allows security functions to create context immediately and make decisions based on rich metadata that reveals configuration changes, blast radius, and the criticality of assets - even based on the sheer attributes of assets. CAASM helps security practitioners see and understand emerging patterns before they spiral into disaster.
Context should be the vision for any security program, since context is connected to continuous improvement.
3) CAASM Creates a Continuous Security Practice
Many approaches to both asset and attack surface management have been manual, time-consuming, and prone to human error. Quarterly system owner surveys aren’t only laborious for everyone involved, they’re unlikely to capture the full picture and rapidly become obsolete. CAASM allows organizations to create a continuous approach to security and compliance, and responsiveness in between quarterly and annual control assessments.
As organizations evolve away from waterfall development practices and stagnant legacy systems to continuous, cloud-native development practices, a security program that’s based on periodic sampling doesn’t make sense. It’s time to evolve security practices to become more dynamic and responsive. CAASM offers alerts and contextual insights for more accurate, continuous security practices.
4) CAASM Drastically Reduces Compliance Burden
Traditional approaches to compliance are extraordinarily costly. Research shows the average enterprise spends over $10,000 each year per employee on compliance, while organizations in highly-regulated industries have seen a 60% increase in compliance spend in the past decade.
Compliance can be a prohibitively expensive drain on resources for fledgling security programs, especially if security audits are treated as a distinct set of efforts from attack surface and posture management.
The future of compliance is continuous. CAASM allows organizations to put much of their compliance efforts on auto-pilot by offering real-time visibility into how systems, users, and configurations comply with both audit frameworks and internal policy. It can automate enormous percentages of efforts to collect evidence or assess controls, while allowing organizations assurance of their compliance posture between audits. CAASM is a key investment since it creates continuous, automated momentum toward both compliance and security, ultimately reducing the resource requirements to comply.
5) CAASM is a Clear Picture of Blast Radius and Risk
Threat actors don’t rely on spreadsheets to exploit vulnerabilities. Instead, hackers generally use automated attack surface discovery tools to identify a company’s most critical assets and navigate a carefully-planned set of steps to exploit human weaknesses, misappropriate user credentials, escalate privileges, and move through networks undetected.
69% of organizations admit that they have experienced at least one cyber-attack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset, according to a recent ESG study commissioned by JupiterOne. While understanding the full scope of cyber assets is critically-important, the relationship between assets is even more important. Risks live in the relationships between assets, like users with privileged access to a sensitive resource, or a cloud bucket that’s out-of-compliance with policy.
CAASM yields immediate value since it allows organizations to better understand risk profile and relationships between users, systems, components, policy, and risk. As threats and incidents unfold, security teams have an immediate understanding of true blast radius and can move quickly to remediate.
CAASM Creates Immediate Value
Virtually all security practitioners have to carefully weigh their technology investments, especially when they’re first starting to scale up their controls. Decisions about whether to build, buy, or draw from open source solutions are challenging, especially in a resource-constrained environment. While there’s a growing number of open source and free tools for security compliance, there’s also some areas of key investment that can create enormous value early in a security journey - including CAASM.
CAASM creates immediate value and can be a valuable baseline for observability and response for security, compliance, DevOps, and leadership teams. While it’s possible to attempt a DIY CAASM using homegrown solutions or open source tools, all alternatives have significant drawbacks. Investing in CAASM can create a paved road for security and a baseline for more proactive, data-driven decisions.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.