CAASM Blog Series: Why Business Context is Critical to Understanding and Securing the Attack Surface
Over the past ten years, our digital landscape has expanded beyond what many ever thought possible. Enterprises are connecting a new generation of devices, workloads, cloud platforms, and applications to their corporate networks, adding infinite benefits, but also greatly expanding the attack surface. This has resulted in many new risks to the enterprise.
NIST defines this attack surface as “the set of points on the boundary of a system, a system element, or an environment [the assets] where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.” This attack surface must be managed as it expands if we want to realize the full potential of our connected assets, while also mitigating any risks they might pose.
Attack surface management was born from this need, and has evolved into two core areas: internal attack surface management (recognized by Gartner as Cyber Asset Attack Surface Management, or CAASM) and External Attack Surface Management (EASM). Organizations need both components if they are to succeed at securing the overall attack surface. EASM addresses internet-facing enterprise assets and systems, including servers, credentials, and public cloud misconfigurations. CAASM, meanwhile, focuses on allowing organizations to see all assets internally through API integrations, data queries and other methods, in order to identify potential risks and remediate issues.
Helping companies solve the internal attack surface challenge is one of the many reasons I decided to join the vArmour Board of Directors last month. I understand this challenge well after more than 20 years in executive leadership at companies solving endpoint and asset access and management challenges, and I recognize the new frontier we are entering when it comes to securing the growing attack surface.
Legacy companies have historically done well at helping enterprises manage large parts of this growing web of connected assets. For instance, there exist strong and capable technologies for enterprises to gain visibility into their devices, map those devices and even implement policies and controls to help manage them. I have seen this trend evolve first-hand through my executive career at some of the leading asset access and management companies.
However, for internal attack surface management, while the first generation may have focused on managed and unmanaged devices, the new generation needs to elevate asset visibility to the higher-order applications those assets make up. This is the only way to truly understand the impact of risk to the business. For example, knowing whether a compromised workload is a non-critical component or a key component of a critical business service (e.g. an application managing bank-to-bank SWIFT transactions) will largely dictate the remediation plan.
The next frontier of asset access and management is to not only see connected devices or workloads, but also to understand the applications connecting the enterprise. Applications have exploded across the enterprise, with the average company having more than 200 different types installed across their infrastructure, according to a recent survey. Each of these applications typically connects across the organization, creating a complex web of relationships across apps, services, workloads, users, devices and clouds.
Traditional infrastructure security and protection approaches are insufficient to discover and protect the internal attack surface because they have a siloed or “castle-keep” view of the infrastructure, provide a limited asset inventory view without any business context, and do not account for the constantly changing relationships and dependencies between interconnected applications, users, and data.
vArmour plays a strong role for its customers in this type of scenario by managing the internal attack surface through discovering, observing and controlling the relationships and dependencies of applications, users, devices and data both vertically and horizontally across the organization. It is through these means that its customers are able to address difficult challenges, including protecting against cyber risks such as ransomware, ensuring cyber resiliency, and segmenting critical applications and business services from non-critical systems. With vArmour, enterprises can manage the growing attack surface and take the next step in securing it:
- Discover: Continuously discover the entire estate of application assets, relationships, and dependencies to build a baseline understanding of communication traffic with contextual relevance and relationships
- Observe: Continuously monitor both the vertical and horizontal relationships between applications and other assets on the network, as well as provide business context into those relationships to pinpoint anomalous behavior that deviates from the baseline
- Control: Create systems of action to mitigate risk from insights, including the ability to isolate, segment, and control critical applications and business systems leveraging existing controls. Additionally, simulate changes to an environment to ensure that any policy updates will not disrupt any business-critical operations.
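As an added illustration (not vArmour's code or part of the original post), the following Python sketch models the discover/observe/control loop over constructed data: an asset inventory tagged with application and business-service context, a baseline of discovered flows, and a check that flags flows deviating from the baseline and ranks them by the criticality of the asset being reached, so that an unexpected connection into the SWIFT service outranks one into an internal wiki. All addresses, application names and tiers are hypothetical.

```python
# Constructed asset inventory (hypothetical): each workload carries the
# application and business service it belongs to, plus a criticality tier.
ASSETS = {
    "10.0.1.10": {"app": "swift-gateway", "service": "bank-to-bank payments", "tier": "critical"},
    "10.0.1.11": {"app": "swift-db", "service": "bank-to-bank payments", "tier": "critical"},
    "10.0.2.20": {"app": "intranet-wiki", "service": "internal docs", "tier": "non-critical"},
    "10.0.2.21": {"app": "build-agent", "service": "ci", "tier": "non-critical"},
}

# Constructed baseline of flows (src, dst, dport) learned in the discovery phase.
BASELINE = {
    ("10.0.1.10", "10.0.1.11", 5432),
    ("10.0.2.21", "10.0.2.20", 443),
}

# Business-context weight: an unknown destination is treated as mid-priority
# because it is itself an inventory gap worth investigating.
TIER_WEIGHT = {"critical": 10, "non-critical": 1}
UNKNOWN_WEIGHT = 5


def describe(ip, assets=ASSETS):
    """Human-readable label with business context, or a gap marker."""
    a = assets.get(ip)
    return f"{a['app']} ({a['service']})" if a else f"unknown asset {ip}"


def service_members(service, assets=ASSETS):
    """Control step helper: the workloads that make up one business service,
    i.e. the set a segmentation policy would wrap together."""
    return sorted(ip for ip, a in assets.items() if a["service"] == service)


def assess_flows(flows, baseline=BASELINE, assets=ASSETS):
    """Observe step: return flows not in the baseline, highest impact first.

    The score comes from the criticality tier of the destination asset, so
    remediation order follows business impact rather than arrival order."""
    findings = []
    for src, dst, dport in flows:
        if (src, dst, dport) in baseline:
            continue  # expected traffic, nothing to report
        dst_asset = assets.get(dst)
        tier = dst_asset["tier"] if dst_asset else "unknown"
        score = TIER_WEIGHT.get(tier, UNKNOWN_WEIGHT)
        findings.append({"flow": (src, dst, dport), "source": describe(src, assets),
                         "destination": describe(dst, assets), "tier": tier, "score": score})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings
```

The same context lookup that drives the ranking also feeds the control step: `service_members` yields the group of workloads a segmentation policy for a service would cover, and simulating a policy change amounts to re-running `assess_flows` against the proposed baseline before enforcing it.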
Each of these tasks helps organizations manage the complexity that comes with today’s modern enterprise landscape, and provides the business context needed to confidently enforce policies that secure that environment. Additionally, it helps an organization do so in a more cost-effective way than existing manual methods. In doing so, organizations can shine light on the blind spots within their environments and mitigate risk.
Our complex digital landscape is only going to become more complex, not less, in the years to come. The value that applications and their connectivity with other internal assets provide is clear, meaning organizations need to act sooner rather than later to address these concerns and ensure they have the business context to secure their complex environments with confidence.