The shift to software-defined everything and reliance on IT infrastructure scattered across the Internet has boosted corporate productivity rather spectacularly.
Related: Stopping attack surface expansion
And yet, the modern attack surface continues to expand exponentially, largely unchecked. This dichotomy cannot be tolerated over the long run.
Encouragingly, an emerging class of network visibility technology is gaining notable traction. These specialized tools are expressly designed to help companies get a much better grip on the sprawling array of digital assets they’ve come to depend on. Gartner refers to this nascent technology and emerging discipline as “cyber asset attack surface management,” or CAASM.
I sat down with Erkang Zheng, founder and CEO of JupiterOne, a Morrisville, NC-based CAASM platform provider, to discuss how security got left so far behind in digital transformation – and why getting attack surface management under control is an essential first step to catching up.
For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:
Shoring up fast-and-risky
For most of the past 25 years, company networks were made up of clearly defined internal boundaries encompassed by a hard-and-fast perimeter. And the role of the security team was straightforward: defend the network, protect IT.
But then along came digital transformation. Internal and external network boundaries gave way to agile software development and everything-as-a-hosted-service. Organizations today move as fast as they can, expect to break things and count on iterating improvements on the fly. Fast-and-risky has become the working definition of software innovation.
Rock star developers in cutting-edge organizations are encouraged to make things happen. They live-and-die by the tenants of open-source and DevOps and lean on cloud-native IT infrastructure. Accelerating complexity has been the result.
The problem with following the fast-and-risky mantra is that many failures turn out to be architectural in nature, are not easy to fix and can all too easily escape notice or, worse, be ignored. Meanwhile, security teams, for the most part, have been stuck in a legacy mindset of striving to keep things as simple and as consistent as possible, Erkang observes.
And this, he argues, is where threat actors foment chaos. It seems ludicrous, but in one sense it’s easier than ever for malicious hackers to get deep access, steal data, spread ransomware, disrupt infrastructure and gain long-run unauthorized access.
Zheng
“There’s a fundamental disconnect between what the business wants and what the security team wants,” Erkang told me. “And this is where the chaos comes from . . . the bad guy hackers aren’t necessarily taking advantage of the complexity; they’re really taking advantage of this disconnect.”
Embracing complexity
The opportunity, going forward then, is for security to jump fully onboard the digital transformation bandwagon.
Legacy defenses at the gateway, firewall, endpoint and application levels must be rearchitected and scaled-up. That’s what a passel of emerging security frameworks like Zero Trust Network Access (ZTNA,) Cloud Workload Protection Platform (CWPP,) Cloud Security Posture Management (CSPM) and Secure Access Service Edge (SASE) are all about. Network security must be architected to effectively blunt non-stop malicious probing and cut-off the breaches enabled in a fast-and-risky operating environment.
At the same time, the expansion of the attack surface somehow needs to be slowed — and ultimately reversed. And this is where CAASM technology and practices come in – by fostering cyber hygiene on the ground floor.
Erkang is in the camp making the argument that security teams have an opportunity to lead the way by not merely tolerating complexity but by embracing it. “Security needs to focus on supporting innovation and advancement by understanding complexity; this is now possible with data, with automation and with an engineering mindset,” he says.
Anything and everything that supports any element of digital operations ought to be considered a cyber asset that needs constant care and feeding — with security top of mind, he says. CAASM technology leverages APIs to make it possible for security teams to impose context on the ephemeral connections flying between things like microservices, virtual storage and hosted services.
With context, granular policies can then be set in place and enforced. Machine learning and automation can be brought to bear in a way that infuses security without unduly hindering agility. A lot can be gained by simply imposing wise configuration of all cyber assets, Erkang says. What’s more, this same level of granular analysis and policy enforcement can — and should — be directed at identifying, monitoring and patching software vulnerabilities, he argues.
Taking the security angle
In one sense, taming complexity is all about understanding context. Erkang makes a strong argument that the best way for an organization to gain actionable understanding of its cyber assets in a fast-and-risky operating environment is to come at it from the security perspective.
Erkang gave me the example of a company seeking to take stock of its cloud data stores. Let’s say an organization wants to more proactively manage its Amazon Web Services S3 buckets. JupiterOne, in this scenario, would assemble and maintain a detailed catalogue of the configuration status of all these assets.
Granular policies could then be enforced that consider the sensitivity of data held in any given S3 bucket, as well as the associated access privileges. These are privileges that often are allowed by default to cascade across several tiers of user groups — in support of the go-fast-and-break mindset. Tightening these privileges with just the right touch shrinks the attack surface.
According to Gartner, CAASM capabilities can help companies “improve basic security hygiene by ensuring security controls, security posture and asset exposure are understood and remediated across the environment.”
It strikes me that the beauty of this is that improving visibility is more about creating operational effectiveness, strengthening security and lowering risk for organizations is also paving the way for more effective cyber asset management.
“Security needs to transform from an enforcing function to a business enabling and a wellness function,” Erkang says. “Understanding your cyber assets and how all the dots connect can be the starting point to proactively manage different functions, not just within security, but also outside of security, as well.”
It’s notable that an unprecedented number of fresh security frameworks are vying for traction at the moment. For company decision-makers, this can be confusing. But the effort to sort things and determine what works best for their organization is well worth it. This is all part of raising the security bar. CAASM could be a cornerstone. I’ll keep watch and keep reporting.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
I had the chance at Black Hat 2022 to visit with Sudeep Padiyar, founding member and director of product management, at Traceable, a San Francisco-based supplier of advanced API security systems. Traceable launched in 2018, the brainchild of tech entrepreneurs Jyoti Bansal and Sanjay Nagaraj; it provides deep-dive API management capabilities — as software is being developed and while it is being used in the field.
