RSAC insights: ‘CAASM’ tools and practices get into the nitty gritty of closing network security gaps

By Byron V. Acohido

Reducing the attack surface of a company’s network should, by now, be a top priority for all organizations.

Related: Why security teams ought to embrace complexity

As RSA Conference 2022 convenes this week (June 6 -9) in San Francisco, advanced systems to help companies comprehensively inventory their cyber assets for enhanced visibility to improve asset and cloud configurations and close security gaps will be in the spotlight.

As always, the devil is in the details. Connecting the dots and getting everyone on the same page remain daunting challenges. I visited with Erkang Zheng, founder and CEO of JupiterOne, to discuss how an emerging discipline, referred to as “cyber asset attack surface management,” or CAASM, can help with this heavy lifting.

Based in Morrisville, NC, JupiterOne launched in 2020 and last week announced that it has achieved a $1 billion valuation, with a $70 million Series C funding round.

For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

Imposing context

Remediating security gaps in modern networks, not surprisingly, can quickly devolve into a tangled mess. Both the technology and the teams responsible for specific cyber assets tend to operate in silos. And because network security teams lack direct control, coordinating people, policies and infrastructure scattered across the organization has become impossible to get done in a timely manner.

This is all the more true as organizations accelerate cloud migration and dive deeper into an interconnected digital ecosystem. Software-defined everything is the mantra, and mushrooming complexity is the result. On the flip side, security gaps are multiplying as network attack surfaces expand exponentially. These gaps must be closed or digital transformation will be in danger of stalling out.

Enter CAASM, which is designed to make it possible for security teams to impose context on the ephemeral connections flying between things like microservices, virtual storage and hosted services. JupiterOne’s platform, for instance, puts a security lens on discovering, managing and governing all types of cyber assets — from software in development to all aspects of private cloud and public cloud IT infrastructure.

CAASM systems leverage APIs to help security teams gain comprehensive visibility of all components of IT infrastructure, be they on-premises or in a private, public or hybrid cloud. This enables the implementation of granular policies that can be enforced, at scale, and that each organization can dial in to boost security without unduly hindering agility.

This is the heavy lifting that’s easier said than done, especially in a massively distributed, fast-changing operating environment. The pressure bears down on security teams from two directions, Zheng says. They must do as much as they can to directly prevent intrusions; and they must also rally the asset owners to prevent breaches as well as respond with alacrity to security incidents as they crop up.

Smart questions

Connecting the dots and getting everyone on the same page comes down to asking the right questions, Zheng observes. And cloud-hosted, data analytics technology is now readily available to ask smart questions about network security, at scale, and get actionable answers.

“The concept is simple, but the execution is not,” he says. The first obstacle is the underlying technology; networking infrastructure components come from hundreds of different vendors, each using a proprietary implementation. Then there’s the issue of having to change the behaviors of the asset owners, many of whom are stuck in a siloed mindset.

JupiterOne’s solution prepares the way by discovering, normalizing and consolidating basic information about all cyber assets, such as what the asset is, who owns it and who can access it. This creates a scenario where the security team can ask simple questions that can and should be directly answered.

“Know what you have and focus on what matters,” Zheng told me. “It really boils down to that.”

By focusing on common-sense questions, legacy workflows can be altered in a way that keeps pace with a fast-changing digital ecosystem – and recalcitrant asset owners will be more likely to take charge of facilitating remediation, he says.

“We can help provide a workflow that focuses on questions like, ‘How do I fix it?’ ‘Who can fix it?’ ‘How do I notify, assign and track and verify?’ ” Zheng observes. “The security team really is the gatekeeper and the auditor and a consultant, to some extent, to the people who must actually do the work . . . CAASM is not only a data platform and an analytical platform, but also a collaboration platform.”

Solutions at hand

Collaborating to swiftly close severe zero-day security gaps that regularly get disclosed, like Log4J, has become a must-have capability, for obvious reasons. Yet there is a much greater impact CAASM systems could have, going forward. CAASM is one slice of a new security architecture that’s taking shape, one in which companies begin to systematically discover and remediate security gaps – gaps threat actors are proactively seeking out.

Zheng walked me through an example of how easy it is for a security team to overlook gaps created, for instance, in the mixing and matching of cloud resources leased from Amazon Web Services:

“Let’s say you have an internal resource that’s not configured to be public facing by itself. However, you have an external-facing workload that has an authentication policy giving it API level access . . . it could be an instance where you have an Internet-facing Lambda function that’s given access to an internal S3 bucket or DynamoDB table. That’s a specific example of identifying a security gap that you previously didn’t see.”

This technical detail vividly illustrates attack surface expansion in action. There are countless more examples like this. Companies absolutely should begin flushing out security gaps and remediating them. The technology to do this at scale and in a timely manner is at hand.
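A toy version of the query Zheng describes, added here as an example and not JupiterOne’s own code: over a constructed asset inventory and IAM statements flattened to tuples (every name is invented), it reports any Internet-facing Lambda whose execution role can reach an S3 bucket or DynamoDB table that is not itself public, including the common case of an Allow statement whose resource is a wildcard.

```python
from collections import defaultdict

# Constructed asset inventory (normalized, as a CAASM tool would ingest it)
ASSETS = {
    "fn-orders-api": {"type": "aws_lambda", "internet_facing": True, "role": "role-orders"},
    "fn-nightly-job": {"type": "aws_lambda", "internet_facing": False, "role": "role-batch"},
    "role-orders": {"type": "aws_iam_role"},
    "role-batch": {"type": "aws_iam_role"},
    "s3-customer-exports": {"type": "aws_s3_bucket", "public": False},
    "s3-static-site": {"type": "aws_s3_bucket", "public": True},
    "ddb-orders": {"type": "aws_dynamodb_table", "public": False},
}

# Constructed IAM policy statements flattened to (role, effect, action, resource)
POLICIES = [
    ("role-orders", "Allow", "dynamodb:GetItem", "ddb-orders"),
    ("role-orders", "Allow", "s3:GetObject", "*"),
    ("role-batch", "Allow", "s3:GetObject", "s3-customer-exports"),
]

# Which IAM service prefix acts on which kind of data store
SERVICE_OF = {"aws_s3_bucket": "s3", "aws_dynamodb_table": "dynamodb"}

def build_access_edges(policies):
    """Map each role to the (action, resource) pairs its Allow statements grant."""
    edges = defaultdict(set)
    for role, effect, action, resource in policies:
        if effect == "Allow":
            edges[role].add((action, resource))
    return edges

def find_exposure_paths(assets, policies):
    """Return (function, role, action, store) tuples where an Internet-facing
    Lambda's execution role can reach a data store that is not itself public."""
    edges = build_access_edges(policies)
    stores = {aid for aid, a in assets.items() if a["type"] in SERVICE_OF}
    findings = []
    for fid, fn in assets.items():
        if fn["type"] != "aws_lambda" or not fn.get("internet_facing"):
            continue
        for action, resource in sorted(edges.get(fn["role"], ())):
            # A "*" resource in an Allow statement reaches every data store
            targets = stores if resource == "*" else {resource} & stores
            for store_id in sorted(targets):
                store = assets[store_id]
                if action.split(":")[0] == SERVICE_OF[store["type"]] and not store.get("public"):
                    findings.append((fid, fn["role"], action, store_id))
    return findings
```

Each finding names the function, the role and the exact action that bridges the public edge to the internal store, which is the information the asset owner needs to decide whether to narrow the policy or keep the path deliberately.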

The sooner closing gaps rises to a standard best practice, the more secure we’ll all be. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
