The Cybersecurity Convergence: Cyber Asset Attack Surface Mapping in the Cybersecurity Mesh Architecture

July 20, 2023

Today’s cybersecurity landscape is increasingly complex with a constantly changing attack surface. The rate of change often obscures cyber assets in their entirety, which presents a growing challenge for organizations seeking to safeguard their critical cyber assets. Enterprise network sprawl includes on-premises systems, public clouds, and Software-Defined Networks (SDNs). Different networks, managed by different teams, all using different tools, complicate the task of maintaining comprehensive visibility and control. This is a common scenario for enterprise IT and security teams for one simple reason.

Many security teams have tried to tackle the issue of visibility by purchasing specific tools for each unique problem rather than addressing the bigger picture. While these individual tools solved immediate issues, they unintentionally created security ‘silos’. These silos might be effective in their specific areas, but they often fail to give a complete overview of the organization’s overall security posture.

In light of this common trend, the industry has been embracing Cyber Asset Attack Surface Mapping (CAASM) solutions. CAASM aims to aggregate data about all assets to offer a comprehensive cyber asset and risk overview. Reliable and detailed cyber data is critical for IT and security teams to work effectively. With more trustworthy data, many processes can be automated to reduce the need for human involvement. Adding more context, such as application dependencies or network access, makes business-specific risk prioritization possible. This interconnected security approach, which ties together cyber assets, risk to applications, and network context, aligns perfectly with the Cybersecurity Mesh Architecture (CSMA) framework, a topic you can read more about from Gartner here.

Addressing Security Fragmentation with CAASM

CAASM tools have been developed with the best of intentions to accommodate diverse network environments, from on-premises and SDN to public clouds and advanced infrastructures like Kubernetes. Despite the intent, the issues brought about by selective tooling also extend to CAASM. Many vendors offer tools that support only one network environment, creating their own isolated views and thus generating new silos within the cybersecurity landscape.

Cloud-native security tools are abundant because of the declarative nature of the cloud. Given that the environments are virtualized, the already centrally located data is both easily accessed and enriched through correlation. However, these environment-specific solutions come with limitations set by the vendor. Some limitations are applied due to political reasons, such as the vendor promoting their product suite as a complete solution. They may also work to prevent interoperability with another product as it’s seen as a competitive threat. Or they may simply find it difficult to extend their R&D beyond their comfort zone.

Consequently, despite the vast number of vendors at cybersecurity events, there’s a noticeable trend where many ignore the existence of alternative security controls, resulting in an industry full of competing yet isolated solutions.

The Emergence of Cybersecurity Mesh Architecture (CSMA)

In the face of budget consolidation and tool rationalization, executives are now focused on reducing costs and improving risk reduction through automation. This is where CSMA, a recent cybersecurity framework coined by Gartner, steps in.

CSMA is premised on ensuring the interoperability of network and security services. However, any successful CSMA implementation requires that IT and security teams have high-fidelity, centralized data. CAASM providers may excel in certain network environments while failing in others (e.g. supporting cloud-native environments). Or CAASM products may meet one team’s needs and miss the requirements of another. Each CAASM product’s specialization often results in network environment-specific data silos. While this may eliminate siloed tools within a specific environment, it still leaves a silo for each network environment.

These network specializations embody in-depth knowledge and domain-specific information, making specialized CAASM platforms valuable data sources. These platforms can then be leveraged to form an authoritative data set for IT and security teams to base their analytics and automation efforts on, establishing CAASM as a crucial component to make CSMA implementation effective.

The Role of CAASM in CSMA

As Cybersecurity Mesh Architecture continues to gain traction, we see CAASM increasingly incorporated into the novel framework to establish a centralized data plane of cyber assets. Highly accurate data drives subsequent actions in existing workflows or playbooks via the interoperability of network and security services – a core tenet of CSMA. That’s why existing CAASM tools can be leveraged to establish an authoritative data source – they may already hold a portion of the converged data needed to assemble the broader picture.

When the bigger picture is achieved, the contextual data set results in unprecedented capabilities to leverage existing automation and workflow tools to secure the enterprise.

The goal of every IT team is to reduce costs and increase the resiliency of the business. Incremental testing and adoption of automation is a key component to realizing that success. Automation can lead to significant efficiency gains, or it can compound problems when the implementation is poor or the data driving actions is poor. That’s why every path to automation requires a high-fidelity, enriched data source that captures every perspective of an asset. It enables organizations to accurately prioritize risk based on business impact, accelerate incident response, automate actions based on security and compliance standards, and show the business-specific impact of the security operations center (SOC). As an example, consider 800 servers impacted by the same vulnerability, of which only 20 have ingress from the internet. Simply creating tickets to remediate those 20 servers as a priority is a step in the right direction, but asset ownership is often a mystery due to personnel changes or availability (e.g. vacation). Rather than waiting through escalations for management to review or assign asset owners, adding analytics that automatically assign the ticket to an employee who has logged in with admin credentials over the past three months on an asset with no listed owner decreases MTTR.
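To make the prioritization and ticket-assignment analytics described above concrete, here is an added Python example (not appNovi’s code and not part of the original post) that ranks vulnerable assets by internet ingress and, for assets with no listed owner, assigns the ticket to whoever has logged in with admin credentials most often in the last three months; the host names, user names and the P1/P3 tiers are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOOKBACK = timedelta(days=90)  # "three months" of admin login history

@dataclass
class Asset:
    name: str
    vulnerable: bool          # affected by the vulnerability in question
    internet_ingress: bool    # reachable from the internet
    owner: Optional[str]      # None when the inventory lists no owner

def prioritize(assets, logins, now):
    """Build remediation tickets for vulnerable assets, internet-facing ones first.
    logins: iterable of (asset_name, user, is_admin, timestamp). When an asset has
    no listed owner, assign the user with the most admin logins inside LOOKBACK."""
    recent_admin = [(a, u) for a, u, adm, ts in logins if adm and now - ts <= LOOKBACK]
    tickets = []
    for asset in assets:
        if not asset.vulnerable:
            continue
        assignee, basis = asset.owner, "inventory owner"
        if assignee is None:
            counts = Counter(u for a, u in recent_admin if a == asset.name)
            if counts:
                assignee, basis = counts.most_common(1)[0][0], "recent admin login"
            else:
                basis = "no owner found: escalate"
        tickets.append({"asset": asset.name,
                        "priority": "P1" if asset.internet_ingress else "P3",
                        "assignee": assignee, "basis": basis})
    tickets.sort(key=lambda t: t["priority"])  # stable: keeps input order within a tier
    return tickets

def sample_tickets():
    """prioritize() over constructed sample data (hypothetical hosts and users)."""
    now = datetime(2023, 7, 20)
    assets = [Asset("web-01", True, True, None),      # exposed, owner unknown
              Asset("web-02", True, True, "alice"),   # exposed, owner listed
              Asset("db-01", True, False, None),      # internal, owner unknown
              Asset("app-03", False, False, "bob")]   # not affected
    logins = [("web-01", "carol", True, now - timedelta(days=10)),
              ("web-01", "carol", True, now - timedelta(days=40)),
              ("web-01", "dave", False, now - timedelta(days=5)),   # not an admin login
              ("db-01", "erin", True, now - timedelta(days=120))]   # outside LOOKBACK
    return prioritize(assets, logins, now)
```

In a real deployment the asset list would come from the converged CAASM data set and the login records from the identity provider or SIEM; the ticket left unassigned is the one that still needs a human escalation.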

In the context of CSMA, the environment-specific data sources of CAASM are treated as any other data source – another integral piece of data to create an understanding of the environment and assets. When networking and security data mesh together, each network in the enterprise estate becomes accessible and understood by non-specialists, and automated analytics create closed-loop healing processes such as security control gap analysis and remediation.

The Way Forward with CSMA

As seasoned cybersecurity practitioners ourselves, we understand the immense value that these capabilities would bring to our work within a SOC. These capabilities would make our roles not only more effective but also more enjoyable. Security is a collaborative endeavor, requiring data exchange, education, and effective communication.

At appNovi, we sought to solve the very problems we faced daily. And through happenstance, we found ourselves aligning with CSMA driven by our desire to solve the same problems we faced a decade ago in the SOC. We believe that the CSMA platform is the first to achieve this convergence of network, business, and security services inclusive of CAASM. The outcomes are holistic visibility and control across a diverse and expansive IT environment contextualized with business data.

We also understand the importance of humans in security operations. Automation is not a blanket solution for security challenges. But leveraged correctly, it uplevels analysts and empowers them to make decisions far more effectively and efficiently. The result for the SOC is reduced MTTR, higher adherence to security control requirements, and fewer disruptions from network changes during incident response. The converged and accessible perspective of network, security, and business data to IT and security teams enables them to better interact with stakeholders and serve the business.

Our CSMA platform deploys in seconds in your environment or can be hosted, integrates with your existing tools or SIEM/data lake with out-of-the-box integrations, and provides same-day results.

Most importantly, we value the human aspect of security operations. Our mission is to create the tools we didn’t have to enhance the work of security teams, improve interaction with stakeholders, and serve the business.

There are many ways to learn more about CSMA. You can read our whitepaper, check out our videos on YouTube, or catch up with us at Black Hat next month.