In a previous blog, we explored the differences between attack surface management and vulnerability management.
"Attack surface management is the practice of continuous asset discovery, inventory, classification, and prioritization of remediation as vulnerabilities are detected for assets."
Today, we'll dig deeper into attack surface management and explore the benefits and differences across cybersecurity asset management (CSAM), external attack surface management (EASM), and cyber asset attack surface management (CAASM).
To help illustrate these terms, let's start with an analogy.
Imagine you just bought a house and moved in.
You take stock of what you bring in and out of the house and you know the specifications of your particular house. This is asset management at its core - know what you have and the state of each item.
To detect intruders, people typically install cameras and alarm systems, but what if you hired someone to look at all of the pieces that make up your home (windows, doors, mailbox, etc.) and see if there is risk in having those pieces accessible to the world? This is attack surface management at the most basic level - know what assets you have and which are most vulnerable.
So what do the fancy acronyms mean and how do they differ from what we already know?
Let's dive in.
What's on the inside matters
For more than a decade, companies have been migrating to the cloud and transforming their processes in order to ship products faster. When containers and microservices hit the mainstream in 2016, the disruptive shift in delivering software unearthed three key challenges:
- Assets mean something different in the modern world: The term "asset" evolved from describing physical resources, to virtual resources, and eventually to cloud resources and their respective configurations and attributes. Traditional asset management systems aren't able to support the amorphous nature of all of the resources that accompany the move to cloud.
- Constant changes in assets mean your inventories are obsolete: Cloud assets can easily be spun up or decommissioned, leading to much shorter life cycles. Traditional asset management systems weren't built for such a rapidly changing environment. Considering asset inventories anecdotally take 45 to 60 days to complete, they're obsolete as soon as discovery begins.
- Assessing risk is ineffective without the right context: While IT asset management systems may support the financial and operational aspects of hardware management and software licenses, security teams have to exercise supreme sleuthing skills to connect the dots between threats, vulnerabilities, assets, people, and remediation steps.
Enter cybersecurity asset management (CSAM).
CSAM is the natural evolution of traditional ITAM. Both ITAM and CSAM take an inside-out approach to achieving visibility into what the organization owns. Just as ITAM is IT's way of aligning resources and initiatives to business outcomes, CSAM is built for cybersecurity teams to align resources and initiatives to business and security outcomes.
CSAM takes it a step further than ITAM and maps security-related contextual data to the inventory of assets so that security professionals can protect the 'crown jewels' of the organization and effectively right-size security efforts. Visualizing the impact of security issues related to the organization's infrastructure provides a system of record to answer two key questions:
- What do I have?
- Where am I most vulnerable?
Companies have typically answered the second question through vulnerability assessments, penetration tests, and bug bounties, which brings us to our next topic — external attack surface management.
The view from the outside
To answer the question "Where am I most vulnerable?" companies have had to rely on the services of other security professionals to tell them whether there were any holes in security from the outside. Many companies follow a predictable cycle — perform the vulnerability assessment, receive a report, hopefully fix the most glaring issues (because red-hot critical issues are all that people have time for), and retest to confirm remediation worked. There are three big issues with this cycle:
- Vulnerability assessments are point-in-time and don't take into account the dynamic nature of a company's cloud and other ephemeral resources.
- These engagements are usually narrowly scoped in nature, providing feedback on a limited view of the company's assets.
- The time given to ethical hackers for a pentest is disproportionate to the time attackers get to find an opening.
Enter external attack surface management (EASM).
EASM technologies take an attacker's perspective by automatically and continuously discovering public-facing assets and determining risk. This includes not only network scanning, but also discovering related organizations and joint ventures whose exposure could be used against an organization to gain unauthorized access to its systems.
By itself, EASM only provides a piece of the picture (the external view), but when it is combined with the internal perspective of CSAM, security teams have an up-to-date system of record with full visibility of their attack surface.
Say hello to cyber asset attack surface management (CAASM).
CSAM + EASM = CAASM
With CSAM providing the cybersecurity view of all assets internal to an organization, and EASM providing the attacker's view of all assets accessible externally and exploitable by the public, CAASM bridges the gap between security and infrastructure. It provides the best breadth of asset discovery to answer those two fundamental questions in a modern, scalable manner:
- What do I have?
- Where am I most vulnerable?
To illustrate the beauty of this powerful combination of technologies, let's circle back to the analogy from the beginning of this blog.
Imagine you just bought a house and moved in.
- CSAM is what it's like for you to live in a house you just bought. You probably have the blueprints somewhere. You make sure your appliances are in good working order so you don't accidentally start a fire, and you lock all the doors and windows to make sure thieves cannot enter freely. You know what your most valuable items are and where you put them.
- EASM is like a team of bodyguards with mildly shady backgrounds that you hire to continuously survey the premises because they know exactly how the bad guys think. They observe your routines and see if there are any openings to enter the house and take your valuables. Is the garage open? Are any of the doors unlocked? Are there relationships they could use to social engineer their way into your house? As the team continuously reports what they find, you choose whether or not to make any suggested changes.
- CAASM is when the bodyguards become your friends and you invite them to stay with you. They become constantly aware of what happens inside and outside of the house. And you make informed decisions based on the observations, whether it be to improve internal appliances, your habits and routines, or external protections.
CAASM technology provides security and infrastructure teams with the ability to:
- Gain complete visibility across all of their assets (both internal- and external-facing, cloud and on-premise) via API integrations with their existing tools
- Query their consolidated data
- Identify the scope of vulnerabilities and gaps in security controls
- Accelerate incident response, add context to security investigations, and remediate issues with greater precision
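As an added example (not code from the original post or any vendor's product), here is a small Python sketch of the CAASM join described above: a constructed CSAM-style internal inventory and a constructed EASM-style external-discovery feed are merged by hostname into one record per asset, then queried for control gaps and ranked so that exposed, business-critical assets come first. All hostnames, field names and the two rule sets are assumptions made for the illustration.

```python
# Constructed sample feeds; field names are assumptions for this illustration.
INTERNAL_INVENTORY = [  # CSAM-style inside-out view: owned assets and control state
    {"host": "api.example.com", "owner": "payments", "edr": True, "critical": True},
    {"host": "wiki.example.com", "owner": "it", "edr": True, "critical": False},
    {"host": "build01.internal", "owner": "platform", "edr": False, "critical": True},
]
EXTERNAL_DISCOVERY = [  # EASM-style outside-in view: what the public can reach
    {"host": "api.example.com", "ports": [443], "findings": ["tls1.0-enabled"]},
    {"host": "wiki.example.com", "ports": [80, 443], "findings": []},
    {"host": "staging.example.com", "ports": [22, 8080], "findings": ["default-creds-banner"]},
]


def consolidate(internal, external):
    """Join both views by hostname into one record per asset (the system of record)."""
    merged = {}
    for rec in internal:
        merged[rec["host"]] = {**rec, "exposed": False, "ports": [], "findings": []}
    for rec in external:
        # A host seen only from the outside is still an asset: keep it, but with no owner.
        entry = merged.setdefault(
            rec["host"], {"host": rec["host"], "owner": None, "edr": False, "critical": False}
        )
        entry.update(exposed=True, ports=rec["ports"], findings=rec["findings"])
    return merged


def find_gaps(merged):
    """Answer 'where am I most vulnerable?' with rules that need both views at once."""
    gaps = []
    for host, a in merged.items():
        if a["owner"] is None:
            gaps.append((host, "exposed asset missing from internal inventory"))
        if a["exposed"] and not a["edr"]:
            gaps.append((host, "internet-facing without endpoint agent"))
        if a["critical"] and not a["edr"] and not a["exposed"]:
            gaps.append((host, "critical asset without endpoint agent"))
        for finding in a["findings"]:
            gaps.append((host, f"external finding: {finding}"))
    return gaps


def prioritize(merged, gaps):
    """Rank gaps: externally exposed first, then business critical, then wider port exposure."""
    def score(item):
        a = merged[item[0]]
        return (a["exposed"], a["critical"], len(a["ports"]))
    return sorted(gaps, key=score, reverse=True)


if __name__ == "__main__":
    merged = consolidate(INTERNAL_INVENTORY, EXTERNAL_DISCOVERY)
    for host, reason in prioritize(merged, find_gaps(merged)):
        print(f"{host:22} {reason}")
```

Running it lists the unowned staging host and the exposed API host ahead of the purely internal build server, which is the kind of ordering neither feed can produce on its own.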
Choose the richer relationship. Choose CAASM.
To learn more, read our definitive guide to CAASM.