CAASM is the Future... CSPM is Dead

Cloud Security Posture Management is a commodity

Beyond the classic CSPM tools like Dome9, DivvyCloud, etc., even infrastructure and workload scanners now claim CSPM as part of their capabilities. Cloud Security Posture Management capabilities should be evolving, because cloud configuration management is only becoming more complex; instead we are seeing the same old misconfiguration checks coming out of every CSPM offering, with no depth and no flexibility to modify the monitoring rules. How can we monitor user-defined configuration baselines? Many configurations are unique to our cloud environment. How can we monitor more than basic property checks, such as the relationships between assets?

Cyber Asset Attack Surface Management is the evolution

CAASM can do everything CSPM does and more. Even though it's a mouthful of an acronym (I didn't invent it), CAASM goes beyond the basic cloud configuration checks and allows us to monitor custom configurations important to our unique security architecture. CAASM also visualizes and monitors our entire attack surface from the public cloud and beyond, exposing unique toxic combinations of misconfigurations and relationships that CSPMs simply cannot.

Here are two cloud attack surface monitoring use cases that JupiterOne can handle and that no traditional CSPM can.

1) Identify all your assets and services that are accessible by any of your EC2 instances that are on publicly configured VPCs (publicly configured includes ACL, internet gateway, and routing table configs), and whose security groups allow public SSH ingress over TCP.

Think about how much effort it would typically take to determine the blast radius for this attack vector. Using JupiterOne, I literally tweaked a question to find the result in 20 seconds. This is the power that every security engineering team needs at its fingertips. Not to mention that I could set this up for continuous monitoring and trigger alert workflows via API. Notice in the image how we can monitor the specific actions allowed on each service or resource.

CAASM is the Future - 01
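The toxic combination in use case 1, as an added example that is not part of the original post or JupiterOne's code: a plain Python walk over a small, constructed asset graph (the entity types, relationship verbs, sample instances and the role-to-bucket edge are all assumptions) that first applies the property-only check a CSPM does, then requires the VPC relationship, and finally walks role/permission edges for the blast radius.

```python
# Constructed sample asset graph (not JupiterOne data): entities keyed by id,
# relationships as (subject, VERB, object) triples, like the post's graph model.
ENTITIES = {
    "vpc-pub": {"type": "vpc"}, "vpc-priv": {"type": "vpc"}, "igw-1": {"type": "igw"},
    "rtb-pub": {"type": "route_table", "default_target": "igw-1"},
    "rtb-priv": {"type": "route_table", "default_target": "local"},
    "acl-pub": {"type": "network_acl", "ingress": [("0.0.0.0/0", "allow")]},
    "acl-priv": {"type": "network_acl", "ingress": [("10.0.0.0/8", "allow")]},
    "sg-ssh": {"type": "security_group", "ingress": [("0.0.0.0/0", "tcp", 22, 22)]},
    "i-bastion": {"type": "instance"}, "i-db": {"type": "instance"},
    "role-bastion": {"type": "iam_role"}, "bucket-secrets": {"type": "s3_bucket"},
}
RELS = [  # i-db shares the SSH-open group but sits in a VPC with no internet path
    ("vpc-pub", "HAS", "igw-1"), ("vpc-pub", "HAS", "rtb-pub"), ("vpc-pub", "HAS", "acl-pub"),
    ("vpc-priv", "HAS", "rtb-priv"), ("vpc-priv", "HAS", "acl-priv"),
    ("vpc-pub", "CONTAINS", "i-bastion"), ("vpc-priv", "CONTAINS", "i-db"),
    ("sg-ssh", "PROTECTS", "i-bastion"), ("sg-ssh", "PROTECTS", "i-db"),
    ("i-bastion", "USES", "role-bastion"), ("role-bastion", "ALLOWS", "bucket-secrets"),
]
def linked(verb, subject=None, obj=None):
    """Follow an edge: objects of (subject, verb), or subjects of (verb, obj)."""
    return [o if subject else s for s, v, o in RELS
            if v == verb and (s == subject if subject else o == obj)]
def sg_allows_public_ssh(sg):
    """The property check a CSPM already does: 0.0.0.0/0 ingress covering TCP/22."""
    return any(c == "0.0.0.0/0" and p == "tcp" and lo <= 22 <= hi
               for c, p, lo, hi in ENTITIES[sg]["ingress"])

def vpc_is_public(vpc):
    """Publicly configured VPC: an IGW, a default route to an IGW, and an ACL admitting 0.0.0.0/0."""
    parts = [ENTITIES[c] for c in linked("HAS", subject=vpc)]
    igw = any(p["type"] == "igw" for p in parts)
    route = any(p["type"] == "route_table" and p["default_target"].startswith("igw-") for p in parts)
    acl = any(p["type"] == "network_acl" and ("0.0.0.0/0", "allow") in p["ingress"] for p in parts)
    return igw and route and acl

def exposed_instances(require_public_vpc=True):
    """Instances behind an SSH-open group; once the VPC relationship is required, i-db drops out."""
    return sorted(i for i, d in ENTITIES.items() if d["type"] == "instance"
                  and any(sg_allows_public_ssh(sg) for sg in linked("PROTECTS", obj=i))
                  and (not require_public_vpc
                       or any(vpc_is_public(v) for v in linked("CONTAINS", obj=i))))

def blast_radius(instance):
    """Assets reachable from the instance over USES/ALLOWS edges: its roles, then what they allow."""
    seen, stack = set(), [instance]
    while stack:
        node = stack.pop()
        new = [n for n in linked("USES", subject=node) + linked("ALLOWS", subject=node) if n not in seen]
        seen.update(new); stack.extend(new)
    return sorted(seen)
```

Calling `exposed_instances(require_public_vpc=False)` shows what the property-only check flags; the default call keeps only the instance that is actually reachable, and `blast_radius` on it lists what that instance can reach.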

2) Identify the attack surface defined by all production VPCs and their respective VPC endpoint configurations (including all the services and resources allowed/denied).

VPCs are becoming the de facto mechanism for securing logical access to resources in AWS. VPC endpoint configurations are extremely important and typically unique to each business. Monitoring VPC endpoint policies, internet gateway configs, VPC peering, route tables, ACLs, load balancers, CloudFront distributions, NAT gateway configs, etc. should all be table stakes for a cloud monitoring solution.

The query to monitor this attack surface in JupiterOne takes only a little effort to understand:

Find aws_vpc with tag.production=true
that has aws_vpc_endpoint
that (allows|denies) *

Notice how we parse the VPC endpoint policy as well and illustrate the connections. Allowed relationships are shown in green, denied relationships in red, and we even note which relationships are allowed but rendered ineffective by a deny.

CAASM is the Future - 02
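The allow/deny parsing described above, as an added example that is not the post's or JupiterOne's code: a small evaluator over a constructed VPC endpoint policy that classifies each action/resource pair the way the post colours its edges, including the allowed-but-ineffective case. The policy, the label strings and the wildcard-matching shortcut are assumptions.

```python
import fnmatch

# Constructed sample VPC endpoint policy (not from the post). The Allow on
# shared-logs objects is fully covered by the Deny: the "allowed but ineffective" case.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::app-assets/*"},
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::shared-logs", "arn:aws:s3:::shared-logs/*"]},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::shared-logs/*"},
    ],
}

def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?'); case-sensitive here, unlike real IAM actions."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Classify one (action, resource) pair the way the post colours its edges: 'allowed'
    (green), 'denied' (red), 'allowed-but-denied' (an Allow that a Deny renders ineffective)
    or 'implicit-deny' (no statement matched at all)."""
    allow = deny = False
    for st in policy["Statement"]:
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                deny = True
            else:
                allow = True
    if deny:
        return "allowed-but-denied" if allow else "denied"
    return "allowed" if allow else "implicit-deny"

def policy_edges(policy):
    """Expand statements into (effect, action, resource) edges, one per list element, and
    relabel an Allow as 'Allow-ineffective' when a Deny covers it. Coverage is tested by
    matching the Deny patterns against the Allow's own strings, so a Deny that only partly
    overlaps a wildcard Allow leaves that edge as 'Allow'."""
    edges = []
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        ress = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        edges += [(st["Effect"], a, r) for a in acts for r in ress]
    denies = [(a, r) for e, a, r in edges if e == "Deny"]
    covered = lambda a, r: any(_matches(da, a) and _matches(dr, r) for da, dr in denies)
    return [("Allow-ineffective" if e == "Allow" and covered(a, r) else e, a, r)
            for e, a, r in edges]
```

Note that `s3:ListBucket` on the bucket ARN itself stays an effective Allow, because the Deny only covers object ARNs under `shared-logs/`.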

JupiterOne, Data Graph Model and Knowledge Graph Visualizations

JupiterOne's query language, graph data model, and knowledge graph visualizations allow users to define custom controls, and allow us to easily and automatically analyze complex attack surfaces. I haven't even talked about how we integrate with and connect your assets beyond the cloud into the same knowledge graph! JupiterOne can help manage the attack surface across an entire security program. I'll save that for a follow-up blog, but please reach out if you are interested in hearing more.

Akash Ganapathi

Akash Ganapathi comes from an enterprise security, data privacy, and data analysis background, working exclusively in the B2B software solutions space throughout his career. He is currently a Principal Security Solutions Architect at JupiterOne.
