The 3 Biggest Challenges of Cyber Asset Management and How to Solve Them

by Jennie Duong

To protect your IT ecosystem, you need to know what's in it, but for a growing number of organizations, that's easier said than done. According to the latest ESG "Security Hygiene and Posture Management" survey, 69% of organizations report falling prey to at least one cyber attack that started with an exploit of an unknown, unmanaged, or poorly managed Internet-facing asset.

Top 3 Challenges for Cyber Asset Attack Surface Management  (CAASM) - JupiterOne

It's easy to see why. As companies continue to scale up cloud-native, multi-cloud, and API-first initiatives, the task of identifying and securing an expanding ecosystem of devices, users, cloud workloads, code repositories, and other assets grows ever more complex. 

Nearly one-third of organizations in the survey (31%) said they discovered sensitive data in previously unknown locations. Twenty-nine percent uncovered employee login credentials or misconfigured user permissions, while 28% exposed previously unknown SaaS applications. 

When vulnerabilities like these result in a ransomware attack, the extortion averages $792,493, though it can go much higher. An attack can also endanger lives, critical infrastructure, or even national security. When vulnerabilities lead to a data breach, the cost averages $8.6 million per incident for US-based companies ($9.23 million in healthcare). And that's before any regulatory fines.

Complete understanding of cyber assets is critical to any organization's efforts to fend off these attacks and an explosive array of other cyber threats. But gaining that kind of visibility has never been so challenging. 

Magnifying the Obstacles of Improving Cyber Hygiene

As discussed in part one of this series, today's blistering threat landscape is expanding just as quickly as your cyber asset ecosystem. As a result, any attempt to strengthen your security posture requires a whole new level of visibility into the cyber assets you have, and to whom and what they are connected.  

If any cyber asset becomes compromised, it's critical to understand the extent of the potential blast radius to minimize the damage. The average time-to-discovery for a breach is 316 days for organizations with 50% remote work adoption. When exfiltration can start within seconds of compromise, every moment matters. 

Of course, you need to know what assets were compromised to contain the attack. Organizations in the ESG study report sustained efforts to collect, process, and analyze data in order to inventory their asset ecosystem. But for nearly one-third (32%), that process requires accessing as many as 10 different asset inventory tools. Nearly half (48%) say it takes more than 89 person-hours to conduct a full security asset inventory. To their credit, more than three-quarters (79%) attempt to complete this arduous task every month or two. 

According to respondents, three significant challenges consistently stand in the way.

  1. Cumbersome Coordination Across Multiple Organizations

    Mergers, acquisitions, suppliers, partners, and customers can all extend the cyber asset ecosystem outside the purview of any single group or organization. For 44% of organizations in the study, establishing an inventory of hybrid IT assets across the organizations that manage and provision those assets is distressingly hard.

  2. Incompatible Tools and Conflicting Data

    Forty percent (40%) of study participants say that siloed tools and conflicting data can make it difficult to track and maintain an accurate picture of assets with any level of confidence.

  3. Constantly Changing & Ephemeral Cyber Asset Landscape

    Nearly as many (39%) report that the chances of keeping up with several thousand changing assets are vanishingly small. It's also worth noting that one-third of organizations depend on manual processes to do that, making it nearly impossible to scale cyber asset management.

Crossing the CAASM to Safeguard Cyber Assets

Maintaining visibility while hamstrung by siloed systems and manual processes grows less viable as you expand your operational infrastructure. When survey respondents were asked how their organizations could improve cyber asset management, roughly a quarter suggested establishing business-centric KPIs or the ability to analyze risk scores to determine which assets are truly at risk.

This suggests security management programs in these organizations lean toward the informal, disorganized, and immature end of the spectrum. However, as a growing number of companies are discovering, the visibility and context required to implement a strong security program call for a layered approach that includes cyber asset attack surface management (CAASM), cloud security, endpoint security, application security and more.

Context is key. It's not the cyber assets themselves that truly matter—it's the relationships between them. If a cyber asset is compromised, it's critically important to understand the full scope of the threat, including things like access privileges in an asset's usage chain.

For those unfamiliar with it, CAASM is an emerging technology focused on enabling security teams to solve persistent asset visibility and vulnerability challenges. According to Gartner, solutions leveraging the technology give SecOps complete visibility and centralized inventory control over all assets, both internal and external, through API integrations with existing tools.

Context and A Single Source of Truth Across the Ecosystem

In the article "CAASM Should Be an Early Security Investment in Every CISO's Playbook," we argue that CAASM should be an early security investment. Also, check out ESG's full 2021 Security Hygiene and Posture Management Survey to learn more about key trends impacting vulnerability management.

Jennie Duong

Director of Product Marketing at JupiterOne. Eternal cynic and privacy advocate. Prior to JupiterOne, Jennie spent the past three years living, traveling, and working abroad across 25+ countries. She consulted and advised for several B2B cybersecurity and cloud startups.
