In a recent summary of the top seven security and risk management trends for 2022, Gartner ranked “attack surface expansion” as the top trend.
In virtually all enterprises, attack surfaces and threats are expanding exponentially due to the rapid proliferation of connected assets. And in manufacturing and critical infrastructure environments, the use of cyber-physical systems (CPS), industrial control systems (ICS), connected operational technology (OT), industrial internet of things (IIoT) assets, and small form factor (SFF) devices is contributing to the rapid rise of risks, threats, and vulnerabilities. In other words, when it comes to security, enterprises need to think well beyond traditional managed assets to identify and protect every connected asset that contributes to the growing attack surface.
The challenges have grown so large that Gartner has coined new terminology, including digital risk protection services (DRPS), external attack surface management (EASM), and cyber asset attack surface management (CAASM), to support CISOs in visualizing internal and external business system risk and addressing security coverage gaps.
Peering Into the IT/OT CAASM
Traditionally, OT processes were localized to their serial connections, communication buses, and their gated sub-networks. Their attack surface was effectively secured by their underlying obscurity. With the evolution of industrial protocols, however, OT now presents an entirely new field of exposure. Between routed protocols, wireless devices, Windows machines, and more intelligent OT endpoints, the differences between OT and IT networks are quickly blurring. And business needs related to extracting valuable OT data to improve things like competitive advantage, safety, and organizational resiliency are accelerating the paradigm shift.
As OT begins to look more like IT—and the number of OT connections into and through IT increases—operators must monitor and secure an entirely new attack surface. The problem is that although IT security toolsets number in the thousands, the number of OT security toolsets and experienced operators has lagged considerably, leaving an IT/OT chasm filled with risks and unknowns.
And that’s where the CAASM framework comes in. According to Gartner, the CAASM framework “…enables organizations to see all assets (both internal and external) through API integrations with existing tools, query against the consolidated data, identify the scope of vulnerabilities and gaps in security controls, and remediate issues.” Gartner coined the term CAASM because of the rapidly changing threat landscape and the importance of having a complete security posture for protecting every digital asset.
In the world of cyber-physical systems, the CAASM framework provides a potential fix for a key challenge OT operators are facing: it provides complete visibility into every connected wired and wireless asset, regardless of age or type, through a single pane of glass across the asset’s entire lifecycle. That means operators can quickly identify and address non-compliant, misbehaving, and unknown assets the moment they attempt to join a network.
Overall, CAASM is a proactive risk-based approach for reducing:
- Threats—Considers attacker profile and objectives, availability of tools, likelihood of those tools being used, target of choice, and potential effectiveness
- Vulnerabilities—Asset susceptibility to an attacker’s technique, aggregate susceptibility, and effectiveness of existing safeguards
- Consequences—Unauthorized modification of data (integrity) and/or denial of service (availability), and their potential bottom-line and brand-related (trust) impacts on the business
Simply put, CAASM focuses on identifying risk in a proactive manner as opposed to reacting to threats as they arise. Instead of the continual cycle of threat hunting and reacting, a CAASM approach mitigates the risks that are obscured by hidden devices and siloed toolsets. Conceptually, we are talking about bringing the skillsets of all the villagers together (the existing IT and OT technology stacks and their operators), leveraging them in conjunction with each other (via pre-built API integrations), and offering up a unified view of risk (a unified asset platform) to address the true vulnerabilities of the enterprise before threats actually arise.
In the end, this technology proposes to fix a challenge that many businesses face: gaining and maintaining complete visibility into all assets, risks, and threats, through a single, unified view.
Figure 1: OT/IT attack surface management covers the full array of connected enterprise assets.
Can your OT infrastructure benefit from CAASM technology?
Whether you’re a large enterprise or a midsized business, it’s worth asking:
- Can I ‘do’ CAASM?
- Can I protect OT using CAASM principles?
- Can I leverage my existing investments in tools and people?
The answers to these questions will undoubtedly bring you to the conclusion that CAASM principles are certainly worthy of consideration when addressing critical infrastructure.
Since your enterprise likely uses a bevy of technologies, security solutions, and outsourced services to support the protection of targeted IT assets, there are some key questions to support the CAASM principle on the OT side of the house:
- Do you have a real-time asset inventory, including vulnerabilities, for all Purdue level 0-3 wired and wireless assets in and around your OT environment?
- Do you monitor command and control activities called against your critical infrastructure?
- Are you confident an OT outage will not result from a connection to/from IT or the Internet?
- Does OT benefit from the tech stack and people found in IT?
- Are you confident your alerting platforms are minimizing noise and amplifying true risk?
- Do you have OT tools in place to orchestrate the remediation of RISKS before they become THREATS?
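As an added illustration of the consolidate-then-query idea behind CAASM (not Armis code or any product’s API): two constructed tool exports, an IT CMDB and a passive OT monitor, are merged by MAC address and then queried for the gaps the checklist above asks about. All tool names, field names, and sample values are assumptions.

```python
# Constructed sample exports from two hypothetical tools. Field names and
# values are assumptions for this example, not any vendor's schema.
IT_CMDB = [
    {"mac": "00:11:22:aa:bb:01", "name": "eng-ws-07", "type": "Windows workstation",
     "vulns": ["example-smbv1-enabled"]},
    {"mac": "00:11:22:aa:bb:02", "name": "historian-01", "type": "Windows server",
     "vulns": []},
]
OT_MONITOR = [
    {"mac": "00:11:22:aa:bb:02", "name": "historian-01", "type": "Windows server", "purdue": 3},
    {"mac": "00:11:22:aa:bb:10", "name": "plc-line-a", "type": "PLC", "purdue": 1},
    {"mac": "00:11:22:aa:bb:11", "name": None, "type": "unknown", "purdue": 2},
]


def consolidate(sources):
    """Merge per-tool asset exports into one inventory keyed by MAC address.

    sources: mapping of tool name -> list of asset records. Each merged asset
    keeps the union of reported fields plus the set of tools that observed it.
    """
    inventory = {}
    for tool, records in sources.items():
        for rec in records:
            asset = inventory.setdefault(rec["mac"], {"seen_by": set()})
            asset["seen_by"].add(tool)
            for key, value in rec.items():
                # First non-empty value wins; later tools only fill blanks.
                if key != "mac" and asset.get(key) in (None, [], "unknown"):
                    asset[key] = value
    return inventory


def coverage_gaps(inventory):
    """Query the consolidated data for the gaps CAASM is meant to surface."""
    gaps = {"single_source": [], "ot_without_vuln_data": [], "unidentified": []}
    for mac, asset in sorted(inventory.items()):
        if len(asset["seen_by"]) == 1:          # siloed: one tool sees it, others do not
            gaps["single_source"].append(mac)
        # Purdue levels 0-3 are the OT assets the inventory question covers.
        if asset.get("purdue") is not None and asset["purdue"] <= 3 and "vulns" not in asset:
            gaps["ot_without_vuln_data"].append(mac)
        if not asset.get("name") or asset.get("type") == "unknown":
            gaps["unidentified"].append(mac)
    return gaps


if __name__ == "__main__":
    merged = consolidate({"it_cmdb": IT_CMDB, "ot_monitor": OT_MONITOR})
    for gap, macs in coverage_gaps(merged).items():
        print(f"{gap}: {macs}")
```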
If you find yourself answering “no” to several of the questions above, you are not alone. Fortunately, when it comes to effectively applying the CAASM framework, the Armis Asset Intelligence Platform provides essential foundational capabilities and more.
“Armis provides a complete, unified, and authoritative view of every asset across enterprise environments. Our authoritative view even includes the critical infrastructure found within OT operators’ networks, enabling you to visually comprehend your entire asset attack surface. Moreover, Armis works seamlessly with your existing technologies to amplify their input to protect OT and maximize the potential of CAASM.”
— Nadir Izrael, CTO and Co-founder, Armis
The Armis Asset Intelligence Platform extends the CAASM concept by providing a proactive security approach to both IT and OT, providing a complete, real-time asset map of your enterprise that includes:
- Unmatched asset identification across all wired and wireless IT, OT, and IoT devices
- API integrations from hundreds of IT and OT sources to cross-correlate signal and risk
- Real-time monitoring and deep packet inspection of OT activities and connections
- 100% passive monitoring without endpoint software agents on any IT or OT assets
- Immediate risk remediation and resolution via the same API integrations
The Armis platform provides a “live map” of your assets.
Today’s enterprise environments are much greater than the sum of their parts. After all, hardware, software, and cloud-based assets everywhere in the environment are constantly collecting, storing, and sharing data to drive efficient operations. But the proliferation of connected assets has also introduced unprecedented security risks. And managing these assets for cyber risk is at the heart of CAASM.
The Armis platform is purpose-built to protect both OT and IT environments. It can ingest meaningful signals from hundreds of IT and OT platforms and enable easier management of the overall attack surface to help you accelerate your organization’s adoption of CAASM.
View our on demand Armis webinar, Enabling CAASM across your IT/OT environments, to learn more.