Cyber asset attack surface management (CAASM) is one of the more important practices in terms of securing your critical systems. It is a blend of internal asset management and external attack surface management, to have known, context-rich inventories. The ultimate goal is knowing what you look like to potential attackers to shore up your defenses. Good CAASM helps keep attackers out, speeds up incident response processes, and helps with any audits or regulations that ask for attack surface data.

In practice, CAASM means getting a full picture of your entire network-accessible architecture. This empowers security teams to understand where they are most exposed to cyberattacks, as well as adopt a more risk-based approach to defending your riskiest, most visible, and accessible assets with appropriate measures. 

The external attack surface discovery component of CAASM ultimately helps to resolve shadow IT problems in the enterprise as well. Security teams struggle with knowing about every asset or cloud service in their organization. Cyber asset attack surface management tools and processes resolve this problem. Especially when continuous discovery is included as a capability. 

With the average attack surface growing 133% year over year, the power of CAASM technologies to discover assets attached to the organization is vital. Knowing what assets are attached to your systems also helps you gain a more accurate picture of where an attacker might try to gain initial access. Unknown assets pose a special threat because they may harbor unpatched vulnerabilities that are easier to exploit. 

This is also the case with unknown Internet of Things (IoT) devices. Cyber asset attack surface management solutions can discover IoT assets attached to your networks as readily as software assets. Doing so is as critical to your security as finding unknown IT assets on a regular basis, to keep up a real-time attack surface inventory and eliminate any blind spots.

The Role of IoT in Cyber Asset Attack Surface Management

Every asset attached to your network can be part of the attack surface. Internet of Things devices like security cameras, HVAC systems, and even network-accessible printers all are part of the growing attack surface that threatens the average organization. 

As more IoT devices are used in the enterprise, the risk of a breach occurring from an unknown connected speaker or smart TV increases. Especially because it’s often possible for any employee to bring an IoT device into work and connect it to the corporate network. 

CAASM technologies need to take into account all assets attached to the network, not only IT or software assets. Connected devices – IT or IoT – need to be discovered and integrated into the asset database to ensure that they can be tracked and vulnerabilities are identified and patched. This can help find gaps in your security controls as well, including missing agents (when deployed)

Continuous discovery is a vital feature of cyber asset attack surface management. It’s an especially key capability when it comes to IoT devices, which connect to the internet quickly and can be easily discovered on the corporate network. When someone connects a new smart device to your network, it’s vital that you’re made aware of it as quickly as possible. This way, you can more readily be made aware of the model, function, and potential weaknesses of the IoT device as soon as possible. 

Cyber asset attack surface management is only effective when it’s set up properly, however. To do that, you need to follow a few best practices. 

Best Practices for IoT Cyber Asset Attack Surface Management

Cyber asset attack surface management for the Internet of Things has much in common with CAASM more generally. Part of the issue with traditional CAASM is that depending on the scanning method it’s possible to have a much larger attack surface than might truly be the case. 

A single IoT device could, for example, have multiple IP addresses depending on how it connects to the network and how the IP is assigned. Many digital assets also may broadcast across multiple IP addresses, which means creating an accurate attack surface can sometimes be challenging. A true inventory requires intelligent duplication handling and correlation to get to a true, accurate, and real-time attack surface measurement.

Because of that risk, a few key best practices around CAASM for the Internet of Things include:

• Continuous Asset Discovery: Get a comprehensive understanding of everything on your network. This includes devices, applications, cloud instances, and any other connected systems. Use automated tools and scans to identify even hidden assets and minimize blind spots. New devices on a network should appear automatically, without any manual intervention. Deduplication must be in effect, so the same device discovered from 2 different data sources should show up as 1 device, not 2.   
• Vulnerability Assessment and Patch Management: Regularly scan your assets for vulnerabilities and prioritize patching the most critical ones. Consider risk-based management to focus on vulnerabilities that could be exploited most easily and have the biggest impact.
• Powerful Visualization and Analysis: Understanding attack surfaces benefits from contextual analytics and graphical presentations to find trends and weak spots. Having numerous options for dashboards, ways to slice asset data, and the ability to jump from one analytic approach to another without losing context can help get the most value from a CAASM solution. 
• Configuration Management: Ensure your IoT devices are configured securely by enforcing best practices and using configuration management tools. This helps reduce the attack surface by minimizing misconfigurations that can create vulnerabilities. Taking snapshots of known, good IoT device configurations also can aid the recovery process.
• Continuous Monitoring and Threat Detection: Continuously monitor your network for suspicious activity and have a system in place to detect and respond to threats quickly. This means having policies in place for what acceptable IoT behavior is, and taking actions or sending alerts when the behavior deviates from what it should be. Also, knowing the attack surface aids incident response when it is necessary. It can more rapidly make it clear that packets need to be captured as part of the process.
• Address Third-Party Risk: Don’t forget about your third-party vendors and partners. Their security posture can impact your own, so factor this into your risk assessments and consider incorporating security requirements into your vendor contracts.

By following these best practices, you can significantly reduce your attack surface and improve your organization’s overall cybersecurity posture. 

How Asimily Supports Cyber Asset Attack Surface Management Best Practices 

The Asimily platform is designed to monitor and scan your network architecture and automatically detect any connected IoT devices. It surfaces the model, firmware version, MAC address, other data or applications, and any possible vulnerabilities. This detection is performed continuously, ensuring that your IoT inventory is kept up to date. The ability to perform this function makes Asimily a key part of your cyber asset attack surface management strategy. Numerous other sources can be integrated (with deduplication) as well, such as CMDBs and active scan results (if they are appropriate for the environment).

The Asimily platform also includes anomalous behavior detection to aid with incident response. It monitors network traffic to and from IoT devices to ensure that they’re not behaving maliciously. This traffic monitoring is key to limiting the risk to your attack surface. Should IoT devices be communicating with unauthorized destinations, that could indicate an attack in progress or a misconfiguration. 

The next benefit from CAASM is using the data to make security improvements and remove the most risk quickly.  Our patented exploit analysis does this better than other methods and is based on two critical components. First, we conduct thorough research on every vulnerability to understand how an attacker can exploit it. Second, we apply this research to the network, taking into account device configurations, connections, and other relevant factors. The MITRE ATT&CK framework serves as the guiding principle for these analyses.

While MITRE is essential, other sources are used to determine the next best action to take – deciding which risk to remove (and how to remove it safely). These sources include EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, and NIST Guidelines.

Asimily customers are 10x more efficient because the engine can pinpoint and prioritize the top 2% of problem devices that are High-Risk (High Likelihood of exploitation and High Impact if compromised). Asimily’s recommendations can be applied through seamless integration with NACs, firewalls, or other network enforcement solutions.

The Asimily platform ensures that Internet of Things devices can be readily integrated into your cyber asset attack surface management strategy. Asimily’s inventory and vulnerability detection capabilities ensure that you can identify unknown assets and apply mitigations to reduce the risk of an attack. If an attack is under investigation, packets can be quickly captured to aid the incident responders. With Asimily, security teams can keep a handle on their IoT attack surface and ensure they are as safe as they can be. 

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.