Published on Jan 04, 2024

When and how to implement a CAASM solution?

As information systems become increasingly complex, it becomes harder to keep a complete and detailed view of your information system (IS), and therefore harder to secure it effectively. Regaining visibility of your information system is a prerequisite for implementing the necessary security measures. This is where CAASM (Cyber Asset Attack Surface Management) tools come in. By providing cybersecurity professionals with an exhaustive, contextualized list of the information system's assets, they help to protect it more effectively.

What are the main use cases for CAASM? How do you implement a CAASM solution and integrate it into your IT environment? François Devienne, Head of Operational Security (RSO) at OverSOC, explains the main steps involved in implementing a CAASM solution.

Understand the benefits of CAASM and identify its main use cases

Mapping your information system, assessing the level of coverage and protection of your assets, preparing the incident response phase: these are just some of the major needs met by CAASM tools.

IT system mapping

Shadow IT, multiplying layers and overlays, interconnections between the various assets of the information system... CISOs have perhaps never found it so complex to get an exhaustive overview of their information system. And yet, building an exhaustive map is an essential step towards better understanding your IS, and therefore better defending it. For example, the map can be used to manage asset vulnerabilities according to their level of criticality.

Assessing the level of coverage and protection of your assets

"CAASM tools can be used to check the level of antivirus and EDR coverage, and whether they are up to date and cover all machines. By correlating vulnerability scanning, EDR and CMDB, we can have a virtually exhaustive overview of all our machines, and become aware of Shadow IT", explains François Devienne. And that's the great strength of CAASM tools: cross-referencing data and highlighting inconsistencies and gaps between different solutions, and correcting them.

Incident response

Incident response is another use case for CAASM tools, which enable us to better identify, understand and thus block an attack: to become aware of the vulnerabilities exploited by cybercriminals, to identify their targets, their intentions, the entry points used, and so on.

Relying on a CAASM tool improves decision-making efficiency by giving all teams involved in incident response the same level of information. Actions are better prioritized and therefore more effective.

Assessing cyber risks and vulnerabilities

"At this stage, you need to use a vulnerability scan to feed the CAASM. This gives a cyber risk score for zones and assets," explains François Devienne. "And by coupling these elements with the criticality of assets and zones, we can involve the business lines and make them accountable".

The aim of this step? To enable everyone to be fully aware of the risks associated with the cyber score, and to consider actions to be taken. By highlighting the weak points of the IT system, we can then propose a plan of action and measures designed to increase the level of security. "This provides a vision and facilitates decision-making," adds François Devienne.

Choosing the right CAASM solution for your needs

For François Devienne, the best CAASM solution is the one that best enables you to "play" with data, to "take the data the company needs". In other words, a good CAASM solution is one that enables you to:

- Talk to all types of people (CIOs, RSOs, SecOps teams, etc.).

- Respond to the needs of each audience (a CISO who wants to know the current status of EDR deployment, an RSO who needs to see the results of the latest vulnerability scans, etc.).

- Set up filters, then save and share them (to share results, prioritize vulnerability patches, report to the executive committee with relevant KPIs, etc.).

The strength of a CAASM solution also lies in the way it visualizes data. "This is the famous user-friendly aspect, very important for getting people on board and successfully deploying a CAASM solution," notes François Devienne.

Integrate CAASM into your IT environment

"Deploying OverSOC in your IT environment is relatively simple, since our tool is based on a cloud solution," explains François Devienne. For IT teams, all that remains is to feed the tool from several data sources, notably CSV or XML files, but above all APIs, so that it can interconnect with existing security tools. If data aggregation and tool feeding are carried out via APIs and connectors, deployment can be completed in as little as half a working day. Teams can then access the first indicators.

"The bulk of the work consists in finding useful data to feed the tool," explains our RSO. A CAASM tool can initially be set up using three main sources of data:

- A vulnerability scan,

- CMDB,

- An antivirus or EDR (retrieving only the relevant fields to feed the tool).

CAASM will obviously become increasingly powerful as it is provided with relevant data sources.
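
An added example, not OverSOC's code, of the cross-referencing described in the coverage section above: it loads CSV exports from the three initial sources listed here (CMDB, EDR, vulnerability scan) and reports the gaps between them. The sample data, column names, hostname normalization and 30-day staleness threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data); column names are assumptions.
CMDB_CSV = """hostname,owner
srv-web-01,ecommerce
srv-db-01,finance
wks-hr-07,hr
"""
EDR_CSV = """hostname,agent_version,last_seen
SRV-WEB-01.corp.example,7.2,2024-01-03
wks-hr-07,6.9,2023-11-20
lab-test-02,7.2,2024-01-02
"""
SCAN_CSV = """hostname,cve_count
srv-web-01,4
srv-db-01.corp.example,12
nas-backup-01,3
"""

def norm(name):
    """Normalize a hostname so the same machine matches across tools."""
    return name.strip().lower().split(".")[0]

def load(text):
    """Index a CSV export by normalized hostname."""
    return {norm(r["hostname"]): r for r in csv.DictReader(io.StringIO(text))}

def correlate(cmdb_csv, edr_csv, scan_csv, today, max_age_days=30):
    """Return the inconsistencies between the three inventories."""
    cmdb, edr, scan = load(cmdb_csv), load(edr_csv), load(scan_csv)
    stale = {h for h, r in edr.items()
             if (today - date.fromisoformat(r["last_seen"])).days > max_age_days}
    return {
        # Seen by a security tool but absent from the CMDB: Shadow IT candidates.
        "not_in_cmdb": sorted((set(edr) | set(scan)) - set(cmdb)),
        # Declared or scanned machines with no EDR agent reporting.
        "no_edr": sorted((set(cmdb) | set(scan)) - set(edr)),
        # Agent installed but silent for longer than max_age_days.
        "stale_edr": sorted(stale),
        # Declared in the CMDB but never reached by the vulnerability scanner.
        "not_scanned": sorted(set(cmdb) - set(scan)),
    }

if __name__ == "__main__":
    gaps = correlate(CMDB_CSV, EDR_CSV, SCAN_CSV, date(2024, 1, 4))
    for gap, hosts in gaps.items():
        print(f"{gap}: {', '.join(hosts) or '-'}")
```

Without the hostname normalization step, `SRV-WEB-01.corp.example` and `srv-web-01` would be counted as two machines and inflate every gap list, which is why key reconciliation is usually the first thing to settle when feeding several sources.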
