
Why CAASM is about more than a cybersecurity gap

I’ve been dabbling in CAASM (don’t shoot me! I didn’t make it up. HE DID!)


— and don’t switch off when I tell you that it stands for (take a deep breath) Cybersecurity (keep breathing) Asset Attack Surface (nearly there) Management.

And breathe.

Sorry. But we made it. I’m patting your back. Your face is red, but relieved.

One of the good things about being an old bastard (“You’re not old, Steve! You’re just a ….”) is that you see patterns in things. Some people call it survivor bias, even as I tip them overboard and don’t sound the alarm.

Me and a few other CxO/IT/Security friends have been dabbling in CAASM for a bit, mostly with Axonius.

And it turns out, it’s not quite what we thought….

What surprised me about CAASM – it’s not just for cybersecurity

The C, the first letter, stands for Cybersecurity but here’s the thing — CAASM tools like Axonius can be used for all kinds of purposes.

Like, migrations. You must have (Shirley?) read about cloud repatriation, VMware off-boarding… and all that stuff?

Well, years ago when I wrote a six-part piece on how to migrate to the cloud, one part of it was called “Lift and Shift” — except, I called it Lift and Shit. Why shit?

Because dragging a VM (a file on a disk) from one location to another was the easy bit.

The harder bit was the network (less easy), and then the bloody difficult bit was all the management tools, scripts, and (urgh) PEOPLE that looked after that baby. If you’re thinking pets and cattle, then 2010 just called and wants its joke back!

But how is this true?

Why I now use CAASM as part of migrations

When I plug something like Axonius into an enterprise, it means I’m connecting it (via adapters) to every system you have:

  1. Active Directory for users.
  2. Zendesk ticketing.
  3. That SaaS thing that Billy-Bob bought that wasn’t approved.
  4. Your EDR.
  5. Google Workspace.

The list goes on. What a CAASM like Axonius does is “listen and learn” from all these sources, and then “rationalize” them into a view that answers the age-old question “What the fuck have we got here, then?”

Because, guess what? We asked that question in 2004 when I was at VMware when virtualisation was starting:

  • “How many servers do you have?”
  • “500?”
  • “No, really, how many?”
  • “500!”
  • …does an inventory scan using tools that didn’t exist before, because CMDBs are crap…
  • “1200”.
  • NO WAY.
  • WAY.

Now, imagine this isn’t “just” servers, but it’s “all yo shit”. Network. Storage. Management systems. And — worst of all — USERS.
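What “listen and learn, then rationalize” actually means in practice, for both the adapter list above and the 500-versus-1200 story, is asset correlation: pull records from every source, key them on something stable, and count the union rather than trusting any one system. Here is an added, deliberately small illustration of that idea. It is not Axonius code and not anything from the post; the three feeds (a CMDB, Active Directory and an EDR console), the field names, the hostnames and the `ADAPTERS` mapping are all constructed for the example.

```python
"""Toy CAASM-style asset correlation (added example, not Axonius code)."""
from collections import defaultdict

# Constructed sample feeds. Each is what a source "adapter" might hand back:
# the CMDB (the official answer: "500"), Active Directory, the EDR console.
# Names, fields and hostnames are all made up for this example.
CMDB = [
    {"name": "WEB01.corp.example", "owner": "platform"},
    {"name": "DB01.corp.example", "owner": "data"},
    {"name": "app01.corp.example", "owner": "apps"},
]
ACTIVE_DIRECTORY = [
    {"dnsHostName": "web01.corp.example", "lastLogon": "2024-05-01"},
    {"dnsHostName": "db01.corp.example", "lastLogon": "2024-05-02"},
    {"dnsHostName": "app01.corp.example", "lastLogon": "2024-04-30"},
    {"dnsHostName": "legacy-sql.corp.example", "lastLogon": "2024-01-10"},
    {"dnsHostName": "billybob-vm.corp.example", "lastLogon": "2024-05-03"},
]
EDR = [
    {"hostname": "WEB01", "agent_version": "7.2"},
    {"hostname": "app01", "agent_version": "7.2"},
    {"hostname": "billybob-vm", "agent_version": "7.1"},
]

# Hypothetical adapter table: which records each source returns and which
# field in those records names the asset.
ADAPTERS = {
    "cmdb": (CMDB, "name"),
    "ad": (ACTIVE_DIRECTORY, "dnsHostName"),
    "edr": (EDR, "hostname"),
}


def normalize_host(raw: str) -> str:
    """Reduce 'WEB01.corp.example', 'web01' and 'Web01' to one key: 'web01'."""
    return raw.strip().lower().split(".")[0]


def correlate(adapters=ADAPTERS) -> dict:
    """Merge every source's records into one asset per host key.

    Each merged asset remembers which sources saw it and keeps the raw
    record from each: the "rationalized" single view a CAASM tool gives you.
    """
    assets: dict = defaultdict(lambda: {"sources": set(), "records": {}})
    for source, (records, field) in adapters.items():
        for record in records:
            key = normalize_host(record[field])
            assets[key]["sources"].add(source)
            assets[key]["records"][source] = record
    return dict(assets)


def missing_from(assets: dict, source: str, seen_by: str) -> list:
    """Hosts that `seen_by` knows about but `source` does not (sorted)."""
    return sorted(
        host for host, a in assets.items()
        if seen_by in a["sources"] and source not in a["sources"]
    )


def inventory_gap(assets: dict, official: str = "cmdb") -> tuple:
    """(what the official inventory claims, what the sources actually show)."""
    claimed = sum(1 for a in assets.values() if official in a["sources"])
    return claimed, len(assets)


if __name__ == "__main__":
    merged = correlate()
    print("CMDB says / actually seen:", inventory_gap(merged))
    print("In AD but no EDR agent:", missing_from(merged, "edr", seen_by="ad"))
    print("Unknown to the CMDB:", missing_from(merged, "cmdb", seen_by="ad"))
```

Two things fall out that matter for a migration plan as much as for security: the official count is lower than the real one (the CMDB knows about 3 of 5 hosts here), and the same join tells you which hosts have no EDR agent and which ones nobody has budgeted for. Real adapters also correlate on MAC, serial and cloud instance ID rather than hostname alone; hostname matching is the simplification that keeps this example short.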

I need to find a way to use those words and spell the words CHAOS and ENTROPY.

Sooooooo…. the CAASM shows you “all yo shit” and now your “migration plans” look a bit different, so now there’s only one question left…

Would you rather find out now, or later?