This is the third in a three-part discussion about cyber asset inventories with Tom Kennedy, vice president of Axonius Federal Systems. Part one explored the role that cyber asset inventories play in establishing a zero trust approach to cybersecurity, and part two examined Federal government requirements for reliable asset inventories and their many benefits. Part three addresses the emerging need for cyber asset attack surface management and how agencies can best meet that need.
MeriTalk: Axonius coined the term “cybersecurity asset management” to explain its approach to understanding assets and their security and management coverage. Four years later, in 2021, Gartner coined the term “cyber asset attack surface management (CAASM)” and included the category in its Hype Cycle for Network Security 2021. Today, CAASM is an emerging technology in the Gartner Hype Cycle for Security Operations 2022. Was Axonius ahead of the curve with cybersecurity asset management?
Tom Kennedy: Yes. Our CEO, Dean Sysman, has an interesting story around how he got into this space. He came out of the military, and he was in the cybersecurity space. There was so much focus on cyber threats and finding the bad actors. But he realized that it’s harder to get a current asset count – one of the fundamentals in cybersecurity – than it is to find an advanced cyber threat.
That was the big idea that led to the creation of Axonius. We were the first mover in this space. We’re a market creator and we’re excited about the Gartner coverage. It validates the big problem we’re solving. We imagine the Hype Cycle will evolve into a Magic Quadrant at some point, and Axonius will be reflected as a leader.
The idea of CAASM puts shadow IT in context. If you think about your overall enterprise as an attack surface, and you can’t see a portion of it, that’s pretty scary. It’s like a boxer. If they don’t have their full vision to block punches, it typically ends very badly.
MeriTalk: According to Gartner, CAASM “enables organizations to see all assets (internal and external), primarily through API integrations with existing tools, query consolidated data, identify the scope of vulnerabilities and gaps in security controls, and remediate issues.” Am I right that this is exactly what Axonius does?
Kennedy: Absolutely. I’ll read you some customer words that I think do a nice job of capturing the issue. “The government seeks to increase comprehensiveness, speed, and accuracy of cyber asset inventory management on its network. The government must be able to recognize vulnerabilities in a comprehensive and timely manner to patch in each of its systems, including a growing array of devices, IoT sensors, and cloud connected solutions. An integrated view into the details of each and every system on the government networks is a crucial starting point to accelerate the process of learning about a new vulnerability, determining which systems in the inventory are affected, applying the patch, and verifying systems are no longer vulnerable.”
That was in a requirements document for something we did with the Department of Defense. But I find it interesting how our customers approach it. It’s pretty similar to our position.
MeriTalk: CAASM is an emerging technology. What’s your assessment of awareness and adoption of it, particularly in the government space?
Kennedy: It’s a longstanding need whose time has come (especially given the government’s recent asset management and zero trust guidance). The lack of a comprehensive cyber asset inventory is just starting to get a lot of attention. Axonius is a relatively young company. We’re out there educating the government marketplace and growing our brand. Raising awareness of CAASM is our biggest challenge and our biggest opportunity. First and foremost, we raise awareness by taking care of our customers. If you take care of your customers, they’re your biggest advocates. Make them successful, delight them, and they will sell for you through word of mouth. This is especially true in the Federal government, which is a big reference-based buyer.
The executive orders and directives from the Biden administration are also helping to raise awareness. The current administration cares about cyber more than we’ve seen in past administrations, partially due to priorities and partially due to a better understanding of the vulnerabilities. Budget appropriations are helping as well.
MeriTalk: Looking at the big picture, what could be the potential impact of CAASM on Federal cybersecurity?
Kennedy: I’d be really proud if CAASM officially became a foundational step for zero trust. If everyone thought, “In my zero trust strategy, I need a tight cyber asset management strategy,” it would be great for cybersecurity overall.
MeriTalk: Agencies and organizations everywhere use many different cybersecurity tools. Thinking more granularly about CAASM, how can agencies justify investing in this new solution? What sort of quantifiable benefits can they expect?
Kennedy: We have this conversation a lot. Often, CIOs will say, “I have enough cybersecurity tools. I can’t afford more. I don’t have the bandwidth to manage more. Unless you’re going to replace something, I can’t talk to you.”
CAASM doesn’t necessarily replace any tool. We will make all your tools more effective by pulling the information together and correlating it against other tools. Now downstream, once they get Axonius into production, it might lead to customer cost savings by flushing out some unused tools that they’re paying for. Likewise, Axonius also saves you the manual labor and time of identifying and resolving vulnerabilities, as well as stitching together the comprehensive cyber inventory. When audit season arrives, your agency will be well-prepared without the typical scramble to ensure all systems are accounted for. What was a multi-day process is now available in real time.
MeriTalk: Beyond the visibility into assets and vulnerabilities that CAASM offers, how does CAASM – and specifically Axonius – help with things like incident response or endpoint management?
Kennedy: Axonius has the Enforcement Center, which can take action once a vulnerability is identified. We have a pretty cool rollback feature. Axonius takes a snapshot of all the data in a customer-defined time period, such as every day or every eight hours. Then, you can walk back time to see your IT environment in a prior state. That’s important in incident response. If you had an attack 28 days ago, you might not know exactly which devices were on the network at that time. That feature helps you understand the scope of the attack. If the attacker targeted your mobile phones, you could identify which phones were on the network that day to determine the exact blast radius.