
Attack Surface Management: CAASM and EASM Overview and Practical Implementation

The article explains how emerging CAASM and EASM technologies together enable enterprises to systematically inventory assets, visualize relationships, assess vulnerabilities, and close remediation loops, offering practical guidance for building a continuous, data‑driven attack surface management program that strengthens overall security posture.

vivo Internet Technology

Author: vivo Internet Security Team - Peng Qiankun

This article combines the principles of two emerging attack surface management technologies, CAASM and EASM, to briefly describe four key modules—asset management, comprehensive view (visualization), risk assessment, and risk remediation—providing practical guidance for enterprise attack surface security risk management.

1. Attack Surface Overview

An attack surface is the sum of all possible entry points that can be accessed and exploited by unauthorized parties across an enterprise’s network assets.

With the development of IoT, 5G, cloud computing, and ongoing digital transformation, the scope and types of network assets have dramatically changed, creating new challenges for security operations to build efficient security frameworks for managing attack surface risks.

Industry Trend: Gartner's Hype Cycle for Security Operations, 2021 introduced two emerging technologies, Cyber Asset Attack Surface Management (CAASM) and External Attack Surface Management (EASM), aimed at enabling security teams to manage exposed assets and the attack surface systematically and efficiently, covering detection, analysis, intelligence, response, and continuous monitoring.

Both CAASM and EASM are still at an early stage of maturity, but they have already attracted widespread attention.

CAASM

CAASM is an emerging technology that helps security teams address persistent asset visibility, exposure, and vulnerability problems by integrating with existing tools via APIs to view all assets (both internal and external), merge their data, identify gaps in security controls, and remediate problems. It replaces manual asset collection processes, improving efficiency and visibility.

Key benefits include:

Comprehensive visibility of all assets under organizational control, revealing attack surface areas and existing security control gaps.

Faster compliance audit reporting through accurate, timely, and complete asset and control reports.

Integrated asset view that reduces manual effort.

EASM

EASM focuses on discovering external-facing enterprise assets, systems, and the associated risks (e.g., exposed servers, leaked credentials, cloud misconfigurations, vulnerabilities in third‑party software). Typical EASM offerings bundle digital risk protection services (DRPS), threat intelligence, third‑party risk assessment, vulnerability assessment, and vendor capability evaluation.

EASM consists of five modules:

Monitoring: Continuously scan internet‑exposed environments (cloud services, external infrastructure, distributed systems).

Asset Discovery: Identify and map external assets and systems.

Analysis: Determine whether assets have risks or vulnerabilities.

Prioritization: Assess and alert on risk severity.

Remediation Recommendations: Provide guidance for fixing identified risks.

2. Practical Implementation of Attack Surface Risk Management

Attack surface management is defined as an asset security management method that detects, analyzes, warns, responds to, and continuously monitors the attack surface from an attacker’s perspective.

The first and most critical step is asset management .

2.1 Asset Management Module

Before managing assets, organizations must inventory the entire network, defining asset scope and types.

2.1.1 Asset Inventory

Asset inventory is organized along four dimensions: business, system, host, and others.

Business Dimension : domain names, URLs, public IPs, package‑managed assets, application assets.

System Dimension : API interfaces, public‑to‑internal IP mappings, public port mappings, internal cluster VIP‑LVS, internal application cluster VIP‑Nginx, internal port assets, internal IP resource status assets.

Host Dimension : host IP assets, container assets, k8s assets, host port assets, middleware assets, database assets, OS assets, account information, process information, other application service assets.

Other Dimension : asset patch status, asset owners, and organizational affiliation.

Asset libraries typically draw data from three sources:

CMDB : Primary source of asset information.

HIDS : Supplements host‑related data such as processes, accounts, and network connections.

VCS : Actively collects asset information to enrich the asset repository.

Building a reliable asset repository often faces technical challenges (tool compatibility, stability, production impact) that can be mitigated with open‑source, commercial, or custom tools. The greater difficulty lies in extensive communication with asset owners (business teams).

2.1.3 Proactive Asset Discovery

Proactive discovery addresses issues such as delayed asset updates, frequent changes, and unauthorized assets. Methods include:

Traffic Analysis : Identify hidden, aging, or shadow assets.

Scanning Tools: IAST/DAST/SAST, Nmap, and similar tools for asset identification and repository maintenance.

Security Logs & Alerts: Assets that appear in security logs and alerts but carry no tag in the repository are added to it.

Scanning frequency and timing must be carefully managed to avoid production impact.

2.2 Comprehensive View Module

The comprehensive view is not just a diagram; it is a data‑driven, business‑contextual asset relationship map that is logical and readable for both security operators and non‑technical stakeholders.

2.2.1 Asset Relationship Mapping

Two primary relationship chains are mapped: the inbound chain from public IP/domain to internal host, and the reverse chain from internal host to the internal IPs/domains and public IPs/domains it serves.
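The following is an added example, not code from the vivo article: it merges the three repository sources from 2.1 (CMDB as primary, HIDS for listening ports and processes, scan results for the proactive-discovery check) into one graph, walks the public IP/domain to internal host chain described here, and reports shadow assets and undeclared ports. All records, field names, IPs and domains are constructed sample data.

```python
"""Added example (not from the vivo article): merge CMDB, HIDS and scan data
into an asset repository, flag shadow assets, and trace the public -> internal
chain. All input records are constructed sample data, not real assets."""
from collections import defaultdict

# Constructed inputs; the field names are assumptions made for illustration.
CMDB = [  # primary source: host, owner, and the services the owner declared
    {"host": "10.0.1.10", "owner": "payments-team", "services": {8080}},
    {"host": "10.0.1.11", "owner": "payments-team", "services": {8080}},
    {"host": "10.0.2.20", "owner": "search-team", "services": {9200}},
]
HIDS = [  # host agent view: what is actually listening, and which process
    {"host": "10.0.1.10", "listening": {8080, 22}, "process": {8080: "java", 22: "sshd"}},
    {"host": "10.0.1.11", "listening": {8080, 22, 6379},
     "process": {8080: "java", 22: "sshd", 6379: "redis-server"}},
    {"host": "10.0.2.20", "listening": {9200, 22}, "process": {9200: "java", 22: "sshd"}},
    {"host": "10.0.3.30", "listening": {3306}, "process": {3306: "mysqld"}},  # not in CMDB
]
NAT = [  # public ip:port -> internal VIP (LVS/Nginx) -> backend hosts
    {"public": ("203.0.113.5", 443), "vip": "10.0.100.1", "backends": ["10.0.1.10", "10.0.1.11"]},
]
DNS = {"pay.example.com": "203.0.113.5", "old-admin.example.com": "203.0.113.9"}
EXTERNAL_SCAN = [  # port-scan results taken from the internet side
    {"ip": "203.0.113.5", "ports": {443}},
    {"ip": "203.0.113.9", "ports": {8443}},  # no NAT record and no owner: shadow asset
]

def build_graph():
    """Edges: domain -> public ip -> vip -> host -> port/process (the inbound chain)."""
    g = defaultdict(set)
    for dom, ip in DNS.items():
        g[("domain", dom)].add(("public_ip", ip))
    for n in NAT:
        pip, _port = n["public"]
        g[("public_ip", pip)].add(("vip", n["vip"]))
        for b in n["backends"]:
            g[("vip", n["vip"])].add(("host", b))
    for h in HIDS:
        for p in h["listening"]:
            g[("host", h["host"])].add(("port", f'{h["host"]}:{p}/{h["process"][p]}'))
    return g

def trace(g, node):
    """Depth-first walk returning every node reachable from `node`."""
    seen, stack = [], [node]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.append(n)
        stack.extend(sorted(g.get(n, ())))
    return seen

def exposure_owners(g, domain):
    """Owners of the internal hosts behind a public domain; empty means nobody is accountable."""
    owners = {c["host"]: c["owner"] for c in CMDB}
    return sorted({owners[n[1]] for n in trace(g, ("domain", domain))
                   if n[0] == "host" and n[1] in owners})

def shadow_assets():
    """Assets seen by HIDS or external scans that the CMDB does not know about."""
    known_hosts = {c["host"] for c in CMDB}
    known_public = {n["public"][0] for n in NAT}
    findings = [("unregistered_host", h["host"]) for h in HIDS if h["host"] not in known_hosts]
    findings += [("unmapped_public_ip", s["ip"]) for s in EXTERNAL_SCAN if s["ip"] not in known_public]
    return findings

def undeclared_ports():
    """Listening ports the owner never declared (sshd treated as baseline)."""
    declared = {c["host"]: c["services"] for c in CMDB}
    out = []
    for h in HIDS:
        if h["host"] in declared:
            for p in h["listening"] - declared[h["host"]] - {22}:
                out.append((h["host"], p, h["process"][p]))
    return sorted(out)

if __name__ == "__main__":
    g = build_graph()
    print(trace(g, ("domain", "pay.example.com")))
    print(exposure_owners(g, "old-admin.example.com"))
    print(shadow_assets())
    print(undeclared_ports())
```

In this data the walk from pay.example.com ends at a redis-server on 10.0.1.11 that the payments team never declared, 10.0.3.30 is running MySQL with no CMDB entry, and old-admin.example.com resolves to a public IP with no NAT mapping and no owner. Those three outputs are exactly the conversations with asset owners that the previous section says consume most of the effort.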

2.2.2 Global Asset View

Implementation plans for these modules can be organized on an annual timeline (see accompanying diagram).

2.3 Risk Assessment Module

2.3.1 Risk Discovery

Risk sources include:

Defense-in-Depth Systems: Provide the basic alert data.

Active Scanning : Periodic vulnerability scans from a defensive perspective.

Manual Penetration Testing : External perspective testing by security personnel.

Baseline Compliance Scanning : Addresses internal compliance issues such as weak passwords and root access.

Automated vulnerability scanning platforms create tickets for confirmed vulnerabilities, synchronize them with vulnerability management systems, and track remediation progress.

Effective risk discovery systems must be scenario‑driven and address real‑world problems, as illustrated by three example use cases (see diagram).

2.3.2 Risk Evaluation

Risk evaluation applies a defined method to analyze threats, vulnerabilities, and potential impact, producing scores or a model that reflects the overall security posture.

Standard risk evaluation consists of four steps:

Asset Identification & Valuation : Identify assets and estimate potential loss.

Threat Identification & Valuation : Assess frequency and impact of each threat.

Vulnerability Identification & Valuation : Evaluate technical and managerial weaknesses.

Risk Value Calculation : Compute risk scores, highlight high‑risk items, and suggest remediation.

Valuation granularity should balance detail with practicality, tailored to the organization’s resources and security goals.
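The following is an added example, not the article's own model: it carries the four steps above through in code, with asset value, threat frequency and vulnerability severity each scored on a 1 to 5 scale, combined into likelihood and impact, and multiplied into a risk value that is mapped to a level and an owner. The scales, the exposure and control modifiers, the level thresholds and the sample findings are all assumptions chosen for illustration; a real program would calibrate them against its own incident history.

```python
"""Added example, not the article's own model: a three-factor risk score in the
asset -> threat -> vulnerability -> risk shape of 2.3.2. Scales, modifiers,
thresholds and sample findings are assumptions chosen for illustration."""
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    value: int          # 1 (negligible) .. 5 (business-critical), from asset valuation

@dataclass(frozen=True)
class Threat:
    name: str
    frequency: int      # 1 (rare) .. 5 (seen daily), from alert data and intelligence

@dataclass(frozen=True)
class Vulnerability:
    name: str
    severity: int       # 1 .. 5, technical or managerial weakness
    internet_exposed: bool = False   # reachable from outside per the EASM view
    control_missing: bool = False    # no compensating control (WAF, HIDS, MFA ...)

LEVELS = ((4, "low"), (9, "medium"), (16, "high"), (25, "critical"))  # score upper bounds

def clamp(x, lo=1, hi=5):
    return max(lo, min(hi, x))

def likelihood(t, v):
    """How likely the threat exercises this weakness (1..5)."""
    base = math.ceil((t.frequency + v.severity) / 2)
    return clamp(base + (1 if v.internet_exposed else 0))  # exposed: anyone can try

def impact(a, v):
    """Loss if it is exploited (1..5); a missing control lets the damage spread."""
    base = math.ceil((a.value + v.severity) / 2)
    return clamp(base + (1 if v.control_missing else 0))

def risk(a, t, v):
    """Risk value = likelihood x impact, mapped to a level and the owner to notify."""
    l, f = likelihood(t, v), impact(a, v)
    score = l * f
    level = next(name for bound, name in LEVELS if score <= bound)
    return {"asset": a.name, "owner": a.owner, "vuln": v.name, "threat": t.name,
            "likelihood": l, "impact": f, "score": score, "level": level}

def prioritize(findings):
    """Rank (asset, threat, vulnerability) triples, highest risk first."""
    return sorted((risk(*x) for x in findings), key=lambda r: (-r["score"], r["asset"]))

# Constructed sample findings for one assessment round.
SAMPLE = [
    (Asset("pay-gateway", "payments-team", 5), Threat("credential stuffing", 4),
     Vulnerability("weak admin password", 4, internet_exposed=True)),
    (Asset("internal-wiki", "it-team", 2), Threat("insider misuse", 2),
     Vulnerability("outdated plugin", 3, control_missing=True)),
    (Asset("test-host-30", "unknown", 1), Threat("opportunistic scanning", 5),
     Vulnerability("unauthenticated redis", 3, internet_exposed=True)),
    (Asset("orders-db", "payments-team", 4), Threat("lateral movement", 2),
     Vulnerability("unpatched mysql", 2)),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(f'{r["level"]:8} {r["score"]:2}  {r["asset"]:14} {r["vuln"]} -> {r["owner"]}')
```

The point of the modifiers is that the same vulnerability scores differently depending on where it sits in the asset map: an unauthenticated Redis on a throwaway test host still ranks high here because it is internet-facing, which is the kind of signal the comprehensive view supplies and a plain CVSS score does not.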

2.4 Risk Closure

Risk closure corresponds to the vulnerability lifecycle: discovery → remediation → verification. Common reasons for incomplete closure include unrealistic planning, lack of root‑cause analysis, missing corrective actions, and insufficient follow‑up.

Closure strategies should be tailored to the source of the vulnerability (see example diagram).
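The following is an added example, not tooling from the vivo article: a ticket lifecycle for the discovery, remediation and verification loop (the ticket flow of 2.3.1 and the closure of 2.4) that refuses the shortcuts behind the failure causes listed above. A ticket cannot close without a clean verification rescan, cannot enter verification without a recorded root cause, and the follow-up report surfaces past-SLA items and regressions. The state names, SLA days, transition rules and sample tickets are assumptions made for illustration.

```python
"""Added example, not tooling from the vivo article: a ticket lifecycle for
discovery -> remediation -> verification with guards against the closure
failures the article lists. States, SLA days, transition rules and the sample
tickets are assumptions made for illustration."""
from datetime import date, timedelta

SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}
TODAY = date(2024, 3, 20)  # assumed report date for the sample data

# Allowed transitions. There is no edge from "open" or "in_remediation" to
# "closed": a ticket can only close after the verification step.
TRANSITIONS = {
    "open": {"in_remediation", "risk_accepted"},
    "in_remediation": {"pending_verification"},
    "pending_verification": {"closed", "in_remediation"},  # failed rescan goes back
    "risk_accepted": {"open"},   # acceptance expired, or scope changed
    "closed": {"open"},          # a later scan sees the issue again (regression)
}

class ClosureError(Exception):
    """Raised when a ticket tries to skip a step of the loop."""

class Ticket:
    def __init__(self, tid, level, source, found_on):
        self.id, self.level, self.source, self.found_on = tid, level, source, found_on
        self.state, self.root_cause = "open", None
        self.history = [("open", found_on)]

    def due_on(self):
        return self.found_on + timedelta(days=SLA_DAYS[self.level])

    def transition(self, new_state, on, **evidence):
        if new_state not in TRANSITIONS[self.state]:
            raise ClosureError(f"{self.id}: {self.state} -> {new_state} is not allowed")
        if new_state == "pending_verification":
            # A fix without a root cause tends to come back; require one before rescan.
            if not evidence.get("root_cause"):
                raise ClosureError(f"{self.id}: fix submitted without a root cause")
            self.root_cause = evidence["root_cause"]
        if new_state == "closed" and evidence.get("rescan") != "clean":
            # Only a clean verification scan (or retest) proves the remediation worked.
            raise ClosureError(f"{self.id}: closure requires a clean verification rescan")
        if new_state == "risk_accepted" and not evidence.get("expires"):
            raise ClosureError(f"{self.id}: risk acceptance needs an expiry date")
        self.state = new_state
        self.history.append((new_state, on))
        return self

    def overdue(self, today):
        return self.state not in ("closed", "risk_accepted") and today > self.due_on()

def attempt(ticket, new_state, on, **evidence):
    """Try a transition; return the refusal message, or None if it was applied."""
    try:
        ticket.transition(new_state, on, **evidence)
    except ClosureError as e:
        return str(e)
    return None

def follow_up(tickets, today):
    """Follow-up report: past-SLA tickets, and issues that keep reappearing."""
    overdue = sorted(t.id for t in tickets if t.overdue(today))
    regressions = sorted(t.id for t in tickets
                         if sum(1 for s, _ in t.history if s == "open") > 1)
    return {"overdue": overdue, "regressions": regressions}

def demo():
    """Constructed tickets walking the loop; dates are sample values."""
    v1 = Ticket("V-1", "critical", "external_scan", date(2024, 3, 10))
    v1.transition("in_remediation", date(2024, 3, 10))
    v1.transition("pending_verification", date(2024, 3, 11),
                  root_cause="default credentials left on the admin port")
    v1.transition("closed", date(2024, 3, 12), rescan="clean")
    v2 = Ticket("V-2", "high", "pentest", date(2024, 3, 1))      # still open past its SLA
    v2.transition("in_remediation", date(2024, 3, 2))
    v3 = Ticket("V-3", "medium", "baseline_scan", date(2024, 1, 5))
    v3.transition("in_remediation", date(2024, 1, 6))
    v3.transition("pending_verification", date(2024, 1, 8), root_cause="weak password reset")
    v3.transition("closed", date(2024, 1, 9), rescan="clean")
    v3.transition("open", date(2024, 3, 1))                       # reappeared: regression
    return [v1, v2, v3]

if __name__ == "__main__":
    print(follow_up(demo(), TODAY))
```

The transition table is where a closure strategy per vulnerability source would plug in: a pentest finding can require a manual retest instead of a scanner rescan, and a baseline finding can require the corrective control (for example a password policy) to be recorded as the root cause rather than the single reset that cleared the alert.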

3. Conclusion

Effective attack surface management requires continuous asset discovery, comprehensive visualization, systematic risk assessment, and closed‑loop remediation. Enterprises should strengthen governance, define responsibilities, conduct regular surface audits, and adopt standards. Leveraging big data analytics and artificial intelligence can further enhance detection, assessment, and response capabilities, ultimately building a resilient security posture from the foundation of asset management.

Tags: Asset Management, Attack Surface Management, CAASM, EASM, Security Risk