“You can’t protect what you don’t know you have.” Every cybersecurity professional has either heard or said this sentence. With increasingly diverse and ephemeral IT assets, this statement is often easier said than done. From traditional assets like servers to cloud-based assets like virtual machines, your expanded attack surface is often difficult to define, let alone catalog.
To protect your organization, you need a holistic approach to cybersecurity risk and asset management so that you can identify critical assets and mitigate the business impact a security incident poses.
What is asset management in cybersecurity?
In cybersecurity, asset management is the process of identifying all devices and technologies that transmit, store, or process data, analyzing their risk, and categorizing them. Every IT asset added to an organization's technology stack expands the attack surface, giving threat actors new opportunities and increasing cybersecurity risk.
The asset inventory is critical because it records the configuration data for all hardware and software, including operating systems and firmware. To protect systems and networks from vulnerabilities that malicious actors can exploit, organizations need to manage all cyber assets and track their configurations.
What are examples of cyber assets?
The National Institute of Standards and Technology (NIST) provides eight different definitions of “asset,” making it difficult to understand what constitutes an asset. Comparing the definitions, cyber assets are:
Valuable to the organization
Physical items
Intangible resources
Critical to business or mission goals and objectives
Value and criticality typically focus on the impact a loss would have on business operations and revenue.
Hardware
Hardware includes:
Devices, like workstations, smartphones, tablets, and Internet of Things (IoT) devices
Network devices
Computing platforms
Operating systems and firmware
Intangible assets
The intangible assets include:
Information
Data
Intellectual property, like trademarks, copyrights, patents, and images
People
Reputation
Software
Ephemeral assets
Ephemeral assets are typically code-based or short-lived, including:
Instances
Containers
Virtual machines
What are critical assets in cybersecurity?
In cybersecurity, organizations define critical assets based on the impact a security incident would have on business operations and revenue streams. Typically, these assets transmit, store, or process sensitive information, which is why malicious actors target them.
Critical asset identification is typically a time-consuming, expensive, manual process because organizations need to understand:
What assets people use the most
Who accesses assets
How people use assets
How easily threat actors can exploit assets
Examples of critical assets include:
code repositories
data stores
servers
cloud services
workloads
centralized logs
Understanding cyber asset risk management
Whether protecting your business from insider threats or external malicious actors, understanding the intersection of asset and risk management is critical.
Quantify and automate your critical asset analysis
Most critical asset analyses start with a list of known assets, then move to a manual review based on how management or line-of-business leadership views each asset’s value. Unfortunately, this analysis is a time-consuming and imprecise qualitative review riddled with human error risk. A manual review could be a six-month process where different internal respondents have different views about an asset’s criticality.
With automation, you can leverage quantitative data focused on how people use your systems and assets. For example, you should consider the following data, which can help you answer the “what assets,” “who uses them,” and “how they use them” questions:
Network traffic: insight into data flows and ephemeral or code-based assets
Endpoint Detection and Response: insight into devices, including servers and end-user devices
Based on this information, you gain visibility into how people use the assets. With this data, you can look at the connections between assets and the protocols they use to communicate so that you gain visibility into usage over time.
For example, if you have a database connected to five applications that 100 people use during business hours, it’s likely more critical to business operations than a server that only connects to two workstations running jobs overnight. An attack that causes a service outage at the database will likely have a greater business operational impact than something happening to the server.
When you know that one resource has more connections than others, you have quantitative data that shows its importance to your business operations.
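The database-versus-server comparison above can be computed directly from flow data. The following Python sketch is an added example, not KeyCaliber's code or scoring method: it ranks assets by how many other assets depend on them, directly or through intermediaries, and by the share of flows seen in business hours. The flow records, asset names, and the 08:00 to 18:00 window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records: (timestamp, source, destination, protocol).
# Names such as "user-017" and "orders-db" are made up for this example.
def build_sample_flows():
    flows = []
    apps = [f"app-{i}" for i in range(1, 6)]
    for u in range(100):                       # 100 people, business hours
        flows.append(("2024-03-04T10:15:00", f"user-{u:03d}", apps[u % 5], "https"))
    for app in apps:                           # five applications share one database
        flows.append(("2024-03-04T10:15:01", app, "orders-db", "postgres"))
    for ws in ("ws-1", "ws-2"):                # two workstations, overnight jobs
        flows.append(("2024-03-04T02:00:00", ws, "batch-server", "ssh"))
    return flows

def dependents(flows):
    """Map each asset to every upstream asset that reaches it, directly or transitively."""
    callers = defaultdict(set)
    for _, src, dst, _ in flows:
        callers[dst].add(src)
    result = {}
    for asset in list(callers):
        seen, stack = set(), [asset]
        while stack:
            for src in callers.get(stack.pop(), ()):
                if src not in seen:
                    seen.add(src)
                    stack.append(src)
        seen.discard(asset)                    # a cycle must not count the asset itself
        result[asset] = seen
    return result

def rank_assets(flows, day_start=8, day_end=18):
    """Return (asset, transitive dependents, direct peers, business-hours share), ranked."""
    deps = dependents(flows)
    total, daytime = defaultdict(int), defaultdict(int)
    for ts, _, dst, _ in flows:
        total[dst] += 1
        daytime[dst] += day_start <= datetime.fromisoformat(ts).hour < day_end
    rows = [(a, len(deps[a]), len({s for _, s, d, _ in flows if d == a}),
             round(daytime[a] / total[a], 2)) for a in deps]
    return sorted(rows, key=lambda r: (r[1], r[3]), reverse=True)

if __name__ == "__main__":
    for row in rank_assets(build_sample_flows()):
        print(row)
```

Counting only direct connections would give the database five peers, fewer than any single application; following the dependencies upstream is what surfaces the 100 people who rely on it.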
Understand threats and exploitability
Once you know the assets that drive your business, you need to gain visibility into the likelihood that a threat actor will exploit a vulnerability. For example, you may have an application that runs on an on-premises server with no connection to the public internet. On the other hand, you might have a user laptop with an unpatched operating system connecting to a server via the internet, making it easy for malicious actors to exploit the device’s vulnerability during an attack.
Similarly, an email server that isn’t filtering spam or an asset that isn’t being captured by your vulnerability scanner carries more risk.
Understanding attack impact and likelihood requires you to know the interconnections between assets, the potential threats facing them, and whether those threats are realistic based on your unique environment.
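One way to find assets that your vulnerability scanner or EDR is not capturing is to reconcile each tool's host list against what is actually seen on the network. The Python sketch below is an added example, not part of any product: the three feeds and their hostnames are constructed, and it assumes hosts are identified by name (not IP address) and that short names are unique across domains.

```python
def normalize(name):
    """Reduce a hostname to a comparable key: lower-case short name without the domain."""
    return name.strip().lower().rstrip(".").split(".")[0]

def coverage_gaps(traffic_hosts, edr_hosts, scanner_hosts):
    """Return each asset seen in traffic or EDR, with the tools that do not cover it."""
    sources = {
        "traffic": {normalize(h) for h in traffic_hosts},
        "edr": {normalize(h) for h in edr_hosts},
        "scanner": {normalize(h) for h in scanner_hosts},
    }
    # Anything that talks on the network or runs an agent is a real asset,
    # whether or not the scanner's inventory knows about it.
    observed = sources["traffic"] | sources["edr"]
    gaps = {}
    for host in sorted(observed):
        missing = [tool for tool in ("edr", "scanner") if host not in sources[tool]]
        if missing:
            gaps[host] = missing
    return gaps

def sample_feeds():
    """Constructed host lists in the inconsistent formats different tools export."""
    traffic = ["ORDERS-DB.corp.example.", "app-1.corp.example", "build-07"]
    edr = ["app-1", "LAPTOP-22.corp.example"]
    scanner = ["orders-db.corp.example", "app-1.corp.example"]
    return traffic, edr, scanner

if __name__ == "__main__":
    for host, missing in coverage_gaps(*sample_feeds()).items():
        print(f"{host}: not covered by {', '.join(missing)}")
```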
Measure business impact using financial data
Possibly the most challenging part of risk and asset management is knowing the financial and business impact that a compromised critical asset would create.
For many organizations, this is the really tricky part. You need to align that metric to your:
Company’s size
Industry vertical
Peers
Type of loss
Business unit
Loss likelihood gives you insight into whether a malicious actor will attack or compromise an asset. Financial and business impact data tells you how much that breach will cost your organization.
For example, a developer losing a laptop and a ransomware attack incorporating data exfiltration would have different financial and business impacts.
Moreover, you need visibility into which business unit poses the biggest financial risk to your organization. Without these insights, you won’t know what assets create the greatest risk. For example, it’s easy to think that an email server is the highest impact asset because digital communications are critical to business outcomes and a key social engineering attack vector. However, assumptions can often be flawed because you bring your own biases with you.
By using financial and business impact data, you have a more robust, quantitative risk analysis so that you can define critical assets objectively and enhance your cyber asset management protections.
KeyCaliber: Cyber Asset Attack Surface Management with Financial Risk Data
KeyCaliber’s platform enables you to automate critical asset identification with quantitative data. We enable you to identify the assets that drive your business operations and then incorporate actuarial data breach information for a data-driven approach to financial and business impact analyses.
Our easy-to-integrate solution provides a rapid return on investment. By feeding KeyCaliber network traffic, vulnerability scanner, and EDR data, you can gain 80% of the platform’s value through visibility into your most used resources, potential threats, exploitability, and financial impact.
Further, we ensure that you have complete control over your risk ratings by enabling you to customize settings based on internal stakeholder knowledge. We automate the initial risk rating, eliminating the time-consuming and costly manual processes. However, if you need to adjust a rating, you can maintain control by making changes in the platform.
With our impact scores and risk scores, you have quantitative automation that enables you to focus your security and vulnerability management resources more precisely, enhancing security and mitigating data breach risks.