According to the most basic level of the Incident Response Hierarchy, security teams must be able to name all the assets they are defending and have visibility across all these assets. Modeled after Maslow's Hierarchy of Needs, this means asset visibility is a fundamental requirement for security programs to reach maximum effectiveness.
Maslow's Hierarchy of Needs is a psychological theory about the human needs that drive motivation to achieve full potential. It's often represented in a tiered model and usually looks something like this:
By satisfying the most basic needs at the bottom of the pyramid, people build a solid foundation and take steps toward self-actualization. Gaps in the lower tiers inevitably create obstacles to advancing upward, thus impeding the fulfillment of their potential.
Swann’s Incident Response Hierarchy – The incident response version of the pyramid
Similar to Maslow’s Hierarchy of Needs, Swann’s Incident Response Hierarchy builds from the bottom-up. Activities at the higher levels are dependent on completion of the lower levels first.
Here's a glimpse at Swann's Incident Response Hierarchy:
The basic tiers of inventory and telemetry focus on seeing your assets across the various environments that make up your information infrastructure. Clear sight of assets means we must go beyond the traditional methods of seeing them (lists and documentation in disparate systems) and actually understand the relationships between them: the metadata describing each asset and the ways these assets interoperate.
JupiterOne ingests this data through integrations and represents these relationships through our graph model.
From this data, we can build a baseline of activity. As we track our baseline, we gain rich context to understand and act in the next two tiers - detection and triage. The business impact of unauthorized activity can be shown through the context of the vulnerable assets. In JupiterOne terms, we call this the "blast radius." By clearly communicating business impact, you can drive prioritization of risk mitigation in clearer and more imperative terms.
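To make the "blast radius" idea concrete, here is an added Python illustration that is not JupiterOne's code, graph model or query language. It builds a small asset graph from constructed inventory data (the asset names, relationship verbs and 1-5 criticality weights are all assumptions for the example), walks outbound relationships to find everything a compromised asset could reach, walks them in reverse to find everything that leads to a critical data store, and ranks open findings by the criticality of what they can reach:

```python
from collections import deque

# Constructed sample inventory (not real JupiterOne data).
# criticality: hypothetical 1-5 business-impact weight assigned by the asset owner.
ASSETS = {
    "host-web-01":  {"type": "Host",     "criticality": 2},
    "svc-api":      {"type": "Service",  "criticality": 3},
    "role-api":     {"type": "IAMRole",  "criticality": 2},
    "db-customers": {"type": "Database", "criticality": 5},
    "bucket-logs":  {"type": "Bucket",   "criticality": 1},
    "repo-api":     {"type": "CodeRepo", "criticality": 2},
}

# Constructed directed relationships (source, verb, target): the metadata that
# records how assets interoperate, which a flat inventory list never captures.
RELATIONSHIPS = [
    ("host-web-01", "HOSTS",   "svc-api"),
    ("svc-api",     "ASSUMES", "role-api"),
    ("role-api",    "ALLOWS",  "db-customers"),
    ("role-api",    "ALLOWS",  "bucket-logs"),
    ("repo-api",    "DEPLOYS", "svc-api"),
]


def build_graph(relationships, reverse=False):
    """Adjacency list keyed by source; reverse=True keys by target instead."""
    graph = {}
    for src, verb, dst in relationships:
        if reverse:
            graph.setdefault(dst, []).append((verb, src))
        else:
            graph.setdefault(src, []).append((verb, dst))
    return graph


def reachable(graph, start):
    """Breadth-first walk. Returns {asset: path description} for every asset
    reachable from start, excluding start itself."""
    paths = {start: start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for verb, nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = f"{paths[node]} -{verb}-> {nxt}"
                queue.append(nxt)
    del paths[start]
    return paths


def blast_radius(graph, assets, vulnerable):
    """Downstream view: what a compromise of `vulnerable` could reach, plus a
    score that sums the criticality of everything in reach."""
    reached = reachable(graph, vulnerable)
    score = sum(assets[a]["criticality"] for a in reached)
    return reached, score


def exposure(reverse_graph, crown_jewel):
    """Upstream view: every asset whose compromise leads to `crown_jewel`."""
    return reachable(reverse_graph, crown_jewel)


def prioritize(graph, assets, findings):
    """Rank assets with open findings by blast-radius score, highest first."""
    ranked = [(asset, blast_radius(graph, assets, asset)[1]) for asset in findings]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    forward = build_graph(RELATIONSHIPS)
    backward = build_graph(RELATIONSHIPS, reverse=True)

    reached, score = blast_radius(forward, ASSETS, "host-web-01")
    print(f"Blast radius of host-web-01 (score {score}):")
    for path in reached.values():
        print("  ", path)

    print("Assets that lead to db-customers:", sorted(exposure(backward, "db-customers")))
    # Constructed findings: two assets with open vulnerabilities to triage.
    print("Triage order:", prioritize(forward, ASSETS, ["bucket-logs", "host-web-01"]))
```

The point of the reverse walk is prioritization: a finding on the web host scores 11 because the IAM role it can assume reaches the customer database, while the same finding on the log bucket scores 0 because nothing depends on it. The same traversal over a real graph is what turns "this host is vulnerable" into a statement of business impact.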
Looking at another framework: The NIST Cybersecurity Framework
Just like in Maslow's hierarchy, any gaps in the lower tiers, like asset visibility, make it increasingly difficult to tackle the tiers higher in the pyramid.
If we look at another framework - the NIST Cybersecurity Framework - the first function listed is Identify. In other words, at this stage, you are looking to develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
From the Identify function of the framework: "Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs."
A common outcome category for this function is Asset Management. However, traditional IT asset management (ITAM) and cloud asset inventory management tools have gaps in asset visibility and don't see the whole picture.
Traditional ITAM sticks with the legacy way of defining assets:
- On-premises software tools
- Cloud-based software apps
- Employee hardware
- IT hardware
- Virtual IT assets
- Bespoke IT assets
- Serverless platform assets (containers, functions, message queues, etc.)
- Valuable data or personal information (user information, etc.)
- Development resources (code repos, pull requests, commits)
Cloud adoption spurs continuous change
Cloud adoption, digital transformation, and API-based infrastructure and security tooling are fundamentally changing how we build, manage, govern, and secure the enterprise. Because of this shift, comprehensive cyber asset visibility has become even more essential to modern organizations. This has also forced their hand in reinventing how they track, monitor, and govern their corpus of cyber assets.
If "seeing" is at the base of every security framework in existence and is the first fundamental step to building your security program, then we ought to get it right and be able to see it all, no matter how complex our digital infrastructure might be.
Read about the rise of the software-defined cyber asset and how to make your asset data work for you.