According to the most basic level of the Incident Response Hierarchy, security teams must be able to name all the assets they are defending and have visibility across all these assets. Modeled after Maslow's Hierarchy of Needs, this means asset visibility is a fundamental requirement for security programs to reach maximum effectiveness.
Maslow's Hierarchy of Needs is a psychology theory about the human needs that drive motivation to achieve full potential. It's often represented in a tiered model and usually looks something like this:
By satisfying the most basic needs at the bottom of the pyramid, human beings build on the fundamentals and take steps toward self-actualization. Gaps in the lower tiers inevitably cause obstacles advancing upward, thus impeding the fulfillment of their full potential.
Here's a glimpse at Swann's Incident Response Hierarchy:
The basic tiers of inventory and telemetry focus on seeing your assets across the various environments in which they reside. Clear sight of assets means we must go beyond the traditional methods of seeing them (lists and documentation in disparate systems) and actually understand the relationships between these assets: the metadata and the ways these assets interoperate. Note: JupiterOne ingests this data through integrations and represents these relationships through our graph model, aka the Galaxy View.
From this data, we can build a baseline of activity. As we track our baseline, we gain rich context to understand and act in the next two tiers - detection and triage. The business impact of unauthorized activity can be shown through the context of the vulnerable assets. In JupiterOne terms, we call this the "blast radius." Clearly communicating business impact can drive prioritization of risk mitigation.
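As an added example (not JupiterOne's code and not the Galaxy View itself), the following Python sketch shows the two ideas above on a constructed asset graph: an inventory check that flags assets seen in telemetry but never named, and a breadth-first walk over asset relationships that computes the blast radius of a vulnerable asset, weighted by business value. All asset names, relationship types and values are made up for illustration.

```python
from collections import defaultdict, deque

# Constructed inventory (added example, not JupiterOne data):
# asset name -> (asset type, business value used to weight impact)
INVENTORY = {
    "web-prod-01": ("Host", 3),
    "api-lambda": ("Function", 2),
    "orders-db": ("DataStore", 10),
    "orders-repo": ("CodeRepo", 4),
    "deploy-role": ("IAMRole", 5),
    "customer-pii-bucket": ("DataStore", 10),
}
# Constructed relationships (source, relationship, target); the direction
# follows access, so a compromise of the source can reach the target.
RELATIONSHIPS = [
    ("web-prod-01", "CONNECTS", "orders-db"),
    ("web-prod-01", "ASSUMES", "deploy-role"),
    ("deploy-role", "ACCESSES", "customer-pii-bucket"),
    ("orders-repo", "DEPLOYS_TO", "api-lambda"),
    ("api-lambda", "CONNECTS", "orders-db"),
]
# Constructed telemetry: asset names observed in agent or log data.
TELEMETRY_SEEN = {"web-prod-01", "orders-db", "shadow-vm-07", "api-lambda"}


def inventory_gaps(inventory=INVENTORY, seen=TELEMETRY_SEEN):
    """Inventory tier: assets emitting telemetry that nobody has named."""
    return sorted(seen - set(inventory))


def blast_radius(asset, relationships=RELATIONSHIPS, inventory=INVENTORY):
    """Walk the relationship graph outward from a vulnerable asset and
    return (reachable assets, summed business value of those assets)."""
    adj = defaultdict(list)
    for src, _rel, dst in relationships:
        adj[src].append(dst)
    reached, queue = set(), deque([asset])
    while queue:  # breadth-first; cycles are safe because of `reached`
        for nxt in adj[queue.popleft()]:
            if nxt != asset and nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    impact = sum(inventory[a][1] for a in reached if a in inventory)
    return sorted(reached), impact


if __name__ == "__main__":
    print("unnamed assets:", inventory_gaps())
    print("blast radius of web-prod-01:", blast_radius("web-prod-01"))
```

The unnamed asset is the visibility gap the lower tiers are meant to close; the weighted blast radius is the business-impact figure that drives prioritization in the detection and triage tiers.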
Just like in Maslow's hierarchy, any gaps in the lower tiers, like asset visibility, make it increasingly difficult to tackle the tiers higher in the pyramid.
If we look at another framework - the NIST Cybersecurity Framework - the first function listed is Identify – develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
"Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs."
A common outcome category for this function is Asset Management. However, traditional IT asset management (ITAM) and cloud asset inventory management tools have gaps in asset visibility and don't see the whole picture.
Traditional ITAM sticks with the legacy way of defining assets:
- On-Premise Software Tools
- Cloud-Based Software Apps
- Employee Hardware
- IT Hardware
- Virtual IT Assets
- Bespoke IT Assets
- Serverless Platform Assets (containers, functions, message queues, etc.)
- Valuable Data or Personal Information (user information, etc.)
- Development Resources (code repos, pull requests, commits)
It's not uncommon for organizations to implement multi-cloud and hybrid cloud environments to run their digital operations. Cloud adoption, digital transformation, and API-based infrastructure and security tooling are fundamentally changing how we build, manage, govern, and secure the enterprise. These three shifts in technology necessitate a transition to a modernized definition of an asset. In the new world, these are called cyber assets.
Where tracking assets used to be simple, businesses must now reinvent how they track, monitor, and govern a new "cyber asset" collection in order to step up their game and survive in the modern digital world.
If "seeing" is at the basis of every security framework in existence and is the first fundamental step to building your security program, then we ought to get it right and be able to see it all, no matter how complex your digital infrastructure might be.
To learn more about the rise of the software-defined cyber asset, download our whitepaper, "Modern 'Visibility' for Cybersecurity and IT Asset Management."