Empowering Security with Critical Assets & Connecting Business Context

You’ve identified and collected all your cyber assets into one place. Now what? There are thousands, or even hundreds of thousands, of assets and a potentially countless number of vulnerability findings across them. How do you prioritize? What’s more important?

Before leading several security programs as a CISO and founding a security product company, I was, and still am, first and foremost, a security practitioner. Several years ago, during my time at IBM Security, I led a global practice for data security services and emergency response. I was in the trenches of security operations covering everything from pentesting, cyber forensics, incident response, DLP, and more.

In building and scaling any security strategy and program, my initiatives always boiled down to the following: secure and protect my company’s most important business critical assets.

The challenge here is that “critical assets” are extremely difficult to define. Everyone’s definition of a critical asset differs. For example, how JupiterOne defines and labels critical assets will be completely different from an enterprise in the banking sector or a large healthcare organization.

Why Defining Critical Assets Is Difficult Today

In order to define critical assets, you have to apply business-specific context and use organization-specific terminology and attributes.

Most companies end up building their own internal tools, systems, and processes to define and monitor their own business critical assets. Ask any CISO or security leader and you’ll find they’ve likely built out similar tools to capture this type of information. Specifically, they need to know what the critical assets are across their environment and which of the most critical risks and assets their team should prioritize.

Today, most security teams will tag an asset as “critical” based on a set of human-derived or human-determined criteria (e.g. features or functions).

For example:

  • is it touching sensitive data?
  • is it in production?
  • is it internet-facing?
  • does it have a certain classification label?
  • or is it actually flagged as critical by a person?

This set of human-defined criteria often factors into some sort of prioritization activity, which is usually tied to vulnerabilities. When security analysts respond to an incident or a finding and work through a vulnerability, if it’s tied to a critical asset, it gets higher priority.

Here’s the issue with this process:

  • Traditional processes and tools don’t scale. You and your teams will spend more time building out these tools and systems to capture and configure the right data to understand and monitor your critical assets. The problem is human beings don’t scale and they can’t do the work continuously. This is lost time and resources that your team could allocate to more important security initiatives for the business.
  • Visibility into critical assets doesn’t tell the whole story. Most of the time, security teams won’t even know that their critical assets have been impacted unless something severe happens, like an active attack on that specific critical asset. Most tools won’t give you the full context. For example: was there a cloud configuration change, were new permissions added, was a new cloud workload defined, and much more. These secondary and tertiary events, changes, or relationships can have an outsized impact on your business operations.

The New Way: Define Critical Assets with Data-Driven Context & Transparency

Here’s where JupiterOne is trying to upend traditional security with our new Critical Assets capability.

JupiterOne at its core is a data platform that collects all of your cyber asset data and tracks changes across your environment. We have the capability and extensibility in our tool to help businesses ask complex questions as well as tag and continuously monitor the most critical assets across your environment at scale.

The most exciting thing that Critical Assets brings to the table is that we empower customers to self-define their critical assets so that we can tie in their unique business context. From there, we continuously monitor those assets and seamlessly connect any vulnerabilities that we find. Security teams today have to deal with hundreds or thousands of vulnerabilities all at once. JupiterOne’s new Critical Assets feature helps teams prioritize actions better among the noise of so many vulnerabilities and findings.

It’s easy to take advantage of this new, powerful capability, with these 3 simple steps:

  1. Review (and tweak) the attributes used to define critical assets.
    (This is the basic/simple definition)
  2. Optionally, add rules using more advanced queries to tag assets as critical. For example, you may consider long-lived workloads running more than 30 days as critical.
    (One or more queries/rules can be used to customize the definition of critical assets to match specific business context)
  3. Get prioritized alerts on problems associated with critical assets.
    (These will show up front and center on the main J1 application)
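
The three steps above, sketched as an added example. This is not JupiterOne code or J1QL: the asset field names, the any-one-criterion-matches semantics, the rule function and the sample records are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 2, 1, tzinfo=timezone.utc)  # fixed clock so the run is repeatable

# Step 1: attribute-based definition (hypothetical field names and values).
ATTRIBUTE_CRITERIA = {
    "touches_sensitive_data": True,
    "environment": "production",
    "internet_facing": True,
    "classification": "restricted",
    "flagged_critical": True,
}

# Step 2: an extra rule, here the long-lived workload case (running > 30 days).
def long_lived_workload(asset, max_age=timedelta(days=30)):
    started = asset.get("started_at")
    return (asset.get("type") == "workload" and started is not None
            and NOW - started > max_age)

RULES = {"long_lived_workload": long_lived_workload}

def critical_reasons(asset):
    """Return why an asset is critical; an empty list means it is not."""
    reasons = [k for k, v in ATTRIBUTE_CRITERIA.items() if asset.get(k) == v]
    reasons += [name for name, rule in RULES.items() if rule(asset)]
    return reasons

# Step 3: findings on critical assets first, then by descending severity.
def prioritize(findings, assets):
    by_id = {a["id"]: a for a in assets}
    def key(finding):
        # A finding on an asset missing from the inventory is ranked as non-critical.
        asset = by_id.get(finding["asset_id"], {})
        return (not critical_reasons(asset), -finding["severity"])
    return sorted(findings, key=key)

# Constructed sample inventory and findings.
ASSETS = [
    {"id": "db-1", "type": "database", "touches_sensitive_data": True,
     "environment": "production"},
    {"id": "wl-7", "type": "workload", "environment": "dev",
     "started_at": NOW - timedelta(days=45)},
    {"id": "wl-9", "type": "workload", "environment": "dev",
     "started_at": NOW - timedelta(days=2)},
]
FINDINGS = [
    {"id": "F1", "asset_id": "wl-9", "severity": 9},
    {"id": "F2", "asset_id": "db-1", "severity": 5},
    {"id": "F3", "asset_id": "wl-7", "severity": 7},
    {"id": "F4", "asset_id": "gone-1", "severity": 10},
]
```

Keeping the list of reasons, rather than a bare critical flag, lets an analyst see which criterion or rule raised a finding's priority.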

My experience as a practitioner is what led me to build JupiterOne and to solve for better security at scale. That’s why I’m so excited to share the new Critical Assets feature with our customers and free tier users.

We’ve built Critical Assets with the idea that we want you to know WHAT exists, but you should only worry about it when it’s important or critical for your business to do so.

To learn more about our newest feature, check out the full details here on our latest blog, “Introducing Critical Assets - Building Blocks to Secure Your Cyber Asset 'Crown Jewels'” or check out the demo video below.

Erkang Zheng

I envision a world where decisions are made on facts, not fear; teams are fulfilled, not frustrated; breaches are improbable, not inevitable. Security is a basic right.

I am a cybersecurity practitioner and founder with 20+ years across IAM, pen testing, IR, data, app, and cloud security. An engineer by trade, entrepreneur at heart, I am passionate about technology and solving real-world challenges. Former CISO, security leader at IBM and Fidelity Investments, I hold five patents and multiple industry certifications.

I am building a cloud-native software platform at JupiterOne to deliver knowledge, transparency and confidence to every digital operation in every organization, large or small.
