(Re)Defining Cyber Asset Management

The key to any successful cybersecurity initiative is first understanding what it is you are responsible for. Yet, before you can begin conducting a cyber asset inventory, all responsible parties must first align on what that process consists of.

We can all agree the definition of a compute asset as it was decades ago is no longer relevant. What was once the most basic concept in IT asset management is now the most ambiguous due to the complexity of modern infrastructures. How does your organization define its cybersecurity assets?

What is a cyber asset?

Today, NIST defines assets as “the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes.” The UK’s National Cyber Security Centre defines an asset as “anything that can be used to produce value for your organization.”

A traditional asset management program consisted of the hardware, software and firmware that belonged directly to an organization. However, as our world continues its digital transformation, the way in which we visualize our environments must follow suit.

While assets are categorized under people, information, technology, and facilities, examples of individual assets include:

  • On-premises devices
  • Cloud storage
  • Software and applications
  • Security controls
  • VPNs
  • Employees and user identification applications
  • Networks
  • Datasets
  • Processes and policies

However, this is not a comprehensive list. Anything from an IP address to an IoT device should be included in your security hygiene and posture management best practices.

Why is cyber asset management so complex?

The inability to identify all assets is one of the top challenges cybersecurity and IT teams continue to struggle with. It’s evident that entrusting “anything that produces value” to define your cybersecurity strategy isn’t enough direction when teams are already experiencing extreme burnout.

For example, say two companies (Company A and Company B) detect the same number of remote code execution (RCE) vulnerabilities. None of the affected devices at Company B belong to privileged users. Company A, on the other hand, identified several of its vulnerabilities among administrative accounts.

Looking at just the number of vulnerabilities themselves, the organizations appear to be at equal risk for a cyberattack. However, the potential blast radius of Company A would put it much higher on a cybercriminal’s list of potential targets.

This isn’t a new concept to security hygiene and posture management. In fact, more than one in every 5 IT and decision makers agree the inability to understand asset exploitability, exposure, and impact on critical systems in their environment is one of the biggest challenges they face when managing vulnerabilities.

How to identify critical cybersecurity assets

Not all assets are created equal, and critical assets are unique to every organization. Therefore, intra-relationship maps and contextual collation must be considered as integral to your cybersecurity function as asset discovery is.
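The Company A and Company B comparison above, worked through as an added example (not part of the original article): a breadth-first walk over a small relationship map that lists which critical assets are reachable from each device with an RCE finding. Every asset name, edge and criticality flag below is a constructed, illustrative assumption.

```python
from collections import deque

CRITICAL = {"domain-controller", "payroll-db", "backup-server"}  # constructed

# Constructed inventories: an edge means "access to X grants access to Y".
COMPANY_A = {
    "rce_devices": ["laptop-a1", "laptop-a2", "kiosk-a3"],
    "edges": {
        "laptop-a1": ["user:alice"],
        "laptop-a2": ["user:admin-bob"],          # administrator's workstation
        "user:alice": ["wiki"],
        "user:admin-bob": ["domain-controller", "payroll-db"],
        "domain-controller": ["payroll-db", "backup-server"],
    },
}
COMPANY_B = {
    "rce_devices": ["laptop-b1", "laptop-b2", "kiosk-b3"],
    "edges": {
        "laptop-b1": ["user:carol"],
        "laptop-b2": ["user:dave"],
        "user:carol": ["wiki"],
        "user:dave": ["wiki", "ticketing"],       # no privileged accounts
    },
}

def blast_radius(edges, vulnerable, critical=CRITICAL):
    """Map each vulnerable device to the critical assets reachable from it."""
    result = {}
    for start in vulnerable:
        seen, queue = {start}, deque([start])
        while queue:                              # breadth-first traversal
            for nxt in edges.get(queue.popleft(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        result[start] = sorted(seen & critical)
    return result

def rank(companies):
    """Rank by distinct critical assets exposed, not by raw finding count."""
    rows = []
    for name, c in companies.items():
        radius = blast_radius(c["edges"], c["rce_devices"])
        exposed = set().union(*radius.values())
        rows.append((name, len(c["rce_devices"]), len(exposed), radius))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, findings, exposed, _ in rank({"Company A": COMPANY_A, "Company B": COMPANY_B}):
        print(f"{name}: {findings} RCE findings, {exposed} critical assets exposed")
```

Both companies report three findings, but only the context from the relationship map separates them.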

To begin on your asset inventory journey, the Cybersecurity & Infrastructure Security Agency (CISA) recommends first completing the following checklist:

  • Prioritized list of services: A prioritized list that clearly identifies the highest valued services
  • Asset definitions: Assets are clearly defined for the organization so that the stakeholders responsible for identifying assets can consistently document them
  • An understanding and acknowledgement of an acceptable approach to asset management: Acknowledgement from management for the intended approach to asset management, including stakeholder expectations about acceptable risk tolerance for the identified critical assets and services
  • Externally imposed requirements for asset management: Regulatory requirements defining mandatory requirements for asset definition; also includes other needs such as service level agreement requirements
  • Risks: The list of categorized and prioritized risks
  • Assignment of responsibility for asset management: Job descriptions for roles that have responsibilities for asset management, for example, executive ownership, decisions, communication, testing and disruption risk management

Source: CISA, 2016

It isn’t a mere coincidence that of the items listed above, ranking services in order of business criticality comes first. To help determine criticality, consider the following questions documented in CISA’s insider threat mitigation campaign for asset protection:

  • If compromised, will it impact workforce or public safety?
  • Was it identified as critical in a Business Impact Analysis?
  • Is it vital to the organization’s primary mission?
  • What is the risk tolerance?
  • Will a compromise have a negative impact on the organizational brand or reputation?
  • Will damage, compromise, or disruption result in an unacceptable financial loss?

This may seem impossible to properly execute at scale—especially as environments continue to change and new assets are constantly introduced. Adding to the complexity, organizations continue to rely on spreadsheets to piece together the data from their siloed systems.

According to Gartner: “New ways of visualizing and prioritizing management of an organization’s attack surface are required as enterprise IT becomes more dispersed, owing to the expansion of public-facing digital assets and increased use of cloud infrastructure and applications.”

Discover the technological innovations organizations are leveraging to help visualize their entire attack surface in the Innovation Insight for Attack Surface Management report by Gartner.