Back to basics: Why better asset visibility matters in your security program

by

According to the most basic level of the Incident Response Hierarchy, security teams must be able to name all the assets they are defending and have visibility across all these assets. Modeled after Maslow's Hierarchy of Needs, this means asset visibility is a fundamental requirement for security programs to reach maximum effectiveness.

Maslow's Hierarchy of Needs is a psychological theory about the human needs that drive motivation to achieve full potential. It's often represented in a tiered model and usually looks something like this:

maslow-needs2


https://www.simplypsychology.org/maslow.html

By satisfying the most basic needs at the bottom of the pyramid, people build a solid foundation and take steps toward self-actualization. Gaps in the lower tiers inevitably cause obstacles advancing upward, thus impeding the fulfillment of their potential.

Swann’s Incident Response Hierarchy – The incident response version of the pyramid

Similar to Maslow’s Hierarchy of Needs, Swann’s Incident Response Hierarchy builds from the bottom-up. Activities at the higher levels are dependent on completion of the lower levels first.

Here's a glimpse at Swann's Incident Response Hierarchy:

hierarchy

 

The basic tiers of inventory and telemetry focus on seeing your assets across the various environments that make up your information infrastructure. Clear sight of assets means we must go beyond the traditional methods of seeing them (lists and documentation in disparate systems) and actually understand the relationships between these assets - the metadata and ways these assets interoperate.

JupiterOne ingests this data through integrations and represents these relationships through our graph model.

From this data, we can build a baseline of activity. As we track our baseline, we gain rich context to understand and act in the next two tiers - detection and triage. The business impact of unauthorized activity can be shown through the context of the vulnerable assets. In JupiterOne terms, we call this the "blast radius." By clearly communicating business impact, you can drive prioritization of risk mitigation in more clear and imperative terms.

 

plateaus

 

Looking at another framework: The NIST Cybersecurity Framework

Just like in Maslows' hierarchy, any gaps in the lower tiers, like asset visibility, make it increasingly difficult to tackle the tiers higher in the pyramid.

If we look at another framework - the NIST Cybersecurity Framework - the first function listed is Identify. In other words, at this stage, you are looking to develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

Screen Shot 2021-05-12 at 5.22.35 PM

From the Identify function of the framework: "Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs."

A common outcome category for this function is Asset Management. However, traditional IT asset management (ITAM) and cloud asset inventory management tools have gaps in asset visibility and don't see the whole picture.

Traditional ITAM sticks w/ the legacy way of defining assets:

  • On-premises software tools
  • Cloud-based software apps
  • Employee hardware
  • IT hardware
  • Virtual IT assets
  • Bespoke IT assets
  • Serverless platform assets (containers, functions, message queues, etc.)
  • Valuable data or personal information (user information, etc.)
  • Development resources (code repos, pull requests, commits)

Cloud adoption spurs continuous change

Cloud adoption, digital transformation, and API-based infrastructure and security tooling are fundamentally changing how we build, manage, govern, and secure the enterprise. Because of this shift, comprehensive cyber asset visibility has become even more essential to modern organizations. This has also forced their hand in reinventing how they track, monitor, and govern their corpus of cyber assets.

If "seeing" is at the basis of every security framework in existence and is the first fundamental step to building your security program, then we ought to get it right and be able to see it all, no matter how complex your digital infrastructure might be.

Read about the rise of the software-defined cyber asset and how to make your asset data work for you.

 

Ashleigh Lee
Ashleigh Lee

As Senior Product Marketing Manager at JupiterOne, I love getting to the heart of what problems our customers are solving and how that ties in with the cybersecurity mission at their organizations. With over a decade of experience in B2B tech marketing, and the last 7 years in cybersecurity, I have honed my digital swiss army knife background into sharing customer stories that resonate and drive action.

Keep Reading

Proactive IAM Security: Transforming Identity Security with Actionable Insights | Okta Integration with JupiterOne
December 19, 2024
Blog
Unlocking Proactive Security: How Okta and JupiterOne Elevate IAM Insights

Unlock proactive IAM security with Okta and JupiterOne, gaining real-time insights, enforcing least privilege, and reducing risks in dynamic cloud environments.

Transitioning from Vulnerability Management to Exposure Management | JupiterOne
December 13, 2024
Blog
Transitioning from Vulnerability Management to Exposure Management with JupiterOne

Explore Gartner's latest report on Exposure Management and learn how your organization can prioritize vulnerabilities and minimize exposures.

The Ultimate CAASM Guide for 2025 | JupiterOne
November 20, 2024
Blog
The Ultimate CAASM Guide for 2025

Discover how Cyber Asset Attack Surface Management (CAASM) is providing enhanced visibility of internal and external assets in 2025.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.