Orphaned assets are a familiar story for every cybersecurity professional. Like something out of a horror movie, these legacy devices lurk neglected, forgotten, and undersecured in the attic (or data center), seemingly harmless. Vendors try to raise the alarm about the risks they pose, but their words go unheeded amid more pressing security priorities. Until one day the unthinkable happens ...
As it happens, the reality of orphaned assets is even scarier. Picture a server in a dusty corner that nobody has thought about in years. Its only user accounts are for people who left the organization long ago, and they were the last ones to touch its data and applications. Why should the security team lose any sleep over it? Consider this chilling thought: It's still connected to the network. Even worse, it's only three hops away from protected health information, personally identifiable information, or other highly sensitive, regulated data. Is your pulse racing yet?
Like shadow IT assets, security teams often overlook orphaned assets. But no cyber asset is truly isolated—and the lack of a direct connection to a critical asset is no indication of harmlessness. In fact, the indirect relationships between users, devices, networks, and critical data are a huge source of security risk in today's organizations. These unexplored connections amount to a vast blind spot that can expose the entire environment to attack.
In our last blog on the findings of the JupiterOne 2022 State of Cyber Assets Report, we looked at the risks and challenges posed by virtually unmanageable software supply chain security. Now, in our final blog on the report, we'll shed some light on the dangers hiding in the cyber-shadows—and offer a few overall takeaways from this year's cyber asset research.
The overlooked dangers of nth-degree relationships
JupiterOne's analysis of over 370 million assets at almost 1,300 organizations thoroughly debunks the "isolated" orphaned asset myth. According to our research, data, including critical data and sensitive personal records, is among the most related types of assets, with 105 million first-degree relationships to users, apps, and devices. We also found nearly 45 million relationships between security findings, indicating that many security backlogs contain findings identified as critical vulnerabilities or policy exceptions.
And these relationships are only the tip of the risk iceberg, as revealed by our analysis of 3.8 million queries used by security practitioners. In spite of the highly related nature of data in today's environments, security practitioners use queries to understand the security of devices, users, and apps much more often than networks or data, and can easily overlook sensitive cloud data.
Even worse, just eight percent of security queries consider second-degree or third-degree relationships between assets. As a result, security teams are unable to fully understand the blast radius of potential compromises. After all, how many security exploits stop at their first asset rather than burrowing further to seek out high-value targets?
The cybersecurity talent crunch likely plays a role in this blind spot. Under-resourced teams just don't have the time or tools to dig deeper into the relationships among assets, including orphaned and shadow IT assets. Additional hires are likely a necessary measure, though not an easy one. Security teams should also consider tools that allow them to learn from false and true positives, and adjust their alerts to avoid fatigue.
Googling our way to better cybersecurity
Ultimately, the solution to blind spots is to think of security as a big data search problem. Querying individual assets is already a data-intensive process, and it's only part of the picture. Teams also need a way to understand the relationships among assets, since this is where so much of the risk exists. Just as search engines adapted to the exponential growth of the Internet by using semantic models based on knowledge graphs, a similar approach can help security teams keep pace with the scale and complexity of the modern enterprise environment.
Over the past decade, Google's knowledge graph has made it easy for people to get clear answers, fast, from the unimaginably large volume of data on the web. In the decade to come, knowledge graphs will drive a similar transformation for cybersecurity professionals.
What have we learned?
As we conclude our five-part series on the JupiterOne, we'll leave you with these five top takeaways to consider:
- Automated asset creation calls for automated asset inventory. It's the only way to manage a vast, fast-changing attack surface.
- Cybersecurity needs a reset. As cloud services, resilient architectures, and agile development push traditional IT infrastructure to the margins, we must rethink our industry skills pipeline, policy, and collective best practices.
- You can't manage risk without understanding relationships. It's the relationships between assets, findings, users, and policies that drive security context to help security programs improve.
- Findings need more attention. They account for over two-fifths of enterprise assets and attributes—and without added resources to help triage, investigate, remediate, and tune them, security teams risk missing something serious.
- A query is not an inventory. Security practitioner queries and alerts focus mainly on USERS and DEVICES, not DATA and FINDINGS—and on understanding what they have, not which assets are most business-critical or vulnerable.
We hope you've found this blog series useful, and that you'll continue your exploration of the full 2022 State of Cyber Assets Report for further insight on the risks that exist in today's enterprise environments, the challenges cybersecurity professionals face in addressing them, and the possible approaches to achieve better protection for our organizations.