You’ve identified and collected all your cyber assets into one place. Now what? There are thousands, or even hundreds of thousands, of assets and a potentially countless number of vulnerability findings across them. How do you prioritize? What’s more important?
Before leading several security programs as a CISO and founding a security product company, I was, and still am, first and foremost, a security practitioner. Several years ago, during my time at IBM Security, I led a global practice for data security services and emergency response. I was in the trenches of security operations, covering everything from pentesting and cyber forensics to incident response, DLP, and more.
In building and scaling any security strategy and program, my initiatives always boiled down to the following: secure and protect my company’s most important business-critical assets.
The challenge here is that “critical assets” are extremely difficult to define. Everyone’s definition of a critical asset differs. For example, how JupiterOne defines and labels critical assets will be completely different from an enterprise in the banking sector or a large healthcare organization.
Why Defining Critical Assets Is Difficult Today
In order to define critical assets, you have to apply business-specific context and use organization-specific terminology and attributes.
Most companies end up building their own internal tools, systems, and processes to define and monitor their own business-critical assets. Ask any CISO or security leader and you’ll find they’ve likely built out similar tools to capture this type of information. Specifically, they need to know what the critical assets are across their environment and which risks and assets their team should prioritize first.
Today, most security teams will tag an asset as “critical” based on a set of human-derived or human-determined criteria (e.g. features or functions).
For example:
- is it touching sensitive data?
- is it in production?
- is it internet-facing?
- does it have a certain classification label?
- or is it actually flagged as critical by a person?
This set of human-defined criteria often factors into some sort of prioritization activity, which is usually tied to vulnerabilities. When security analysts respond to an incident or a finding and work through a vulnerability, if it’s tied to a critical asset, it gets higher priority.
Here’s the issue with this process:
- Traditional processes and tools don’t scale. You and your teams will spend more time building out these tools and systems to capture and configure the right data to understand and monitor your critical assets. The problem is that human beings don’t scale and they can’t do the work continuously. This is lost time and resources that your team could allocate to more important security initiatives for the business.
- Visibility into critical assets doesn’t tell the whole story. Most of the time, security teams won’t even know that their critical assets have been impacted unless something severe happens, like an active attack against that specific critical asset. Most tools won’t give you the full context. For example: was there a cloud configuration change? Were new permissions added? Was a new cloud workload defined? These secondary and tertiary events, changes, or relationships can have an outsized impact on your business operations.
The New Way: Define Critical Assets with Data-Driven Context & Transparency
Here’s where JupiterOne is trying to upend traditional security with our new Critical Assets capability.
JupiterOne at its core is a data platform that collects all of your cyber asset data and tracks changes across your environment. We have the capability and extensibility in our tool to help businesses ask complex questions as well as tag and continuously monitor the most critical assets across your environment at scale.
The most exciting thing that Critical Assets brings to the table is that we empower customers to self-define their critical assets so that we can tie in their unique business context. From there, we continuously monitor those assets and seamlessly connect any vulnerabilities that we find. Security teams today have to deal with hundreds or thousands of vulnerabilities all at once. JupiterOne’s new Critical Assets feature helps teams prioritize actions better among the noise of so many vulnerabilities and findings.
It’s easy to take advantage of this new, powerful capability with these 3 simple steps:
- Review (and tweak) the attributes used to define critical assets. (This is the basic/simple definition.)
- Optionally, add rules using more advanced queries to tag assets as critical. For example, you may consider long-lived workloads running more than 30 days as critical. (One or more queries/rules can be used to customize the definition of critical assets to match specific business context.)
- Get prioritized alerts on problems associated with critical assets. (These will show up front and center on the main J1 application.)
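As an added illustration (not JupiterOne’s own code or query language), here is a small Python model of the workflow described by the human-defined criteria listed earlier and by the three steps above: the five attributes (sensitive data, production, internet-facing, classification label, manual flag) become basic rules, the 30-day long-lived-workload rule becomes an advanced rule, and findings are reordered so those on critical assets surface first, each carrying the reason its asset was tagged. The asset inventory, findings, field names and rule names are all constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. The attributes mirror the human-defined
# criteria from the post plus a creation timestamp for the long-lived
# workload rule. All ids and values are made up for this example.
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)

ASSETS = [
    {"id": "vm-web-01", "type": "Host", "environment": "production",
     "internet_facing": True, "sensitive_data": False, "classification": None,
     "flagged_critical": False, "created_at": NOW - timedelta(days=45)},
    {"id": "db-customers", "type": "Database", "environment": "production",
     "internet_facing": False, "sensitive_data": True, "classification": "confidential",
     "flagged_critical": False, "created_at": NOW - timedelta(days=400)},
    {"id": "ci-runner-7", "type": "Host", "environment": "staging",
     "internet_facing": False, "sensitive_data": False, "classification": None,
     "flagged_critical": False, "created_at": NOW - timedelta(days=2)},
    {"id": "lab-box", "type": "Host", "environment": "dev",
     "internet_facing": False, "sensitive_data": False, "classification": None,
     "flagged_critical": True, "created_at": NOW - timedelta(days=10)},
]

# Constructed findings; each references an asset by id.
FINDINGS = [
    {"id": "F-1", "asset": "ci-runner-7", "severity": "critical", "title": "Outdated agent"},
    {"id": "F-2", "asset": "vm-web-01", "severity": "high", "title": "TLS 1.0 enabled"},
    {"id": "F-3", "asset": "db-customers", "severity": "medium", "title": "Backup not encrypted"},
    {"id": "F-4", "asset": "lab-box", "severity": "low", "title": "Missing owner tag"},
]

# Step 1: the basic definition, one predicate per human-defined attribute.
BASIC_RULES = {
    "touches-sensitive-data": lambda a, now: a["sensitive_data"],
    "in-production": lambda a, now: a["environment"] == "production",
    "internet-facing": lambda a, now: a["internet_facing"],
    "classified": lambda a, now: a["classification"] in {"confidential", "restricted"},
    "flagged-by-person": lambda a, now: a["flagged_critical"],
}


def long_lived_workload(asset, now, max_age_days=30):
    """Step 2: an advanced rule. A workload running longer than 30 days is critical."""
    age = now - asset["created_at"]
    return asset["type"] == "Host" and age > timedelta(days=max_age_days)


ADVANCED_RULES = {"long-lived-workload": long_lived_workload}


def tag_critical(assets, rules, now):
    """Return {asset_id: [matched rule names]} for every asset matching any rule."""
    tagged = {}
    for asset in assets:
        matched = [name for name, rule in rules.items() if rule(asset, now)]
        if matched:
            tagged[asset["id"]] = matched
    return tagged


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def prioritize_findings(findings, critical_tags):
    """Step 3: order findings so those on critical assets come first, then by severity.

    Each result carries the rules that made its asset critical, so an analyst
    sees why a finding was promoted rather than only that it was.
    """
    def sort_key(f):
        on_critical = f["asset"] in critical_tags
        return (0 if on_critical else 1, SEVERITY_RANK.get(f["severity"], 99), f["id"])

    return [
        {**f, "critical_asset": f["asset"] in critical_tags,
         "why": critical_tags.get(f["asset"], [])}
        for f in sorted(findings, key=sort_key)
    ]


if __name__ == "__main__":
    tags = tag_critical(ASSETS, {**BASIC_RULES, **ADVANCED_RULES}, NOW)
    for item in prioritize_findings(FINDINGS, tags):
        marker = "CRITICAL" if item["critical_asset"] else "        "
        print(f"{marker} {item['id']} {item['severity']:<8} {item['asset']:<14} "
              f"{', '.join(item['why'])}")
```

Running it tags vm-web-01 (production, internet-facing, and a host older than 30 days), db-customers (sensitive data, production, confidential) and lab-box (flagged by a person), while the two-day-old staging runner stays untagged. The ordering then puts a high-severity finding on the web host ahead of a critical-severity finding on the untagged runner; that is a deliberate choice for this example, and a team that wants severity to override asset criticality for the very top ratings would swap the first two elements of the sort key.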
My experience as a practitioner is what led me to build JupiterOne and to solve for better security at scale. That’s why I’m so excited to share the new Critical Assets feature with our customers and free tier users.
We’ve built Critical Assets with the idea that we want you to know WHAT exists, but you should only worry about it when it’s important or critical for your business to do so.
To learn more about our newest feature, check out the full details here on our latest blog, “Introducing Critical Assets - Building Blocks to Secure Your Cyber Asset 'Crown Jewels'” or check out the demo video below.