Empowering Security with Critical Assets & Connecting Business Context

by

You’ve identified and collected all your cyber assets into one place. Now what? There are thousands, or even hundreds of thousands assets and potentially countless number of vulnerability findings across them. How do you prioritize? What’s more important?

Before leading several security programs as a CISO and founding a security product company, I was, and still am, first and foremost, a security practitioner. Several years ago, during my time at IBM Security, I led a global practice for data security services and emergency response. I was in the trenches of security operations covering  everything from pentesting, cyber forensics, incident response, DLP, and more.

In building and scaling any security strategy and program, my initiatives always boiled down to the following: secure and protect my company’s most important business critical assets.

The challenge here is that “critical assets” are extremely difficult to define. Everyone’s definition of a critical asset differs. For example, how JupiterOne defines and labels critical assets will be completely different from an enterprise in the banking sector or a large healthcare organization.

Why Defining Critical Assets Is Difficult Today

In order to define critical assets, you have to apply the business specific context and use organization specific terminologies and attributes.

Most companies end up building their own internal tools, systems, and processes to define and monitor their own business critical assets. Ask any CISO or security leader and you’ll find they’ve likely built out similar tools to capture this type of information. Specifically, they need to know what the critical assets are across their environment and what the most critical risks and assets their team should prioritize.

Today, most security teams will tag an asset as “critical” based on a set of human-derived or human-determined criteria (e.g. features or functions).

For example:

  • is it touching sensitive data?
  • is it in production?
  • is it internet-facing?
  • does it have a certain classification label?
  • or is it actually flagged as critical by a person?

This set of human-defined criteria often factor into some sort of prioritization activity which is usually tied to vulnerabilities. When security analysts respond to an incident or a finding and work through a vulnerability, if it’s tied to a critical asset, it gets higher priority.

Here’s the issue with this process:

  • Traditional processes and tools don’t scale. You and your teams will spend more time building out these tools and systems to capture and configure the right data to understand and monitor your critical assets. The problem is human beings don’t scale and they can’t do the work continuously. This is lost time and resources that your team could allocate to more important security initiatives for the business.
  • Visibility into critical assets doesn’t tell the whole story. Most of the time, security teams won’t even know that their critical assets have been impacted unless something severe happens like an active attack to that specific critical asset. Most tools won’t give you the full context. For example, was there a cloud configuration change, new permissions added, a new cloud workload was defined, and much more. These secondary and tertiary events, changes, or relationships can have an outsized impact on your business operations.

The New Way: Define Critical Assets with Data-Driven Context & Transparency

Here’s where JupiterOne is trying to upend traditional security with our new Critical Assets capability.

JupiterOne at its core is a data platform that collects all of your cyber asset data and tracks changes across your environment. We have the capability and extensibility in our tool to help businesses ask complex questions as well as tag and continuously monitor the most critical assets across your environment at scale.

The most exciting thing that Critical Assets brings to the table is that we empower customers to self define their critical assets so that we can tie in their unique business context. From there, we continuously monitor those assets and seamlessly connect any vulnerabilities that we find. Security teams today have to deal with hundreds or thousands of vulnerabilities all at once. JupiterOne’s new Critical Assets feature helps teams prioritize actions better among the noise of so many vulnerabilities and findings.

It’s easy to take advantage of this new, powerful capability, with these 3 simple steps:

  1. Review (and tweak) the attributes used to define critical assets.
    (This is the basic/simple definition)
  2. Optionally, add rules using more advanced queries to tag assets as critical. For example, you may consider long-lived workloads running more than 30 days as critical.
    (One more more queries/rules can be used to customize the definition of critical assets to match specific business context)
  3. Get prioritized alerts on problems associated with critical assets.
    (These will show up front and center on the main J1 application)

My experience as a practitioner is what led me to build JupiterOne and to solve for better security at scale. That’s why I’m so excited to share the new Critical Assets feature with our customers and free tier users.

We’ve built Critical Assets with the idea that we want you to know WHAT exists, but you should only worry about it when it’s important or critical for your business to do so.

To learn more about our newest feature, check out the full details here on our latest blog, “Introducing Critical Assets - Building Blocks to Secure Your Cyber Asset 'Crown Jewels'” or check out the demo video below.

Erkang Zheng
Erkang Zheng

I founded JupiterOne because I envision a world where decisions are made on facts, not fear; teams are fulfilled, not frustrated; breaches are improbable, not inevitable. Security is a basic right.

We are building a cloud-native software platform at JupiterOne to deliver knowledge, transparency and confidence to every digital operation in every organization, large or small.

I am the Founder and CEO of JupiterOne, and also a cybersecurity practitioner  with 20+ years experience across IAM, pen testing, IR, data, app, and cloud security. An engineer by trade, entrepreneur at heart, I am passionate about technology and solving real-world challenges. Former CISO, security leader at IBM and Fidelity Investments, I hold five patents and multiple industry certifications.

Keep Reading

Proactive IAM Security: Transforming Identity Security with Actionable Insights | Okta Integration with JupiterOne
December 19, 2024
Blog
Unlocking Proactive Security: How Okta and JupiterOne Elevate IAM Insights

Unlock proactive IAM security with Okta and JupiterOne, gaining real-time insights, enforcing least privilege, and reducing risks in dynamic cloud environments.

Transitioning from Vulnerability Management to Exposure Management | JupiterOne
December 13, 2024
Blog
Transitioning from Vulnerability Management to Exposure Management with JupiterOne

Explore Gartner's latest report on Exposure Management and learn how your organization can prioritize vulnerabilities and minimize exposures.

The Ultimate CAASM Guide for 2025 | JupiterOne
November 20, 2024
Blog
The Ultimate CAASM Guide for 2025

Discover how Cyber Asset Attack Surface Management (CAASM) is providing enhanced visibility of internal and external assets in 2025.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.