Relationships matter. They matter in life, they matter in business, they matter in nearly everything we do. This is especially true when it comes to your cyber assets.
Here's the problem: most companies have no visibility into the cyber assets within their system environments or, more importantly, into how those assets connect and interact with each other. Anyone can collect data and define and track assets, but most can't put the relationships between those assets, and the impact of those connections, in context as part of a broader IT strategy.
It's not enough to know what your cyber assets are; it's equally important to understand the relationships between those assets and entities. When a data breach or security incident happens, it is not enough to know how many Git repos or AWS instances your company has. You want to know why there was a breach, which accounts and assets were compromised, and how it could impact other users, applications, and infrastructure in your company.
Relationship visibility is critical to understanding the connections between the cyber assets within your systems.
How do we define a cyber "relationship"?
A relationship is the connection between two or more cyber assets. Assets in isolation don't tell us anything; it's how they interoperate and work together that provides value. Questions such as "who OWNS this application" and "what SSO accounts can ACCESS these workloads" are the real questions that security professionals need to answer, and they all revolve around relationship verbs. Example verbs might be "uses", "is", "accesses", "knows", "owns", "assigned", etc.
Example Relationship – Employee A IS an Okta User, GitHub User, and AWS IAM User.
Simplified examples of relationships in context of cyber asset management:
- Employee A IS an Okta User, GitHub User, and AWS IAM User
- An AWS account HAS AWS instances
- Employee A USES ephemeral devices X, Y, and Z (e.g. VM)
- User A is ASSIGNED Admin Permissions for production environment
Complexity in Relationship Management
What makes relationships difficult to understand is that they become too complex as companies move more of their assets and activities to the digital environment. As a result, when a security incident happens, the data you need often lives in unrelated systems.
For example, endpoint data is stored within your endpoint management security solution, while AWS is managed by a separate cloud management service. Asking complex questions of your environment takes significant time, access to numerous tools and infrastructure systems, and the ability to understand and tie the results together. In a world of digital transformation and software-defined everything, this is just too complex.
There needs to be a unified solution to bridge this gap.
Relationships Go Beyond Visibility
Understanding your cyber asset collection in a complex world is nearly impossible.
A typical company has tens of thousands (if not hundreds of thousands) of cyber assets in its digital environment. For each of these assets, there can be multiple correlating relationships. This results in exponential growth of the complexity of your world. When this data is siloed across your infrastructure and security tooling, it is difficult to find the blind spots in your environment.
Attackers Think in a Connected Model
Attackers understand that one entity or asset in a system leads to other assets and systems. Once access is gained to one target, an attacker thinks about how they can elevate their privilege to other nodes in the environment, and creates a map to visualize those connections. This explains why visibility of your cyber assets is not enough. Attackers understand, and map, the paths between targets. Your security systems must surface, display and monitor those paths as well.
If you limit yourself to simple visibility of your system's cyber assets, without an in-depth understanding of the relationships between those assets, you risk losing two-thirds of the insights your security and infrastructure tooling can provide.
Based on our research of more than 25 million entities and over 50 million relationships (December 2020), we have seen that each entity within a complex system has, on average, two to three relationships associated with it. Key entities could easily have 10+ relationships.
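To make the connected model concrete, here is an added example (not code from this article or its authors) that stores relationships as (source, VERB, target) triples, answers a "who OWNS this" question, and traces the paths a defender needs to review when one asset is compromised. The asset names and sample inventory are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample inventory: (source, VERB, target) triples modelled on the
# article's examples. Every asset name here is hypothetical.
RELATIONSHIPS = [
    ("employee-a", "IS", "okta-user-a"),
    ("employee-a", "IS", "github-user-a"),
    ("employee-a", "IS", "aws-iam-user-a"),
    ("employee-a", "USES", "vm-x"),
    ("aws-iam-user-a", "ASSIGNED", "prod-admin-role"),
    ("prod-admin-role", "ACCESSES", "aws-account-prod"),
    ("aws-account-prod", "HAS", "ec2-instance-1"),
    ("aws-account-prod", "HAS", "ec2-instance-2"),
    ("github-user-a", "ACCESSES", "repo-payments"),
    ("employee-b", "OWNS", "repo-payments"),
]

class AssetGraph:
    def __init__(self, triples):
        self.out = defaultdict(list)  # source -> [(verb, target)]
        self.inc = defaultdict(list)  # target -> [(verb, source)]
        for src, verb, dst in triples:
            self.out[src].append((verb, dst))
            self.inc[dst].append((verb, src))

    def who(self, verb, target):
        """Answer questions such as 'who OWNS this application'."""
        return sorted(src for v, src in self.inc.get(target, []) if v == verb)

    def blast_radius(self, compromised):
        """Map each asset reachable from `compromised` to the path leading to it."""
        paths, queue = {compromised: compromised}, deque([compromised])
        while queue:
            node = queue.popleft()
            for verb, nxt in self.out.get(node, []):
                if nxt not in paths:  # breadth-first: first path found is shortest
                    paths[nxt] = f"{paths[node]} -{verb}-> {nxt}"
                    queue.append(nxt)
        del paths[compromised]
        return paths

    def owners_to_notify(self, compromised):
        """Owners of every asset inside the blast radius."""
        reach = self.blast_radius(compromised)
        return sorted({o for asset in reach for o in self.who("OWNS", asset)})

if __name__ == "__main__":
    graph = AssetGraph(RELATIONSHIPS)
    for path in graph.blast_radius("aws-iam-user-a").values():
        print(path)
    print(graph.owners_to_notify("employee-a"))
```

A flat inventory of the same twelve assets would show none of these paths; the ten relationships are what tie the IAM user to the production instances and Employee A's accounts to a repository someone else owns.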
Create Asset Visibility through Dynamic Relationship Mapping
In Part Two of this series, we show how your teams can have complete and continuous visibility and in-depth understanding of every relationship between your critical cyber assets. We'll demonstrate how relationship mapping empowers your security and infrastructure teams to quickly identify important relationships, immediately showing if a cyber asset is compromised or misconfigured.
Part Two includes a demonstration of scripts and tools you can use to create an expandable/contractible graph of your cyber assets, and how to discover relationships you might not have known existed. You'll see how to illuminate the gaps in your isolated security data, display in-depth understanding of your cyber asset relationships, and save your team the frustration of manual tracking of context.