Cyber Asset Relationships Matter - Part One

by

Relationships matter. They matter in life, they matter in business, they matter in nearly everything we do. This is especially true when it comes to your cyber assets.

2020-12-10 Relationship Diagram - 04

Here's the problem: most companies have no visibility into the cyber assets within their system environments, and more importantly, how those assets connect and interact with each other. Anyone can collect data, define and track their assets, but most can't put the relationships and impact of those connections, in context, as part of a broader IT strategy.

It's not enough to know what your cyber assets are, it's equally important to understand the relationships between those assets and entities. When a data breach or security incident happens, it is not enough to know how many Git repos or AWS instances your company has. You want to know why there was a breach, what accounts/assets were compromised and how it could impact other users, applications, and infrastructure in your company.

Relationship visibility is critical to understanding the connections between the cyber assets within your systems.

How do we define a cyber "relationship"?

relationship is the connection between two or more cyber assets.  Assets in isolation don't tell us anything, it's how they interoperate and work together that helps provide value. The ability to ask questions of your environment such as "who OWNS this application" and "what SSO accounts can ACCESS these workloads" are the real questions that security professionals need to answer. They all revolve around the relationship verbs. Example verbs might be "uses", "is", "accesses", "knows", "owns", "assigned", etc.

2020-12-10 Relationship Diagram - 02


Example Relationship  – Employee A IS an Okta User, Github User, and AWS IAM User.

Simplified examples of relationships in context of cyber asset management:

  • Employee A IS an Okta User, Gitub User, and AWS IAM User
  • An AWS account HAS AWS instances
  • Employee A USES ephemeral devices X, Y, and Z (e.g. VM)
  • User A is ASSIGNED Admin Permissions for production environment

Complexity in Relationship Management

What makes relationships difficult to understand is that they become too complex as companies move more of their assets and activities to the digital environment. As a result,  when a security incident happens, the data you need often lives in unrelated systems. 

For example, endpoint data is stored within your endpoint management security solution, while AWS is managed by a separate cloud management service. Asking complex questions of your environment takes significant time, access to numerous tools and infrastructure systems, and the ability to understand and tie the results together. In a world of digital transformation and software defined everything, this is just too complex.

There needs to be a unified solution to bridge this gap.

Relationships Go Beyond Visibility

Understanding your cyber asset collection in a complex world is nearly impossible.

A typical company has tens of thousands (if not hundreds of thousands) of cyber assets in their digital environment. For each of these assets, there can be multiple correlating relationships. This results in exponential growth of the complexity of your world. When this data is siloed across your infrastructure and security tooling, it is difficult to find the blindspots in your environment.

Attackers Think in a Connected Model

Attackers understand that one entity or asset in a system leads to other assets and systems. Once access is gained to one target, an attacker thinks about how they can elevate their privilege to other nodes in the environment, and creates a map to visualize those connections. This explains why visibility of your cyber assets is not enough. Attackers understand, and map, the paths between targets. Your security systems must surface, display and monitor those paths as well.

2020-12-10 Relationship Diagram - 05

If you limit yourself to simple visibility of your system's cyber assets, without in-depth understanding of the relationships between those assets, there is a possibility of losing two-thirds of the insights your security and infrastructure tooling can provide. 

Based upon our research of more than 25 million entities and over 50 million relationships (December 2020), we have seen that for each entity within a complex system, there are on average two to three relationships associated to that entity. Key entities could easily have 10+ relationships.

Create Asset Visibility through Dynamic Relationship Mapping

In Part Two of this series, we show how your teams can have complete and continuous visibility and in-depth understanding of every relationship between your critical cyber assets. We'll demonstrate how relationship mapping empowers your security and infrastructure teams to quickly identify important relationships, immediately showing if a cyber asset is compromised or misconfigured.

Part Two includes a demonstration of scripts and tools you can use to create an expandable/contractible graph of your cyber assets, and how to discover relationships you might not have known existed. You'll see how to illuminate the gaps in your isolated security data, display in-depth understanding of your cyber asset relationships, and save your team the frustration of manual tracking of context.

Additional Resources

JupiterOne Team
JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.

Keep Reading

‘Type and go’ - New JupiterOne search bar enhancements
October 30, 2023
Blog
‘Type and go’ - New JupiterOne search bar enhancements

JupiterOne aggregates and normalizes data from hundreds of different sources so you can identify and triage security risks easily.

Identify and eliminate endpoint device security gaps using the new JupiterOne Unified Device Matrix
October 6, 2023
Blog
Identify and eliminate endpoint device security gaps using the new JupiterOne Unified Device Matrix

It seems like a simple question. “Are any of our deployed user endpoint devices missing an endpoint detection and response agent?”

Why Better Asset Visibility Matters in Cybersecurity | JupiterOne
August 30, 2023
Blog
Back to basics: Why better asset visibility matters in your security program

At the most basic level of the Incident Response Hierarchy, security teams must know the assets they are defending.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.