How To Understand Impact Through Asset Management and Threat Intelligence, Part 3

Originally published by Axonius.

Written by Katie Teitler, Axonius.

In part one and part two of this series, we defined what cyber asset intelligence is, how — combined with threat intelligence — it informs cyber asset management as a way to decrease risk, and how organizations can start to build an effective intelligence program.

In this third and final part of the series, we look at the threat intelligence lifecycle and how to implement an asset management program to feed risk mitigation.

The Asset Management Lifecycle

The process of building a cyber asset management program consists of seven main steps — which should be continuously iterated if a company plans to maintain an asset management program. Not by coincidence, these same steps can be used to build asset intelligence and threat intelligence programs. The process ensures that reliable data is collected, analyzed in a way that’s useful for strategic and tactical decision-making, and is acted upon in risk scenarios.

1. Data collection

As the saying goes, “garbage in, garbage out.” The inverse is also true. And that’s where and why enterprises need to look at the inputs to their intelligence programs. Collecting limited, unverified, or unreliable asset and threat data will only result in unusable data or data that results in security teams wasting time and resources.

Data should be collected from as many relevant, reliable, and verified sources as possible. Doing so will provide different perspectives during the analysis phase.

2. Aggregation

Once the relevant data is collected, security and intelligence teams should have the means to combine data and create clusters or buckets of associated data that start to form a bigger asset management picture.

3. Correlation

The aggregated data should then be analyzed for connections, helping teams identify patterns in assets, usage, threat/vulnerability trends, security gaps, and more. The more automation that can be built into this step, the better, so it will be both more accurate and timely.

4. Normalization and deduplication

One of the biggest problems with security and operational data today is the myriad and disparate data outputs from disparate tools. Without normalization and deduplication schema, organizations are left with too much data, and data that can’t be properly analyzed or requires further analysis. Normalizing and deduplicating data will save teams tremendous amounts of time and effort, and will help reduce the frustration and analyst burnout common with security practitioners today.

5. Enrichment

The next step is to take the aggregated, correlated, normalized, and deduplicated data and further enrich it with third-party sources that help provide context around both assets and the intelligence that surfaces threats and coverage gaps. Sources like the Common Vulnerability Scoring System (CVSS), National Vulnerability Database (NVD),Cybersecurity and Infrastructure Agency (CISA) bulletin, open source intelligence (OSINT), and scan data will be useful during this step.

6. Analysis

The data then should be analyzed for patterns, trends, and vulnerabilities. The results of this first analysis can be used to assess risk based on individual company risk tolerance, operating practices, and business strategies.

7. Action/Enforcement

When risks are identified that are either (relatively) easy to remediate or are deemed unacceptable, security teams must have the ability to act and enforce mitigation and/or remediation. This includes patching, reconfiguration, updating access controls, tuning rules, isolating a device, disabling a user, or another action that minimizes a threat.

Use Cases

The top use cases for asset and data intelligence in a cyber asset management program include:

• Security
• IT/Operations
• DevOps
• Risk management

The unifying factor here is business risk: A good cyber asset management program should always serve the business risk function. Threat intelligence and asset intelligence are inputs to asset management and thus risk. But it’s not just cyber risk that organizations should be concerned with. Cyber risk is an input to business risk — and reliable, effective cybersecurity and operations programs supply the data and information that allow businesses to run faster, more smoothly, and without major disruption.

The key, in fact, is to manage cyber risk using cyber asset management (enriched with cyber threat intelligence and cyber asset intelligence) to achieve business benefits:

• Decreased operational and strategic risk: Identifying cyber vulnerabilities and threats is the first step in managing them, which leads to improved risk management.
• Increased operational efficiency: Decreasing systemic vulnerabilities (including asset-based threats, process-based threats, and external threats) removes many obstacles that threaten business as usual.
• Cost savings: Identifying problems early, or preventing security issues altogether, mitigates the need for added staff time and effort, the inclusion of external resources (forensics firms, law enforcement, new technology procurement, etc.), and business disruptions — all of which pile on financial costs. Additional financial (and operational) burdens include:
  • Short-term impacts:
    • Production stoppages or slowdowns
    • Employee inability to access tools/resources
  • Longer term impacts:
    • Loss of market share
    • Reputational damage
    • Compliance violations and fines

The impact of business risk can be managed starting at a more fundamental level: Assets. By building the framework to understand one’s environment — the networks, devices, users, processes, and systems in use — security teams can apply intelligence to more easily identify vulnerabilities, manage those vulnerabilities and associated assets, and start to systematically eliminate obstacles that will negatively impact the business.