Cloud adoption, digital transformation, and API-first architecture are fundamentally changing how we build, manage and secure the enterprise. Enterprises use specialized infrastructure and security tools each of which has its own definition of asset. Understanding your entire cyber asset landscape is nearly impossible due to the breadth of technologies in play and the multiple definitions of assets introduced by each tool.
As the industry continues to move towards a model of cloud-native architecture, our definition of what is defined as a “cyber asset” needs to be part of that transformation. IT assets are proliferating beyond devices and increasing in both scale and complexity. Companies are discovering they have unknowingly created “shadow asset classes” within their organizations. Along with these shadow assets comes the added complexity of understanding and managing the shadow relationships and dependencies among those assets.
Disconnected, inaccurate cyber asset inventory systems inadvertently hide the context of how assets interoperate, giving attackers the advantage to exploit the attack vectors that lurk in the shadows. It is no longer enough to know what your assets are, your system must automatically identify how they relate to each other. Where it used to be simple, businesses must now reinvent how they track, monitor, and govern a new cyber asset collection and the shadow relationships unintentionally created by those assets.
Towards a modern definition of cyber assets
A modern definition of cyber assets begins with any asset that can be software defined. Everything from identities to cloud configurations and repositories fall under this category. Limiting assets to those things that are only addressable by IP severely limits the depth of understanding that can be built with interconnected relationship models.
An interesting part of the transformation to a modern definition of cyber assets recognizes that assets are software defined and ephemeral. Cyber assets in a modern definition do not persist, nor do the relationships created between them. If designed properly the assets and relationships are created and torn down automatically as scale dictates.
In a modern definition of cyber assets, highly complex relationships connect people, process, and technology, and are integral to the definition. It isn’t the assets themselves that are solely defined. The definition of modern cyber assets includes the relationship to every other asset in the collection. This is a critical distinction between existing definitions and a modern definition which views the entire system as an interconnected whole.
How to utilize the modern definition of cyber assets
How are we to build a modern, secure system with this new understanding of cyber assets? There are four categories that will help companies take advantage of our modern definition of cyber assets.
Discover all of your software-defined assets.
Gain and maintain complete visibility to all of your cyber assets, not just those IP related ones. As you choose tools to give you that visibility, work with a consistent definition of cyber assets to build a unified asset inventory and management solution.
Understand your assets through contextual relationships.
Understanding the relationships between your cyber assets is as important as knowing what and where those assets are. Choose solutions that put the relationships and impact of those connections into context, as part of a broader security and IT strategy. Gain deep context via visual graphs and mapping the relationships across your entire infrastructure.
Monitor your asset compliance through automated security enforcement.
In order to create a highly functioning security program, modern organizations automate the discovery and management of cyber assets while aligning the data with their security policies. This reduces complexity by automating security policy enforcement and avoiding compliance drift.
Proactively act through continuous governance and security programs.
Be proactive. Automate the collection of cyber asset data, analyze and alert on issues, and integrate these results with optimized workflows. Realize that with the ephemeral nature of modern cyber assets, your system must be automated and malleable in order to track and monitor your assets.
Defining cyber assets means better security
We as an industry need to agree there is a better way to build security into our systems through an updated understanding of the complexity of the relationships between our cyber assets and how to better manage them. We can start with agreeing to a modern definition of cyber assets, including the relationships that produce hidden consequences, shadow relationships, that create unintended trust within our systems.
Is you enjoyed this article, please join us on July 29, 2021 at 1:00 PM for a live podcast/webinar with Chris Roberts and Mark Miller, CYA - Cover Your Assets for Simplified Security.
Posted By Mark Miller
Mark Miller speaks and writes extensively on DevSecOps and Cybersecurity. He has published 9 books, including "Modern Cybersecurity: Tales from the Near-Distant Future", and the popular "Epic Failures in DevSecOps" series.
Mark actively participates in the DevSecOps and cybersecurity communities by producing DevSecOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. He is the former Senior Director of Editorial Strategy and Content at JupiterOne.
As well, Mark is Executive Producer of the OWASP Podcast Series (500K+ listens), and the Executive Editor of the LinkedIn DevOps Group (125K+ members).
Subscribe to our newsletter!
Get updates from JupiterOne Mission Control
Fresh content and cool cybersecurity news alerts delivered to your inbox at least 2x a month! Just let us know where to send it.