Asset Management, The Weakest Link in Cybersecurity Risk
By Gyan Prakash, Head of Cyber Security / Security Engineering, Altimetrik Corp
Summary
This paper describes the limitations of existing asset management solutions for cybersecurity needs and how to enhance those solutions so that they meet enterprise cybersecurity risk needs, surfacing high-risk and vulnerable assets to CISOs and senior management through data-driven automation on a near-real-time basis.
It highlights the gaps in current asset management solutions, the critical role asset management plays in securing enterprises against advanced threats and in cybersecurity risk management, and the importance of asset management in identifying the asset criticality rating (static risk), inherent risk, and residual risk.
Cybersecurity risk not only helps uncover the critical, risky assets but also helps drive enterprise priorities, future enhancements, and investment in security technologies.
Introduction
IT asset management solutions help discover and provide visibility into every IP-connected device in an enterprise environment. Accurate asset discovery and visibility are among the critical needs for securing an asset. What you see is what you protect.
Leading research shows that on average companies are blind to 40% of the devices in their environment. As a result, businesses do not have a real-time, comprehensive view of all the assets in their environment—or know the risks associated with them.
Assets can be broadly divided into the following categories:
- Endpoint User Devices (Managed Assets & Unmanaged Assets)
- Production and Non-Production Network Infrastructure devices
- Enterprise IoT devices (Camera, Printers, Smart TVs, HVAC Systems, Industrial Robots, Medical Devices, Physical Security Access, etc.)
ISO 27001 – Information Security Management System (ISMS) certifications require the enterprise to identify information assets in scope for the management system and define appropriate protection responsibilities. NIST and CIS Critical Security Controls also include asset inventory management as part of critical infrastructure security.
IT asset inventory management is a basic enterprise need for which the urgency of discovery and visibility is not critical, whereas enterprise security relies primarily on accurate and detailed asset visibility on a near-real-time basis.
The majority of enterprise assets are distributed across many different geos and networks, such as private networks and public clouds. With remote work universally accepted, near-real-time asset visibility and management become even more critical.
Traditional Asset Management
There are usually two kinds of asset management solutions in the market: agent-based and network scan-based. Both play a critical role in providing asset visibility.
Network scan-based asset discovery: Network scan-based solutions help identify and discover devices on the network. The limitation is that the network scanner must be able to reach all networks, VLANs, and subnets in the entire enterprise.
Network-based scans are limited to the details discovered over the network.
Agent-based asset discovery: Agent-based solutions provide information about the OS and core OS services, versions, middleware services, patches, etc.
Traditional asset management solutions, also referred to as a CMDB (Configuration Management Database), are required to meet IT inventory and asset management needs such as asset ownership, cost center, and support for patch management. These solutions were not designed with cybersecurity threats and cybersecurity risk management in focus.
Cybersecurity Dependency on Asset Management
Before we get into the details of the cybersecurity dependency, it is important to understand the definition of an asset. Generally, an asset is defined as an IP-connected device. This usually works fine but poses challenges in managing serverless assets. An application consists of groups and assets.
The exponential increase in the number of assets, be it mobile devices, microservices-based lightweight servers, self-mutating servers, or serverless assets, has made near-real-time asset management even more critical. The assets are distributed over many networks and geos, across private and public networks. Next-generation asset management will support the following capabilities:
- Provides asset context with regards to network placement & external visibility
- Binding between assets and applications or micro-services running on the assets
- Provides asset criticality risk rating
- Status of security agents on the assets
- Status of SIEM integration for OS level and application-level logs
- Correlating each asset with all the known security vulnerabilities either related to OS or application or identity & access management or firewall
- Mapping sensitive data assets (such as PII, PAI or PHR) with each of the servers
- Continuously track assets against enterprise security compliance
Since 2019, OWASP has also been reporting Improper Assets Management as one of the top ten API security vulnerabilities across the industry.
Automate Asset Criticality Risk Rating
Asset criticality is the most important factor in understanding the risk of an asset being compromised. The asset criticality rating provides a view of the asset's risk without any known security vulnerability. Any asset in a production or non-production environment introduces risk, and that risk is related to the type of data the asset processes or handles, the exposure of the asset to the outside world, and how the unavailability of the asset impacts the business and enterprise services. We can also call this static risk, meaning the minimum risk that this asset introduces to the enterprise.
None of the traditional asset management solutions offer an Asset Criticality Risk Rating, so many enterprises generate this asset criticality rating using non-standard and ad hoc techniques.
Asset Criticality Risk Rating: What would the impact on the enterprise be if an asset is unavailable, tampered with, or breached?
Critical assets are those that are essential for supporting the critical business needs of the enterprise. These assets have a high consequence of failure, and it must be ensured that failure of such assets is avoided. These assets should be identified on an urgent basis, and more focus should be placed on them.
Every organization has a way to identify which applications are critical, which is fairly easy; the challenge is mapping each and every asset to these critical applications and doing so consistently on a real-time basis.
Building an Asset Criticality Rating
Asset Criticality Risk Rating (ACRR) is the foundation for determining asset risk. Some important aspects of building ACRR are the following:
- It must be fully automated and not dependent on user input
- Provides a consistent ACRR in near real time
- Provides options for a Risk analyst to update the weightage of ACRR
ACRR Calculation Approach
In this section, we share details on how CVSS (Common Vulnerability Scoring System) can be used to build ACRR. CVSS is an open framework for describing the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental.
Our interest is in the Base CVSS. The Base CVSS represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, and it is composed of two sets of metrics: Exploitability metrics and Impact metrics.
For ACRR, we only need Impact Metrics, and we will then find an average Impact for Confidentiality, Integrity, and Availability across all the key attributes required for generating ACRR.
ACRR Formula
The ACRR is based on the CVSS standard used for security vulnerability rating. We extend the same model to measure the criticality of an application. We will be using the following formula:
ACRR = f(Confidentiality, Integrity, Availability)
Ci = Average weight of all the Confidentiality Impact for the asset
Ii = Average weight of all the Integrity Impact for the asset
Ai = Average weight of all the Availability Impact for the asset
ISS = Impact Sub-Score
ISS = (1 -((1-Ci)*(1-Ii)*(1-Ai)))
ACRR = roundup (min (ISS * 8, 10))
The min() function returns the lowest of its arguments.
The roundup() function rounds up to zero decimal places.
We derived the constant 8 by iterating over a number of assets until the risk rating scores were acceptable, following the Delphi method.
Mathematical Ranges
Ci = [0, 1]
Ii = [0, 1]
Ai = [0, 1]
ACRR = [0, 10.0]
ACRR Rating Scale
All ACRR scores are mapped to a qualitative rating, in line with the industry-standard CVSS rating scale:
Rating | ACRR Score |
None | 0.0 |
Low | 0.1 to 3.9 |
Medium | 4.0 to 6.9 |
High | 7.0 to 8.9 |
Critical | 9.0 to 10.0 |
ACRR Worksheet
We are going to use the following key indicators in our worksheet to demonstrate generating the ACRR for a given asset.
Key Indicator | Descriptions | Possible options |
Sensitive Data Handling | The type of data the asset's applications or servers are processing. | This could be Personally Identifiable Information (PII), PCI Card Data (PCD), Personal Health Information (PHI), etc. |
Application Exposure | This represents the application's exposure to types of users and networks. | Public Internet, Partner Network, Internet Network |
Service Tier | A service tier indicates how critical a service is to the operation of your business from an availability point of view. | It could be Tier-0, Tier-1, Tier-2, or Tier-3, where T0 is a critical service and T3 is non-essential |
Sensitive Data Volume | Volume of data processed by the application or the servers involved in that application. | It could be in blocks of 100K or 10K, based on business risk. |
Number of External users | Number of active external users of the application; this also applies to all the servers involved. | 1million – 10million |
Development Model | This indicates whether the application was developed by an internal development team, using an outsourcing model, or mixed | Internally Developed, Externally Developed, Hybrid, 3rd Party Product |
Hosting Environment | This indicates the asset hosting environment. | Public IaaS, PaaS or Kubernetes, SaaS, Private Data Center |
Additional key indicators could be used based on risks and threats related to Hosting Environment, Number of Admin users etc.
Next, we will generate the ACRR for a given asset using the following key indicators, which help identify the impact. For each of these key indicators, we assign a weightage for Confidentiality, Integrity, and Availability. The weightage is assigned based on the risk/impact that would result if the asset involved were compromised. The weightage must be between 0 and 1: a lower weight represents low impact and a higher weight represents high impact.
Key Indicator | Indicator Value | Confidentiality Impact | Integrity Impact | Availability Impact |
Sensitive Data Handling | PCD & PII | 0.7 | 0.7 | Not applicable |
Application Exposure | Public Internet | Not applicable | Not applicable | 0.9 |
Service Tier | Tier-0 | Not applicable | Not applicable | 0.9 |
Sensitive Data Volume | 1million – 5million | 0.8 | 0.8 | Not applicable |
Number of external users | 100k-1m | Not applicable | Not applicable | 0.7 |
Development Model | Internally Developed | 0.2 | 0.2 | Not applicable |
Hosting Model | Public IaaS | 0.6 | 0.6 | Not applicable |
In essence, ACRR determines the impact the business is going to suffer if the asset in question were to be compromised.
Ci = (0.7+0.8+0.2+0.6)/4 = 2.3/4 = 0.6
Ii = (0.7+0.8+0.2+0.6)/4 = 2.3/4 = 0.6
Ai = (0.9+0.9+0.7)/3 = 2.5/3 = 0.8
Ci, Ii, and Ai are rounded off to 1 decimal.
ISS = 1 - ((1-0.6)*(1-0.6)*(1-0.8)) = 0.968
ACRR = roundup(min(0.968 * 8, 10)) = roundup(7.744) = 8
The Asset Criticality Risk Rating is High.
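The worksheet calculation above, automated as an added example (not code from the paper). The function and variable names are assumptions, "roundup" is interpreted as a ceiling to a whole number, and a column with no applicable indicator is assumed to contribute zero impact.

```python
import math

# Worksheet rows from the paper's example; None marks "Not applicable".
# Tuple order: (confidentiality, integrity, availability) weights in [0, 1].
WORKSHEET = {
    "Sensitive Data Handling":  (0.7, 0.7, None),
    "Application Exposure":     (None, None, 0.9),
    "Service Tier":             (None, None, 0.9),
    "Sensitive Data Volume":    (0.8, 0.8, None),
    "Number of external users": (None, None, 0.7),
    "Development Model":        (0.2, 0.2, None),
    "Hosting Model":            (0.6, 0.6, None),
}

# Lower bound of each qualitative band, for whole-number ACRR scores.
SCALE = [(9, "Critical"), (7, "High"), (4, "Medium"), (1, "Low")]


def average_impact(worksheet, column):
    """Mean of the applicable weights in one C/I/A column, rounded to 1 decimal."""
    weights = [row[column] for row in worksheet.values() if row[column] is not None]
    if any(not 0.0 <= w <= 1.0 for w in weights):
        raise ValueError("impact weights must lie in [0, 1]")
    if not weights:
        return 0.0  # assumption: a column with no applicable indicator adds no impact
    return round(sum(weights) / len(weights), 1)


def acrr(worksheet, constant=8):
    """Return (ACRR, ISS) using ISS = 1 - (1-Ci)(1-Ii)(1-Ai)."""
    ci, ii, ai = (average_impact(worksheet, col) for col in range(3))
    iss = 1 - (1 - ci) * (1 - ii) * (1 - ai)
    # Assumption: "roundup" is a ceiling to a whole number; trim float noise first
    # so that a value such as 8.000000001 does not become 9.
    scaled = round(min(iss * constant, 10), 6)
    return math.ceil(scaled), iss


def rating(score):
    """Map a whole-number ACRR onto the paper's CVSS-style rating scale."""
    for floor, label in SCALE:
        if score >= floor:
            return label
    return "None"


if __name__ == "__main__":
    score, iss = acrr(WORKSHEET)
    print(f"ISS={iss:.3f} ACRR={score} rating={rating(score)}")
```

Because ISS cannot exceed 1, a constant of 8 tops out at an ACRR of 8 (High); the min(…, 10) cap only comes into play if a risk analyst raises the constant.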
Enhance CyberSecurity Risk
The goal of the asset management solution is to provide the asset attributes or key indicators, collected using an agent and/or network-based scans, on a consistent basis. The ACRR data does not change often but is critical for deriving cybersecurity risk.
Inherent Risk: As we know, there are no perfect assets or applications. Any application or server will, on average, have 40-75 known issues, including vulnerabilities from network and infrastructure, open-source libraries, and application security findings from SAST, DAST, etc.
The inherent risk hugely depends on static risk i.e., ACRR, so it is very important to get the ACRR right on a consistent basis and through automation.
Inherent risk can be derived using CVSS methodologies as well; the challenge is to average out the exploitability and impact across all the known vulnerabilities. Inherent risk must be calculated on a daily basis, and only a good automation mechanism with asset management and vulnerability correlation can provide this data.
Residual Risk: Residual risk is what CISOs look at to get an idea of how effective cybersecurity investment has been and how well the enterprise is protected against known issues that cannot be fixed due to a number of limitations. Residual risk is the risk score after taking into consideration all the security countermeasures and exploit prevention solutions in place. Residual risks are the real threat and risk to the enterprise.
About the Author
Gyan Prakash is a Head of Information Security at Altimetrik. Before joining Altimetrik, Gyan was Global Head of Application Security & Security Engineering at Visa from 2016-2020. He managed Product Security Architecture and Engineering, Application Security & vulnerability management. Gyan also led Future of Payment and Blockchain / CryptoCurrency research at Visa from 2014-2016.
Gyan has 20+ years of experience in security technologies. He has implemented mature DevSecOps at Visa and has been consulting with Fortune 500 organizations working to implement DevSecOps at scale. Gyan is a technologist and innovator at heart, with 250 global patents including 152 granted in the areas of system security, mobile security, tokenization, and blockchain.
LinkedIn: https://www.linkedin.com/in/gyan-prakash-747a8a2/
Altimetrik Corp: https://www.altimetrik.com/