Have you ever looked at a live citywide traffic map during rush hour and thought, “That’s a lot of data”? These maps contain so many small car icons that it’s hard to differentiate one car from another. Following a single car’s path along its route, well, that’s nearly impossible. Tie in the “danger zones,” the roadways marked in red or yellow/orange to denote slowdowns and stopped traffic, or the construction zones and closed roads, and it’s a jumble of information.
That said, if you’re planning a road trip, it might be helpful to make sense out of the mess. That could mean watching to see how cars traveling from one general location to another are progressing. It might mean studying traffic patterns to see if they’re the same every day or if they change over time. You may want to investigate whether slightly changing the route helps ease traffic congestion or if it results in backups elsewhere, and identify locations where accidents or other traffic anomalies are likely to occur.
If this is sounding a lot like a network topology map, it’s no coincidence. Network mapping and other network traffic analysis and monitoring techniques are phenomenal IT and security tools for accounting for what’s happening on your network. However, analyzing traffic and patterns alone isn’t enough. Looking at static asset data from a historical perspective is useful, but it can’t tell the same story as a timeline of aggregated changes to an asset or group of assets. A timeline of grouped asset changes also makes it possible to identify vulnerabilities, new and old, misconfigurations, policy gaps, and other noteworthy asset-related events.
Returning to our auto traffic analogy, we’re talking about things like: What is the state of individual cars on the road? How many cars are in bad shape and likely to break down in traffic? What are the states of the drivers: Is someone driving while impaired? What other attributes have been introduced on the roadways that make it hard to navigate a route safely, like items fallen off a flatbed truck or a tree that’s fallen into the road?
With networks, the analogy includes things like device hygiene, out-of-date security patches, CVEs, “invisible” assets like short-term cloud instances and container images that weren’t operational during a network/vulnerability scan, overly permissioned accounts, missing security agents, and more. This is all information security and operations teams need to know to properly manage their security risk, and it’s all predicated on understanding the asset landscape and related vulnerabilities.
This is why cyber asset attack surface management (CAASM) is so important — it goes beyond knowing which assets are currently on your networks and communicating. CAASM looks at individual assets and their security state, and allows users to adjust assets, controls, policies, and enforcement actions based on current state, historical trends, and patterns.
For these reasons, Axonius is announcing a new feature: Enhanced asset investigation. The current cybersecurity asset management product has always included the ability for our customers to track specific assets and their attributes. But just like a traffic map, looking at one device, user, cloud instance, or other system information in isolation only paints a part of the picture.
Asset investigation allows Axonius customers to understand not only what’s happening on their networks at any given time, but also look back at assets and the state of those assets over time. It provides the ability to see groups of assets — for example, all mobile iOS devices, all users tied to a specific Active Directory group, and all servers with a certain build — and identify trends and patterns to:
- Investigate security incidents
- Track changes over time
- Incorporate threat hunting techniques to evaluate artifacts that appear unusual or unexpected
Watching these changes over time and across fleets or groupings of assets provides the basis for threat investigation and contextualization, the latter of which is absolutely necessary if the organization wants to prioritize and triage the most likely or impactful cybersecurity events.
How Can I Use Asset Investigation?
The new asset investigation feature allows Axonius users to:
- Compare groupings of assets more easily from one central console
- Accelerate incident response and alert triage
- Track changes among assets
- Identify unusual or risky patterns
Why is this important?
Because looking at assets in silos doesn’t provide the entire perspective. Asset investigation also allows operators to passively search for and research asset-related events quickly and easily, without having to toggle between asset records and screens — there’s now a good place to see bigger trends. The ability to dig deep into individual assets is still available — that’s an extremely valuable operation, especially when an asset is posing a threat to the organization. Now, however, asset investigation gives users the organizational perspective that’s necessary to formulate strategies that reduce asset-based risk over time.
The technical point of view
From a technical perspective, users will be able to run queries on the assets they want to investigate, see details about each asset, including the values added and values removed since the previous state, and connect the dots across different assets for a better investigation experience.
Common use cases for the new asset investigation functionality include:
Enhance asset management capabilities
- Learn the state of all deployed assets beyond a point-in-time assessment
- Build baselines and identify trends
- View and manage missing security controls
Triage security events
- Identify technology assets that have changed (e.g., IP address changes, new/altered cloud workloads, new vulnerability/CVE identification, new software installation or modification), track changes, and investigate suspicious or unexpected behavior
- Find assets that have been suddenly disabled or enabled and evaluate their risk state (e.g., learn why a formerly heavily-used asset is no longer in use, or vice versa)
- Learn which devices might have been exposed to compromised hosts or IP addresses during a specified period of time, investigate risky open ports, and learn which aspects of devices have changed over time
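To make the “values added, values removed” idea and the triage cases above concrete, here is an added example (not Axonius code) that diffs two constructed inventory snapshots into per-attribute change events and then applies simple triage rules for new vulnerabilities, enabled/disabled state, new open ports, removed security agents, and assets that appear or disappear. The attribute names, asset ids, and rule set are assumptions chosen for illustration.

```python
from collections import namedtuple
# Constructed sample snapshots (not real inventory data): asset id -> attributes.
# Set-valued attributes are compared element-wise, scalars as a whole value.
BEFORE = {
    "srv-01": {"ip": "10.0.1.10", "enabled": True, "cves": {"CVE-EXAMPLE-0001"},
               "software": {"nginx 1.18"}, "open_ports": {22, 443}},
    "lap-07": {"ip": "10.0.5.23", "enabled": True, "cves": set(),
               "software": {"edr-agent 4.2"}, "open_ports": set()}}
AFTER = {
    "srv-01": {"ip": "10.0.1.11", "enabled": True, "cves": {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"},
               "software": {"nginx 1.18", "unknown-tool 0.1"}, "open_ports": {22, 443, 3389}},
    "lap-07": {"ip": "10.0.5.23", "enabled": False, "cves": set(),
               "software": set(), "open_ports": set()},
    "ci-runner-42": {"ip": "10.0.9.5", "enabled": True, "cves": set(),  # short-lived instance
                     "software": set(), "open_ports": {22}}}

# attribute "*" means the asset record itself appeared or vanished;
# value is a set element, an (old, new) tuple for scalars, or None for "*"
ChangeEvent = namedtuple("ChangeEvent", "asset attribute kind value")

def diff_assets(before, after):
    """Every value added, removed or changed between two snapshots (same attribute keys assumed)."""
    events = []
    for aid in sorted(set(before) | set(after)):
        if aid not in before or aid not in after:
            events.append(ChangeEvent(aid, "*", "added" if aid in after else "removed", None))
            continue
        for attr, o in before[aid].items():
            n = after[aid][attr]
            if isinstance(o, set):  # element-wise: which values were added/removed
                events += [ChangeEvent(aid, attr, "added", v) for v in sorted(n - o)]
                events += [ChangeEvent(aid, attr, "removed", v) for v in sorted(o - n)]
            elif o != n:
                events.append(ChangeEvent(aid, attr, "changed", (o, n)))
    return events

RULES = {  # (attribute, kind) -> finding template, mirroring the triage use cases above
    ("*", "added"): "asset appeared since last snapshot",
    ("*", "removed"): "asset disappeared since last snapshot",
    ("cves", "added"): "new vulnerability {v}",
    ("open_ports", "added"): "new open port {v}",
    ("enabled", "changed"): "enabled state changed {v[0]} -> {v[1]}"}

def triage(events):
    out = []
    for e in events:
        tmpl = RULES.get((e.attribute, e.kind))
        if tmpl:
            out.append(f"{e.asset}: " + tmpl.format(v=e.value))
        elif e.attribute == "software" and e.kind == "removed" and "agent" in e.value:
            out.append(f"{e.asset}: security agent removed ({e.value})")
    return out
```

Running `triage(diff_assets(BEFORE, AFTER))` on the constructed data yields five findings, while the IP change and the new software on srv-01 remain in the raw event list for audit purposes without being surfaced as findings.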
Align with audit and compliance needs
- Track changes, including the addition or deletion of deployed assets, patch status, and vulnerabilities, to continuously quantify your attack surface
- Create an audit trail and investigation reports of all change events
- Ensure compliance with regulatory requirements and track remediation actions when devices and users fall out of alignment
The goal of asset investigation is to provide Axonius customers with the ability to examine assets, using queries, to:
- Monitor asset change events
- Note interesting or unexpected events and triage, when appropriate
- Take action on any coverage gaps, policy violations, or vulnerabilities