In an age where devices multiply like wildfire, understanding the vast cyber-attack landscape is no longer optional — it's imperative for enterprise organizations. Even before the early 2020 mass exodus from corporate offices, the number of devices and device types touching corporate networks and corporate-used infrastructure (a.k.a. cloud infrastructure), SaaS applications, and cloud-based services was growing exponentially.
Once remote work took hold, the introduction of new, often unmanaged devices presented an even greater challenge to IT and security teams rushing to gain governance over these assets.
Now, in yet another new era, hybrid work is bringing additional cyber risk. Much of this risk is predicated on the assets organizations must monitor and manage.
In addition, the threatscape is also growing — cyber adversaries are more active than ever, taking advantage of political, environmental, and societal circumstances to launch attacks against people and the organizations for which they work.
To manage cyber risk, security leaders must invest in threat intelligence and asset management. These tools and processes are foundational to understanding true risk. From an external perspective, organizations need to understand threat actors’ go-to attack tactics and vectors, active exploits and vulnerabilities, and any potential threat signals that may directly impact their organization. From an internal perspective, security teams must understand the weaknesses in their systems and processes and have a way to prioritize remediation.
All of this is easier said than done, and it relies heavily on knowing which tools, technologies, and processes make up the equation — something we’re calling “asset intelligence,” a process and technique that can significantly improve an organization’s risk posture.
In this blog, we’ll explain how to use asset management and threat intelligence effectively, and share why asset intelligence, a term not yet well known, is critical to managing assets and, ultimately, risk.
What is Asset Intelligence?
If “asset intelligence” sounds like a mashup, hybrid term, or an attempt at bringing together two unassociated-but-related topics, that’s because it is. Merging “asset management” and “threat intelligence” gives us “asset intelligence.” (N.B., threat management is already its own category, and it’s also an outcome of good asset intelligence, among other inputs, predicated on security assessment and asset hygiene.) But what does “asset intelligence” mean?
A cyber “asset” is anything in the networking realm:
- hardware
- devices
- components
- peripherals
- software
- firmware
- networks (cloud, on-prem, virtual)
- networking equipment
- data
- data stores
- containers
and the users or processes using all of the aforementioned. Importantly, all of these assets must be capable of communicating via digital protocols (which therefore makes them subject to cyber attack). This fact also means that the definition of “asset” could reasonably include the channels/protocols over and through which hardware/software/services/etc. communicate — IP and MAC addresses, TCP/IP, DNS, and other network protocols.
The Axonius dashboard presents immediate insights on all assets.
The definition of “threat intelligence” is equally murky, depending on which source is doing the defining. Nonetheless, most experts agree that “threat intelligence” starts with the data gleaned from an organization's internal networks, and is combined with external data about threat actors, their motivations, and tactics; known vulnerabilities; active exploits; communication channels; and more. But data, alone, is not threat intelligence.
To turn “data” into “intelligence,” it must include context about what is happening and relevance to the organization analyzing the data. For instance, a vulnerability may receive a critical Common Vulnerabilities and Exposures (CVE) rating based on the fact that the hardware or software it affects is widely deployed and could lead to serious business disruption. Yet, if an organization does not use or own the impacted asset type in its environment, the real-world criticality to that particular organization is low. Further, if a targeted asset for this threat is properly segmented, the data stored on the asset is properly encrypted, or access controls are sufficiently hardened, the damage potential decreases — all based on the context of the environment.
Threat intelligence, therefore, can be summarized as contextualized and enriched data about internal systems and external factors, combined with an understanding of the attack surface, which is an amalgamation of an organization’s network environment (i.e., assets and architecture).
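The re-rating described above, as an added example (not Axonius code): a feed severity is rescored against a constructed inventory, so an advisory for a product the organization does not own becomes informational, and compensating controls on the affected assets lower the effective priority. Product names, the placeholder CVE ids, the 20% per-control reduction and the priority tiers are all assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    product: str                 # constructed product names, e.g. "acme-web"
    segmented: bool = False
    encrypted_at_rest: bool = False
    hardened_access: bool = False

@dataclass
class Advisory:
    cve_id: str                  # placeholder ids, not real CVE numbers
    product: str
    base_score: float            # feed-supplied severity on a 0-10 scale

# Constructed inventory: this organization runs web and database products, no VPN appliance.
INVENTORY = [Asset("web01", "acme-web"),
             Asset("db01", "acme-db", segmented=True, encrypted_at_rest=True)]

def contextual_score(adv: Advisory, inventory: list[Asset]) -> tuple[float, list[str]]:
    """Re-rate a feed score against what we actually own and how it is protected."""
    affected = [a for a in inventory if a.product == adv.product]
    if not affected:
        return 0.0, []           # asset type not present: informational only
    worst = 0.0                  # exposure is set by the least protected affected asset
    for a in affected:
        controls = sum([a.segmented, a.encrypted_at_rest, a.hardened_access])
        worst = max(worst, adv.base_score * (1 - 0.2 * controls))  # assumed 20% per control
    return round(worst, 1), [a.name for a in affected]

def priority(score: float) -> str:
    """Assumed tiers for the triage queue."""
    if score == 0: return "informational"
    if score >= 7: return "critical"
    if score >= 4: return "high"
    return "low"

def triage(advisories: list[Advisory], inventory: list[Asset]) -> dict[str, dict]:
    out = {}
    for adv in advisories:
        score, names = contextual_score(adv, inventory)
        out[adv.cve_id] = {"feed": adv.base_score, "effective": score,
                           "priority": priority(score), "assets": names}
    return out

FEED = [Advisory("CVE-PLACEHOLDER-0001", "acme-vpn", 9.8),   # not owned
        Advisory("CVE-PLACEHOLDER-0002", "acme-web", 8.1),   # owned, unprotected
        Advisory("CVE-PLACEHOLDER-0003", "acme-db", 9.0)]    # owned, two controls

if __name__ == "__main__":
    for cve, r in triage(FEED, INVENTORY).items():
        print(cve, r)
```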
Cyber asset intelligence is a subcategory of threat intelligence that focuses on the vulnerabilities, security gaps, and implemented or missing policies for all assets present in the network environment (which forms the attack surface). Asset intelligence depends on:
- Complete and up-to-date visibility of all assets in the network environment
- Understanding of any vulnerabilities in and threats to those assets
- Knowledge of the interconnections, dependencies, and relationships between assets
While some security practitioners may argue that cyber asset intelligence and asset management are one and the same, effective cyber asset management relies on an organization having intelligence about its assets: to manage them, to prevent threats from disrupting the business, and to pinpoint and rapidly mitigate a threat that does penetrate the network environment.
In other words, cyber asset intelligence is critical to asset management. And without reliable, actionable threat intelligence, organizations cannot properly assess asset-based threats. Asset intelligence is always actionable — it’s timely, provides context, and can be understood by business decision-makers so they can effectively manage cyber and business risk.
Navigating the Data Deluge: Ensuring Effective Asset Management and Threat Intelligence
The digital age has ushered in a massive influx of data. In a recent study from Mandiant, “a large majority (84%) of respondents said that they are concerned they may be missing out on threats or incidents because of the number of alerts and data they are faced with.” For IT and security teams, information overload not only increases an organization’s risk, it can also impact decision making and lead to burnout.
Source: Mandiant’s 2023 “Global Perspectives on Threat Intelligence” report
The Challenge of Data Overload
So, amidst this deluge, how do teams identify the crucial pieces of data? Errors can emerge from data overload, leading to missed follow-ups on pivotal findings and even staff burnout. Hence, the emphasis on true intelligence — data with context, relevance, and actionable insights. Such intelligence aids analysts in highlighting assets or issues for prioritization, ensuring swift problem resolution. Vulnerabilities lie at the heart of every threat, making asset intelligence vital.
Shortcomings of Current Tools
Many organizations face roadblocks with current threat intelligence tools due to:
- An overwhelming attempt at being “comprehensive”
- Insufficient prioritization
- The need for extensive manual intervention, which delays action
While there are commendable threat intelligence sources available, it takes discernment to identify the ones that offer actionable, timely, and contextual intelligence.
Similarly, vendors often boast about their comprehensive visibility into network communications. Yet, challenges persist:
- Agent-based tools sometimes create blind spots (assets that cannot or do not run the agent go unseen)
- Cloud-specific tools miss on-premises assets
- Certain tools only detect assets while they are running and connected
- Many tools struggle with data correlation, normalization, or de-duplication
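The correlation problem listed above, as an added example (not Axonius code): three constructed inventories from an agent, a cloud API and a network scanner describe the same hosts with differently formatted identifiers. Records are normalized, correlated on MAC address (preferred) or short hostname, and every merged asset keeps the set of sources that saw it, so the single-source assets are exactly the blind spots of every other tool. Host names, MACs and IPs are constructed sample data.

```python
import re

# Constructed sample inventories (not real hosts): one estate seen by three tools.
AGENT = [{"host": "WEB01.corp.example", "mac": "00:1A:2B:3C:4D:5E", "ip": "10.0.1.5"},
         {"host": "lap-alice", "mac": "AA-BB-CC-DD-EE-01", "ip": "10.0.9.21"}]
CLOUD = [{"host": "web01", "mac": "001a.2b3c.4d5e", "ip": "10.0.1.5"},
         {"host": "api02", "mac": "", "ip": "10.0.1.8"}]
SCANNER = [{"host": "api02.corp.example", "mac": "", "ip": "10.0.1.8"},
           {"host": "printer-3f", "mac": "00:11:22:33:44:55", "ip": "10.0.7.9"}]

def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form, or '' if the value is not a full MAC."""
    hexd = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2)) if len(hexd) == 12 else ""

def norm_host(host: str) -> str:
    """Short hostname, lowercased, so an FQDN and a bare name match."""
    return host.lower().split(".")[0]

def correlate(sources: dict[str, list[dict]]) -> list[dict]:
    """Merge records from all sources into one de-duplicated asset list."""
    by_mac, by_host, assets = {}, {}, []
    for src, records in sources.items():
        for r in records:
            mac, host = norm_mac(r["mac"]), norm_host(r["host"])
            asset = by_mac.get(mac) or by_host.get(host)   # MAC wins, hostname is fallback
            if asset is None:
                asset = {"host": host, "macs": set(), "ips": set(), "sources": set()}
                assets.append(asset)
            if mac:
                asset["macs"].add(mac)
                by_mac[mac] = asset
            by_host.setdefault(host, asset)
            asset["ips"].add(r["ip"])
            asset["sources"].add(src)
    return assets

def blind_spots(assets: list[dict]) -> dict[str, str]:
    """Assets reported by exactly one source: the coverage gaps of every other tool."""
    return {a["host"]: next(iter(a["sources"])) for a in assets if len(a["sources"]) == 1}

if __name__ == "__main__":
    merged = correlate({"agent": AGENT, "cloud": CLOUD, "scanner": SCANNER})
    print(len(merged), "unique assets;", blind_spots(merged))
```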
Key Considerations in Selecting the Right Tools
When aiming for robust intelligence, organizations must answer:
- What are our essential data sources? How are they integrated?
- How can we transform raw data into actionable intelligence?
Effective intelligence solutions should draw on varied data sources. These should include internal and external telemetry and intelligence types such as OSINT (Open Source Intelligence), SIGINT (Signals Intelligence), and HUMINT (Human Intelligence).
Data must also be useful at various levels across the organization. It should be strategic, tactical, technical, and operational. This is where an advanced correlation and normalization engine comes into play, which can provide a consolidated and trustworthy point of view while also offering the ability to dive into intelligence details.
Establishing Effective Baselines
Identifying the right data sets the foundation for asset risk management. Baselines, which establish operational norms, are paramount. They encompass aspects like network assets, traffic patterns, and access requests. Thus, deviations can be promptly spotted and addressed.
To construct a baseline, organizations need historical data, spanning from network security tools to vulnerability scanners and cloud security. However, the data from these tools must be viewed in a consolidated manner.
Additionally, solely relying on internal historical data is inadequate. Insights from OSINT, like dark web forums, public compromised account information, and DNS data, are crucial. The integration of various data sources and establishing their relevance and timeliness based on context is pivotal for an effective intelligence process.
In the vast sea of data, steering the ship requires the right tools, strategies, and understanding. As businesses continue to evolve in the digital sphere, ensuring they have the suitable intelligence systems in place will be the linchpin for robust asset management and threat mitigation.