Track critical assets. Respond strategically.
One of the biggest challenges business leaders and security experts face today is implementing a risk-management program that can effectively identify and track critical business assets based on key strategic metrics, and prioritize risk management and mitigation efforts as they impact these assets.
Too often, business leaders and security experts are not in sync on organizational goals and the possible risks to critical assets, business operations, and customer data. Compounding the problem, the people, processes, information, and technologies used to manage assets and identify risks simply do not work together to identify and prioritize vulnerability exposures as they relate to business functions, assets, and sensitive content.
Actionable Intelligence: Protect At-Risk Assets Quickly
For those familiar with the NIST Cybersecurity Framework, one of the tenets of the implementation is to take a “holistic approach to cybersecurity, viewing it as an enterprise-wide, strategic risk-management matter, rather than as a narrow information technology (IT) or network management domain.” [1] Within the framework, the “Identify” core function goes further to define asset management in this context:
Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy. [2]
In theory, this may seem simple. But it is impossible without first developing a consensus across all affected stakeholders on what matters and how it will be measured.
SAINT Asset Management capabilities solve this problem by allowing stakeholders to identify and track technology assets based on metrics of vital importance to the organization and then assess and analyze vulnerability exposures based on these key metrics.
Example: Vulnerability Assessment Result
IP Address: 10.8.0.38; Operating System: Windows 7
Vulnerability: CVE-2016-3373; CVSS: 4.3
Description: The kernel API in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 does not properly implement registry access control, which allows local users to obtain sensitive account information via a crafted application, aka “Windows Kernel Elevation of Privilege Vulnerability.”
Remediation: Microsoft KB Article KB3175024; Security Bulletin: MS16-111 – A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft.
As a security expert, this information is valuable for the specific case of resolving a vulnerability. However, there is no business context to understand what is impacted if it is exploited, or the return on investment you might realize by focusing resources on this vulnerability rather than on the hundreds of others that may be listed in the scan report. The missing piece is the relative importance to business objectives and the organization’s risk strategy.
Example: Applying SAINT Asset Management
With SAINT Asset Management, the business context guides the prioritization and the application of resources to assets based on metrics of importance to the organization, such as the business unit, function, criticality, and business cost if impacted. In this example, the account management asset in Miami has a higher relative importance to the business than the laptop in Boston. Therefore, rather than focusing on the 13 lower-priority vulnerabilities on the laptop, immediate action is directed at the two vulnerabilities on the asset that matters most to the business.
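The prioritization described above, reduced to its mechanics, is a join between scan findings and an asset register followed by a ranking on severity weighted by business metrics. The following is an added illustration and is not SAINT's code or its scoring model: the asset fields, the 1-to-5 criticality scale, the cost weighting, the host names and IP addresses, and all findings other than the page's own CVE-2016-3373 are constructed assumptions. It also shows one edge case the page's example does not: a scanned host that is missing from the register, which is a gap in the inventory rather than a low-priority finding.

```python
"""Added example: rank scanner findings by business context (not SAINT's code).

Two constructed inputs: an asset register carrying the business metrics the
page lists (business unit, function, criticality, cost if impacted) and raw
scanner findings (IP, vulnerability id, CVSS base score). The scoring formula,
scales and sample values are assumptions made for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    business_unit: str
    function: str
    criticality: int          # 1 (low) .. 5 (critical); assumed scale
    impact_cost_usd: float    # estimated business cost if impacted; assumed figures


@dataclass(frozen=True)
class Finding:
    ip: str
    vuln_id: str
    cvss: float               # CVSS base score, 0.0 .. 10.0


@dataclass(frozen=True)
class Ranked:
    finding: Finding
    asset: Optional[Asset]    # None when the scanned host is not in the register
    score: float


# A host the register does not know gets a middle criticality so it is neither
# ignored nor allowed to crowd out known critical assets; it is flagged for review.
DEFAULT_CRITICALITY = 3
DEFAULT_COST_USD = 100_000.0


def priority_score(cvss: float, criticality: int, impact_cost_usd: float,
                   cost_cap: float = 1_000_000.0) -> float:
    """Technical severity weighted by business context (assumed formula).

    cost_factor rises linearly from 1.0 (no cost) to 2.0 (cost at or above
    cost_cap), so cost refines the ranking rather than dominating it.
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    if not 1 <= criticality <= 5:
        raise ValueError(f"criticality out of range: {criticality}")
    cost_factor = 1.0 + min(max(impact_cost_usd, 0.0), cost_cap) / cost_cap
    return round(cvss * criticality * cost_factor, 2)


def prioritize(findings: List[Finding], assets: Dict[str, Asset]) -> List[Ranked]:
    """Join each finding to its asset and sort highest business risk first."""
    ranked = []
    for f in findings:
        a = assets.get(f.ip)
        crit = a.criticality if a else DEFAULT_CRITICALITY
        cost = a.impact_cost_usd if a else DEFAULT_COST_USD
        ranked.append(Ranked(f, a, priority_score(f.cvss, crit, cost)))
    # highest score first; tie-break on raw CVSS, then id for stable output
    ranked.sort(key=lambda r: (-r.score, -r.finding.cvss, r.finding.vuln_id))
    return ranked


def unregistered_hosts(ranked: List[Ranked]) -> List[str]:
    """Hosts the scanner saw but the asset register does not track."""
    return sorted({r.finding.ip for r in ranked if r.asset is None})


# Constructed register mirroring the page's two named assets (values assumed).
ASSETS: Dict[str, Asset] = {
    "10.8.0.12": Asset("10.8.0.12", "acct-mgmt-01", "Finance",
                       "Account management (Miami)", 5, 2_000_000.0),
    "10.8.0.38": Asset("10.8.0.38", "laptop-bos-07", "Sales",
                       "Field laptop (Boston)", 2, 15_000.0),
}

# Constructed findings: two on the server, thirteen on the laptop (one of them
# the page's CVE-2016-3373 at CVSS 4.3), and one on a host missing from the register.
# Ids of the form vuln-* are placeholders, not real vulnerability identifiers.
FINDINGS: List[Finding] = [
    Finding("10.8.0.12", "vuln-srv-01", 7.5),
    Finding("10.8.0.12", "vuln-srv-02", 5.0),
    Finding("10.8.0.38", "CVE-2016-3373", 4.3),
] + [
    Finding("10.8.0.38", f"vuln-lap-{i:02d}", cvss)
    for i, cvss in enumerate(
        [9.8, 8.1, 7.5, 7.2, 6.5, 6.1, 5.9, 5.3, 5.0, 4.3, 3.7, 2.6], start=1)
] + [
    Finding("10.8.0.77", "vuln-unk-01", 9.0),
]


if __name__ == "__main__":
    for r in prioritize(FINDINGS, ASSETS):
        where = r.asset.function if r.asset else "UNREGISTERED HOST"
        print(f"{r.score:6.2f}  {r.finding.vuln_id:<14} {r.finding.ip:<11} {where}")
    print("hosts missing from register:", unregistered_hosts(prioritize(FINDINGS, ASSETS)))
```

Running it puts both server findings ahead of every laptop finding, including the laptop's CVSS 9.8 item, which is the page's point: raw severity alone would have sent the first remediation effort to the wrong machine. The unregistered host lands third, above the entire laptop list, as a reminder that an asset the register cannot value cannot be prioritized either.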
While this is a simple example for three assets, the risk-management challenge is inherently more complex at true scale, in environments whose inventories run to 100,000 or even more than 1 million assets across both on-premises and hosted (cloud) resources. You must employ solutions that can meet this demand as you manage and protect assets across business units, multiple locations, and varying metrics across stakeholders.
Whether your role is CRO, CIO, CISO, security consultant, or managed security service provider (MSSP), it is critical that people, processes, information, and technology resources align effectively from the board room to the server room. SAINT’s Asset Management capabilities help meet this challenge and align your risk management program with a business context.
For more information on our asset management capabilities, contact us today.