Investing in information security is only rational to the extent it reduces risk, calculated as the impact times likelihood of an incident. Security spending is waste if it doesn’t reduce 1) the chance something bad happens, 2) the negative consequences when it does, or both.
Security teams happily spend time and money on the likelihood component: trying to understand threats and vulnerabilities powers a $4.5B+ threat intelligence market and a $6B+ vulnerability management market. And that’s before the investments into reducing that likelihood.
But what if all this is done to protect assets that don’t really matter? The impact of an incident can be re-framed as the value of the assets affected, and that’s where many teams struggle.
What systems matter most when they go down? What data hurts most when taken or corrupted?
Adversaries often understand asset value better than blue teams: they have the incentive, it’s how they meet their goals. Your team is already on the inside! Use this access and insight to determine the value of systems, data, and users - find your “crown jewels” and aggressively prioritize your infosec investments to protect, detect, and respond in those areas, and you’ll have built a truly risk-informed, rational security program.
Critical Assets, Information, and Users
Let’s start with a quick quiz. Ask yourself:
- What are our most important systems?
- What and where is our most critical data?
- Which users routinely access those assets?
If these didn’t come immediately to mind, if the selections seemed arbitrary or vague, or if your team or leadership disagree, your program isn’t rooted in risk … it’ll be hard to rationally prioritize investments. You’re left saying “secure everything.”
If they’re solid, ask:
- Is the share of our infosec investment protecting those assets commensurate with their value?
- Does our detection apparatus prioritize threats to those assets?
- Does our incident response plan have playbooks for scenarios affecting those assets?
If any of these are “no,” there’s opportunity to focus (and perhaps reduce) your security investments and produce greater impact.
Most security frameworks advocate for this type of assessment, but those sections are frequently relegated to a lower priority, or to non-security personnel. This article is a love letter to the “Identify” function of the NIST Cybersecurity Framework, a bit of advocacy for the neglected and un-sexy benefits of asset management and understanding the business environment.
In practice it’s surprisingly difficult to get consensus on which systems, data, and users matter most. The following tricks and heuristics can help you build a pragmatic picture:
Look at revenue: if it makes you money, it’s important. This might seem obvious, but many times we’ve seen revenue-generating activities that were completely off the security team’s radar, and sometimes explicitly out of scope. Are there banks with vault doors and cameras only for the bathroom? Seems wasteful.
Look at budgets (including personnel): if your organization spends a lot on something, it’s important. If your organization has 50 ERP developers and spends millions in licenses, that’s a decent heuristic for its value. If it were to go down, people would notice. Executives, like most people, vote with their wallets.
Track usage (who and how many): If important people—or a lot of people—use an asset, it’s important. That importance carries over to any systems, data, or users upon which that asset relies (think Google’s PageRank).
Use “scream tests”: if important people—or a lot of people—get angry when an asset is taken down, it’s important. This is safely done in a table-top exercise environment, but sometimes it pays to actually pull things offline. The ranks and departments of the angry people are decent heuristics for importance, and sometimes you find no one cares at all. See also Chaos Monkey.
Use an adversary mindset (and red tools): if a hacker wants it, it’s important. Attackers have built many tools to identify high-priority targets (systems, data, and users); think like them, use the tools for good! There are thousands of examples … tools like Shodan, Maltego, Bloodhound, and so many more (see https://osintframework.com/). You should be at least as informed as a casual attacker.
Make it easy to find information on your own stuff: if you don’t know what something is, it’s hard to say if it’s important. Think “Facebook for assets” … it’s not enough to have just an IP or hostname; aim for convenient access to:
- Purpose and description
- Owner contact information
- Applicable regulations and compliance
- Patch state and known vulnerabilities
- Log location(s)
- and more …
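The usage heuristic (importance carries over to whatever an asset relies on) and the asset record fields listed above can be combined into a simple scoring pass. This is an added Python example, not code from the original article; the asset names, the direct-value scores, the 0.5 damping factor and the additive carry-over rule are all assumptions chosen for illustration.

```python
# Added example: sample inventory constructed for illustration only.
# "direct" is an assumed 0-1 estimate of an asset's own value (revenue, budget, usage).
ASSETS = {
    "customer-portal": {"direct": 0.9, "owner": "web-team", "logs": "siem:portal",
                        "depends_on": ["sso", "orders-db"]},
    "erp": {"direct": 0.8, "owner": "finance-it", "logs": "siem:erp",
            "depends_on": ["sso", "orders-db"]},
    "intranet": {"direct": 0.2, "owner": "it-ops", "logs": "siem:wiki",
                 "depends_on": ["sso"]},
    "sso": {"direct": 0.1, "owner": "identity", "logs": "siem:idp",
            "depends_on": ["dir-service"]},
    "orders-db": {"direct": 0.1, "owner": None, "logs": "siem:db", "depends_on": []},
    "dir-service": {"direct": 0.05, "owner": "identity", "logs": None, "depends_on": []},
}
REQUIRED_FIELDS = ("owner", "logs")

def propagate(assets, damping=0.5, max_rounds=50, tol=1e-9):
    """Each asset keeps its direct value and inherits damping * score of every
    asset that depends on it; iterate until the scores stop changing."""
    score = {name: a["direct"] for name, a in assets.items()}
    for _ in range(max_rounds):
        new = {name: a["direct"] for name, a in assets.items()}
        for name, a in assets.items():
            for dep in a["depends_on"]:
                if dep in new:  # dependencies missing from the inventory are skipped
                    new[dep] += damping * score[name]
        if max(abs(new[n] - score[n]) for n in new) < tol:
            return new
        score = new
    return score  # cap reached (e.g. a dependency cycle that has not settled)

def ranked(scores):
    return sorted(scores, key=scores.get, reverse=True)

def inventory_gaps(assets, scores, threshold=0.5):
    """High-scoring assets whose record lacks an owner or a log location."""
    gaps = {}
    for name, a in assets.items():
        missing = [f for f in REQUIRED_FIELDS if not a.get(f)]
        if missing and scores[name] >= threshold:
            gaps[name] = missing
    return gaps

if __name__ == "__main__":
    scores = propagate(ASSETS)
    for name in ranked(scores):
        print(f"{name:16} {scores[name]:.3f}")
    print(inventory_gaps(ASSETS, scores))
```

In this sample the shared SSO service and the orders database outrank the applications that sit in front of them, and two of the inherited-value assets turn out to have incomplete records.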
Most organizations are not unique - one special case of a helpful heuristic is to copy what other smart people care about. The following are some examples of high-priority assets that might resemble your setup and start you on the right foot:
- Customer-facing Applications: Custom or off-the-shelf portals and applications, whether revenue-generating or not.
- Enterprise Resource Planning (ERP): General purpose (e.g., NetSuite, SAP) or industry-specific like student information systems (SIS, e.g., Banner, Jenzabar), electronic health records (EHR, e.g., Epic, eClinicalWorks).
- Authentication and Authorization: Active Directory, LDAP, Single Sign On (SSO, e.g., Okta)
- SaaS Applications: Salesforce, Workday, etc.
- File Shares and Data Stores: SMB file shares, FTP servers, databases, cloud storage, etc.
- Intranets: Confluence, SharePoint, etc.
Security teams spend vast amounts assessing and addressing the likelihood of incidents through threat intelligence, vulnerability management, and more. But if this is done to protect assets that don’t really matter, those investments become waste. Maximize information security impact by learning which systems would matter most if they were to go down, and what data would be most damaging if it were taken or corrupted. If you’d like assistance building a truly risk-informed, rational security program please contact us.