Identify Critical Assets, Vulnerabilities, and Threats to Security Operations

Learning Objectives

After completing this unit, you’ll be able to:

Describe how to identify and prioritize assets that need to be protected and their associated vulnerabilities.
Explain how to identify and prioritize threats against assets.

Introduction

Sometimes trying to secure your organization's assets can feel like you are being asked to play the role of neighborhood security guard. Let’s say that a robber wants to break into your home. You need some sort of security apparatus to protect your valuables, such as a camera or a guard dog. In protecting yourself, you secure your most valuable assets more carefully, keeping jewels, money, and sensitive documents in a safe or lockbox.

An image of a house containing a safe filled with money, which is protected by a security camera and a dog.

Like the steps you take to protect your critical assets at home, your task as a security operations engineer is to keep track of the organization’s most critical assets, and protect them from theft and destruction. You keep tabs on the security state of the assets and the movements of those who may wish to harm them. As a security operations engineer, your goal is to identify critical information assets and their vulnerabilities, and then rank them according to the need for protection. Doing so then sets you up to model threats against these assets. However, you don’t need to do this alone.

It’s key to consider the criticality of assets within a business context. As a security operations engineer you work with the business and systems owners to identify the organization’s critical information assets and associated threats. Depending on the size and complexity of your organization, this process may be performed by the risk or inventory team. The security operations team also has a pivotal role to play in applying threat intelligence to the asset list to assess the security posture of systems, working closely with threat intelligence analysts to do so.

Identifying Your Assets

We’ve discussed assets, but what exactly is an asset? It’s any resource, process, product, or system that has some value to an organization, and must therefore be protected. In your home, the most valuable asset may be your wedding ring or your stereo system. In a business, it may be your company’s shared document drive, a database containing sensitive employee details, or a financial system containing tax information. All types of digital files, storage devices, laptops and hard drives containing information such as intellectual property, financial data, customer information, and so on, need to be identified and documented in an asset inventory. This then enables the team to identify the most critical assets to put the proper security controls in place to thwart would-be adversaries.

As a security operations engineer, you use an asset inventory of where sensitive information is stored and processed in the company. This can be compiled manually in small companies, or using automated tools in larger organizations, and is usually supplemented by interviewing asset owners to provide more context about their systems. You seek to understand what critical mission activities take place within the system, what information is stored and processed by the system, who accesses the system, and so on. This helps you prioritize the most critical assets to protect.

You also review network traffic patterns and logs and endpoint data to better understand access trends and data flow and pinpoint the most frequently used network and system components and their dependencies. All of this information combines to form a map of the territory that must be defended against potential adversaries and points to the most critical assets that should be prioritized for protection from potential threats.

Identifying the Vulnerabilities

Once you have identified the organization’s most critical assets, you next examine existing vulnerabilities so that effective security measures and controls can be implemented to prevent adversaries from exploiting them. The National Institute of Standards and Technology (NIST) defines a vulnerability as a weakness in an information system, system security procedures, internal controls, or implementation that can be exploited or triggered by a threat source. For example, a known vulnerability in a publicly facing database that remains unpatched can allow an adversary to illicitly access the database and steal customer data.

A few years ago, the heartbleed vulnerability posed a huge problem for many organizations. The vulnerability existed in a popular open source library that was widely used to protect communication protocols on the web. It let attackers access information handled by web servers, potentially exposing passwords, credit card numbers, medical records, private emails, social media messages, and more, depending on the content of the server that was vulnerable. Even today, after the disclosure of the vulnerability, it still exists on many servers and systems that weren’t properly upgraded and patched.

This is part of the reason that staying on top of vulnerabilities in your IT environment is so crucial. Combining an analysis of existing vulnerabilities and their criticality with an understanding of assets and their value lets you prioritize the implementation of security controls and ensure systems and data remain secure.

Assess and Prioritize Threats

Let’s review how to stay ahead of cyber threats. A threat is any natural or artificial circumstance that can have an adverse impact on an organizational asset. For example, a cybercriminal can deliver malware (software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system) to your user with a phishing email that provides the cybercriminal with unauthorized access to a database containing customer information.

Importantly, threats try to exploit vulnerabilities on your most critical assets, so it’s key to consider all three of these aspects (threats, vulnerabilities, and assets) in your daily work. In this example, once the user opens the phishing email and clicks a malicious link, malware downloads. The malware then finds a vulnerability to exploit. You can protect the organization against the ability of a threat to take advantage of this vulnerability. Some methods for doing so include training users on how to spot phishing emails, and implementing technical controls that filter and block suspicious emails and strip out malicious links. Timely implementation of patches of known vulnerabilities is also critical.

Before we can protect the organization against this and other threats, we first need to assess the threat to understand who it is, whether the action is deliberate or the result of human error or failure, and what the motivation is. This process of examining the sources of cyber threats is called threat analysis. Let’s dig deeper into why this is important.

Assessing the threat helps you get inside the brain of the adversary and think like them, in order to help you better understand what they may find valuable and how they may compromise a given asset. For example, a hacktivist who is part of an organized group motivated by ideology might be interested in defacing your company website with a political message. A cyberterrorist working for a rival government may be interested in stealing state secrets, such as accessing a government database containing data on the country’s nuclear systems. A malicious insider may be an individual employee who is worried about layoffs, and illicitly downloads proprietary company information onto a personal USB drive to take with them to another job.

Meet Gregory, a Security Operations Engineer

Let’s meet Gregory, who works as a security operations engineer at a computer and network security company that develops cloud services and analytics products. Gregory has identified that one of the most valuable assets the company has is its customer database, which includes the names and email addresses of government employees who buy its products. Gregory knows that adversaries who are motivated by commercial espionage may want to illicitly access this data and sell it to his company’s competitors. How worried should he be?

Gregory has identified the possible consequence if the threat is realized: the sale of his company’s customer data to competitors. Next he considers how frequently the company may face this threat. Is there a particular actor Gregory knows of that has a history of successful incidents against companies like his? He can glean this information from both internal data on past incidents, and external threat intelligence shared by other companies in his industry. He also thinks about the probability that the threat will actually materialize. Does a potential threat actor have knowledge of the asset? For example, is there any information about the database containing this confidential information available publicly or on the internet or the dark web? Finally, how capable is the potential adversary? Do they possess the resources to pose a threat to an asset? Do they have the technology and tools to do harm?

Taken together, this information allows Gregory to assess and prioritize threats so that he can then put in place proper preventative controls to improve the organization’s security.

Knowledge Check

Ready to review what you’ve learned? The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To get started, select the appropriate word from the options provided in the drop-down within the paragraph. When you finish selecting all the words, click Submit to check your work. If you’d like to start over, click Restart.

Sum It Up

Now that you’ve identified your organization's most critical assets, associated vulnerabilities, and probable threats, it’s time to protect those systems and data from compromise. We dive further into how to use a framework to organize the work of your security operations center (SOC), how to harden systems, and other security services that SOCs provide, in the next unit.