Step 1: Identify Critical Assets
Creating an Inventory of Critical Assets
The first step in enhancing the security posture of your organization involves creating an inventory of critical assets.
This step sets the stage for all subsequent security measures by identifying and prioritizing the software assets that are most valuable and vulnerable to threats. It also fosters a common understanding within the organization about which systems are in scope. This shared clarity ensures that efforts are concentrated on protecting the assets that, if compromised, would have the most significant impact on the organization's integrity and operational continuity.
Understanding Critical Assets
Critical assets, sometimes referred to as "Crown Jewels," are components of your IT ecosystem that are essential to your organization's operational continuity, data integrity, and competitive advantage. These assets can range from proprietary software applications to third-party libraries integral to your products' functionality and security.
In many organizations, existing security frameworks like ISO 27001 and the NIST Cybersecurity Framework (CSF) play a pivotal role in identifying and protecting these critical assets. Both frameworks entail comprehensive processes for risk assessment and management, effectively guiding organizations in pinpointing their most valuable and vulnerable assets. If your organization has already implemented either of these frameworks, good for you! - it's likely that you've not only identified your Crown Jewels but also initiated steps towards their protection.
Critical assets can include, not-so-obvious peripheral systems such as billing infrastructure and other support functions. The now well-known attack against Colonial Pipeline on May 7, 2021 targeted just that, its billing system and causing the company to halt its operations for an extended period.
Tools and Techniques for Effective Inventory Management
Inventory Management Tools
Several tools can assist in the inventory management process, from simple spreadsheets for small organizations to advanced software asset management (SAM) solutions that offer real-time tracking, version control, and compliance monitoring.
The role of an SBOM
Software Bill of Materials (SBOMs) play a crucial role in inventory management by providing detailed listings of all components within a software product. By integrating SBOMs into your asset inventory, you gain deeper insights into the software composition, including third-party dependencies, which are often overlooked yet critical to security. This integration enables a more granular risk assessment and aids in the swift identification of vulnerabilities as they are disclosed.
Prioritization Strategies
Once an inventory is established, prioritization is essential. Factors to consider include the criticality of the asset to business operations, the sensitivity of the data it handles, its exposure to potential threats, and its compliance requirements. Techniques such as the Criticality Analysis, as suggested by NIST, can be employed to evaluate and rank assets, guiding security efforts towards those that, if compromised, would have the most significant impact.
Next Step
Continue to step 2 - Internal SBOMs to explore how to create an SBOM by using freely available tools for the assets you identify as critical.