The missing link for risk prioritization: Asset Intelligence

March 29, 2024

Can you really accurately and effectively prioritize cybersecurity risk without integrated asset intelligence? 

It’s almost stating the obvious: to convert a plethora of alerts into actionable, prioritized findings based on the organization’s business and technical environment, security teams need to be able to incorporate information about the technical, business and financial value attributes of the asset where a finding was identified. 

But how can security teams reliably integrate asset intelligence with consolidated security tool findings, when so many enterprises already struggle with the basics of asset visibility, inventorying and enrichment - not to mention alert backlogs?  

From security risk assessment to actionable business risk understanding

Just as consolidating, aggregating, de-duplicating and normalizing alerts from fragmented detection tools and scanners is a data problem, so too is aggregating, consolidating, and profiling assets from a broad spectrum of asset data sources. Without a baseline inventory of de-duplicated assets in place, security teams can’t begin to assign attributes relevant to the organization’s specific concerns to the asset profiles.   

Using the security data fabric that underlies Silk’s asset intelligence, we perform asset inventorying by ingesting, normalizing and de-duplicating data from enterprise asset systems, scanner tools, endpoint agents and infrastructure sources - in tandem with a set of similar operations for security findings.

The outcome is a high-fidelity prioritization of individual findings, based on holistic risk. Security teams can assign remediation tasks with higher confidence, because they have the asset context to justify the remediation request. By aggregating the individual asset profiles into a consolidated view, Silk provides comprehensive visibility into a broader set of asset categories. We then extend the risk prioritization with an additional layer of application context, based on the relationships and links between assets in the context of an application.

To allow security teams to structure asset profiles based on their specific requirements, they can populate metadata fields for each asset, and extend metadata ingested from other data sources. In addition to metadata for security, compliance and business application attributes, security teams can also represent what financial value the organization assigns to the asset. Through bidirectional integrations, security teams can enrich existing asset inventory systems, such as CMDBs, with this metadata in the form of labels and tags.

Tying asset intelligence to security findings in a consolidated platform, using an extensible security data fabric, allows security teams to:

  • Improve operational efficiency and remove manual steps through security data fabric automation 
  • Deliver credible guidance consistently on remediation priorities based on business impact 
  • Understand the relationship and links between assets to pinpoint high-impact remediation actions 
  • Materially impact enterprise risk posture, and tie remediation priorities to cyber risk quantification

Asset-centric view of security risk and ownership

Asset Intelligence and security data fabrics 

Security teams are increasingly focused on aggregating data from fragmented security tools to build a realistic picture of what vulnerabilities to focus on across their attack surface. 

However, automating risk-based prioritization is not only an alert data volume and format problem. The challenge is to integrate multiple, de-duplicated attributes from a complex data set, correlate tool findings with normalized asset profiles - and then contextualize the output based on environment and business considerations.

Maintaining a reliable and up-to-date asset inventory is not a new challenge. 

In fact, the mismatch between IT asset management and security needs has led to the creation of the external attack surface management and cyber asset attack surface management categories: tools for security teams to aggregate data from multiple sources to extend their visibility to scope the attack surface and identify either points of weakness, or gaps in defense where detection agents are not installed. 

These newer tools can serve as valuable data sources for compiling inventories for asset profiling because of their broader visibility, as well as coverage of asset categories outside of the scope of traditional IT asset management systems. 

It is a logical progression for these tools to add vulnerability management ingestion - but they haven’t been designed to solve these two data problems with a consolidated, holistic approach. 

By contrast, a flexible and extensible security data fabric that is purpose-built for cybersecurity risk prioritization consolidates a set of related operations for security tool findings and asset profiles to guide and operationalize remediation. For Silk, the objective is not just to give better visibility - it’s to orientate the entire process on the fix, and facilitate a comprehensive remediation lifecycle.

Digging into Silk’s approach

The Silk security data fabric ingests asset information from practically any source - including security detection tools, ITSMs, CMDBs, code repositories and cloud asset inventories - so that the findings are associated with a specific asset, and the asset labeled with technical, environment and business context. Using what other systems of record and tools can tell us about the assets, the Silk platform allows customers to represent what they know about the assets through attribute labels - augmenting the automated generation of asset profiles. 

Silk integrates, ingests and normalizes data from: 

  • Existing IT asset management systems (typically, but not always, CMDBs)
  • Asset information from endpoint agents and scanning tools (vulnerability, cloud, AppSec)
  • Tags and labels from cloud infrastructure and native asset management systems (like virtual machine tags)
  • Cyber asset attack surface management (CAASM) tools (which may encompass enriched IT asset information)
  • ‘Non-traditional’ assets such as code repositories, Docker images, cloud services, DNS, IoT devices 
  • Environmental, risk and compliance labels applied and propagated by the security team

Assign weightings to found and assigned asset attributes based on risk and business factors

This approach allows teams to de-duplicate and link findings across tools, associate the finding with an asset, and then enhance prioritization through a risk assessment that is specific to the environment and the asset profile. Supplemented with threat intelligence, as well as exploit likelihood scores from the CISA KEV catalog and Exploit Prediction Scoring System (EPSS), security teams can both radically reduce time spent on assessing priorities and maintain a high-fidelity mechanism for determining the highest risk exposure findings. 
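The flow described above (normalize and de-duplicate assets, link findings across tools to an asset, then weight by asset attributes and exploit likelihood) can be sketched as follows. This is an added example, not Silk's implementation: the record fields, label weights, vulnerability IDs and the scoring formula (asset weight multiplied by EPSS, with KEV-listed findings treated as likelihood 1.0) are all assumptions chosen for illustration.

```python
import math

# Constructed sample data; field names, hostnames and values are illustrative.
ASSET_RECORDS = [
    {"source": "cmdb", "hostname": "PAY-API-01.corp.example", "labels": {"env": "prod", "unit": "payments"}},
    {"source": "scanner", "hostname": "pay-api-01", "labels": {"os": "linux"}},
    {"source": "cloud", "hostname": "pay-api-01.corp.example", "labels": {"internet_facing": "true"}},
    {"source": "scanner", "hostname": "build-runner-7", "labels": {"env": "dev"}},
]
FINDINGS = [
    {"tool": "vuln_scanner", "hostname": "pay-api-01", "vuln_id": "VULN-A", "epss": 0.12, "kev": True},
    {"tool": "endpoint_agent", "hostname": "PAY-API-01.corp.example", "vuln_id": "VULN-A", "epss": 0.12, "kev": True},
    {"tool": "vuln_scanner", "hostname": "build-runner-7", "vuln_id": "VULN-B", "epss": 0.40, "kev": False},
    {"tool": "vuln_scanner", "hostname": "pay-api-01", "vuln_id": "VULN-C", "epss": 0.03, "kev": False},
]
# Assumed weightings a security team might assign to asset attributes.
LABEL_WEIGHTS = {("env", "prod"): 3.0, ("internet_facing", "true"): 2.0, ("env", "dev"): 0.5}

def asset_key(hostname):
    # Normalize to a de-duplication key: lowercase short hostname.
    return hostname.strip().lower().split(".")[0]

def build_inventory(records):
    # Merge records from every source into one profile per asset.
    inventory = {}
    for rec in records:
        profile = inventory.setdefault(asset_key(rec["hostname"]), {"sources": set(), "labels": {}})
        profile["sources"].add(rec["source"])
        profile["labels"].update(rec["labels"])
    return inventory

def asset_weight(profile):
    # Labels without an assigned weighting are neutral (1.0).
    return math.prod(LABEL_WEIGHTS.get(item, 1.0) for item in profile["labels"].items())

def prioritize(findings, inventory):
    # De-duplicate findings per (asset, vulnerability), then score and rank them.
    merged = {}
    for f in findings:
        key = (asset_key(f["hostname"]), f["vuln_id"])
        entry = merged.setdefault(key, {"asset": key[0], "vuln_id": key[1], "tools": set(), "epss": 0.0, "kev": False})
        entry["tools"].add(f["tool"])
        entry["epss"] = max(entry["epss"], f["epss"])
        entry["kev"] = entry["kev"] or f["kev"]
    for entry in merged.values():
        profile = inventory.get(entry["asset"], {"labels": {}})  # asset not inventoried: neutral weight
        likelihood = 1.0 if entry["kev"] else entry["epss"]
        entry["score"] = round(asset_weight(profile) * likelihood, 3)
    return sorted(merged.values(), key=lambda e: e["score"], reverse=True)

if __name__ == "__main__":
    for row in prioritize(FINDINGS, build_inventory(ASSET_RECORDS)):
        print(row["asset"], row["vuln_id"], sorted(row["tools"]), row["score"])
```

Four raw findings collapse to three, and the KEV-listed finding on the production, internet-facing asset ranks first even though another finding has a higher EPSS value on a development asset.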

The future of risk resolution?

Security teams do face a deluge of data, and the solution must, of necessity, focus on dealing with the data. But understanding the technical, security and business risk of security tool findings relies on asset intelligence: a combination of what we are told from multiple sources, and what we know about the asset.

Asset intelligence as the outcome of asset inventorying and enrichment is a core function of our security data fabric to convert visibility into risk-centric action for security teams and remediation owners alike. 

Silk automates and refines prioritization based on the dynamics of the customer’s unique environment. By connecting findings to assets, and understanding the infrastructure used to deploy and provision these assets, Silk is also able to pinpoint the root cause for related run-time or production security findings - and advise on which fix will resolve multiple findings.

Learn more about Silk

Dig deeper on how Silk can help your organization reduce the findings volume by 50 to 1, and radically compress MTTR for prioritized findings.
