Future-proofing asset and vulnerability intelligence in response to CISA’s BOD 23-01
Modern environments have become more dynamic and the need for equally progressive asset discovery techniques has intensified. The new Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 23-01 recognizes this fact.
What is BOD 23-01?
While it is only binding for US federal civilian agencies, the directive emphasizes the foundational asset discovery and intelligence capabilities all organizations must possess to be prepared for modern threats. Without the critical insight these capabilities provide, the effectiveness of all other cybersecurity initiatives is hampered.
In this new directive, CISA recognizes that any cybersecurity initiative begins with a complete and accurate understanding of all the cyber assets you have, and the resulting attack surface they expose. In short, you must know what you’re trying to defend to defend it effectively.
BOD 23-01 calls on government agencies to execute comprehensive asset discovery scans at least every 7 days. They must also perform vulnerability enumeration across all discovered assets at least every 14 days. The scope of these scans is expansive, covering any IP-connected device: a traditional desktop or server, network gear, video cameras, roaming devices, etc.
Assessing current capabilities against CISA’s BOD 23-01
Although any security professional would agree that this is a basic and fundamental cybersecurity hygiene requirement, it can be a daunting task for organizations with asset inventory programs that have yet to catch up with the evolving cyber landscape.
Modern IT infrastructure approaches are increasingly complex, with software defined networks, hyper-segmentation, widespread adoption of multi-public cloud infrastructures, containerization, and the democratization of responsibility – and discovering new IP assets can seem futile. That’s why organizations should leverage multiple complementary techniques to discover those elusive IP assets.
Network scanning
One common technique to address visibility challenges is to leverage network scanning tools, which do an increasingly good job of finding assets in a particular IP range or known network segments. However, the most difficult aspect of complying with this directive is not scanning the networks you know about for vulnerabilities. Rather, the biggest challenge is identifying the networks and devices you don’t know about.
ESG’s 2022 Security Hygiene and Posture Management survey indicates 35% of professionals believe their organizations’ current asset inventory is incomplete, and 25% of cybersecurity professionals admit to having too many rogue assets and no means of discovery.
This approach can fall short when dealing with complex segmented networks with many dark corners, or in modern cloud architectures where deployment and teardown of infrastructure is dynamic and automated.
Dynamic asset intelligence tools
Another popular approach to augment or replace network scanning is to use API aggregation to leverage the broad range of tools and technologies that are already deployed in the environment to manage the creation and configuration of the asset infrastructure.
By accessing, aggregating, and correlating asset intelligence from across these existing sources, organizations can synthesize a comprehensive view of their cyber estate – a view that includes a great deal more context and which can be invaluable in a wide range of cybersecurity scenarios.
However, this approach is also not without challenges. Organizations use an average of 10 systems to gather an inventory of IT assets alone, and 40% of IT and cybersecurity professionals say conflicting data from different tools makes it hard to create an accurate picture of their environment. But despite these challenges, the result can be well worth the effort.
Even as you overcome these challenges, it’s important to remember that meeting the requirements for weekly discovery scans and bi-weekly vulnerability scans is still only the beginning. Discovery alone is not the end goal, but rather a means to an end.
The long-term goal is to maximize the organization’s cyber resilience and reduce cyber risk. As you work to establish or enhance these foundational capabilities, it’s critical to keep that in mind.
It is of little use to uncover an entirely new set of assets, vulnerabilities, and risks when you don’t have sufficient resources to address the pile you already have. Therefore, these new findings must be accompanied by sufficient context to help your teams to prioritize based on the greatest risk to the organization.
Five steps to designing a future-proof asset intelligence program
This is also an opportunity to consider the future needs of your evolving and maturing cybersecurity program. Organizations can use this requirement as an opportunity to deliver beyond CISA’s expectations and build a comprehensive asset intelligence capability.
While many factors play into the longevity and success of any cybersecurity initiative, there are five standout elements for building a cyber asset intelligence program to scale with an organization’s size and evolving maturity.
1. Agree on a common, inclusive definition of asset
The legacy definition of a compute asset is no longer relevant, as the adversary’s line of sight extends far beyond IT devices. Since most breaches still involve the human element, your asset inventory shouldn’t be constrained by considering only traditional compute assets.
Remembering that the goal is to improve cyber resilience and reduce risk, we encourage organizations to take a much broader definition of “asset.” It should encompass anything, be it physical, virtual, or conceptual, which can generate cyber risk to the business.
That will include physical and virtual compute assets. It also should include humans, datasets, applications/services, etc. To understand and prioritize action based on risk we encourage organizations to catalog all these asset types and understand how they relate to each other.
2. Adopt a universal process across all environments, regardless of complexity
It’s common for organizations to leverage multiple cloud infrastructures while still maintaining legacy on-premises infrastructure and IT/OT devices. Typically, there are different tools, technologies, and processes in place for measuring and managing policy and risk for each. This hinders an organization’s ability to have a common view, define common metrics and policies, and prioritize cybersecurity activities across the organization.
Wherever possible, it’s beneficial to establish a common, unified model and repository across these siloed environments to enable a level of consistency and common understanding.
3. Gather a continuous, multidimensional view of each asset
While siloed data sources can cause confusion during the asset management lifecycle, they can be extremely powerful when combined. If you can harvest that information and correlate it in your asset view you can begin to calculate risk and prioritize team effort in a more precise and effective way.
The trick, then, is in aggregating and correlating the data from these various sources into a cohesive asset view, and continuously updating it to keep it current.
These different tools will normally have public APIs, which can be leveraged to extract the asset data and context needed to construct an accurate and current view of the asset landscape, as well as to monitor the environment as it changes over time. This creates a “single source of truth” and a comprehensive perspective which can be used to drive countless cybersecurity use cases.
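The correlation step described above, and the weekly/bi-weekly cadence from the directive, as an added example that is not part of the original article. The three source names, the record layout and the sample records are constructed for illustration (real inventory tools return different fields through their APIs); the example links records that share any normalized identifier (MAC, short hostname or IP) into one asset, keeps the most recent discovery and vulnerability-scan timestamps per asset, and then flags assets that fall outside the 7-day discovery and 14-day vulnerability enumeration windows.

```python
"""Added example: correlate asset records from several sources and check them
against the BOD 23-01 cadence. Source names, fields and data are constructed."""
from datetime import datetime, timedelta, timezone

DISCOVERY_MAX_AGE = timedelta(days=7)    # asset discovery at least every 7 days
VULN_ENUM_MAX_AGE = timedelta(days=14)   # vulnerability enumeration at least every 14 days
NOW = datetime(2022, 11, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed records: each source sees overlapping assets via different identifiers.
SOURCES = {
    "network_scanner": [
        {"ip": "10.1.2.10", "mac": "AA:BB:CC:00:00:01", "hostname": "web01",
         "seen": "2022-10-30T12:00:00Z", "vuln_scanned": "2022-10-30T12:30:00Z"},
        {"ip": "10.1.2.99", "mac": "aa:bb:cc:00:00:99", "hostname": None,
         "seen": "2022-10-31T08:00:00Z", "vuln_scanned": None},
    ],
    "cloud_api": [
        {"ip": "10.1.2.10", "mac": None, "hostname": "web01.internal",
         "seen": "2022-11-01T00:00:00Z", "vuln_scanned": None, "tags": {"env": "prod"}},
        {"ip": "10.1.5.7", "mac": None, "hostname": "batch02",
         "seen": "2022-10-10T00:00:00Z", "vuln_scanned": "2022-10-09T00:00:00Z", "tags": {"env": "prod"}},
    ],
    "cmdb": [
        {"ip": None, "mac": "aa:bb:cc:00:00:01", "hostname": "web01",
         "seen": "2022-09-01T00:00:00Z", "vuln_scanned": None, "owner": "web-team"},
    ],
}


def parse_ts(value):
    """ISO-8601 with trailing Z -> aware datetime; None stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def identifiers(record):
    """Normalized identifier strings; records sharing any one are the same asset."""
    ids = set()
    if record.get("mac"):
        ids.add("mac:" + record["mac"].lower())
    if record.get("hostname"):
        ids.add("host:" + record["hostname"].split(".")[0].lower())
    if record.get("ip"):
        ids.add("ip:" + record["ip"])
    return ids


def correlate(sources):
    """Union-find over shared identifiers, then merge each group into one asset view."""
    records = [(src, rec) for src, recs in sources.items() for rec in recs]
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_owner = {}
    for idx, (_, rec) in enumerate(records):
        for ident in identifiers(rec):
            if ident in first_owner:
                parent[find(idx)] = find(first_owner[ident])
            else:
                first_owner[ident] = idx

    groups = {}
    for idx, member in enumerate(records):
        groups.setdefault(find(idx), []).append(member)

    assets = []
    for members in groups.values():
        asset = {"identifiers": set(), "sources": set(), "last_seen": None,
                 "last_vuln_scan": None, "context": {}}
        for src, rec in members:
            asset["identifiers"] |= identifiers(rec)
            asset["sources"].add(src)
            for field, key in (("seen", "last_seen"), ("vuln_scanned", "last_vuln_scan")):
                ts = parse_ts(rec.get(field))
                if ts and (asset[key] is None or ts > asset[key]):
                    asset[key] = ts          # keep the freshest observation
            for extra in ("tags", "owner"):  # context that only some sources carry
                if extra in rec:
                    asset["context"][extra] = rec[extra]
        assets.append(asset)
    return assets


def asset_name(asset):
    """Stable display name: prefer hostname, then MAC, then IP."""
    for prefix in ("host:", "mac:", "ip:"):
        for ident in sorted(asset["identifiers"]):
            if ident.startswith(prefix):
                return ident


def find_asset(assets, ident):
    return next((a for a in assets if ident in a["identifiers"]), None)


def cadence_gaps(assets, now=NOW):
    """Assets whose discovery or vulnerability enumeration is older than the directive allows."""
    findings = {}
    for asset in assets:
        issues = []
        if asset["last_seen"] is None or now - asset["last_seen"] > DISCOVERY_MAX_AGE:
            issues.append("discovery overdue")
        if asset["last_vuln_scan"] is None or now - asset["last_vuln_scan"] > VULN_ENUM_MAX_AGE:
            issues.append("vulnerability enumeration overdue")
        if issues:
            findings[asset_name(asset)] = issues
    return findings


if __name__ == "__main__":
    merged = correlate(SOURCES)
    for name, issues in cadence_gaps(merged).items():
        print(name, "->", ", ".join(issues))
```

Run as-is, the three web01 records from the scanner, the cloud API and the CMDB collapse into a single asset carrying the CMDB owner and the cloud tags, while the scanner-only host with no vulnerability scan and the stale cloud batch host are reported as cadence gaps. Treating a missing timestamp as overdue (rather than skipping the asset) is deliberate: an asset that no tool has vulnerability-scanned is exactly the finding the directive is meant to surface.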
4. Assess and prioritize risks according to criticality
According to the National Vulnerability Database, over 8,000 vulnerabilities were published in Q1 2022 alone—averaging more than 88 vulnerabilities each day.
No organization has the luxury (or means) to address every vulnerability or risk they identify. More than ever, cybersecurity has become an exercise in prioritization. The team who prioritizes best, based on risk, has a significant advantage. The biggest impediment to effective prioritization is context.
With limited resources at your disposal, effective prioritization becomes a critical team skill. Take, for example, a critical vulnerability detected on an asset: how urgent is it that this system be patched? That, of course, depends on context: Is the asset on a public facing network? Does it have access to, or is it processing, sensitive data? Is it supporting a critical business service? Is it on the same network segment as another asset which is? Is there a known exploit for the vulnerability involved?
When building out your asset intelligence strategy and program, consider the decisions you want to be able to support and the context necessary to make them effectively. Then, make sure you’re collecting that context along with the other asset information.
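The context questions listed above, turned into a ranking as an added example that is not part of the original article. The asset attributes, the finding identifiers (F-1 to F-5, not real CVEs), the CVSS-style base scores and the weights are all constructed; the point is that the same base score lands in very different places once context is applied, and that an asset whose context is unknown is flagged rather than silently scored as harmless.

```python
"""Added example: rank findings by base severity plus asset context. All data
and weights are constructed for illustration."""

# How much each context answer raises priority above the base score (constructed weights).
CONTEXT_WEIGHTS = {
    "known_exploit": 3.0,
    "public_facing": 2.0,
    "sensitive_data": 2.0,
    "critical_service": 2.0,
    "shares_segment_with_critical": 1.0,
}

# Constructed asset context; unknown01 is in the inventory but its context was never collected.
ASSETS = {
    "web01":     {"segment": "dmz",   "public_facing": True,  "sensitive_data": False, "critical_service": True},
    "db01":      {"segment": "data",  "public_facing": False, "sensitive_data": True,  "critical_service": True},
    "jump02":    {"segment": "data",  "public_facing": False, "sensitive_data": False, "critical_service": False},
    "kiosk07":   {"segment": "lobby", "public_facing": False, "sensitive_data": False, "critical_service": False},
    "unknown01": {"segment": None},
}

# Constructed findings: base score on a 0-10 scale plus whether a public exploit is known.
FINDINGS = [
    {"id": "F-1", "asset": "web01",     "cvss": 9.8, "known_exploit": False},
    {"id": "F-2", "asset": "db01",      "cvss": 7.5, "known_exploit": True},
    {"id": "F-3", "asset": "jump02",    "cvss": 9.8, "known_exploit": False},
    {"id": "F-4", "asset": "kiosk07",   "cvss": 9.8, "known_exploit": True},
    {"id": "F-5", "asset": "unknown01", "cvss": 5.0, "known_exploit": False},
]


def asset_context(name, assets):
    """Answer the context questions for one asset; None means the answer is unknown."""
    asset = assets.get(name, {})
    shares_segment = None
    if asset.get("segment"):
        # Derived context: does any *other* critical asset sit on the same segment?
        shares_segment = any(
            other.get("critical_service") and other.get("segment") == asset["segment"]
            for other_name, other in assets.items() if other_name != name
        )
    return {
        "public_facing": asset.get("public_facing"),
        "sensitive_data": asset.get("sensitive_data"),
        "critical_service": asset.get("critical_service"),
        "shares_segment_with_critical": shares_segment,
    }


def score_finding(finding, assets):
    """Return (priority score, list of context keys that were unknown)."""
    ctx = asset_context(finding["asset"], assets)
    ctx["known_exploit"] = finding.get("known_exploit")
    score = float(finding["cvss"])
    unknown = []
    for key, weight in CONTEXT_WEIGHTS.items():
        answer = ctx.get(key)
        if answer is None:
            unknown.append(key)  # missing context: assume the worst and flag the gap
            answer = True
        if answer:
            score += weight
    return round(score, 1), unknown


def prioritize(findings, assets):
    """Findings sorted by context-adjusted score, then base score, then id."""
    ranked = []
    for finding in findings:
        score, unknown = score_finding(finding, assets)
        ranked.append({"id": finding["id"], "asset": finding["asset"], "cvss": finding["cvss"],
                       "score": score, "context_gaps": unknown})
    ranked.sort(key=lambda r: (-r["score"], -r["cvss"], r["id"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, ASSETS):
        gaps = f"  (context missing: {', '.join(row['context_gaps'])})" if row["context_gaps"] else ""
        print(f"{row['id']} {row['asset']:<10} base={row['cvss']:<4} priority={row['score']}{gaps}")
```

Sorted by base score alone, the three 9.8 findings tie at the top and the 7.5 on the database host comes last; with context, the exploitable finding on the sensitive, business-critical database moves to first place, the lobby kiosk drops below the public-facing web server despite its known exploit, and the jump host only inherits a small bump from sharing a segment with the database. The asset with no collected context ranks above the jump host purely because of the worst-case assumption, which is the signal that collecting its context is itself an overdue task.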
5. Leverage automation
Another complementary technique for dealing with the imbalance between threats and resources is to leverage automation. In fact, cybersecurity and risk professionals agree that automating tasks and processes associated with security asset management is the No. 1 action most likely to improve programs (ESG, 2022).
However, the problem with automation is that it requires a high level of confidence in the incoming signals to ensure you are automating the right actions in the appropriate situations.
For this to work, context is critical. By focusing on collecting the right high-fidelity context, together with your asset intelligence, you can be confident in enabling the appropriate use of automation to act as a force multiplier for your team. As a key part of your program, you need to think about which steps can be fully automated, and define the context required to enable it.
What’s next?
Although many may say, “Well I’m not a federal agency, so I don’t need to worry,” don’t be caught off guard. These types of mandates quickly set the precedent for what’s considered the appropriate “standard of care.” If you don’t meet that standard, things can get complicated if your organization suffers a significant incident.
BOD 23-01 is an important mandate which will set precedent and help to drive better cybersecurity hygiene in the areas of asset discovery and vulnerability assessment. More importantly, it is an opportunity for all organizations to look to the future and assess the dynamic cyber asset intelligence capabilities needed to support their cyber posture and resilience aspirations.
Before making any further significant investments or kickstarting any more initiatives, look to the information and context you have locked away in the tooling and technology investments you’ve already made.