Security risk professionals need to assess asset values to add business context to vulnerability management prioritization. NopSec understands that this can be difficult for various reasons (e.g., dynamic assets, security's lack of business knowledge). Assigning asset values is important because it enables security and IT teams to align on business priorities. That is why NopSec offers asset value recommendations.
Why Asset Prioritization?
When it comes to vulnerability management, InfoSec and IT teams are well aware of threat risk, that is, where the organization is most likely to be attacked. There is also the criticality of the vulnerability itself. But there is a third component: the asset. Not all assets are valued equally; some matter more than others because of the data they hold or who owns them. That is why asset prioritization has such an impact on vulnerability management.
Challenge of Assigning Asset Values
We have heard from our customers over and over again that it is difficult to assign asset values.
The most common challenge is that the IT team lacks direct knowledge of the business value of individual assets.
NopSec's Unified VRM centralizes vulnerability, threat and asset data, giving organizations a single pane of glass on their true risk health. This helps IT and security teams align on minimizing organizational risk.
How do we do it?
We gather data from scanners, endpoints and/or the CMDB. Firstly, we look at each asset from a threat perspective.
Secondly, we look at its service criticality. In our research, we found that the security team already has access to clues in its own data. Those clues break down into the vulnerability itself, the asset it lives on, and the team's past remediation behavior. By looking at these technical characteristics, we can in many cases indirectly identify the value of the asset, or at least make a very good guess.
Lastly, we look at value proxies; in other words, we look at the data itself, such as the number of services, the number of users, or uptime.
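To make the three steps above concrete, here is an added example (not NopSec's code, and not the Unified VRM algorithm) of how value proxies and remediation clues can be turned into a recommended asset tier, and how that tier then changes the ranking of vulnerabilities. The weights, thresholds, the `DATA_SERVICES` list and the three sample assets are all assumptions constructed for the illustration; a real deployment would calibrate them against CMDB data and feedback from asset owners.

```python
"""Asset value recommendation from technical proxies (illustrative heuristic).

Constructed example: weights, thresholds and sample data are assumptions,
not a published NopSec scoring model.
"""
import math
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed: service names that hint the host stores or brokers sensitive data.
DATA_SERVICES = {"mssql", "postgresql", "mysql", "oracle", "ldap", "kerberos", "smb"}


@dataclass
class Asset:
    name: str
    services: Tuple[str, ...]            # service names reported by the scanner
    user_count: int                      # distinct users observed on the host
    uptime_pct: float                    # availability over the observation window
    median_days_to_fix: Optional[float]  # past remediation speed here; None = no history
    vulns: Tuple[Tuple[str, float, bool], ...]  # (vuln_id, cvss_base, exploited_in_wild)


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def proxy_score(a: Asset) -> float:
    """Combine value proxies and a remediation-behaviour clue into a 0..1 score."""
    svc = clamp01(len(a.services) / 8)                 # 8+ services -> 1.0
    users = clamp01(math.log10(a.user_count + 1) / 4)  # ~10k users -> 1.0 (log scale)
    uptime = clamp01((a.uptime_pct - 95.0) / 5.0)      # 95% -> 0.0, 100% -> 1.0
    data = 1.0 if DATA_SERVICES & set(a.services) else 0.0
    # Clue from past behaviour: a team that historically patches this host fast
    # has implicitly told us it matters. No history is treated as neutral.
    if a.median_days_to_fix is None:
        fix = 0.5
    elif a.median_days_to_fix <= 7:
        fix = 1.0
    elif a.median_days_to_fix <= 30:
        fix = 0.5
    else:
        fix = 0.0
    return round(0.15 * svc + 0.30 * users + 0.20 * uptime + 0.20 * data + 0.15 * fix, 3)


TIERS = [(0.70, "critical"), (0.45, "high"), (0.25, "medium"), (0.0, "low")]
TIER_WEIGHT = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25}


def recommend_tier(a: Asset) -> str:
    """Map the proxy score onto a recommended asset value tier."""
    s = proxy_score(a)
    for threshold, tier in TIERS:
        if s >= threshold:
            return tier
    return "low"


def prioritize(assets):
    """Rank (asset, vuln) pairs by vulnerability severity x threat x asset value.

    Returns rows of (risk, asset_name, vuln_id, tier), highest risk first.
    """
    rows = []
    for a in assets:
        tier = recommend_tier(a)
        for vid, cvss, exploited in a.vulns:
            threat = 1.5 if exploited else 1.0        # threat component
            risk = round((cvss / 10.0) * threat * TIER_WEIGHT[tier], 3)
            rows.append((risk, a.name, vid, tier))
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


# Constructed sample inventory (hypothetical hosts and vulnerability IDs).
SAMPLE_ASSETS = [
    Asset("erp-db-01", ("https", "mssql", "smb"), 4200, 99.95, 3, (("VULN-1", 7.5, False),)),
    Asset("file-srv-02", ("smb", "ldap", "https", "ssh"), 120, 98.5, None, (("VULN-2", 8.0, True),)),
    Asset("kiosk-07", ("http",), 3, 97.0, 60, (("VULN-3", 9.6, True),)),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name:12s} score={proxy_score(a):.3f} tier={recommend_tier(a)}")
    for risk, name, vid, tier in prioritize(SAMPLE_ASSETS):
        print(f"{risk:.3f} {name:12s} {vid} ({tier})")
```

The point the ranking makes is the one in the text: the kiosk carries the highest CVSS and a known exploit, yet it lands last because the proxies mark it as a low-value host, while the ERP database with a mid-severity, unexploited finding outranks it. The remediation-behaviour clue is deliberately only a modest weight, because it is a guess at intent rather than a measured property; when the CMDB does supply an owner-assigned value, that should override the proxy score rather than be blended with it.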