
WHITE PAPER

Big Bang: Asset Characterization

Automatically Identify Your Critical Assets so Your Security and Operational Teams Can Focus on What Matters Most


A Cybersecurity Team’s Work is Never Done

Cybersecurity team members know better than anyone that protecting an organization from external and insider threats is an endlessly challenging job, and one that’s only getting more demanding due to rapid enterprise cloud transformation, the massive shift to employees working from home, and widespread enterprise adoption of IoT. With such workloads, it’s no wonder 65% of organizations suffer from a shortage of cybersecurity staff, especially experienced personnel, and 51% of cybersecurity professionals say the talent shortage puts their organization at moderate or extreme risk[1]. Given this scarcity of resources, analysts defending organizations, who often lack a complete understanding of the enterprise attack surface, are forced to prioritize their focus and efforts, and thus risk missing the threats that matter most.

Security tools have come a long way in helping to address the demands analysts and threat hunters face, but even with all the right tools and enough people to do the work, many security teams continue to operate without one very important data point: an understanding of what systems must be defended to protect the business. The ability to focus on these most critical assets represents a big efficiency opportunity for security teams, but for many organizations, it is not part of the security toolkit today.

Quantifying What’s Important

To defend the enterprise, analysts must comb through billions of network sessions and millions of IP addresses in search of threats and anomalies. Big Bang helps organizations determine what assets matter most, thereby providing security teams with the knowledge and context they need to defend the enterprise. Big Bang continuously pulls network metadata from RSA NetWitness Platform and passively discovers, profiles, categorizes, characterizes, prioritizes and tracks all assets. All of these functions are performed in an automated fashion and the information is readily available so that the cybersecurity team has a better understanding of what is really in the enterprise and where to focus their limited resources.

Asset Discovery and Characterization

Big Bang uses custom machine learning techniques based on a sophisticated set of variables to produce layers of insight about the learned digital assets. Figure 1 shows an example summary of the passively discovered assets in an enterprise. Each asset is described by a set of custom categorical labels and aggregate statistics that reflect its observed network behavior during a given measurement window.

Defenders lack complete knowledge of their enterprise assets

Big Bang identifies what assets matter most and why


FIGURE 1: Big Bang asset summaries with aggregate statistics and ranks

The network category and type are classification labels assigned to each asset using unsupervised learning techniques as functions of the distribution of observed traffic associated with it. Number of services, clients and external clients are aggregate discrete values summarizing the totality of traffic reaching the asset. Big Bang also computes custom importance ranks reflecting network risk and asset popularity that security teams can use to prioritize and triage incidents.

Asset Profiles and Categorization

To characterize assets, a network profile is constructed for each asset by analyzing all the protocols, clients, directionality, and type of traffic associated with it. This characterization of the asset provides a multitude of criteria for a security analyst to use as contextual data points to understand how to triage an asset in relation to the threats that might gravitate toward it.

Building on that profile, Big Bang creates a functional network categorization for each asset it discovers in the enterprise. Asset categorization reflects the observed network behavior of the asset and is based on the shape of the distribution of traffic reaching the asset. Typical asset categories for a single-purpose server are HTTP server, DNS server, FTP server, SMTP server, etc.

Asset categories and types reflect observed network behavior


Other network categories reflect distributions of traffic that are typical of multi-functional servers such as domain controllers, or of combinations of services (e.g., HTTP-FTP, SMTP-SSH, etc.).

FIGURE 2: Example network profile for a single-purpose HTTP server

FIGURE 3: Example network profile of a multi-functional NTP_SNMP server.

Asset Prioritization and Tracking

Big Bang records the behavior of assets over time and uses this data for baselining. Any significant variation in the behavior can induce a change in the network category and can trigger an alert.

Behavior tracking leads to finding deviations and detecting anomalies


FIGURE 4: Aggregate historical data of exported services, total number of distinct clients and distribution of clients per service helps to visualize variances in the behavior of an asset.

By tracking the behavior of an asset over time, Big Bang provides analysts with context spanning multiple days, which helps them make quick and accurate decisions about the significance of a threat to a given asset. Asset categorization gives analysts a point of reference describing how an asset behaves over time, yielding a rapid way to determine whether an asset's category has remained constant. If the category assigned to an asset has changed, then someone or something has altered its functionality. This change could have been accidental or intentional: made by an insider, by malware acting on instructions from a command-and-control server, or by an authorized administrator.

FIGURE 5: Complete network profiles are stored for extended periods of time to improve behavior baselining of an asset.
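To make the profiling, categorization, baseline tracking and ranking described in this paper concrete, here is an added, self-contained example in Python; it is not Big Bang or RSA NetWitness code, and it covers the network profile and category of the Asset Profiles and Categorization section, the baseline comparison of this section, and the activity and exposure ranks of the Asset Ranking section. The session records, the internal address ranges, the port-to-service table, the 20% share threshold for a service to shape the category, and the 3x weight on external clients in the exposure score are all constructed assumptions; the real product learns categories with unsupervised techniques from NetWitness metadata rather than from a fixed port table.

```python
"""Toy asset characterization over network session metadata.

Added illustration, not RSA Big Bang or NetWitness code: the address ranges,
port-to-service table, thresholds, weights and sample sessions are all
constructed assumptions.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed enterprise address space; any other address is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Assumed port-to-service labels (a real profiler would use parsed protocol metadata).
SERVICE_NAMES = {21: "FTP", 22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 88: "KERBEROS",
                 123: "NTP", 161: "SNMP", 389: "LDAP", 443: "HTTPS"}
SHARE_THRESHOLD = 0.20  # assumed: a service shapes the category if it carries >=20% of sessions
EXTERNAL_WEIGHT = 3     # assumed: an external client counts 3x an internal one for exposure

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def profile_window(sessions):
    """One network profile per internal destination asset for a measurement window.

    Each session is {"src": ip, "dst": ip, "dport": int}; the profile records the
    per-service session distribution, distinct clients and distinct external clients.
    """
    profiles = defaultdict(lambda: {"services": Counter(), "clients": set(),
                                    "external_clients": set(), "sessions": 0})
    for s in sessions:
        if not is_internal(s["dst"]):
            continue  # only enterprise assets are characterized
        p = profiles[s["dst"]]
        p["services"][SERVICE_NAMES.get(s["dport"], f"PORT{s['dport']}")] += 1
        p["clients"].add(s["src"])
        if not is_internal(s["src"]):
            p["external_clients"].add(s["src"])
        p["sessions"] += 1
    return profiles

def categorize(profile):
    """Category label from the shape of the service distribution, e.g. HTTP or NTP_SNMP."""
    total = profile["sessions"]
    major = [(n / total, name) for name, n in profile["services"].items()
             if n / total >= SHARE_THRESHOLD]
    if not major:
        return "UNCLASSIFIED"
    names = [name for _, name in sorted(major, key=lambda t: (-t[0], t[1]))]
    return "MULTI" if len(names) > 3 else "_".join(names)

def exposure_score(profile):
    """Crude network-risk score: exported services plus (weighted) distinct clients."""
    return (len(profile["services"]) + len(profile["clients"])
            + EXTERNAL_WEIGHT * len(profile["external_clients"]))

def characterize(previous, current):
    """Asset summaries for the current window plus alerts against the previous window."""
    summaries, alerts = {}, []
    for ip, p in current.items():
        cat = categorize(p)
        summaries[ip] = {"category": cat, "services": len(p["services"]),
                         "clients": len(p["clients"]),
                         "external_clients": len(p["external_clients"]),
                         "sessions": p["sessions"], "exposure": exposure_score(p)}
        if ip not in previous:  # no baseline: new, or newly visible to the sensors
            alerts.append((ip, "NEW_ASSET", None, cat))
        elif (old := categorize(previous[ip])) != cat:
            alerts.append((ip, "CATEGORY_CHANGE", old, cat))
    # Exposure rank across all assets (1 = most exposed).
    for rank, ip in enumerate(sorted(summaries, key=lambda i: -summaries[i]["exposure"]), 1):
        summaries[ip]["exposure_rank"] = rank
    # Activity rank within the peer group of assets sharing a category (1 = most popular).
    peers = defaultdict(list)
    for ip, s in summaries.items():
        peers[s["category"]].append(ip)
    for group in peers.values():
        for rank, ip in enumerate(sorted(group, key=lambda i: -summaries[i]["sessions"]), 1):
            summaries[ip]["activity_rank"] = rank
    return summaries, alerts

def _sessions(src, dst, dport, n):
    return [{"src": src, "dst": dst, "dport": dport}] * n

# Constructed sample: day 1 is the baseline; on day 2 the HTTP server 10.1.1.10 starts
# answering SSH from an external address and an unknown FTP host 10.1.1.40 appears.
DAY1 = (_sessions("10.0.0.5", "10.1.1.10", 80, 30) + _sessions("10.0.0.6", "10.1.1.10", 80, 20)
        + _sessions("203.0.113.9", "10.1.1.10", 443, 10)
        + _sessions("10.0.0.5", "10.1.1.20", 123, 10) + _sessions("10.0.0.6", "10.1.1.20", 161, 8)
        + _sessions("10.0.0.7", "10.1.1.30", 80, 5))
DAY2 = (_sessions("10.0.0.5", "10.1.1.10", 80, 20) + _sessions("198.51.100.4", "10.1.1.10", 22, 25)
        + _sessions("10.0.0.5", "10.1.1.20", 123, 10) + _sessions("10.0.0.6", "10.1.1.20", 161, 8)
        + _sessions("10.0.0.7", "10.1.1.30", 80, 5)
        + _sessions("10.0.0.8", "10.1.1.40", 21, 3))

def run_demo():
    """Characterize day 2 against the day 1 baseline."""
    return characterize(profile_window(DAY1), profile_window(DAY2))

if __name__ == "__main__":
    summaries, alerts = run_demo()
    for ip, s in summaries.items():
        print(ip, s)
    for alert in alerts:
        print("ALERT", alert)
```

On the constructed data, 10.1.1.10 moves from category HTTP to SSH_HTTP and raises a CATEGORY_CHANGE alert, 10.1.1.40 has no baseline and raises NEW_ASSET, and 10.1.1.10 keeps exposure rank 1 because it is the only asset with an external client. In practice the per-service share threshold and the exposure weights are exactly the kind of parameters a product learns from the traffic distribution rather than hard-coding, and a category change should be correlated with change-management records before it is treated as hostile.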

Each profile provides a succinct description of the behavior of an asset during different time windows; this allows analysts to quickly pinpoint the nature, magnitude and relevance of a change. For instance, since assets are continuously monitored, any asset that lacks a previous baseline is new to the monitored enterprise (or has only now become visible to the sensors feeding Big Bang). Such a newly found asset could be one that was added as part of a scheduled deployment or an instance of Shadow IT. Big Bang generates an alert for what could be an abnormal event. In addition to pinpointing new assets, Big Bang also performs a variety of ranking functions to identify important assets on the basis of different criteria.

Asset Ranking

Once assets are categorized, peer groups of similar behavior and function are identified, so further calculations and baselining can be performed. Big Bang computes two custom ranking functions: an activity rank and an exposure rank (see Figure 1). The activity rank measures which asset is most popular in its peer group. The exposure rank of an asset reflects the network risk calculated by examining the number of services and the number of clients (internal and external) connecting to the asset. Big Bang guides cybersecurity practitioners’ prioritization efforts by proactively calculating these rankings and the deviations from asset baselines.

In Summary

The ongoing cybersecurity talent shortage forces organizations to prioritize which assets will be their focus. But with a continually evolving digital footprint, identifying which systems are most important becomes a moving target. This is where Big Bang Asset Characterization shines by automatically determining what is on the network, what is abnormal, and what assets analysts should focus on.

To get the biggest bang for your buck, try RSA Labs Project Big Bang. For more information, and to request a consultation, visit rsa.com/bigbang.

Calculated rankings are available to guide prioritization efforts

1. (ISC)2 Cybersecurity Workforce Study, 2019. https://www.isc2.org/News-and-Events/Press-Room/Posts/2019/11/06/ISC2-Finds-the-Cybersecurity-Workforce-Needs-to-Grow--145

About RSA

RSA, a leader in cybersecurity and risk management solutions, provides organizations with technology to address challenges across security, risk management and fraud prevention in the digital era. RSA solutions are designed to effectively detect and respond to advanced attacks; manage user access control; and reduce operational risk, fraud and cybercrime. RSA protects millions of users around the world and helps more than 90 percent of the Fortune 500 companies thrive and continuously adapt to transformational change.

©2021 RSA Security LLC or its affiliates. All rights reserved. RSA and the RSA logo are registered trademarks or trademarks of RSA Security LLC or its affiliates in the United States and other countries. All other trademarks are the property of their respective owners. RSA believes the information in this document is accurate. The information is subject to change without notice. 3/21 White Paper, W451705.