A Single Source of Truth?

The internet of late has been buzzing with imagery from the Webb telescope. The images truly conjure a sense of awe and act as a reminder of how much we still don’t know about the universe we live in.

We, of course, take the images at face value, not pausing to contemplate the methods behind them. The image is in reality not a conventional photograph at all, but a digital representation, rendered by a computer from data compiled from infrared and other sensors.

So, what does all of this have to do with cybersecurity?

A Matter of Perspective

The idea of truth seems an increasingly complex one in today’s world of conflicting reporting and outright disinformation. Truth when it comes to asset visibility is fundamentally important, and should underpin any effective security and technology program. Without an accurate map of your domain of responsibility, you cannot effectively identify and address risks. Phil Venables, CISO of Google Cloud, put this incredibly eloquently in his 2021 blog post: Archeologist, Historian or Explorer?

The trouble is often perspective. For many, the idea of truth has really evolved into a subset of the whole truth that best fits the narrative the individual or group is looking to tell. In the domains of IT, risk management and security, what “good” looks like, or the information that conveys a satisfactory “truth”, differs significantly depending on who you ask.
[Image: tweet screenshot (ciso-tweet)]
The above tweet, or messaging like it, is often used in the [cyber] industry to highlight the conflicting nature of individual sources of asset data. Pretty straightforward, but let’s go deeper and examine why we have gone on for so long using data that is so obviously flawed. Put yourself into the thought process of the respective owners of the source data and the technologies that generate it.

It goes a little something like this.

“We understand where the data came from.”

“We own and understand the technology that collected the data.”

“We own data and don’t need to ask permission to use it.”

“The data looks ‘good enough’.”

These statements are all very subjective, and the groups mentioned in the tweet above are functional organizations, often with strong opinions and pride of ownership. If you’ve spent any time in large enterprise environments, you can empathize with how this all came to be.
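The conflict the tweet points at is easy to reproduce on a whiteboard and rarely gets resolved in a spreadsheet. The script below is an added illustration, not Hubble’s code or anything from the product: it takes three constructed inventories (a CMDB export, an EDR agent list and a vulnerability scanner’s host list, all sample data) that spell the same machines differently, normalizes the hostnames, and reports which tools know about which assets. The source names, record fields and hostnames are all assumptions for the example; the point it shows is that every source is right about what it sees and wrong about what it does not.

```python
"""Reconcile asset inventories from several tools and surface the gaps.

Added example, not Hubble's code or product logic. The three inventories
below are constructed sample data; source names and record formats are
assumptions for illustration only.
"""
from collections import defaultdict

# Constructed sample data: one estate as seen by three different tools.
# Each tool spells hostnames its own way (case, FQDN vs short name) and
# each has its own blind spots, which is the "conflicting sources" problem.
CMDB = [
    {"name": "WEB-01.corp.example", "owner": "platform"},
    {"name": "DB-01.corp.example", "owner": "data"},
    {"name": "legacy-app.corp.example", "owner": "unknown"},
]
EDR = [
    {"hostname": "web-01", "agent_version": "7.2"},
    {"hostname": "db-01", "agent_version": "7.2"},
    {"hostname": "jumpbox", "agent_version": "7.1"},
    {"hostname": "dev-laptop-17", "agent_version": "7.0"},  # only the EDR sees it
]
VULN_SCANNER = [
    {"host": "web-01.corp.example", "critical": 2},
    {"host": "legacy-app.corp.example", "critical": 9},
    {"host": "jumpbox.corp.example", "critical": 0},
]

# Map each (assumed) source name to its records and the field holding the host.
SOURCES = {
    "cmdb": (CMDB, "name"),
    "edr": (EDR, "hostname"),
    "vuln": (VULN_SCANNER, "host"),
}


def normalize_host(raw: str) -> str:
    """Reduce a hostname to a comparable key: lowercase, short name only."""
    return raw.strip().lower().split(".")[0]


def reconcile(sources):
    """Return {asset_key: set(source_names)} across all inventories."""
    seen = defaultdict(set)
    for source_name, (records, field) in sources.items():
        for rec in records:
            seen[normalize_host(rec[field])].add(source_name)
    return dict(seen)


def coverage_gaps(merged, source_names):
    """For each source, the assets some other source knows about but it does not."""
    return {
        s: sorted(asset for asset, srcs in merged.items() if s not in srcs)
        for s in source_names
    }


def single_source_assets(merged):
    """Assets vouched for by exactly one tool: the records nobody can corroborate."""
    return sorted(asset for asset, srcs in merged.items() if len(srcs) == 1)


if __name__ == "__main__":
    merged = reconcile(SOURCES)
    for asset, srcs in sorted(merged.items()):
        print(f"{asset:14} seen by: {', '.join(sorted(srcs))}")
    for src, missing in coverage_gaps(merged, SOURCES).items():
        print(f"{src:5} is missing: {missing or 'nothing'}")
    print("corroborated by one source only:", single_source_assets(merged))
```

With this data the CMDB has never heard of the jumpbox or the developer laptop, the EDR agent is absent from the legacy application, and the scanner never touches the database. Each owner can truthfully say their data is “good enough” for their own use, and none of the three lists is the inventory; the merged view is the first place the disagreement becomes visible.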

New tech in this area has already attracted billions of dollars of investment in the United States alone, but has it moved the needle enough?

A single source of truth for cyber security, more commonly referred to as Cyber Asset Attack Surface Management (CAASM), has become the primary ringleader, with existing categories including ASM (Attack Surface Management) coming into play too, often repurposing existing and flawed data sets behind a new presentation layer.

Over the years, security teams have become understandably frustrated with IT’s inability to provide a straight answer as to what’s on the network, so the advent of CAASM has been a welcome addition to the market. This has shifted the point of ownership, and security teams have become increasingly comfortable with CAASM, with common feedback including:

“We understand where the data came from.”

“We own and understand the technology that collected the data.”

“We own data and don’t need to ask permission to use it.”

Sound familiar?

We’ve shifted the point of ownership and given the tech some fancy names, but many of the issues remain the same. You might be wondering whether this is really a bad thing, or whether we’ve moved the needle enough and this is “good enough”.

For some use-cases, the answer might be yes, but therein lies the rub. If a technology is largely focused on the internal attack surface, or on cloud security posture management, the idea of “truth” has been decided for you. Ask yourself this: would you buy a camera that can only take pictures of people’s faces, and none of landscapes or the night sky, when an affordable camera was available that can address all of your current and future needs?

If you’ve gone down this path, you’re now presented with several challenges:

  • We’re led into a false sense of security that we’ve solved the problem. This is particularly an issue where adjacent technologies such as vulnerability management platforms have created “asset dashboards”, which simply layer a new user experience on top of existing flawed data.

  • The data itself is going to remain biased towards the use-cases the vendor focuses on most.

  • Even if the data is there, the user interface, workflow automation and so on will lack the flexibility needed to address future, evolving needs.

Fragmented Truths

Our industry is notoriously fragmented. Highly technical founders, often with backgrounds in security operations, vulnerability management or regulatory compliance, build software solutions that scratch the itch nearest and dearest to them. This background forms their version of truth and, as admirable as it might be, often results in the creation of a point solution.

In the world of asset visibility, this has added to our cyber alphabet soup: CAASM, ASM, EASM, CSPM and more! These solutions are absolutely not without merit, and have unquestionably provided a source of “a” truth in the eyes of the stakeholder that purchased them. But cyber security is a business-level issue, and it always has been. The enterprise needs asset visibility solutions that both function out of the box and provide a flexible platform that allows the representation of data to fit its unique needs.

The Path Forward

Edwin Hubble famously said: “The whole thing is so much bigger than I am, and I can’t understand it, so I just trust myself to it; and forget about it.” Hubble was the first to admit that much was unknown about the universe, but he dedicated his life to creating methods for us to explore it more effectively.

At Hubble, we make no claim to fully understanding your entire technology universe, but we are passionate about providing you a flexible platform that gives you the foundation on which true, enterprise-wide business resiliency can be achieved.