This specification relates to prioritizing assets in a system of assets.
An asset is a computer or other electronic device that communicates with other assets over a network, such as a local area network and/or a wide area network. A system of assets can be connected over such networks. For example, a home might have five assets, each of which is networked to the others and connected to the outside world through the Internet. As another example, a business might have three physically separate offices, each of which has many assets. The assets within each office and the assets across the offices can be connected over a network.
Each asset in a system of assets can be at risk from multiple threats at any given time. Each threat corresponds to a potential attack on the asset by a particular virus, malware, or other unauthorized entity. An attack occurs when the unauthorized entity exploits a known vulnerability of the asset in an attempt to access or control the asset. Risks come not only from attacks but also from other actions, such as data leakage (e.g., transmitting sensitive or confidential information outside a protected network, either intentionally or unintentionally). Most threats have known remediations that, if put in place for an asset, eliminate or reduce the risk that the threat will affect the asset.
Additionally, some assets in a system are subject to compliance requirements. Compliance requirements are requirements for complying with one or more of governmental regulations of regulatory bodies, company regulations of a company, or customer regulations of a customer. Compliance factors are not necessarily security requirements, but may include security measures. For example, servers that store health records may be required to be placed on a private IP network and have access restricted to only certain users. Likewise, secured sessions with the server may be required to comply with certain encryption requirements.
As an enterprise may have many thousands of assets, information technology administrators need to prioritize compliance, vulnerability and remediation processes among the assets. A naïve prioritization scheme can simply list the assets according to asset identifiers, e.g., unique addresses or identifiers of each asset, and each asset can be processed according to its order in the list. However, some assets may be much more critical than others. For example, a mail server is more critical than a guest client computer that has only restricted access to an enterprise network; likewise, a client computer of a user who has access to medical and financial records of patients is more critical than a client computer of a receptionist that has access to only an e-mail application, a company LDAP server, and a web browser.
Thus, to minimize security and compliance risks, some assets need to be processed before other assets, and some assets need to be processed more often than other assets. However, when faced with thousands of assets, each of which has many different asset factors to account for, information technology administrators cannot feasibly determine a priority scheme without an automated framework.