Identifying high-value assets and data sources
Attackers aim to steal, take over, or disrupt the most critical or lucrative assets in an organization in order to have the greatest impact. Taking down critical services with a Denial of Service attack, defacing the homepage of the organization’s website, or conducting a phishing campaign that attempts to steal financial information are all examples of attacks that aim to exploit high value assets.
In order to properly protect your enterprise, you need to first identify which systems and entities are of critical importance to your business. These could be specific applications, infrastructure, or other critical information that would seriously disrupt your ability to do business if compromised or accessed in an unauthorized manner.
This article is part of Splunk's Use Case Explorer for Security, which is designed to help you identify and implement prescriptive use cases that drive incremental business value. In the Security maturity journey described in the Use Case Explorer, this article is part of Data availability and retention.
What is a high value asset (HVA)?
The Cybersecurity and Infrastructure Security Agency (CISA) defines an HVA as:
Information or an information system that is so critical to an organization that the loss or corruption of this information or loss of access to the system would have serious impact to the organization’s ability to perform its mission or conduct business.
The Federal OMB Memorandum M-19-03 defines HVAs as information or information systems that fall into one of the following three categories:
- Informational value. The information or information system that processes, stores or transmits the information is of high value to the government or its adversaries.
- Mission essential. The organization owning the information or information system cannot accomplish its mission essential functions (MEF) within expected timelines without the information or information system.
- Protective assets. The assets serve critical functions for maintaining security or resilience. Security and resilience are not the same.
  - Security assets are needed to protect the organization from attacks and breaches.
  - Resilience focuses on continuing business operations even after an attack has occurred.
Why is identifying high value assets important?
High value assets are the main target of a cyberattack, so identifying these in advance can help you plan your response to scenarios where these specific assets could be compromised.
As well as the impacts to business continuity and reputational risks that occur as a result of attacks on high value assets, some companies may have regulatory requirements or internal controls that designate which systems must be identified as high value. For example, PCI-DSS tells us that any system that stores or transmits payment card information must be identified as an HVA.
If you are in the public sector and must adhere to federal requirements, FIPS 199 and NIST SP 800-60 require you to categorize your information and information systems. The Department of Homeland Security's BOD 18-02 also lists several actions that must be performed to comply with the directive, including participating in assessments of your HVAs and following processes for the remediation of vulnerabilities.
How can I identify my organization's high value assets?
It can be helpful to consider a number of hypothetical scenarios to help you catalog your most sensitive and critical systems. Questions you might want to ask include:
- Does your company have an IT disaster recovery plan, and if not, what would the impact of not having one be?
- What systems, applications, and data are most critical to running your business?
- If your company had a major outage, what would be the impact to your customers and ultimately your bottom line?
- Which systems contain sensitive information?
- If you knew that there was a cyberattacker in your network, what do you fear they would do, access, or steal?
You'll need to identify and categorize all of your organization’s high value assets not only as a one-time exercise but also as a continuously updated process to ensure that proper protections and restrictions are in place.
After you have identified your HVAs, it is essential to monitor events that involve them in order to quickly and effectively respond to attacks or threats that specifically target these HVAs.
How can Splunk software help me monitor high value assets?
Security solutions such as Splunk Enterprise Security can assign different risk scores and values for higher risk assets and identities. Doing this leads to higher fidelity alerting because you put more weight on your most important systems and users.
It is important to apply stricter controls to higher-value assets so that alerts involving your most critical assets surface first. When you raise the risk scores attached to your HVAs, risk-based alerting (RBA) uses those higher scores to create higher-fidelity risk notables in your Splunk Enterprise Security SIEM.
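The following is an added example, not code from this article or from Splunk Enterprise Security, that models the idea above in plain Python: each risk event carries a base score, the score is multiplied by the priority of the asset it touches (taken from the inventory produced by the HVA identification exercise), risk is aggregated per asset over a time window, and a notable is raised only when the aggregate crosses a threshold and several distinct detection rules have fired. The asset names, priority labels, weights, thresholds, and risk events are all constructed for illustration, and the field names are assumptions rather than the framework's own. Assets that appear in events but not in the inventory get only the baseline weight and are reported separately, which is why the inventory has to be kept current.

```python
"""
Added example (not Splunk's code): priority-weighted risk aggregation per
asset, in the spirit of risk-based alerting. All data and names below are
constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: the output of an HVA identification exercise.
# "priority" labels and the categories are assumptions for this example.
ASSETS = {
    "pay-db-01": {"priority": "critical", "category": "informational value"},
    "erp-app-01": {"priority": "high", "category": "mission essential"},
    "siem-01": {"priority": "high", "category": "protective"},
    "kiosk-07": {"priority": "low", "category": "none"},
}

# Assumed multipliers applied to a rule's base score according to asset priority.
PRIORITY_WEIGHT = {"low": 1.0, "medium": 1.5, "high": 2.0, "critical": 4.0}
# Assets missing from the inventory get the baseline weight (and are flagged below).
UNKNOWN_WEIGHT = 1.0

# Constructed risk events: (ISO timestamp, asset, rule name, base risk score).
RISK_EVENTS = [
    ("2024-05-01T09:00:00", "pay-db-01", "Brute force auth", 20),
    ("2024-05-01T09:10:00", "pay-db-01", "New local admin", 30),
    ("2024-05-01T09:15:00", "kiosk-07", "Brute force auth", 20),
    ("2024-05-01T09:20:00", "kiosk-07", "New local admin", 30),
    ("2024-05-01T09:25:00", "kiosk-07", "Unusual outbound", 25),
    ("2024-05-01T10:00:00", "dev-box-42", "Brute force auth", 20),
    ("2024-05-01T13:00:00", "erp-app-01", "Brute force auth", 20),
    ("2024-05-02T11:00:00", "pay-db-01", "Unusual outbound", 25),
]


def weighted_score(asset, base_score):
    """Scale a rule's base score by the priority of the asset it involves."""
    priority = ASSETS.get(asset, {}).get("priority")
    return base_score * PRIORITY_WEIGHT.get(priority, UNKNOWN_WEIGHT)


def unknown_assets(events):
    """Assets seen in risk events that are absent from the inventory."""
    return {asset for _, asset, _, _ in events if asset not in ASSETS}


def aggregate_risk(events, window=timedelta(hours=24)):
    """For each asset, find the sliding window (ending at one of its events)
    with the highest total weighted risk; return that score and the set of
    distinct rules that contributed to it."""
    by_asset = defaultdict(list)
    for ts, asset, rule, base in events:
        by_asset[asset].append((datetime.fromisoformat(ts), rule, weighted_score(asset, base)))

    summary = {}
    for asset, evs in by_asset.items():
        evs.sort()
        best = {"score": 0.0, "rules": set()}
        for i, (ts_end, _, _) in enumerate(evs):
            in_window = [e for e in evs[: i + 1] if ts_end - e[0] <= window]
            score = sum(e[2] for e in in_window)
            if score > best["score"]:
                best = {"score": score, "rules": {e[1] for e in in_window}}
        summary[asset] = best
    return summary


def risk_notables(events, score_threshold=100.0, min_distinct_rules=2,
                  window=timedelta(hours=24)):
    """Assets whose aggregated risk crosses the threshold with enough distinct
    rules firing; returned as sorted (asset, score, distinct_rule_count)."""
    summary = aggregate_risk(events, window)
    return sorted(
        (asset, s["score"], len(s["rules"]))
        for asset, s in summary.items()
        if s["score"] >= score_threshold and len(s["rules"]) >= min_distinct_rules
    )


if __name__ == "__main__":
    for asset, s in aggregate_risk(RISK_EVENTS).items():
        print(f"{asset:12} score={s['score']:6.1f} rules={len(s['rules'])}")
    print("notables:", risk_notables(RISK_EVENTS))
    print("not in inventory:", unknown_assets(RISK_EVENTS))
```

With the constructed data, the same two rules ("Brute force auth" and "New local admin") that add up to 50 on the low-priority kiosk add up to 200 on the critical payment database, so only the database crosses the 100-point threshold and becomes a notable; the kiosk, despite three rules firing, stays below it. The `dev-box-42` host is reported as missing from the inventory, which is the signal to revisit the HVA catalog rather than to silently treat it as low value.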
These resources might help you understand and implement this guidance:
- CISA: Cover your assets! – Securing critical and high-value assets (HVAs)
- .Conf Talk: Got assets? Detecting and protecting your assets with Splunk
- .Conf Talk: Got assets? Defending your assets part two: You asked for it!
- Product Tip: Using the Splunk Enterprise Security assets and identities framework
Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.