Asset Importance estimates the significance of a given asset (IP, domain, hostname) to an organization. This importance is recalculated daily and may fluctuate as new data is processed. Importance levels range from Low to Critical, with specific assets categorized based on several key criteria.
Related data:
- Asset Risk Matrix
- Assets
- Attack Surface Analytics
- Finding Details
- Issue Tracking (SPM)
- Remediation (Continuous Monitoring)
Data Sources Used
Bitsight calculates asset importance using multiple data types, including:
- Passive DNS Data: Tracks DNS lookups to assess asset activity and usage.
- Web Crawling Data: Extracts information about web applications and services.
- Internet-Wide Scanning: Captures details on services and protocols exposed by assets.
- Device Activity Data: Identifies usage patterns of workstations and internet-connected devices.
- Threat Intelligence Data: Provides insights into compromised systems and botnet infections.
These datasets provide insights into asset usage and interaction patterns, feeding into the algorithm that determines importance.
Importance Criteria
A number of factors are used in the algorithm to determine how assets are ranked by relative importance to the organization. The system regularly incorporates new data and recalculates asset importance daily. As a result, the calculated importance could change from day to day because of changes in the underlying inputs.
- We advise creating a user-assigned asset importance if you require a static asset importance.
- An asset of the highest importance within a subsidiary may not necessarily have a high importance relative to the other assets within a larger parent.
Importance Criteria | Description |
---|---|
System Usage | The most notable contribution is the measurement of a system’s usage. The more distinct machines that access a particular asset on the Internet, the higher the importance of the asset. This is agnostic of the service or protocol used to access that system. |
Egress IP | IP addresses where the traffic from an organization’s endpoint devices exits its network onto the Internet are of higher importance. |
Information Submission | Underutilized systems that contain sensitive data may pose a security risk, such as B2B applications or latent test or development systems. This factors in the website’s support for the user’s ability to submit information. It could take the form of mailing list enrollments, registration, login credentials, or any situation where the user is providing information to the server. |
Service Classification | The type of service made available is evaluated, and the importance of its function is factored into the asset’s importance. Example Service Categories: “Authentication protocols,” “Databases,” “System remote access,” “Network remote access,” “Communication services,” “Network infrastructure,” “ICS protocols,” “File exchange,” and “Mail systems,” among others. |
Special Certificates | Systems that are provisioned with special certificates, known as “Extended Validation (EV) certificates,” are of high importance. |
These metrics are processed through a weighted algorithm that assigns a rank to each asset, categorizing it into Low, Medium, High, or Critical importance.
Service Classification Importance
The table below lists various services, their group classification, and their corresponding weight on a scale from 0 to 1, with 1 being the highest value. Each service is assigned a value based on its criticality, influencing the overall importance score of an asset. Only the service with the highest weight will be considered if multiple services are identified on an asset.
The services listed in each category are examples. Each classification may include other services based on their function and criticality. This list is not exhaustive, and the service classifications may be updated as new services are identified.
Service Group | Examples | Service Weight (0 to 1) |
---|---|---|
Databases | | 0.7 |
Communication Services | | 0.6 |
Network Remote Access | | 0.5 |
ICS (Industrial Control Systems) | | 0.4 |
System Remote Access | | 0.3 |
Authentication Protocols | LDAP | 0.2 |
Network Infrastructure | | 0.1 |
File Exchange | FTP | 0.05 |
Network Time Protocol | NTP | 0.02 |
Web Content | | 0.0 |
The importance value of each service contributes to the overall asset ranking, with higher values assigned to more critical functions such as databases and communication services.
Asset Importance Algorithm
The algorithm calculates an importance score between 0 and 1 for each asset based on the service's importance. It uses weighted inputs that are defined separately for domain-based and IP-based assets. This score estimates the asset’s criticality, with higher values representing greater importance.
Why do assets appear and disappear?
Assets may temporarily disappear from the Assets tab if their asset importance (which is recalculated daily based on system usage, sensitivity, and other factors) is of lower importance.
Domain-Based Asset Criteria
The following criteria are used for domain-based assets:
- System Usage: Measures how frequently distinct machines access a domain. This is calculated as the relative frequency of DNS lookups, with more frequently accessed domains given higher importance.
- Information Submission: Indicates whether the domain supports user-submitted data, such as forms for registrations or logins. Domains with user-submitted data are assigned a higher importance.
- Special Certificates: Recognizes the presence of Extended Validation (EV) certificates, which provide added security assurance and increase the importance score.
The final importance score for domain-based assets prioritizes System Usage as the main factor. If the domain is frequently accessed, it’s assigned a higher weight, with additional weight added from Information Submission and Special Certificates where applicable.
IP-Based Asset Criteria
The following criteria are used for IP-based assets:
- System Usage: Measures how frequently an IP is accessed and assigns higher importance to more frequently accessed IPs.
- Egress IP: Identifies IPs that are primary exit points for traffic from an organization’s network, especially those associated with endpoint devices. Egress IPs are given additional weight if they show high activity or signs of infection.
- Host Extension: Integrates the importance scores from related host assets, allowing an IP to inherit the associated host's highest importance score.
- Service Score: Assesses the importance of services running on the IP, such as databases or authentication protocols. It uses the weights described above.
The final importance of each IP-based asset is determined by using the highest value of these four criteria.
Based on the calculated results, each asset is then mapped to a specific importance category:
Importance Category | Importance Calculated Value |
---|---|
Critical | 0.1 and above |
High | 0.01 to 0.099 |
Medium | 0.001 to 0.0099 |
Low | Below 0.001 |
The algorithm assigns an importance score by combining weighted values for specific criteria tailored for domain-based and IP-based assets. This separation ensures that each asset type is evaluated using relevant factors, with scores helping prioritize critical assets. The threshold filters out low-importance assets, focusing the results on those of higher importance.
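The IP-based calculation and category mapping described above, as an added Python example (not Bitsight's code). It assumes each criterion is already a value from 0 to 1, that the service score equals the service group weight, and that the category bands are contiguous; the function names and the sample inventory are constructed for illustration.

```python
# Service group weights and category cut-offs as listed on this page.
SERVICE_WEIGHTS = {
    "Databases": 0.7,
    "Communication Services": 0.6,
    "Network Remote Access": 0.5,
    "ICS (Industrial Control Systems)": 0.4,
    "System Remote Access": 0.3,
    "Authentication Protocols": 0.2,
    "Network Infrastructure": 0.1,
    "File Exchange": 0.05,
    "Network Time Protocol": 0.02,
    "Web Content": 0.0,
}
# (lower bound, category), checked highest first; bands assumed contiguous.
CATEGORIES = [(0.1, "Critical"), (0.01, "High"), (0.001, "Medium")]


def service_score(groups):
    """Only the highest-weighted service group found on the asset counts."""
    return max((SERVICE_WEIGHTS[g] for g in groups), default=0.0)


def ip_importance(system_usage, egress_ip, host_extension, groups):
    """Highest of the four IP criteria. Assumption: each input is already a
    0-to-1 value and the service score is the service group weight itself."""
    return max(system_usage, egress_ip, host_extension, service_score(groups))


def category(score):
    """Map a calculated value to Critical, High, Medium or Low."""
    for lower_bound, name in CATEGORIES:
        if score >= lower_bound:
            return name
    return "Low"


# Constructed inventory: documentation addresses, made-up criterion values
# in the order (system_usage, egress_ip, host_extension, service groups).
SAMPLE = {
    "192.0.2.10": (0.0004, 0.0, 0.0, ["Web Content", "Databases"]),
    "192.0.2.20": (0.0004, 0.0, 0.0, ["Network Time Protocol"]),
    "192.0.2.30": (0.0004, 0.0, 0.003, ["Web Content"]),
    "192.0.2.40": (0.0004, 0.0, 0.0, []),
}


def triage(inventory):
    """Return {ip: category} for every asset in the inventory."""
    return {ip: category(ip_importance(*v)) for ip, v in inventory.items()}
```

Under these assumptions, an IP exposing any service weighted 0.1 or higher is Critical on the service score alone, and even an NTP-only host (0.02) is High regardless of how little traffic it receives.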
Sampling and Thresholds in the Asset Importance Algorithm
The asset importance algorithm includes a sampling mechanism to ensure that the most relevant assets are highlighted. This approach helps users focus on high-impact assets by filtering out low-importance items and maintaining efficient processing.
- Importance Threshold for Hosts: Host assets that fall below a minimum threshold (currently set to 0.00001) are excluded from the final list. This threshold ensures that only hosts with a meaningful level of activity or importance are retained.
- Limit on Assets per Entity: To maintain performance and clarity, there is a limit of 500,000 assets per entity. This cap helps prevent the system from being overwhelmed by an excessive number of assets while still providing a comprehensive view of high-priority infrastructure. For large organizations with extensive digital footprints, this limit balances detail with usability, ensuring that the list remains manageable and actionable.
User-Assigned Asset Importance
Users may assign an importance level to assets in their SPM companies (My Company, My Subsidiary, and subscribed companies in the same Ratings Tree as the My Company).
- The importance of user-assigned assets replaces the Bitsight-calculated asset importances any time importances are referenced (e.g., Assets, Asset Risk Matrix on the remediation tab, Attack Surface Analytics charts).
- User-assigned asset importances are contained within the entity in which they were assigned; they do not translate across the tree.
- User-assigned importances are visible to all users in your organization who can see the company where the asset importance was customized. They are not visible to any third parties monitoring your organization.
- User Importance: The user-assigned asset importance.
- Calculated Importance: The Bitsight-calculated asset importance.
- Importance Updated: The date when the importance was assigned.
- Updated By: The name of the editing user.
- December 12, 2024: Added Data Sources Used, Importance Criteria, Service Classification Importance, Asset Importance Algorithm, and Sampling and Thresholds in the Asset Importance Algorithm sections; Described why assets appear and disappear.
- September 26, 2023: Data review and calculation frequency and how they affect importance criteria; Separated user-assigned asset importance instructions.
- November 30, 2021: Linked to the Assets page overview.