Automation of Asset Inventory for Cyber Security: Investigation of Event Correlation-Based Technique

Abstract

Asset inventory is one of the essential steps in cyber security analysis and management. It is required for security risk identification. Current information systems are large-scale, heterogeneous, and dynamic. This complicates manual inventory of the assets as it requires a lot of time and human resources. At the same time, an asset inventory should be continuously repeated because continuous modifications of system objects and topology lead to changes in the cyber security situation. Thus, a technique for automated identification of system assets and connections between them is required. The paper proposes a technique for automated inventory of assets and connections between them in different organizations. The developed technique is constructed based on event correlation methods, namely linking the system events to each other. The essence of the technique consists of the investigation of event characteristics and identifying the characteristics that arise solely together. This allows determining system assets via assigning event characteristics to specific asset types. The security risks depend on the criticality of the assets; thus, a discussion of automated calculation of the outlined assets’ criticality is provided. Outlined system objects and topology can be further used for restoring possible attack paths and security assessment. The applicability of the developed technique to reveal object properties and types is demonstrated in the experiments.