How to build network maps for asset management and cybersecurity products

Use cases, tools, and tips.

Shahar Kagan
UX Collective


“In the world of cybersecurity, you can’t secure something if you don’t know it’s there. In order to effectively address security issues, enterprises need a comprehensive and reliable inventory of their internet-facing assets: that is why asset management is the backbone of any effective cybersecurity strategy.”

Why are cybersecurity asset management startups so hot right now? (TechCrunch, February 12, 2022)

Network structures are an integral part of almost any business’s technical resources. The increasing number of monitored devices and the expansion of company branches across multiple locations create a need for businesses to own and understand their own network structure. Asset management tools can help you create an inventory of business assets, but if your job is to secure the business, you also need to see and understand what’s going on with your network and devices, and how they communicate with each other.

Client: Confidential (2021) UX/UI: Shahar Kagan

Sophisticated network scanners can assist in this understanding by mapping and visualizing the network. These tools and their outputs help users to understand relationships between devices, and make network discovery and diagnosis faster and easier than ever.

Mapping tools collect, analyze, and display real-time data, giving visibility into the IT/OT infrastructure by classifying the devices on the network and mapping the connections between them.

With this kind of visualization, users can easily:

  • Spot network problems at a glance
  • Understand the relationship between the parent and the dependent devices
  • Understand the hierarchy and the location of physical elements
  • Quickly drill down to the problematic device (asset)
  • Prioritize network faults and start remediation actions
by Richa Patel

Visualizations of this kind perform much better than other solutions when working with a huge amount of information. These maps can contain an endless* amount of assets, stand-alone or clustered into groups. (I’m kidding about the ‘endless amount of assets’ — but I have made maps that contained up to 100k assets!!).

The term ‘Topology mapping’ refers to the visual structure of a network, and may represent different contexts. Following are several of the topology types that can be implemented and adjusted to suit the specific needs of your network and resources.

Physical topology refers to the physical location and interconnections between assets, and their hierarchy within the IT network.

Network topology refers to the connections between the assets, and how they communicate with each other.

Logical topology (which is a little more abstract and strategic) refers to the ‘how and why’ of the way the network is arranged, and the rules dictating the design.

Two different topologies on the same screen allow the CISO and the operator to work together
Client: Confidential (2019) PM: Shani Sagiv UX/UI: Shahar Kagan

Assets (any endpoint or device)

An asset is any endpoint on the map, usually represented by an icon, a logo, or another visual element. Assets can be physical devices, parts of larger environments, or events that happened in the system. Usually, assets are clustered into groups (such as subnets, types, or security zones) to provide context, or to define the system hierarchy.

There are various indications about each asset that help to distinguish assets from each other (name, IP, type, size, location). Which of these indications are shown depends mainly on their importance and on the canvas real estate available.

Other indications such as severity or connectivity may be more important, and should always appear, as they help users to prioritize their actions.

Client: Atmosec (2021) PM: Misha Shlezinger UX/UI: Shahar Kagan

Groups (also known as clusters or zones)

Most systems are large-scale and contain numerous assets. In such systems, whoever built the system hierarchy clustered the assets into groups. Whether the groups are physical or contextual, their purpose is to give the asset map context. With this context, users can:

  • Understand the relationship between the parent and the dependent devices
  • Understand the hierarchy and the location of physical assets
  • Quickly drill down to the problematic asset and view its connections
  • Identify the size of the group and the number of assets in it
Client: Confidential (2021) UX/UI: Shahar Kagan

Usually, a group has one identifier according to which assets are gathered together — such as type, severity, location and environment. In other cases, a group may have a mechanism that forces all assets in it to behave in the same way, using policies or automation.

Client: Confidential (2021) UX/UI: Shahar Kagan

One screen can present several grouping options that can be used by different personas and user types. Each user has a grouping mechanism according to their own point of interest — whether it be severity level, types, subnets, security zones, operating systems, locations, or vendors.
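As an added example (not code from the article or from any of the products pictured), the following JavaScript models the grouping mechanism described above: a flat asset inventory is clustered by a pluggable key (subnet, security zone, type, or severity), and each cluster carries its member count and its worst member severity, so a collapsed group can still show the severity indication and the worst groups sort first. The asset records are constructed sample data, and the field names (`id`, `ip`, `zone`, `severity`, and so on) are assumptions for the demo.

```javascript
// Added example: cluster a flat asset inventory by a persona-specific key.
// The asset records below are constructed sample data, not a real inventory.
const SEVERITY_RANK = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };

const assets = [
  { id: 'a1', name: 'plc-line-1', ip: '10.0.1.10', type: 'plc',    zone: 'ot',  severity: 'critical' },
  { id: 'a2', name: 'hmi-line-1', ip: '10.0.1.11', type: 'hmi',    zone: 'ot',  severity: 'none' },
  { id: 'a3', name: 'historian',  ip: '10.0.2.5',  type: 'server', zone: 'dmz', severity: 'medium' },
  { id: 'a4', name: 'erp-db',     ip: '10.0.3.20', type: 'server', zone: 'it',  severity: 'none' },
  { id: 'a5', name: 'eng-laptop', ip: '10.0.3.21', type: 'laptop', zone: 'it',  severity: 'high' },
];

// Derive the /24 subnet of a dotted-quad IPv4 address (a /24 is assumed for the demo).
function subnet24(ip) {
  return ip.split('.').slice(0, 3).join('.') + '.0/24';
}

// One grouping strategy per point of interest (operator, CISO, IT admin, ...).
const GROUPERS = {
  subnet:   a => subnet24(a.ip),
  zone:     a => a.zone,
  type:     a => a.type,
  severity: a => a.severity,
};

// Cluster assets by the chosen key. Each cluster records its size and the
// worst severity among its members, so a collapsed group keeps its
// "something is wrong in here" indication. Worst (then largest) clusters sort first.
function clusterBy(items, key) {
  const groupKey = GROUPERS[key];
  if (!groupKey) throw new Error(`unknown grouping: ${key}`);
  const clusters = new Map();
  for (const a of items) {
    const k = groupKey(a);
    if (!clusters.has(k)) clusters.set(k, { key: k, size: 0, members: [], worst: 'none' });
    const c = clusters.get(k);
    c.size += 1;
    c.members.push(a.id);
    if (SEVERITY_RANK[a.severity] > SEVERITY_RANK[c.worst]) c.worst = a.severity;
  }
  return [...clusters.values()]
    .sort((x, y) => SEVERITY_RANK[y.worst] - SEVERITY_RANK[x.worst] || y.size - x.size);
}

// Stand-alone run: the subnet view an operator would see.
console.log(clusterBy(assets, 'subnet')
  .map(c => `${c.key}: ${c.size} assets, worst severity ${c.worst}`).join('\n'));
```

Switching persona is a matter of calling `clusterBy(assets, 'zone')` or `clusterBy(assets, 'type')` on the same inventory; the map only re-clusters, the underlying assets never change.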

Connections (also known as links, traffic…)

The links between assets are highly abstract. They can represent data such as traffic or protocols, the definition of security rules such as policies or attack vectors, or simply a certain connection between two assets (like two small production lines within a big factory). A link can also indicate the health of the connection, whether it was attacked, and whether a violation of some kind occurred.

Client: Confidential (2021) UX/UI: Shahar Kagan

Common flows and use cases

Users need to monitor and explore the system on a regular basis. They need to track their environment, and identify and locate suspicious events. There are several ways users work with these maps. Here, I’ll present the most common ones, and some helpful features.

1. Discover (from macro to micro)

While monitoring the business, users are often in a process of exploration, or discovery, as they don’t always know what types of behavior and events they should be looking for in the network. In such a flow, users dive in and out of the network hierarchy, and search for suspicious events or anomalies.

When a certain asset is selected as a point of focus, users want to understand as much as possible about the asset and its connections without leaving the map. To this end, users require supporting tools such as: informative tooltips, asset glance, isolate mode, collapse/expand, and show/hide connections. All of these tools are explained later in this article.

Client: confidential (2021) UX/UI: Shahar Kagan

2. Prioritize (show me what’s important)

A user who is familiar with an environment can monitor the network at a much higher level, and executes actions and operations based on the alerts and indications from the system. When issues occur, the map instantly shows which devices have problems, so the user can see at once where the problem lies.

Each asset may have several indications reflecting the asset status:

Severity: Indicates that something is wrong with the asset, and that the issue may impact the entire network. The indication will usually be red, orange, or yellow.

Status: Indicates whether or not the asset is connected/active. The indication will usually be green or gray.

Special indications: Some events require special indications for the user to understand the context. These indications usually have dedicated icons that are attached to the respective assets. For example, on cybersecurity platforms, the indication can explain whether the asset is under attack, and from what kind of threat: hacker, vulnerability, malware.

Client: confidential (2019) UX/UI: Shahar Kagan

3. Filter (hide the irrelevant)

In some flows, the user is looking for a certain type of asset, a specific connection or protocol, or the alerted assets, and wants to hide everything else. This is why, on large-scale networks, it is almost impossible to work without a deep filtering mechanism.

The filtering options need to cover all asset attributes: type, protocol, security level, severity status, connectivity status, and any other relevant parameter.

This feature filters out the irrelevant assets, and cuts the map from numerous assets to just a few, in two or three clicks.

Client: Confidential (2019) PM: Shani Sagiv UX/UI: Shahar Kagan

4. Search

In some cases, a user knows exactly which asset they are looking for, and wants to find it as quickly as possible.

With a search feature the user can find any asset using multiple attributes (asset name, IP address, logical name), and continue with the flow of investigating the asset, its connections, and what went wrong.

Client: Atmosec (2021) PM: Misha Seltzer UX/UI: Shahar Kagan
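The filter and search flows from the two sections above, as an added JavaScript example (not code from the article or from the products pictured): `applyFilter` matches any combination of asset attributes, `search` accepts a name or logical-name fragment, an exact IP, or a CIDR range so that "10.0.3.0/24" returns every asset in that subnet, and `visibleLinks` prunes connections whose endpoints were hidden so the map never draws a link to nothing. The assets, links, and field names are constructed for the demo.

```javascript
// Added example: attribute filtering and multi-attribute search over a map's
// asset list. Assets and links are constructed sample data.
const assets = [
  { id: 'a1', name: 'plc-line-1', logicalName: 'Line 1 controller',  ip: '10.0.1.10', type: 'plc',    zone: 'ot',  severity: 'critical', status: 'active' },
  { id: 'a2', name: 'hmi-line-1', logicalName: 'Line 1 panel',       ip: '10.0.1.11', type: 'hmi',    zone: 'ot',  severity: 'none',     status: 'active' },
  { id: 'a3', name: 'historian',  logicalName: 'Process historian',  ip: '10.0.2.5',  type: 'server', zone: 'dmz', severity: 'medium',   status: 'active' },
  { id: 'a4', name: 'erp-db',     logicalName: 'ERP database',       ip: '10.0.3.20', type: 'server', zone: 'it',  severity: 'none',     status: 'inactive' },
  { id: 'a5', name: 'eng-laptop', logicalName: 'Engineering laptop', ip: '10.0.3.21', type: 'laptop', zone: 'it',  severity: 'high',     status: 'active' },
];
const links = [
  { from: 'a2', to: 'a1', protocol: 'modbus' },
  { from: 'a3', to: 'a1', protocol: 'modbus' },
  { from: 'a5', to: 'a3', protocol: 'https' },
  { from: 'a5', to: 'a4', protocol: 'tds' },
];

// IPv4 dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((n, octet) => (n << 8) + Number(octet), 0) >>> 0;
}

// Parse "10.0.3.0/24"; returns null when the query is not CIDR notation.
function parseCidr(q) {
  const m = /^(\d{1,3}(?:\.\d{1,3}){3})\/(\d{1,2})$/.exec(q);
  if (!m || Number(m[2]) > 32) return null;
  const bits = Number(m[2]);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { net: (ipToInt(m[1]) & mask) >>> 0, mask };
}

// Filter: every listed attribute must match; a value may be a single accepted
// value or an array of accepted values (e.g. severity: ['high', 'critical']).
function applyFilter(items, criteria) {
  return items.filter(a => Object.entries(criteria).every(([attr, want]) => {
    const accepted = Array.isArray(want) ? want : [want];
    return accepted.includes(a[attr]);
  }));
}

// Search: exact IP, CIDR range, or case-insensitive substring of the asset
// name or logical name. An empty query matches nothing rather than everything.
function search(items, query) {
  const q = query.trim().toLowerCase();
  if (!q) return [];
  const cidr = parseCidr(q);
  return items.filter(a => {
    if (cidr) return ((ipToInt(a.ip) & cidr.mask) >>> 0) === cidr.net;
    return a.ip === q
      || a.name.toLowerCase().includes(q)
      || (a.logicalName || '').toLowerCase().includes(q);
  });
}

// Keep only links with both endpoints still on the map, so no dangling
// connection is drawn to a hidden asset.
function visibleLinks(allLinks, visibleAssets) {
  const ids = new Set(visibleAssets.map(a => a.id));
  return allLinks.filter(l => ids.has(l.from) && ids.has(l.to));
}

// Protocol filter for the connections themselves ("show only Modbus").
function linksByProtocol(allLinks, protocols) {
  return allLinks.filter(l => protocols.includes(l.protocol));
}
```

Filters compose: `visibleLinks(linksByProtocol(links, ['modbus']), applyFilter(assets, { zone: 'ot' }))` is the "OT zone, Modbus only" view, reached in two clicks from the full map.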

5. Edit (admin mode)

Most maps come with editing capabilities, enabling the admin to build, define, and configure the network, and how it is presented. In other cases, users themselves can change and define the network according to their needs.

In editing mode, the user can define the hierarchy, add or delete assets, define new groups and move assets between groups.

This editing flow needs to be distinguished and highlighted, so the user will understand that all changes are temporary, and are saved only on the user’s local station, until the final save and approval.

Cambridge-Intelligence (KeyLines feature)

Even after ‘Save and Approve’, it is common to present the changes that were made and their impact on the system, and then ask for approval again. This is a common flow in cybersecurity products, where moving assets between security zones might create entry points that did not exist before, and it makes users aware of the impact before it takes effect.
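The staged-edit and second-approval flow described above, as an added JavaScript example (not code from the article, from KeyLines, or from any product pictured): moves between security zones are kept in a pending set until `approve()`, and `impact()` diffs the zone-boundary crossings before and after the pending moves, labelling each crossing with the boundary it crosses so that the same link acquiring a new boundary shows up as a new potential entry point. The inventory, links, and zone names are constructed for the demo.

```javascript
// Added example: stage a security-zone move in edit mode and compute its
// impact before final approval. Zone assignments and links are constructed.
const assets = {
  a1: { name: 'plc-line-1', zone: 'ot' },
  a2: { name: 'hmi-line-1', zone: 'ot' },
  a3: { name: 'historian',  zone: 'dmz' },
  a4: { name: 'erp-db',     zone: 'it' },
  a5: { name: 'eng-laptop', zone: 'it' },
};
const links = [
  { from: 'a2', to: 'a1' },
  { from: 'a3', to: 'a1' },
  { from: 'a5', to: 'a3' },
  { from: 'a5', to: 'a4' },
];

// Links that cross a zone boundary, labelled with the boundary they cross.
// The label changes when either endpoint moves, so the before/after diff
// also catches "same link, new boundary" cases.
function zoneCrossings(zoneOf) {
  return links
    .filter(l => zoneOf(l.from) !== zoneOf(l.to))
    .map(l => `${l.from}->${l.to} (${zoneOf(l.from)}->${zoneOf(l.to)})`);
}

class EditSession {
  constructor(inventory) {
    this.inventory = inventory;   // the approved state
    this.pending = new Map();     // id -> new zone, local until approve()
  }
  moveToZone(id, zone) {
    if (!this.inventory[id]) throw new Error(`unknown asset ${id}`);
    this.pending.set(id, zone);
  }
  // Zone lookup as it would be once the pending moves are applied.
  projectedZone() {
    return id => this.pending.get(id) ?? this.inventory[id].zone;
  }
  // What the second approval screen shows: crossings that would appear
  // (candidate new entry points) and crossings that would disappear.
  impact() {
    const before = new Set(zoneCrossings(id => this.inventory[id].zone));
    const after = new Set(zoneCrossings(this.projectedZone()));
    return {
      newCrossings: [...after].filter(x => !before.has(x)),
      removedCrossings: [...before].filter(x => !after.has(x)),
    };
  }
  approve() {
    for (const [id, zone] of this.pending) this.inventory[id].zone = zone;
    this.pending.clear();
  }
  discard() { this.pending.clear(); }
}

// Stand-alone run: moving the historian from the DMZ into the OT zone.
const session = new EditSession(assets);
session.moveToZone('a3', 'ot');
console.log(session.impact());
```

In the sample, moving the historian into the OT zone removes two crossings but creates `a5->a3 (it->ot)`: the engineering laptop now reaches the OT zone directly, which is exactly the kind of new entry point the second approval screen exists to surface.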

Features and tools

Asset Glance

Users are exposed to massive numbers of assets, and need a way to tell assets apart. Clicking on an asset should open a small modal showing the asset name, the asset’s main attributes, and, most importantly, a button or link to the asset page. This modal is commonly called the asset glance.

The asset glance should include the minimum identifiers required to provide the asset’s vital statistics, without leaving the map. This glance is intended to give users information like the asset’s name, type, IP, and location. If a user chooses to investigate further, the next step is to visit the asset page for more information. For this reason, a direct link to the asset page should appear in the glance.

Client: confidential (2021) UX/UI: Shahar Kagan

The asset glance is a great place to add some commonly used actions, like: move to another group, add to favorites, assign to user, tag, add note, rename, and change policy.

Focus back

Users need to be able to dive in and scroll around a map in order to find more information or to focus on a specific area. After extensive scrolling, users might start losing their orientation — and scrolling back doesn’t always get good results.

Adding a focus icon that zooms out to the initial preview will help lost users.

Collapse/Expand

The grouping mechanism is useful for understanding the hierarchy and identifying which asset can be found where, but sometimes users will prefer to explore the system on a flat view.

In such a flow, most users would appreciate a feature that collapses or expands all groups with one click.

Client: Confidential (2018) PM: Shani Sagiv UX/UI: Shahar Kagan

Isolate mode

Another scenario is to isolate an event or area. A user wishing to investigate an alert, or who suspects that an attack has occurred, can isolate the affected assets, and investigate their connection.

Isolate mode allows the user to focus on the relevant events and assets, and to filter out all the unnecessary noise.

Client: Confidential (2020) UX/UI: Shahar Kagan

Hide the connections

Large-scale networks host an enormous number of assets, up to hundreds of thousands. Connections between assets can create a lot of background noise, which hinders asset exploration and accessibility.

Flows can be implemented that make it easier for users to hide unnecessary connections and focus on the required assets.

Users can reduce map noise with one click
Client: Confidential (2020) UX/UI: Shahar Kagan
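Isolate mode and connection hiding, from the two sections above, as one added JavaScript example (not code from the article or from the products pictured): `isolate` walks the map breadth-first from the alerted assets for a chosen number of hops and returns only the reached assets and the links between them, and `hideConnections` drops the remaining noise, keeping only attacked or violating links and/or only chosen protocols. Assets, links, the `alerted` flag, and the link `status` values are constructed for the demo.

```javascript
// Added example: isolate mode (k-hop neighbourhood of alerted assets) and
// connection hiding. Assets and links are constructed sample data.
const assets = [
  { id: 'a1', name: 'plc-line-1', alerted: true },
  { id: 'a2', name: 'hmi-line-1', alerted: false },
  { id: 'a3', name: 'historian',  alerted: false },
  { id: 'a4', name: 'erp-db',     alerted: false },
  { id: 'a5', name: 'eng-laptop', alerted: false },
  { id: 'a6', name: 'dns-1',      alerted: false },
  { id: 'a7', name: 'printer',    alerted: false },
];
const links = [
  { from: 'a2', to: 'a1', protocol: 'modbus', status: 'ok' },
  { from: 'a3', to: 'a1', protocol: 'modbus', status: 'attacked' },
  { from: 'a5', to: 'a3', protocol: 'https',  status: 'violation' },
  { from: 'a5', to: 'a4', protocol: 'tds',    status: 'ok' },
  { from: 'a6', to: 'a5', protocol: 'dns',    status: 'ok' },
  { from: 'a6', to: 'a7', protocol: 'dns',    status: 'ok' },
  { from: 'a4', to: 'a7', protocol: 'ipp',    status: 'ok' },
];

// Undirected adjacency: an investigation follows links in both directions.
function adjacency(allLinks) {
  const adj = new Map();
  const add = (x, y) => { if (!adj.has(x)) adj.set(x, new Set()); adj.get(x).add(y); };
  for (const l of allLinks) { add(l.from, l.to); add(l.to, l.from); }
  return adj;
}

// Isolate: breadth-first walk from the seed assets up to `hops` hops,
// returning the reached assets and only the links between them.
function isolate(allAssets, allLinks, seedIds, hops = 1) {
  const adj = adjacency(allLinks);
  const reached = new Set(seedIds);
  let frontier = [...seedIds];
  for (let h = 0; h < hops && frontier.length; h++) {
    const next = [];
    for (const id of frontier) {
      for (const n of adj.get(id) ?? []) {
        if (!reached.has(n)) { reached.add(n); next.push(n); }
      }
    }
    frontier = next;
  }
  return {
    assets: allAssets.filter(a => reached.has(a.id)),
    links: allLinks.filter(l => reached.has(l.from) && reached.has(l.to)),
  };
}

// Hide connections: keep only alerted links and/or links in the given
// protocols. With no options the input is returned unchanged.
function hideConnections(subLinks, { onlyAlerted = false, protocols = null } = {}) {
  return subLinks.filter(l =>
    (!onlyAlerted || l.status !== 'ok') &&
    (!protocols || protocols.includes(l.protocol)));
}

// Convenience: isolate around every alerted asset on the map.
function isolateAlerted(allAssets, allLinks, hops = 1) {
  const seeds = allAssets.filter(a => a.alerted).map(a => a.id);
  return isolate(allAssets, allLinks, seeds, hops);
}

// Stand-alone run: two hops around the alerted PLC, alerted links only.
const view = isolateAlerted(assets, links, 2);
console.log(view.assets.map(a => a.name), hideConnections(view.links, { onlyAlerted: true }));
```

Widening the hop count is how an analyst "dives in": one hop shows the PLC and the two devices talking to it, two hops pulls in the laptop whose session to the historian was flagged, and only then does the lateral path from IT into OT become visible.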

Crown Jewels (keep an eye on critical business services)

Most cybersecurity teams refer to their critical assets as crown jewels, and make special efforts to protect them. In such environments, it is advisable to create a dedicated group on the map that collects all critical assets.

It makes sense to consolidate the devices that need special attention into one group, even when they are spread across different subnets, zones, or locations.

Do topology maps always present physical assets or networks?

This kind of visualization can also be a good fit for other media and environments. In the example below, we represented an entire cyber attack, with all the events leading up to the attack and the actions that followed.

The description of chronological events using the map meant that we could add another dimension: time.

The timeline tool helps the analyst to understand and mitigate the incident, identify the attack vectors, and discover the identity of the attacker and of the victims.

Client: Cybear (2021) PM: Ophir Dror UX/UI: Shahar Kagan
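The time dimension described above, as an added JavaScript example (not code from the article or from the Cybear product): a chronological event list is folded into a map whose edges carry first-seen and last-seen times and a hit count, `replayUntil` is the time slider that returns the map as it looked at a given instant, and `attackPath` walks backwards from a victim along the earliest preceding incoming edge to recover the chain from entry point to target. The events, host names, and action labels are constructed for the demo; the only assumption is that hops in an attack chain are ordered by first-seen time.

```javascript
// Added example: an attack timeline as a map with a time dimension.
// Events are constructed sample data.
const events = [
  { t: '2021-03-01T08:00:00Z', src: 'eng-laptop', dst: 'vpn-gw',     action: 'vpn-login' },
  { t: '2021-03-01T08:05:00Z', src: 'eng-laptop', dst: 'historian',  action: 'rdp' },
  { t: '2021-03-01T08:20:00Z', src: 'historian',  dst: 'plc-line-1', action: 'modbus-write' },
  { t: '2021-03-01T08:25:00Z', src: 'eng-laptop', dst: 'historian',  action: 'rdp' },
  { t: '2021-03-01T08:30:00Z', src: 'historian',  dst: 'plc-line-1', action: 'modbus-write' },
];

// Fold events into nodes and directed edges, keeping first/last-seen times
// and a count per edge so the map can show "when" and "how often".
function buildTimeline(evts) {
  const sorted = evts.map(e => ({ ...e, ms: Date.parse(e.t) })).sort((a, b) => a.ms - b.ms);
  const nodes = new Map();
  const edges = new Map();
  for (const e of sorted) {
    for (const n of [e.src, e.dst]) if (!nodes.has(n)) nodes.set(n, { id: n, firstSeen: e.ms });
    const key = `${e.src}->${e.dst}`;
    if (!edges.has(key)) {
      edges.set(key, { src: e.src, dst: e.dst, actions: new Set(), firstSeen: e.ms, lastSeen: e.ms, count: 0 });
    }
    const edge = edges.get(key);
    edge.actions.add(e.action);
    edge.lastSeen = e.ms;
    edge.count += 1;
  }
  return { nodes: [...nodes.values()], edges: [...edges.values()] };
}

// Time slider: the map as it looked at instant `t` (ISO 8601 string).
function replayUntil(timeline, t) {
  const ms = Date.parse(t);
  return {
    nodes: timeline.nodes.filter(n => n.firstSeen <= ms),
    edges: timeline.edges.filter(e => e.firstSeen <= ms),
  };
}

// Attack vector: from a victim, step back along the earliest incoming edge
// that precedes the step we arrived by, until no earlier hop exists.
// The first element of the result is the entry point.
function attackPath(timeline, victim) {
  const path = [victim];
  const seen = new Set([victim]);
  let cur = victim;
  let bound = Infinity;
  for (;;) {
    const candidates = timeline.edges.filter(e => e.dst === cur && e.firstSeen < bound && !seen.has(e.src));
    if (!candidates.length) break;
    const prev = candidates.reduce((a, b) => (a.firstSeen <= b.firstSeen ? a : b));
    path.unshift(prev.src);
    seen.add(prev.src);
    cur = prev.src;
    bound = prev.firstSeen;
  }
  return path;
}

// Stand-alone run: the chain that ends at the PLC.
console.log(attackPath(buildTimeline(events), 'plc-line-1').join(' -> '));
```

The backward walk is deliberately conservative: it only follows an incoming edge that was first seen before the hop it is explaining, so a connection that appeared after the victim was already compromised is not mistaken for the way in.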

The map doesn’t always need to tell the true story

Illusive Networks uses deception technology to stop cyberattacks by detecting and disrupting attackers’ decision-making processes, depriving them of the means to move laterally toward attack targets.

In the example below we needed to represent on the map two views:

  1. How the CISO sees and understands the system.
  2. How the attacker sees the system, with all the decoys and traps that the CISO prepared for the attacker.
Client: Illusive Networks (2016) UX: Shahar Kagan UI: Olga Zakai

Dev/Product tips

Define the events on the map (clicks, hover…)

When users discover a network for the first time, they tend to bounce quickly from asset to asset, trying to understand the lay of the land. To help users navigate the network, hovering over an asset or a group should present a small tooltip which contains the asset name, and can include another attribute such as IP, or type.

A user can understand more about a certain asset by clicking on the asset, which opens a small modal (asset glance) displaying more of the asset’s details and attributes. From the asset glance, a link takes the user to the asset page.

Other asset options may be available in certain maps, including options like: edit, delete, merge, move, and rename. All of the available options can be opened by right-clicking on the asset.

Define the canvas

Asset map areas that are sharply cut down the middle of the screen are not pretty. Show the better side of your assets by setting the canvas size and map borders in advance; you can even choose to have no borders at all.

Most maps have many configurations that can be adjusted for better performance and appearance. One of them enables an algorithm that, by default, fits the map to its optimal size on the canvas. Asset visuals are more appealing and accessible when stretched and shaped to fit the entire canvas.

Defining zoom breakpoints on a map provides a better visual experience. Zooming out should cause asset names and icons to disappear; otherwise, your network diagram turns into an undefined mesh, and your whole interface loses its appeal. A better presentation method is to make a set of icons for each asset type, and enclose each one in a shape. When zooming out, the icon disappears, and the shape alone identifies the asset.

Demo/POCs

These topologies can be very impressive pages to show in demos and POCs. When the client (usually the CISO) sees the real picture of their network for the first time, those topologies can have a powerful effect.

  • Make sure you cluster and map all assets using names that the user can understand and relate to.
Reference for jaw-dropping demo

A properly created and maintained map gives administrators and users a logical, user-friendly interface that offers more insight and more perspectives than other solutions. Make sure that the mapping tools meet the needs of the users they serve, and of the companies that support them. Keep in mind that any definitive guide to network topology won’t stay definitive for long, because the technologies that support products and services are constantly updated.


Helping start-ups to position and differentiate themselves, by making products that are unique, easy to use, and with killer visual design. www.shaharkagan.com