The modern map -- in fact, any map since the Age of Sail -- serves an important purpose in navigation. Exploration feats, such as Magellan's circumnavigation of the globe, Lewis and Clark's American expedition, or more recent excursions to the Earth's polar regions, would not have been possible without mapping knowledge and ability.
A cursory look at ancient or medieval history shows that early maps, prior to their use for navigation, served a different purpose entirely. The map in the 15th century manuscript La Fleur des Histoires was by no means intended to be geographically accurate. Instead, it was designed to convey a concept or idea -- in this case, the separation of ruling powers by region. However, the real power of mapmaking -- that is, for navigation -- would not be realized for generations.
Believe it or not, this underdeveloped potential is reflected in the way security professionals track organizational assets today. Most organizations have an inventory of assets, but it is seldom accurate or complete. Sometimes, inventories extend to VMs and physical hosts; more rarely do they extend to containers. As in the case of prenavigational paper maps, the true power and value are latent. Why is the value yet unrealized? There are a number of reasons, including inaccuracies, lack of interdependency information, lack of context, data that goes stale quickly, and incompleteness, to name a few.
Understanding open source asset visualization
Fortunately, there are individuals in the industry who see the value of maps for cybersecurity. Sacha Faust, proactive security lead at Lyft, is one of those people. He chartered the Lyft security team to release the core element of its asset inventory platform -- Cartography -- as open source. The platform is designed to help organizations visually understand, explore and track relationships between entities in their ecosystem. I recently interviewed Sacha about the open source asset tracking tool's value and how cloud cartography can be used to bolster an organization's information security posture.
Faust explained that, for Lyft, Cartography is not only the primary asset repository, but it also plays a key role in its security program. "Cartography is a central repository of all our assets and the relationships between them," he said.
"Cartography attempts to represent the environment in which we operate and enables transitive exploration of how assets relate to each other. Cartography fits into our automated decision loop platform and is where we can automate observation and orientation to drive decisions and actions," Faust said. "In short, it's the observe and orient part of our OODA [Observe, Orient, Decide, Act] loop for security."
The project originated when Lyft wanted to answer some fundamental questions but was limited in doing so by the asset tracking methodology currently in use. "The motivation came while trying to scale red team tactics across extensive cloud infrastructure. We were unable to keep track of all relationships across our assets -- to explore them in a transitive way," Faust said. "Furthermore, we couldn't see and measure the true 'blast radius' of blended threats."
The decision to make this work available to others was motivated by Faust's passion for the methodology. Security professionals can find the open source asset tracking tool and its fundamental concepts presented in numerous venues, including BSidesSF 2018 and 2019, as well as Infiltrate 2015 and 2017.
Engineering the Cartography platform was no simple task. There were numerous technical and procedural hurdles to overcome along the way, Faust said, citing challenges associated with relational databases. "Traditional relational databases were not well suited for the transitive analysis use cases we were looking to solve at scale," he said. "Additionally, these environments were typically very slow with overly complicated setups, which drastically impeded our implementation. The broader adoption of graph databases around 2010 was a game-changer and helped achieve the desired scenarios."
How to adapt this asset mapping approach
Lyft's approach and its open source asset tracking tool have been under active development for a long time. It is one of the core elements of the security program for the large and complex technology company. The ability to accurately visualize and traverse relationships between entities has presented usage scenarios for Lyft that would be impossible to accomplish otherwise.
With that in mind, security practitioners may wonder how to make use of this type of approach in their environment. The first and easiest way to do this is to try the Cartography tool out in their own environment. After all, the product is free and open source. In fact, Faust encouraged anyone to get involved. Whether to contribute a simple bug fix or to suggest new improvements to assist with usage, participation is valuable. The Python code will be easily understandable to most developers and can enable security practitioners to look under the hood and potentially audit or make changes to the code.
Even if security leaders decide that this software does not meet their program's needs, there is value in examining assets in this way and in adopting an approach that contextualizes interaction of assets.
Understanding the relationships between various assets has value in itself, and there are benefits to simply approaching asset inventories in this way. For example, if you are able to record relationships between entities -- even if done manually using the existing asset tracking or asset management systems you have in place today -- you can start to mine that information for use in solving security problems.
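As an added illustration of the transitive "blast radius" question Faust describes (this is not code from the Cartography project, which keeps its graph in a database rather than a Python dict, and the asset names and edges below are constructed), a small relationship graph is walked from one asset to list everything it can transitively reach, and then to find which intermediate assets every path to a sensitive target passes through:

```python
from collections import deque

# Constructed sample inventory (not Cartography's schema). A directed edge
# means "source can reach or affect target" (credential use, network path,
# deploy-time artifact pull). Labels are illustrative only.
ASSET_EDGES = {
    "iam-role:ci-deploy": ["ec2:build-01", "s3:artifacts"],
    "ec2:build-01":       ["rds:staging-db", "ec2:build-02"],
    "ec2:build-02":       ["s3:logs"],
    "iam-role:readonly":  ["s3:logs"],
    "s3:artifacts":       ["ecs:api-svc"],   # image pulled at deploy time
    "ecs:api-svc":        ["rds:prod-db"],
    "rds:staging-db":     [],
    "rds:prod-db":        [],
    "s3:logs":            [],
}

def blast_radius(edges, start):
    """Breadth-first transitive walk from `start`. Returns
    {reachable_asset: shortest path from start}, i.e. the blast radius of
    a compromise of `start` under the modelled relationships."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    paths.pop(start)
    return paths

def cut_assets(edges, start, target):
    """Assets whose removal disconnects `target` from `start`: every path
    runs through them, so they are the relationships to harden or monitor
    first if `target` must be shielded from a compromise of `start`."""
    reach = blast_radius(edges, start)
    if target not in reach:
        return []
    cuts = []
    for cand in reach:
        if cand == target:
            continue
        pruned = {n: [m for m in adj if m != cand]
                  for n, adj in edges.items() if n != cand}
        if target not in blast_radius(pruned, start):
            cuts.append(cand)
    return sorted(cuts)

if __name__ == "__main__":
    for asset, path in sorted(blast_radius(ASSET_EDGES, "iam-role:ci-deploy").items()):
        print(f"{asset:16s} via {' -> '.join(path)}")
    print("cut assets to rds:prod-db:",
          cut_assets(ASSET_EDGES, "iam-role:ci-deploy", "rds:prod-db"))
```

Once the same edges are recorded in whatever inventory you already have, the same two queries answer "what does this asset expose?" and "where should we put the control?" without a purpose-built platform.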