Enterprise-level asset management today internalizes just about every major security environment change that has hit Fortune 1000 companies over the past several years: cloud, internet of things (IoT), shadow IT, BYOD, mobile, virtualization, third- and fourth-party data access, and so much more. It transforms asset management into something that was difficult to track into something that is often almost impossible to track.
Concurrently, new compliance rules focusing on data control, often in the form of privacy requirements, make it even more critical to track those devices and, crucially, the data they contain. It can seem like a no-win scenario for the CISO.
“You can’t manage every device. There is extreme value in endpoint technology, but it can’t see everything,” says David Pearson, Head of Threat Research at Santa Clara, Calif.-based Awake Security. With endpoint protection, though, “you can at least see passively what devices are on the network.”
There is a distinction between an unmanaged device and an unknown device, but from an asset management security perspective, both potentially are just as dangerous.
“There is so much effort put into managed user devices that enterprises own, despite the fact that roughly half of all devices are unmanaged today. Would you let a stranger hang out in your enterprise and record anything visual or audio, test out their connectivity to different parts of the network, etc.?” Pearson asked. “If not, you might want to take a look at how your enterprise security posture factors in modern-day risks.”
Clyde Hewitt, an Executive Advisor at CynergisTek, an Austin, Texas-based consulting firm, says he has seen particularly severe asset management security issues in the healthcare vertical. Beyond especially demanding HIPAA data compliance challenges, healthcare facilities tend to use far more third-party hardware (testing equipment, medical devices, etc.) than other verticals, and that can be an issue.
About “70 percent [of medical devices] have end-of-life operating systems that cannot be patched or upgraded,” Hewitt says. “IT did not have visibility into what was there. We have, until recently, not focused on that. We weren’t even asking ‘What version is your stuff running on?’ because we never got in the habit of asking.”
Another problem that Hewitt says he has run into is jurisdictional within an enterprise, also delightfully known as corporate politics. It’s not going to go well “if the CISO sees a problem with facilities security and they push up against the facilities director saying: ‘I want to fix your stuff.’ There is no escalation path.”
And yet CISOs have little choice when other departments, such as facilities and maintenance, buy operational technology (OT)-network-based door locks and lighting systems, or install consumer-grade cameras or other networking devices, without permission or assistance from the security or IT teams. Such devices frequently offer no way to install or upgrade security software, endangering both security and data privacy.
Often such devices are installed at the department level or perhaps in remote offices and might not be visible to the security team as anything other than an IP or MAC address appearing on a network map. Identifying the devices’ owners or purpose can be problematic for the IT teams, further complicating their ability to determine the type and function of the asset. Not knowing exactly what a device is has repercussions for both the security and finance teams, including determining the asset’s place in its lifecycle.
“CISOs [and] CSOs traditionally limit the scope of their asset management program to components within their area of responsibilities, rather than identify everything from cradle to grave,” Hewitt says. Areas typically ignored “include non-IT [department-owned] components including Internet of Things, leased, and directly connected vendor-owned devices and supporting businesses that access the data. It also includes the vertical scope that would start with the procurement process, specifically identifying controls needed to help manage components such as barcodes and terminate with the disposal process, including the linkage of Certificates of Destruction with the asset inventory.”
Hewitt also says that he frequently runs into third-party issues, where contractors and suppliers, outside sales, distributors, customers with data access, and others connect data and devices to networks without permission. Granting access to cloud environments is an especially tricky area.
This forces CISOs into dealing with devices from a legal rather than just a security perspective. Contractually, third parties with network access need to comply with your enterprise’s security procedures and rules. But, Hewitt argues, how those reminders are phrased can ultimately dictate who is responsible for the potential issues if there are security vulnerabilities and breaches.
“If you have a vendor or subcontractor and are attempting to transfer risk to that third party, you have to say what you want and not how to do it,” Hewitt says. “Otherwise, you are going to get pushback from [the] legal [department]. Be very careful not to tell them how to do things,” he urges. “You need to comply with our security policy, but I am not going to tell you how to comply.”
The rationale is that if the third party figures out how to fix the problem on their own and it later goes wrong, they are on the hook for damages. If you specify precisely what they need to do and it then goes wrong — assuming they followed your instructions to the letter — your enterprise might have to swallow the cost of damages, he says.
Hewitt also pointed to the time-honored could-not-locate (CNL) list as a major asset management security headache. Such lists contain items that should be somewhere but are not — a laptop that is supposed to be in a specific location or a printer that is supposed to be on a specific table but is missing. Hewitt again points to healthcare facilities as being particularly susceptible to CNL problems.
In healthcare, “medical devices are not assigned to a person, but to a hospital” or other medical facility, Hewitt says. “If something goes missing, it may take a year to find. How many devices are on the CNL list and how many have patient data that is regulated by law? Of those that are missing and potentially have patient data, how many have you reported as a breach to the office of civil rights?”
More specifically, all enterprises — not just those in the healthcare industry — need to set a policy for CNL (commonly used for “cannot locate”) aging. How long can a device and its data be on the CNL list before the enterprise declares it truly lost for compliance purposes? When does the clock start? Does it start when the device was last located or whenever the audit was that placed the device on the CNL list?
As a practical matter, this is limited to devices that the enterprise knows exist. But that is not necessarily a distinction that regulators will understand or accept. From a regulatory standpoint, the enterprise has an obligation to track all regulated data and alert officials as soon as it goes missing.
Forrester analyst Josh Zelonis says he sees the enterprise’s “biggest vulnerability” today being asset management controls. Enterprise security officials “don’t have the records that they can rely on to identify what systems are doing,” Zelonis says.
A typical approach that enterprises use today is scanning the network and “sending packets out to actively interrogate your infrastructure” and “hoping to learn about the machines out there,” Zelonis says, adding that he is not necessarily a big fan of that method. “It’s really not the most mature process. There is a whole lot more context needed to truly understand what you are looking at.”
One key issue is deciding who owns, controls or installed that device, “especially as you move to more containerization. You no longer have something that you can stick an asset label on,” Zelonis says.
Another major issue with asset management is that, through a variety of factors including mergers and acquisitions, the asset environment never calms down, which is what makes tracking all enterprise assets a seemingly impossible never-ending task.
“As soon as you figure out everything that is in your environment, it’s changed,” Zelonis says, pointing to security cameras as a classic example. “This is a huge project. Once you get behind, it’s easy to get behind enough that you feel terminally behind.”
A big-picture problem here involves return on investment (ROI). Given that asset management cannot, for the near term at least, be solved and there are three dozen items on a CISO’s to-do list that theoretically can be solved — such as requests from various business managers, dealing with active attacks, getting more actionable threat analytics, and the like — it can be hard to justify the ROI of deploying a lot of resources on asset management. And yet, asset management still needs to be addressed.
“You can’t say, ‘I am not going to be able to solve this so I’m not going to do it.’ That’s not doing your job,” Zelonis says.
Zelonis suggests tracking drift numbers to give CISOs something to point to in order to justify the resource to the CFO, CEO or the board.
“Every Fortune 1000 has a vulnerability management program, scanning what they think is 100 percent of their network on a weekly basis. Look at how your infrastructure changes over time, try to measure the drift of your infrastructure,” Zelonis says. “If every week we scan the environment and find 3 percent of the infrastructure is new or different,” reducing that number can deliver the needed ROI stat.
“The complexity of the problem needs to be simplified” by “measuring what you can measure and trying to use drift as a mechanism to measure what you don’t know,” Zelonis says.
As for discovered devices that exist but whose ownership is unknown, Zelonis encourages security executives to do what their predecessors have done since the dawn of time: “If you don’t know who owns this device, you would well be within your rights to unplug it. That’s certainly a good way to get someone to find you and take ownership of it.”
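The drift measurement Zelonis describes, and the follow-up list of discovered hosts with no owner of record, as an added example that is not from the article or any vendor product: two constructed weekly scan inventories are compared, each host is classified as new, gone or changed (different MAC, OS guess or open ports), and the share of the combined inventory that moved is reported as the drift figure.

```python
# Added example: weekly scan drift, with constructed inventories (not real hosts).
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    """Fingerprint fields a discovery scan typically yields for one IP."""
    mac: str
    os: str
    ports: frozenset

# Constructed sample inventories keyed by IP (last week vs this week).
LAST_WEEK = {
    "10.0.1.10": Host("00:11:22:33:44:01", "Windows 10", frozenset({135, 445, 3389})),
    "10.0.1.11": Host("00:11:22:33:44:02", "Linux", frozenset({22, 443})),
    "10.0.1.12": Host("00:11:22:33:44:03", "Linux", frozenset({22, 80})),
    "10.0.1.20": Host("00:11:22:33:44:04", "Embedded", frozenset({80})),  # IP camera
    "10.0.1.21": Host("00:11:22:33:44:05", "Windows 10", frozenset({135, 445})),
}
THIS_WEEK = {
    "10.0.1.10": Host("00:11:22:33:44:01", "Windows 10", frozenset({135, 445, 3389})),
    "10.0.1.11": Host("00:11:22:33:44:02", "Linux", frozenset({22, 443, 8080})),  # new service
    "10.0.1.12": Host("00:11:22:33:44:03", "Linux", frozenset({22, 80})),
    "10.0.1.20": Host("00:11:22:33:44:09", "Embedded", frozenset({80})),  # camera replaced, new MAC
    "10.0.1.30": Host("00:11:22:33:44:06", "Embedded", frozenset({23, 80})),  # never seen before
}
# Constructed asset register: IP -> owning department. 10.0.1.30 has no entry.
OWNERS = {"10.0.1.10": "Finance", "10.0.1.11": "IT", "10.0.1.12": "IT",
          "10.0.1.20": "Facilities", "10.0.1.21": "HR"}

def drift(previous, current):
    """Classify hosts as new, gone or changed and compute the drift percentage.

    Drift = (new + gone + changed) / hosts in the union of both scans, so a
    host that vanished still counts as change rather than silently dropping out.
    """
    new = sorted(set(current) - set(previous))
    gone = sorted(set(previous) - set(current))
    changed = sorted(ip for ip in set(previous) & set(current) if previous[ip] != current[ip])
    total = len(set(previous) | set(current))
    pct = 100.0 * (len(new) + len(gone) + len(changed)) / total if total else 0.0
    return {"new": new, "gone": gone, "changed": changed, "drift_pct": round(pct, 1)}

def unowned(current, ownership):
    """Hosts on the network with no owner of record: the follow-up list."""
    return sorted(ip for ip in current if ip not in ownership)

if __name__ == "__main__":
    print(drift(LAST_WEEK, THIS_WEEK))
    print("no owner of record:", unowned(THIS_WEEK, OWNERS))
```

Tracking `drift_pct` week over week gives the trend line Zelonis suggests putting in front of the CFO or board; the `unowned` list is the set of hosts that still need an owner assigned before the next scan.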