In this installment of the Axonius Q&A series, CISO Lenny Zeltser discusses how IT asset management impacts risk management.
SC Media: Obviously knowing what your assets are, where they reside, and their lifecycle status are a key part in resource planning. Let’s look at how this impacts risk management. How does asset management play in the overall risk and compliance discussions and what are the most important lessons a security team needs to learn about assets management and risk?
Lenny Zeltser: One way to understand the role of asset management is to consider where it resides in the highly regarded NIST Cybersecurity Framework. It discusses asset management as part of the Identify function, which provides cybersecurity program managers with situational awareness. NIST explains that understanding the business context and related security risks allows the company to “prioritize its efforts, consistent with its risk management strategy and business needs.”
In other words, without visibility into the existence, location, and state of its assets, the enterprise lacks the context for making informed risk decisions. This is one of the reasons why security teams that I’ve encountered crave accurate and timely asset data, and are pushing their IT colleagues to adopt modern approaches to capturing and sharing such information.
The importance of asset management for cybersecurity, IT risk management, and compliance often leads these teams to invest in modernizing asset management practices to supplement the data they might be getting from the existing sources such as configuration management database (CMDB), network scanners, user directory, etc. Such investments allow these teams to quickly assess and remediate risks related to missing endpoint agents, unscanned cloud virtual machines (VMs), deviations from security benchmarks, unmanaged devices, and more.
SC: Why is knowing details about your assets essential for meeting compliance requirements and what should the CISO do about it?
LZ: Though the details differ across industries and geographies, cybersecurity requirements generally describe the desired state of the IT or security program. They penalize deviations to encourage compliance. Therefore, CISOs need to not only create a security program that complies with the requirements, but also to identify gaps between the current and expected state. This journey often begins with asset management: Identifying which assets fall in scope of the requirements, identifying security gaps, and working to address them.
SC: We are seeing a proliferation of privacy laws take effect. Why is asset management important when it comes to complying with laws such as the California Consumer Privacy Act or the General Data Protection Regulation?
LZ: Privacy laws such as CCPA and GDPR mandate security controls that safeguard personal information. They also impose costly notification requirements in the case of a breach and fines in the case of non-compliance. Such measures help organizations justify building a formal cybersecurity program, such as one based on the NIST Cybersecurity Framework or ISO 27001. And asset management is a must-have foundation for such a program.
Moreover, privacy laws require organizations to understand and document the flows of personal information. Understanding where the data resides and who has access to it often hinges on the situational awareness that comes from effective asset management.
SC: Protecting assets and risk management are two sides of the same coin. How can an effective asset management plan protect a company from shadow IT, risky IoT devices and other hardware- and software-based risks?
LZ: Effective management allows organizations to detect and track the use of shadow IT, the presence of risky IoT devices, and other security gaps. Without such visibility, the organization cannot understand its risk exposure and cannot make informed decisions regarding mitigating these risks. In contrast, a modern asset management program can detect unmanaged systems, vulnerable devices, undesirable software, misconfigured hardware, and so on. Once identified, such gaps can be addressed by notifying the appropriate individuals or through automatic remediation steps.
SC: Not all assets are local. What are some of the risks associated with assets in the cloud?
LZ: Cloud resources are incredibly powerful because they can grow, shrink, or otherwise change rapidly to meet the organization’s business needs. This superpower can create super-risk: When the environment changes so quickly, it’s very hard for cybersecurity and GRC (Governance, Risk and Compliance) teams to enforce, validate, and remediate security and compliance requirements.
For example, how can the CISO account for every virtual machine if DevOps teams or automated scripts can deploy and deprovision them without having to ask for prior approval? How can the security team confirm that each VM meets the appropriate configuration benchmarks? How can they confirm that each cloud instance is regularly scanned for vulnerabilities? Tackling these challenges without effective asset management is simply impractical.
Companies need a modern approach to asset management to discover cloud assets as soon as they appear. They also need automation to enforce security policy or report non-compliance. Without such abilities, the cloud will continue to be a source of significant IT, security, and compliance risk that organizations will struggle to address.
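The gap-finding Zeltser describes in his answers (unmanaged devices, missing endpoint agents, unscanned cloud VMs) comes down to correlating inventories from several sources and looking for assets that some sources see and others do not. The following Python is an added example to illustrate that idea; it is not Axonius code or anything from the interview. The four source exports are constructed sample records, and the source names, the hostname normalization rule and the three gap definitions are assumptions chosen for illustration.

```python
"""Correlate asset inventories from several sources and report coverage gaps.

Added example, not Axonius code. The four exports below are constructed
sample records; the source names (cmdb, edr, cloud, scanner) are assumed.
"""

# Constructed sample exports. Note the inconsistent casing and one FQDN:
# real sources rarely agree on how a host is named.
CMDB = [                                   # assumed: the IT system of record
    {"hostname": "Web-01", "owner": "platform"},
    {"hostname": "db-01", "owner": "data"},
    {"hostname": "laptop-42", "owner": "alice"},
]
EDR_AGENTS = ["web-01", "laptop-42"]       # assumed: hosts with a reporting endpoint agent
CLOUD_VMS = [                              # assumed: VM list pulled from the cloud provider API
    {"name": "web-01", "account": "prod"},
    {"name": "db-01", "account": "prod"},
    {"name": "scratch-7", "account": "dev"},   # spun up by a DevOps script, never registered
]
SCANNER_TARGETS = ["web-01", "db-01.prod.internal"]  # assumed: last vulnerability-scan cycle


def normalize(name: str) -> str:
    """Canonicalise a hostname so the same machine matches across sources.

    Assumed rule: lowercase, trimmed, domain suffix dropped. A real
    deployment would usually key on several attributes (MAC, cloud instance
    id, serial) rather than the short hostname alone.
    """
    return name.strip().lower().split(".")[0]


def correlate(cmdb, edr, cloud, scanner) -> dict[str, set[str]]:
    """Return a map of normalized asset name -> set of sources that reported it."""
    seen: dict[str, set[str]] = {}
    for source, names in (("cmdb", cmdb), ("edr", edr),
                          ("cloud", cloud), ("scanner", scanner)):
        for name in names:
            seen.setdefault(normalize(name), set()).add(source)
    return seen


def gap_report(seen: dict[str, set[str]]) -> dict[str, list[str]]:
    """Derive the three gap classes discussed in the interview.

    unmanaged:       seen by some source but absent from the system of record
    missing_agent:   known (CMDB or cloud) but no endpoint agent reporting
    unscanned_cloud: a cloud VM the vulnerability scanner did not cover
    """
    unmanaged = {h for h, s in seen.items() if "cmdb" not in s}
    missing_agent = {h for h, s in seen.items()
                     if s & {"cmdb", "cloud"} and "edr" not in s}
    unscanned_cloud = {h for h, s in seen.items()
                       if "cloud" in s and "scanner" not in s}
    return {
        "unmanaged": sorted(unmanaged),
        "missing_agent": sorted(missing_agent),
        "unscanned_cloud": sorted(unscanned_cloud),
    }


def build_report() -> dict[str, list[str]]:
    """Run the correlation over the constructed sample exports."""
    seen = correlate(
        cmdb=[r["hostname"] for r in CMDB],
        edr=EDR_AGENTS,
        cloud=[r["name"] for r in CLOUD_VMS],
        scanner=SCANNER_TARGETS,
    )
    return gap_report(seen)


if __name__ == "__main__":
    for gap, hosts in build_report().items():
        print(f"{gap:16s} {', '.join(hosts) or '-'}")
```

Each gap class maps to a concrete follow-up: an `unmanaged` host needs an owner and a CMDB record, a `missing_agent` host needs the endpoint agent deployed, and an `unscanned_cloud` VM needs to be added to the scanner's scope. In the sample data the unregistered dev VM `scratch-7` shows up in all three lists, which is exactly the rapidly changing cloud asset the interview warns about; the point of automating this join is that such a host is flagged on the next data pull rather than discovered during an audit.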
Lenny Zeltser is Chief Information Security Officer and was previously VP of Product at Axonius. Prior to Axonius, Zeltser led security product management at Minerva Labs and NCR. Before that, he spearheaded the U.S. security consulting practice at a leading cloud services provider acquired by CenturyLink. Zeltser also helps shape global cybersecurity practices by teaching at SANS Institute and by sharing knowledge through writing, public speaking, and community projects. He has earned the prestigious GIAC Security Expert designation and developed the Linux malware analysis toolkit REMnux. Lenny is also on the Board of Directors of SANS Technology Institute.