In this installment of our Question and Answer series with Axonius subject matter experts on data and cybersecurity in an IT asset management environment, we talk with Daniel Trauner, director of security at Axonius.
SC Media: Some fast-growth companies that have focused on sales and expansion might not have an effective asset management program. How do you start building an asset lifecycle management database and why do you need it?
Daniel Trauner: Companies starting to think about a centralized asset management program for the first time should begin by considering their current mode of operating without a single asset lifecycle database, and focus on building a single solution to address the use cases most important to their organization.
Even though a number of use cases will be universal for almost all technology-enabled organizations – lifecycle management for IT, incident response investigations for Security, and certain auditing tasks for Compliance – an organization’s industry, structure, or primary line of business may result in a particularly strong focus on any one of those areas. Your asset lifecycle database should always start with a focus on enabling your organization’s most important use cases, while still remaining general enough to be used in a cross-functional manner as the organization continues to grow and discover new use cases.
Once your primary use cases are established, you should start by taking a survey of all existing decentralized asset management systems, the process for adding new assets to those systems, and the data sources that are used to identify new assets. Even prior to a formal asset management program, most organizations will likely find that they’re using multiple spreadsheets or custom in-house tools to manually track asset information. Over time, you should aim to automate the discovery of new asset data as much as possible by leveraging API functionality across multiple data sources, as well as focusing on picking a single solution and team to manage the centralization effort.
SC: Generally speaking, for a mid-size company with perhaps 1000 employees and multiple domestic locations, how much should a company plan to allocate for first-year expenses to launch an asset management program? What would be some of the one-time and continuing expenses that often get overlooked when building an asset management budget and program?
DT: Aside from any initial one-time development costs, one of the most difficult aspects of understanding the ongoing cost of a centralized asset management program is understanding what types of assets an organization has, and ultimately how many assets need to be tracked. It’s easy to overlook the impact of special-purpose devices such as tablets, VoIP desk phones, or even IoT devices such as IP-based security cameras on the grand total. Most organizations today will also have a significant number of unmanaged “BYOD” devices such as employees’ smartphones connected to a “guest” WiFi network.
A good rule of thumb for an initial estimate is to consider the number of employees at your organization, and multiply that total by three. If your organization actually manufactures devices itself or otherwise has special infrastructure requirements, this factor may be as high as four.
So for a 1,000-person multinational company, that organization should assume that they have anywhere from 3,000 to 4,000 assets across all types — desktops, laptops, servers, and special-purpose devices (and remember, users themselves should be considered as well to some degree!). This total asset count will almost certainly play a role in the ongoing cost of a centralized asset database, and should help you determine the scaling requirements for the system as your organization grows.
SC: How does asset lifecycle management fit into the overall corporate and security reporting structure? Who are the key stakeholders and what are their responsibilities?
DT: Most organizations will elect to have their IT or corporate security teams as the primary owners of their asset management program. As a centralized asset database is likely to be used early on by multiple teams, however, it’s critical to establish a proper governance structure around both its development and use.
Some companies will elect to have IT responsible for managing the addition of new data sources during the development process, although certain teams outside of IT may be the owners of some of these data sources. A single team should be ultimately responsible for the integration of new sources, but once integrated, tracking certain manually-managed attributes on specific types of assets may be delegated to a separate team.
SC: Let’s say an incident occurs. From an incident response perspective, what is the difference between having an effective and complete asset management database and having an incomplete accounting of assets? How can an incomplete accounting hinder the forensics investigation?
DT: Any incident response investigation will benefit significantly from up-to-date asset information. Even when an organization has a strong centralized logging facility such as a SIEM integrated with many of their asset-related services, understanding asset-related events – that is, “what happened” – is just one piece of the puzzle. The most time-consuming part of an investigation is often the process of correlating multiple disparate sources of data to understand the state of a given asset at a given time, which is what a strong asset management program should help you solve.
For example, say that your IDS has flagged network traffic destined to a known botnet command-and-control server coming from a DHCP-assigned IP on your network likely belonging to an employee’s laptop. Once you’ve narrowed down your investigation to a particular identifier such as an IP address as a part of a particular network event, you will then want to know everything you can about the machine that had that DHCP IP address at a given time, as well as everything about the user associated with the affected machine.
Even though you may have multiple tools in use within your environment which can provide richer context information beyond what your IDS detected, including an endpoint security agent on the end user’s machine, how are you consuming this information? An effective centralized asset database should enable you to see as much context information as possible in a single location, without having to manually export, correlate, deduplicate, and recombine separate data sources.
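The two steps Trauner describes, merging records from separate sources into one record per device (the centralization he recommends earlier in the interview) and then asking "which machine, and which user, held this DHCP address at the moment of the IDS alert", are shown below as an added, self-contained example. This is illustration code written for this page, not Axonius product code or anything from the interview; the endpoint-agent inventory, directory records, DHCP lease log, hostnames, MACs, IPs and owners are all constructed. It deliberately includes the failure mode an IP-only lookup gets wrong: the same address leased to two different laptops on the same day, with a short gap between the leases.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# --- Constructed data sources (every value below is invented) --------------

# Source 1: endpoint agent inventory, keyed by MAC address.
ENDPOINT_AGENT = [
    {"mac": "aa:bb:cc:00:00:01", "hostname": "lt-alice", "os": "macOS 13.4", "agent_version": "7.2.1"},
    {"mac": "aa:bb:cc:00:00:02", "hostname": "lt-bob",   "os": "Windows 11", "agent_version": "7.2.1"},
]

# Source 2: directory / MDM ownership, keyed by hostname (a different key than source 1,
# and with inconsistent capitalisation, as real exports tend to have).
DIRECTORY = [
    {"hostname": "LT-ALICE",    "owner": "alice@example.com",      "department": "Finance"},
    {"hostname": "lt-bob",      "owner": "bob@example.com",        "department": "Engineering"},
    {"hostname": "cam-lobby-1", "owner": "facilities@example.com", "department": "Facilities"},  # no agent
]

# Source 3: DHCP lease history as (mac, ip, lease_start, lease_end) in UTC.
# 10.0.5.23 is held by two different machines on 2023-06-01, with a gap between the leases.
DHCP_LEASES = [
    ("aa:bb:cc:00:00:01", "10.0.5.23", "2023-06-01T08:00:00Z", "2023-06-01T12:00:00Z"),
    ("aa:bb:cc:00:00:02", "10.0.5.23", "2023-06-01T12:05:00Z", "2023-06-01T18:00:00Z"),
    ("aa:bb:cc:00:00:02", "10.0.5.40", "2023-06-02T08:00:00Z", "2023-06-02T18:00:00Z"),
]


@dataclass
class Asset:
    hostname: str
    mac: Optional[str] = None
    os: Optional[str] = None
    agent_version: Optional[str] = None
    owner: Optional[str] = None
    department: Optional[str] = None
    sources: set = field(default_factory=set)   # which feeds contributed to this record


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_asset_db(agent_records, directory_records) -> dict:
    """Merge per-source records into one Asset per device, keyed by lower-cased hostname.

    A device seen by only one source is kept with the other fields left as None,
    so gaps in coverage stay visible instead of being silently dropped.
    """
    db: dict = {}
    for r in agent_records:
        key = r["hostname"].lower()
        a = db.setdefault(key, Asset(hostname=key))
        a.mac, a.os, a.agent_version = r["mac"], r["os"], r["agent_version"]
        a.sources.add("endpoint_agent")
    for r in directory_records:
        key = r["hostname"].lower()
        a = db.setdefault(key, Asset(hostname=key))
        a.owner, a.department = r["owner"], r["department"]
        a.sources.add("directory")
    return db


def mac_for_ip_at(leases, ip: str, when: str) -> Optional[str]:
    """Return the MAC that held `ip` at instant `when` (lease start inclusive, end exclusive)."""
    t = parse_ts(when)
    for mac, lease_ip, start, end in leases:
        if lease_ip == ip and parse_ts(start) <= t < parse_ts(end):
            return mac
    return None


def resolve_alert(db: dict, leases, ip: str, when: str) -> Optional[Asset]:
    """Tie an IDS alert (ip, timestamp) back to the asset, and hence the owner, at that time."""
    mac = mac_for_ip_at(leases, ip, when)
    if mac is None:
        return None                      # no lease covered that instant
    for asset in db.values():
        if asset.mac == mac:
            return asset
    return None                          # lease exists but nothing in inventory: an unmanaged device


def coverage_gaps(db: dict) -> list:
    """Hostnames known to only one of the two inventory sources."""
    return sorted(h for h, a in db.items() if a.sources != {"endpoint_agent", "directory"})


if __name__ == "__main__":
    db = build_asset_db(ENDPOINT_AGENT, DIRECTORY)
    # Same IP, three timestamps: two different laptops/owners, and one instant with no lease.
    for when in ("2023-06-01T10:30:00Z", "2023-06-01T15:00:00Z", "2023-06-01T12:02:00Z"):
        a = resolve_alert(db, DHCP_LEASES, "10.0.5.23", when)
        print(when, "->", (a.hostname, a.owner) if a else "no lease at that time")
    print("coverage gaps:", coverage_gaps(db))
```

The point of the lease-interval check is that an IP on its own is not an asset identifier: the same alert against 10.0.5.23 resolves to a different laptop and owner depending on the timestamp, and an instant in the gap between leases correctly resolves to nothing rather than to whichever machine last held the address. The `coverage_gaps` report is the complementary view: devices the directory knows about but no agent reports on (here the lobby camera) are exactly the ones an investigation will have the least context for.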
SC: How can an asset lifecycle management analysis help a company when it comes to budgeting for purchases, standardization, and compliance requirements?
DT: Aside from security incident response investigations and more general IT use cases, an organization will almost certainly improve the efficiency of other types of tasks which would otherwise rely on significant manual data reconciliation efforts, especially if their asset database tracks the history of asset state over time.
For example, an organization’s finance team may be interested in tracking costs and purchase dates for depreciation purposes, and the Compliance team may want to run a 90-day report on a particular set of servers to demonstrate compliance with applicable regulations or standards.
By leveraging a centralized up-to-date asset database with API-driven data sources, these types of tasks can be performed much more quickly, and will not become nearly as difficult in a rapidly-growing, modern environment with independent teams constantly introducing new assets.