Today we continue our ongoing series of Q&A with Axonius CISO Lenny Zeltser. In this installment we look at how to get the most from understanding the basics of IT asset management.
SC Media: What role does asset management play as part of an overall cybersecurity and GRC strategy?
Lenny Zeltser: Asset management is the foundation of a cybersecurity program. Don’t take my word for it: It’s the first set of controls in CIS Critical Controls and the NIST Cybersecurity Framework. The need to inventory hardware and software is also highlighted in security guidelines published by the SEC. And it’s called out in ISO 27001. PCI DSS talks about it. Most auditors want to see it. This isn’t surprising.
Modern, properly implemented asset management allows CISOs and risk managers to understand what IT resources the organization has and how they’re configured. This allows them to discover and address security gaps, validate compliance with the expected state, and track the security program’s advancement.
SC: One of the big problems for asset management projects today is identifying IoT devices, both those owned by employees and the company. What are the challenges and best practices in finding and recording IoT devices within an enterprise?
LZ: Enterprises often rely on software agents to enforce security measures on traditional endpoints. Since deploying agents to IoT devices is usually impractical or impossible, we need to rely on other approaches to manage IoT device risks. The risks are exaggerated when the devices are owned by end-users and not enterprises (in BYOD scenarios) or by other third parties (for example, in some healthcare scenarios).
Knowing which IoT devices the organization has, what their state is, and what aspects of it are unmanaged is difficult for most organizations. The good news is that there’s usually at least some system within the company’s environment that knows something about the devices. For example:
- Network switches or routers might know that the devices are active and how they’re communicating.
- Vulnerability scanners might spot that the devices are present and flag any potential security weaknesses on them.
- Proprietary device management software might know how to communicate with the devices to determine their state from the inside.
The challenge is that each of these data sources knows something about a portion of your IoT devices, but not all of them. And the tools exist as silos, so the organization needs to find a way to extract the necessary information from them, then clean, deduplicate, and correlate the data. Building such a silo-spanning system on your own is very burdensome. (Axonius created a product that does just that for our customers.)
SC: Not all IoT devices are managed by IT – many are operational technology devices managed by the facilities team (lighting systems, electronic door locks, sensors, a plethora of medical devices in healthcare, etc.). What impact can these OT devices have on the IT infrastructure and how should the CISO be involved in managing OT IoT devices?
LZ: Any device that connects to the company’s network or has access to sensitive data poses a risk that CISOs need to understand and help manage. OT equipment is a great example of this, since OT is often the blind spot of IT teams. Moreover, OT devices are often set up by groups that might lack a strong relationship with the cybersecurity team.
There are certainly OT-specific considerations that CISOs should keep in mind. More broadly, it’s a reminder that IT and security-related assets are distributed across many teams, business units, and geographies in a modern enterprise. To get full visibility into all asset types across all areas of the organization, you need to capture and aggregate the relevant details from each data silo.
SC: Not all IoT devices are on site — some are in the fog and the cloud. How can asset management help with managing these devices — perhaps even those not directly owned or managed by the company?
LZ: IT resources such as IoT devices are geographically dispersed in modern enterprises and can exist on-premises and in the cloud. Therefore, keeping track of their existence and state is as important as ever. After all, how can you secure that which you don’t even know you have? Yet, the very nature of distributed and flexible deployments today complicates the task of assembling an authoritative and accurate asset inventory.
To tackle this challenge, start by identifying all the physical and logical locations where the devices might exist. Then, look for a way to interrogate your IT and security management tools at each location to discover the devices that reside there. To keep up with the ever-changing nature of the environment, look for a way to automate the process of capturing, correlating, and acting on this data.
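The silo-spanning correlation described in the earlier answer on IoT data sources, and the capture-correlate-act steps in this one, as an added Python example that is not Axonius code or Lenny Zeltser's: three constructed sample exports (a switch ARP table, a vulnerability scan, and a device-management console) are merged on any shared MAC, IP or hostname, and devices that no management tool knows about are flagged as unmanaged. Source names and record fields are assumptions for illustration.

```python
# Constructed sample exports (not real data): each silo sees only a subset.
SWITCH_ARP = [  # network gear knows MAC <-> IP, nothing about the device itself
    {"mac": "AA:BB:CC:00:00:01", "ip": "10.0.5.21"},
    {"mac": "AA:BB:CC:00:00:02", "ip": "10.0.5.22"},
    {"mac": "AA:BB:CC:00:00:03", "ip": "10.0.9.7"},
]
VULN_SCAN = [  # scanner knows IP, sometimes a hostname, and its findings
    {"ip": "10.0.5.21", "hostname": "lobby-cam-01", "findings": ["default-creds"]},
    {"ip": "10.0.9.7", "hostname": "infusion-pump-3", "findings": []},
]
DEVICE_MGMT = [  # vendor console knows hostname + MAC for devices it manages
    {"hostname": "LOBBY-CAM-01", "mac": "aa:bb:cc:00:00:01", "firmware": "2.4.1"},
]

def identity_keys(rec):
    """Normalized identifiers a record can be correlated on (MAC, IP, hostname)."""
    keys = set()
    if rec.get("mac"):
        keys.add(("mac", rec["mac"].upper()))
    if rec.get("ip"):
        keys.add(("ip", rec["ip"]))
    if rec.get("hostname"):
        keys.add(("host", rec["hostname"].lower()))
    return keys

def correlate(sources):
    """Merge {source_name: [records]} into deduplicated assets.
    Records sharing any identifier (transitively) are one asset, so the switch's
    MAC<->IP row links the scanner's IP row to the console's MAC row."""
    assets = []  # each: {"keys": set, "sources": set, "findings": list}
    for name, records in sources.items():
        for rec in records:
            keys = identity_keys(rec)
            merged = {"keys": set(keys), "sources": {name},
                      "findings": list(rec.get("findings", []))}
            for asset in [a for a in assets if a["keys"] & keys]:
                merged["keys"] |= asset["keys"]      # union every asset sharing a key
                merged["sources"] |= asset["sources"]
                merged["findings"] += asset["findings"]
                assets.remove(asset)
            assets.append(merged)
    return assets

def unmanaged(assets, mgmt_source="device_mgmt"):
    """Assets seen on the wire or by the scanner but unknown to the management tool."""
    return [a for a in assets if mgmt_source not in a["sources"]]

def build_inventory():
    return correlate({"switch": SWITCH_ARP, "scanner": VULN_SCAN, "device_mgmt": DEVICE_MGMT})
```

Running it yields three assets, of which two (the MAC-only device on 10.0.5.22 and the infusion pump) appear in no management console and are the candidates for follow-up.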
SC: What should CISOs know about asset management that they might not know — or perhaps things they get wrong?
LZ: I’ve seen something amazing in organizations that have mastered asset management. They may have initially justified the project because of a specific cybersecurity initiative or to cover a particular risk. Then they noticed that colleagues from other groups want to use the asset management system too. This is where individuals with a diverse set of responsibilities want to turn with questions related to vulnerabilities, threats, incidents, compliance, troubleshooting, and more.
This is a testament to the foundational role of asset management: It empowers IT, security, and risk functions in a way that dramatically exceeds its initial use-cases.
Lenny Zeltser is Chief Information Security Officer and was previously VP of Product at Axonius. Prior to Axonius, Zeltser led security product management at Minerva Labs and NCR. Before that, he spearheaded the U.S. security consulting practice at a leading cloud services provider acquired by CenturyLink. Zeltser also helps shape global cybersecurity practices by teaching at SANS Institute and by sharing knowledge through writing, public speaking, and community projects. He has earned the prestigious GIAC Security Expert designation and developed the Linux malware analysis toolkit REMnux. Lenny is also on the Board of Directors of SANS Technology Institute.