How can we secure an IT resource if we don’t know that it exists or if we don’t have visibility into its state? To quote respected industry practitioner Adrian Sanabria, “Most security and IT problems begin with visibility.” Security practitioners crave visibility into the state of laptops, vices, virtual machines, applications, and users in their organization.
Overseeing security aspects of the configuration of such resources is the practice of cybersecurity asset management.
What does cybersecurity asset management involve?
To address security issues, you must discover the gaps, and to do that you need a comprehensive and reliable inventory of your asset. Therefore, cybersecurity asset management involves:
- Obtaining and continually updating an accurate inventory of all IT resources.
- Discover security gaps related to the asset’s presence or configuration.
- Enforcing security requirements to rapidly address the identified gaps.
Asset management plays such a foundational role in a cybersecurity program, that CIS Critical Controls lists the need to inventory and control hardware and software assets as its first two security measures. Along these lines, asset management is the first category in the NIST Cybersecurity Framework. For yet another example, consider guidance by the Security and Exchange Commission, which highlights the need to inventory hardware and software so the organization knows where its assets “are located, and how they are protected.”
Unfortunately, implementing this process in a reliable, timely, and efficient manner has been one of our industry’s major challenges.
Repercussions of poor asset management
Poor asset management practices dramatically increase the chances that threat actors will be able to achieve their objectives, be they to steal sensitive data, disrupt business operations, or otherwise put the organization at risk.
After all, an attacker’s entry point is often the server that nobody knew existed, the laptop that lacked antivirus software, the application that was missing a patch, the port that was left open, or the user account that wasn’t locked down. Asset management is essential to being able to address such risks efficiently and consistently.
Why don’t we all have asset management already?
If asset management is so important for cybersecurity, why haven’t all enterprises implemented it yet? “Basics are hard,” as Adrian Sanabria put it.
Even outside cybersecurity, we know that essential hygiene steps such as washing hands can prevent diseases. Yet, many people (including healthcare professionals) don’t regularly wash their hands. And look at our habits related to eating and exercise: though we know what we’re supposed to do, many of us don’t do it.
In cybersecurity, we’re often attracted to exciting-sounding disciplines, say threat hunting or red-teaming. We’re drawn to sexy technologies such as machine learning for malware or anomaly detection. We struggle taking a step back to build a foundation for the security program, even if we know it’ll enable cool efforts such as spotting intrusions and fighting malware.
Another reason why asset management has been a challenge is the lack of effective tooling. Keeping track of IT resources is often a manual, error-prone process that consumes much time and yields few benefits. For asset management to deliver its full potential, it needs to be automated and easy to implement.
The joys of asset management
Security leaders who’ve implemented effective asset management will live longer, healthier, and more fulfilling lives. More seriously, asset management allows security leaders to succeed at other initiatives, from rolling out a new antivirus agent to improving oversight of cloud resources. It bolsters the security organization’s efficiency, allows it to track and demonstrate progress, and enables preventing a variety of issues before they escalate into major incidents.
Those who’ve implemented asset management in a way that keeps up with today’s dynamic environments derive another benefit. Such organizations discover that every group related to IT and cybersecurity comes to the asset management system for answers to questions about vulnerabilities, threats, incidents, compliance, troubleshooting, and more. The once unsexy asset management system becomes the crux of critical decisions and investigations.
Approaching cybersecurity asset management
Here’s the good news. Today’s enterprises already have many IT and security systems that know about some portion of the organization’s assets. These include:
- Identity and systems management tools
- Endpoint security management software
- Vulnerability scanning tools
- Passive and active network monitoring solutions
- Cloud orchestration technologies
The challenge from the perspective of asset management is that these systems typically exist as data silos, requiring cumbersome efforts to get a unified and actionable view on asset details across multiple systems.
Organizations can advance their asset management program by extracting useful configuration and other state data out of these systems. The next step is to clean the data to find useful information across the multiple data sources.
As you can imagine, achieving this involves a lot of automation and know-how. This is where Axonius, where I lead the cybersecurity program, comes in.
Axonius de-duplicates and correlates the data to automatically provide an authoritative and accurate inventory. By looking at their assets from several perspectives, our customers can ask meaningful questions, such as:
- Which systems are missing an endpoint agent or where is the agent misconfigured?
- Which cloud or other resources aren’t being scanned for vulnerabilities?
- Which unmanaged devices are present on the network?
- Which users with access to critical systems don’t have two-factor authentication enabled?
After asking and answering questions like these, customers can direct Axonius to take action, such as open a ticket, email an analyst, quarantine the system, deploy an agent, and so on. Want to see the Axonius Cybersecurity Asset Management Platform for yourself? Watch our demo video or request a demo.
Lenny Zeltser is Chief Information Security Officer and was previously VP of Product at Axonius. Prior to Axonius, Zeltser led security product management at Minerva Labs and NCR. Before that, he spearheaded the U.S. security consulting practice at a leading cloud services provider acquired by CenturyLink. Zeltser also helps shape global cybersecurity practices by teaching at SANS Institute and by sharing knowledge through writing, public speaking, and community projects. He has earned the prestigious GIAC Security Expert designation and developed the Linux malware analysis toolkit REMnux. Lenny is also on the Board of Directors of SANS Technology Institute.