Recently the topic of continuous asset management for cybersecurity has spawned some interesting discussion. From Daniel Miessler’s piece “If You’re Not Doing Continuous Asset Management You’re Not Doing Security” to Anton Chuvakin’s note about “asset discovery and asset management for the modern era becoming a BIG HUGE problem”, the topic is gaining steam.
A few weeks ago, I spoke with Nuance Communications CISO Ken MacCuish around asset management for cybersecurity, and the conversation gravitated to how CISOs and security teams can measure their current state as well as what success looks like when it comes to asset management.
NB: Ken, when we spoke about how you would set metrics to measure both baseline and improvement around any asset management program for cybersecurity, you had an interesting idea: mean time to inventory. Can you give a little more info on what you mean by that exactly?
KM: Mean time to inventory determines how long it takes a Security Operations Center (SOC) analyst to identify the system owner or custodian. The goal is to determine when incident response is lagging as a result of missing inventory information. A good substitute or addition to mean time to inventory would be to identify the event and if and/or how the asset information was ever obtained. It would include aspects like:
· Unable to ID owner/custodian
· Automation (the information was automatically embedded in ticket, or a simple click away)
· Manual determination via CMDB, spreadsheet, Active Directory and so on.
· Call/email/ticket and/or other research
NB: Without adding any tools or changing the way they currently operate, how would a security team currently gather the information needed to come up with that metric?
KM: You’d come up with that metric by adding a field to whatever ticket or orchestration system is being used (if they are using one) or simply embedding it in some common format within incident comments so that it can be grepped out with some scripting to aggregate.
NB: In Daniel Miessler’s piece, he suggested one single metric to judge the accuracy and freshness of the asset and data inventory, looking at both accuracy percentage and how old the inventory is. For instance, 90% accuracy, or 1 week old. Any thoughts on whether that’s a valuable metric or how hard it would be to get it?
KM: I like this idea but I think most teams will need a substitute in the beginning that simply indicates the source of the data. If the source is a well-managed CMDB, great. The last update/review date could be drawn out via APIs or queries. If it’s a spreadsheet or sticky-note, at least there is something.
NB: One of the most difficult challenges I’ve seen for CISOs is getting headcount. Whether a result of budget or talent shortages, the talent gap is something that is always in the news. Daniel Miessler concludes his piece stating that simply hiring 1–3 people who are dedicated to this task will reduce breaches and the cost of buying more products. Do you think that many CISOs would dedicate headcount to asset management?
KM: It depends on what you mean by asset management. It might work if you have a security pro on staff who can simply associate IP addresses, machines or containers with the owners/custodians. If you are talking about a timeline from requisition to end of life, no, that is a discipline all to itself.
NB: Final question. Asset management seems to be one of those problems that resulted in changes to the way we work over decades, and the explosion in the number and types of devices we use has brought the problem into focus today. If you look into your crystal ball, do you see any other big cybersecurity trends that will arise in the next 5–10 years that we’re not dealing with now?
KM: As an industry we are still not doing a good job addressing certain issues like asset management, patching, malware prevention, and for that matter, the rest of the security CIS 20.
That said, IoT will just amplify the problem where low-powered, low-cost devices get deployed without concern for security. The convergence of cyber and personal safety concerns will be one of tomorrow’s big challenges and the warning signs are already here if you consider everyday exposed systems like self-driving cars or automated ski lifts. We’ll see a positive effect here with well-defined, mature DevOps that can start to truly automate some of the basics.
Ken MacCuish is the CISO at Nuance Communications, an innovator in voice, natural language understanding, reasoning and systems integration to make technology more human. Nuance is a pioneer in making technology fluent in all things human: from understanding spoken words and extracting their meaning to adaptively and seamlessly interpreting the swipe of a fingertip.
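The following script is an added example, not code from the interview, from Ken MacCuish or from Nuance. It shows one way to implement the "embed it in a common format in the incident comments and grep it out" approach to the mean time to inventory metric discussed above. The ASSET-SOURCE tag convention, the source categories (the interview's four outcomes, with "none" standing for "unable to ID owner/custodian"), the pipe-delimited export format and the incident lines are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Tag convention assumed for this example (not from the interview): when the
# owner/custodian lookup finishes, the analyst writes one comment of the form
# "ASSET-SOURCE: <category> ..." where <category> is one of the outcomes below.
SOURCES = {"automation", "cmdb", "manual", "research", "none"}
TAG_RE = re.compile(r"^ASSET-SOURCE:\s*(?P<source>[a-z]+)\b", re.IGNORECASE)

# Constructed sample export: "<incident id>|<ISO timestamp>|<comment text>".
SAMPLE_COMMENTS = """\
INC-1001|2019-03-04T09:00:00|Alert: suspicious outbound traffic from 10.1.2.3
INC-1001|2019-03-04T09:02:00|ASSET-SOURCE: automation host=web-01 owner=ecommerce-team
INC-1002|2019-03-04T10:15:00|Alert: malware detected on 10.1.9.7
INC-1002|2019-03-04T10:40:00|Checked AD, no computer object; trying CMDB
INC-1002|2019-03-04T11:05:00|ASSET-SOURCE: cmdb host=lab-vm-17 owner=r.smith
INC-1003|2019-03-04T13:00:00|Alert: brute-force logins against 10.1.5.5
INC-1003|2019-03-04T17:38:00|ASSET-SOURCE: research host=unknown-printer owner=facilities (network team email)
INC-1004|2019-03-04T14:00:00|Alert: C2 beacon from 10.2.0.9
INC-1004|2019-03-04T15:00:00|ASSET-SOURCE: none no DHCP lease, no CMDB entry, no AD object
INC-1005|2019-03-04T16:00:00|Alert: port scan from 10.3.3.3
INC-1005|2019-03-04T16:20:00|Blocked at firewall, closing
"""


def parse_comments(text):
    """Return {incident_id: [(timestamp, comment), ...]} sorted by time per incident."""
    by_incident = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        incident, ts, comment = line.split("|", 2)
        by_incident[incident].append((datetime.fromisoformat(ts), comment))
    for comments in by_incident.values():
        comments.sort(key=lambda item: item[0])
    return dict(by_incident)


def time_to_inventory(by_incident):
    """Per incident: (source category, minutes from first comment to the ASSET-SOURCE tag).

    Source is None when no tag was ever recorded, i.e. the measurement itself is missing.
    """
    result = {}
    for incident, comments in by_incident.items():
        opened = comments[0][0]
        source, minutes = None, None
        for ts, comment in comments:
            m = TAG_RE.match(comment)
            if m:
                source = m.group("source").lower()
                if source not in SOURCES:
                    raise ValueError(f"{incident}: unknown ASSET-SOURCE {source!r}")
                minutes = (ts - opened).total_seconds() / 60
                break  # first tag wins; a later edit must not shorten the metric
        result[incident] = (source, minutes)
    return result


def summarize(per_incident):
    """Mean and median time to inventory, overall and per source.

    "none" (unable to identify the owner) and untagged incidents are reported
    separately and excluded from the averages, so the metric covers successful
    lookups only and the two failure modes stay visible on their own.
    """
    resolved = defaultdict(list)
    unable, untagged = 0, []
    for incident, (source, minutes) in sorted(per_incident.items()):
        if source is None:
            untagged.append(incident)
        elif source == "none":
            unable += 1
        else:
            resolved[source].append(minutes)
    all_minutes = [m for values in resolved.values() for m in values]
    return {
        "incidents": len(per_incident),
        "mean_minutes": mean(all_minutes) if all_minutes else None,
        "median_minutes": median(all_minutes) if all_minutes else None,
        "by_source": {s: round(mean(v), 1) for s, v in sorted(resolved.items())},
        "unable_to_id": unable,
        "untagged": untagged,
    }


def mtti_report(text=SAMPLE_COMMENTS):
    return summarize(time_to_inventory(parse_comments(text)))


if __name__ == "__main__":
    report = mtti_report()
    print(f"incidents: {report['incidents']}  MTTI: {report['mean_minutes']:.1f} min "
          f"(median {report['median_minutes']:.1f})")
    for source, minutes in report["by_source"].items():
        print(f"  {source:<11}{minutes:>8.1f} min")
    print(f"  unable to ID: {report['unable_to_id']}  untagged: {report['untagged']}")
```

Reporting the per-source means alongside the overall figure is what makes the number actionable: a high "research" or "manual" mean points at inventory gaps, while a high "automation" mean points at the tooling, and the untagged count tells you how far the measurement itself can be trusted.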