In a widely shared article by Daniel Miessler and a post by Anton Chuvakin, the topic of asset management and its relationship to cybersecurity has been resurrected. And although cybersecurity asset management isn’t as sexy as AI, ML, and some of the other hot topics in cyber tech today, it’s an issue whose time has come. In this post, we’ll look at why asset management is still a problem, what success looks like, and an approach to getting there.
Continuous Asset Management for Cybersecurity: The Holy Grail
This weekend, a post made the rounds from Daniel Miessler entitled “If You’re Not Doing Continuous Asset Management You’re Not Doing Security.” From his post:
“The more a company can tell me about their assets the better their security is, and the more comprehensive and realtime the inventory is, the more mature they are. This has been true for me over 15 years of consulting across hundreds of organizations.
Companies pay hundreds of thousands a year to keep snacks in the break rooms. They pay to send people to training and conferences that usually have very few tangible benefits. And we dump millions into marketing campaigns that we can’t tie to sales results.
But pay 100K a year to have a list of what we’re actually defending? Nope. Too expensive. Wasteful, really.”
In the same article, Gartner Research VP and Distinguished Analyst Dr. Anton Chuvakin posted a comment:
I usually just say “if you show me an org with great asset management, I will tell you that you found a door to an alternate dimension” :-
Additionally, in his RSA 2018 roundup post, Chuvakin wrote:
Here is one “was old, now new” bit — and this is an insight to me. I saw a lot of asset management. Say, what? Well, asset discovery and asset management for the modern era is a BIG HUGE problem, and so I am happy to see some vendors appear to handle it creatively.
Anecdotally, after speaking with hundreds of attendees at this year’s RSA conference, I can say with confidence that asset management is a problem. A quick video on that:
You Can’t Have Compliance Without Asset Management, Right?
Miessler’s post continues:
And while we’re poking bears, let’s ask another question: what value is being compliant with an information security regulation if you can pass while having zero idea whatsoever where your data is and what systems you have? How is that even possible?
It’s like an auto manufacturer passing a crash safety test without providing a car.
Forget everything you know about information security. Dump it in the toilet. All the regulations. All the scanning tools. All the vulnerability management. All the auditing. Let’s call those the nice-to-haves.
Looking just at the basics of the CIS 20 controls, the first two are:
- Inventory and Control of Hardware Assets — Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
- Inventory and Control of Software Assets — Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
So if companies are required to continuously manage assets to adhere to regulations, why is this still an issue?
Why Asset Management is a Big Problem and Getting Bigger
The problem is getting worse because in the last 5–10 years, there have been fundamental shifts in the way we compute:
- BYOD — Who is responsible for devices that aren’t owned by the organization? Is it IT’s responsibility to understand which devices are accessing corporate resources? Should IT just make sure devices can connect to the network and access resources, or is access management now a security function?
- Cloud and SaaS — When corporate data is stored on physical, on-premises networks, it’s reasonable to expect IT and security departments to have ownership. When data is stored in multiple third-party cloud services, how can we expect our own IT/Security resources to keep information safe?
- Virtualization — Think of how easy it is to spin up a VM or an Amazon instance. Then think of how easy it is to forget them. Additionally, because virtual instances are ephemeral, they break security models that don’t do active discovery. How do you make sure your vulnerability assessment (VA) tools are scanning instances that only exist for unpredictable intervals?
- Mobile Devices — Now that everyone has access to email, applications, and corporate information on their smartphones and tablets, how are the IT and Security departments to know whether those devices are satisfactorily secure?
- IoT Devices — With thousands of always-on, always-connected devices, how can IT and Security know which devices are sanctioned, secure, and should be allowed? How can they even keep up?
As the number and types of assets increase exponentially, so do the tools we use to manage them. This leads to both fragmentation and the kind of problem we see in our favorite tweet:
Solving the Continuous Asset Management Problem
As tempting as it is to plug our platform as the silver bullet, let’s talk about an approach instead. Organizations already have tools that contain device information like:
- Active Directory
- Endpoint Protection
- Vulnerability Assessment Tools
- SIEM Solutions
- Mobile Device Management
- Switches and Routers
One approach would be to connect to all these systems, collect the data about devices, correlate the data and present a view of what’s managed and unmanaged, including things like:
- All software installed on each device with version information
- Patch status
- All users that have logged in to the device
- Which endpoint agents are running
- The last time they were scanned
- Device profile information like CPU status, RAM, whether the device is currently on
- Where the device is
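An added example (not Axonius code) of the correlation step just described: it merges constructed exports from four of the source types listed above on any shared identifier and then reports which devices no management source knows about and which expected sources have never reported each device. The source names, field names, and sample records are assumptions.

```python
ID_FIELDS = ("hostname", "mac", "serial")
MANAGEMENT_SOURCES = {"active_directory", "endpoint_protection"}

# Constructed sample exports; each source identifies devices differently.
SOURCES = {
    "active_directory": [{"hostname": "fin-lap-01"}, {"hostname": "hr-desk-07"}],
    "endpoint_protection": [{"hostname": "fin-lap-01", "mac": "aa:bb:cc:00:00:01"}],
    "vuln_scanner": [{"mac": "aa:bb:cc:00:00:01", "last_scan": "2018-04-18"},
                     {"mac": "aa:bb:cc:00:00:09", "last_scan": "2018-04-19"}],
    "switch_arp": [{"mac": "aa:bb:cc:00:00:09", "ip": "10.0.1.77"},
                   {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.20"}],
}

def correlate(sources):
    """Merge records from every source that share any identifier value (union-find
    over (field, value) pairs, so a hostname+MAC record stitches AD to the network)."""
    parent = {}
    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]      # path compression
            x = parent[x]
        return x
    records = []
    for name, recs in sources.items():
        for rec in recs:
            keys = [(f, rec[f]) for f in ID_FIELDS if f in rec]
            if not keys:
                continue                        # nothing to correlate on
            for other in keys[1:]:
                parent[find(other)] = find(keys[0])
            records.append((name, keys[0], rec))
    devices = {}
    for name, key, rec in records:
        dev = devices.setdefault(find(key), {"ids": {}, "sources": set()})
        dev["sources"].add(name)
        dev["ids"].update({f: rec[f] for f in ID_FIELDS if f in rec})
    return list(devices.values())

def label(dev):
    return dev["ids"].get("hostname") or dev["ids"].get("mac") or "unknown"

def unmanaged(devices):
    """Devices seen by the network or the scanner but by no management source."""
    return sorted(label(d) for d in devices if not d["sources"] & MANAGEMENT_SOURCES)

def coverage_gaps(devices, expected=frozenset(SOURCES)):
    """For each device, which expected sources have never reported it."""
    return {label(d): sorted(expected - d["sources"]) for d in devices}
```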
Miessler’s post ends with one way to judge whether a continuous asset management program is successful:
If we want to make a real difference in security, let’s get the entire industry to use a single metric: the accuracy and freshness of the Asset & Data Inventory. And perhaps we use something like this.
A: 90% accuracy, or 1 week old
B: 80% accuracy, or 1 month old
C: 70% accuracy, or 2 months old
D: 60% accuracy, or 3 months old
F: 50% (or less) accuracy, or 1 year old
Now put in every security leader’s deck that the goal is to get to 95% accuracy with daily/weekly updates within 6 months. And the cost is simply hiring 1–3 people who are dedicated to this task.
That would reduce breaches, and it would cost infinitely less than the dumpster fire of products we constantly purchase and deploy for millions of dollars a year.
I think that’s a good idea, but I have another metric to suggest: mean time to inventory. We spoke to a CISO who offered this as a metric that could really show improvement when it comes to asset management for security. How long does it take to get a full inventory of all assets at any given time?
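To make both metrics concrete, here is an added example (not from Miessler or Axonius) that computes inventory accuracy, record freshness, the letter grade on the scale above, and mean time to inventory from constructed network and inventory data. It assumes a grade requires meeting both the accuracy floor and the age ceiling, and it measures accuracy as the share of the combined device population that the inventory gets right.

```python
from datetime import date

# Constructed data: when each device was first seen on the network (switch
# ARP/DHCP data) versus when the asset inventory last updated its record.
FIRST_SEEN = {
    "aa:bb:cc:00:00:01": date(2018, 4, 1),
    "aa:bb:cc:00:00:02": date(2018, 4, 3),
    "aa:bb:cc:00:00:03": date(2018, 4, 10),
    "aa:bb:cc:00:00:04": date(2018, 4, 15),
    "aa:bb:cc:00:00:05": date(2018, 4, 16),   # never made it into inventory
}
INVENTORY = {
    "aa:bb:cc:00:00:01": date(2018, 4, 2),
    "aa:bb:cc:00:00:02": date(2018, 4, 18),
    "aa:bb:cc:00:00:03": date(2018, 4, 12),
    "aa:bb:cc:00:00:04": date(2018, 4, 17),
    "aa:bb:cc:00:00:99": date(2018, 3, 25),   # retired device never removed
}
TODAY = date(2018, 4, 20)

# Miessler's scale as (grade, minimum accuracy %, maximum age in days);
# anything below the last row is an F.
SCALE = [("A", 90, 7), ("B", 80, 30), ("C", 70, 60), ("D", 60, 90)]

def accuracy(first_seen, inventory):
    """Percent of the combined device population the inventory gets right:
    missing devices and stale records both count as errors."""
    correct = len(first_seen.keys() & inventory.keys())
    total = len(first_seen.keys() | inventory.keys())
    return 100.0 * correct / total if total else 0.0

def oldest_record_age(inventory, today):
    """Freshness: days since the least recently updated inventory record."""
    return max((today - d).days for d in inventory.values())

def grade(first_seen, inventory, today):
    """Highest grade whose accuracy floor and age ceiling are both met."""
    acc, age = accuracy(first_seen, inventory), oldest_record_age(inventory, today)
    for letter, min_acc, max_age in SCALE:
        if acc >= min_acc and age <= max_age:
            return letter
    return "F"

def mean_time_to_inventory(first_seen, inventory):
    """Average days from a device appearing on the network to its inventory
    record existing, plus the count of devices still waiting for a record."""
    lags = [(inventory[m] - seen).days for m, seen in first_seen.items() if m in inventory]
    pending = [m for m in first_seen if m not in inventory]
    return (sum(lags) / len(lags) if lags else 0.0), len(pending)
```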
The original article from Dan Miessler is a must-read; it shows, passionately and humorously, just how important the problem of asset management has become. And although /u/spydum on the cybersecurity subreddit suggested the following about the Miessler piece and asset management more broadly:
100% agree but here’s the problem: asset management isn’t sexy. Penetration testing and red team and analysis gets all the job reqs, because it’s far more flashy.
Effective security is boring.
We hope that Axonius can help. Even if what we do is boring.