How can we secure an IT resource if we donāt know that it exists or if we donāt have visibility into its state? To quote respected industry practitioner Adrian Sanabria, āmost security and IT problems begin with visibility.ā Security practitioners crave visibility into the state of laptops, vices, virtual machines, applications, and users in their organization.
Overseeing security aspects of the configuration of such resources is the practice of cybersecurity asset management.
What Does Cybersecurity Asset Management Involve?
To address security issues, you must discover the gaps, and to do that you need a comprehensive and reliable inventory of your asset. Therefore, cybersecurity asset management involves:
- Obtaining and continually updating an accurate inventory of all IT resources.
- Discover security gaps related to the assetās presence or configuration.
- Enforcing security requirements to rapidly address the identified gaps.
Asset management plays such a foundational role in a cybersecurity program, that CIS Critical Controls lists the need to inventory and control hardware and software assets as its first two security measures. Along these lines, asset management is the first category in the NIST Cybersecurity Framework. For yet another example, consider guidance by the Security and Exchange Commission, which highlights the need to inventory hardware and software so the organization knows where its assets āare located, and how they are protected.ā
Unfortunately, implementing this process in a reliable, timely, and efficient manner has been one of our industryās major challenges.
Repercussions of Poor Asset Management
Poor asset management practices dramatically increase the chances that threat actors will be able to achieve their objectives, be they to steal sensitive data, disrupt business operations, or otherwise put the organization at risk.
After all, an attackerās entry point is often the server that nobody knew existed, the laptop that lacked antivirus software, the application that was missing a patch, the port that was left open, or the user account that wasnāt locked down. Asset management is essential to being able to address such risks efficiently and consistently.
Why Donāt We All Have Asset Management Already?
If asset management is so important for cybersecurity, why havenāt all enterprises implemented it yet? āBasics are hard,ā as Adrian Sanabria put it.
Even outside cybersecurity, we know that essential hygiene steps such as washing hands can prevent diseases. Yet, many people (including healthcare professionals) donāt regularly wash their hands. And look at our habits related to eating and exercise: though we know what weāre supposed to do, many of us donāt do it.
In cybersecurity, weāre often attracted to exciting-sounding disciplines, say threat hunting or red-teaming. Weāre drawn to sexy technologies such as machine learning for malware or anomaly detection. We struggle taking a step back to build a foundation for the security program, even if we know itāll enable cool efforts such as spotting intrusions and fighting malware.
Another reason why asset management has been a challenge is the lack of effective tooling. Keeping track of IT resources is often a manual, error-prone process that consumes much time and yields few benefits. For asset management to deliver its full potential, it needs to be automated and easy to implement.
The Joys of Asset Management
Security leaders whoāve implemented effective asset management will live longer, healthier, and more fulfilling lives.
More seriously: Asset management allows security leaders to succeed at other initiatives, from rolling out a new antivirus agent to improving oversight of cloud resources. It bolsters the security organizationās efficiency, allows it to track and demonstrate progress, and enables preventing a variety of issues before they escalate into major incidents.
Those whoāve implemented asset management in a way that keeps up with todayās dynamic environments derive another benefit. Such organizations discover that every group related to IT and cybersecurity comes to the asset management system for answers to questions about vulnerabilities, threats, incidents, compliance, troubleshooting, and more. The once unsexy asset management system becomes the crux of critical decisions and investigations.
Approaching Cybersecurity Asset Management
Hereās the good news. Todayās enterprises already have many IT and security systems that know about some portion of the organizationās assets. These include:
- Identity and systems management tools
- Endpoint security management software
- Vulnerability scanning tools
- Passive and active network monitoring solutions
- Cloud orchestration technologies
The challenge from the perspective of asset management is that these systems typically exist as data silos, requiring cumbersome efforts to get a unified and actionable view on asset details across multiple systems.
Organizations can advance their asset management program by extracting useful configuration and other state data out of these systems. The next step is to clean the data to find useful information across the multiple data sources.
As you can imagine, achieving this involves a lot of automation and know-how. This is where Axonius, where I lead the cybersecurity program, comes in.
The Axonius Asset Management Platform
Axonius de-duplicates and correlates the data to automatically provide an authoritative and accurate inventory. By looking at their assets from several perspectives, our customers can ask meaningful questions, such as:
- Which systems are missing an endpoint agent or where is the agent misconfigured?
- Which cloud or other resources arenāt being scanned for vulnerabilities?
- Which unmanaged devices are present on the network?
- Which users with access to critical systems donāt have two-factor authentication enabled?
After asking and answering questions like these, customers can direct Axonius to take action, such as open a ticket, email an analyst, quarantine the system, deploy an agent, and so on. Request a demo to see the Axonius Cybersecurity Asset Management Platform for yourself.
