Modern enterprises have a major problem: They use broken processes for tracking and securing their IT assets. These organizations find themselves in risky security scenarios where they do not have comprehensive visibility into every asset they need to secure. At the same time, attackers spend more time familiarizing themselves with the networks they are attacking. As a result, attackers are often more familiar with their target networks than the IT teams trying to secure them. Once inside the network, attackers often start by creating an asset inventory – and the odds are that it will come out far more accurate than the asset inventory that IT and security teams compile.
Beyond attack risk, the inability to create an accurate asset inventory can undermine an organization’s entire risk management program by leaving the company exposed to the possibility of cyber insurance non-compliance. Without an accurate IT asset inventory count, security teams don’t know if their operational risk mitigation controls such as endpoint security and patch management are deployed in the proper places. Keep that in mind as the team reviews its cyber insurance policy, which typically has a “failure to follow” clause.
Essentially, if an expected security control has not been put in place, the insurance company can deny a claim. If operational mitigation controls are missing, the cyber insurance carrier has a good argument to make that they are not responsible for paying a claim – even if it’s an asset that the company’s IT team didn’t know existed.
Security and IT teams have long focused on availability, performance, and security as the pillars of IT, but many have ignored the fourth stabilizing leg of that critical stool: Accountability. The efficiency of an organization’s people, processes, and products relies on a foundational investment into accountability, which begins with simply inventorying and tracking assets with the same discipline applied to buttoned-up processes, such as financial transactions. If accountability isn’t being enforced internally, security teams can expect that the cyber insurance carrier will try to enforce it when the time comes to decide whether they pay a claim.
A critical lack of visibility
Most organizations own the tools to secure their infrastructures effectively, but they have little insight into how these investments are deployed across their environments. A lack of comprehensive visibility into assets handcuffs security teams and creates significant gaps in the foundation of security frameworks.
There are two primary pain points that contribute to insufficient asset inventories:
Siloed systems: The tools used to report inventory only have visibility into their own environments. Agent-based tools are aware only of the machines where they are installed, and are often limited to specific operating systems like Linux, Windows or iOS. Meanwhile, directory services only see registered accounts. And network tools only see what’s connected, but will miss remote employees accessing cloud applications. No single system offers a clear view of every asset.
Monitoring a dynamic environment: Periodic snapshots—the current approach to asset inventory—can’t accurately account for the assets in today’s constantly changing environments. It’s like trying to understand a movie by looking at a series of still photos and “filling in the blanks.” Without continuous monitoring, IT and security teams never fully understand what is happening in the environment.
A new approach to asset management
Solving the problem of poor asset inventory starts, of course, with gaining clear visibility into the enterprise and maintaining that view as the environment continually changes. But securing those assets involves an active approach. Organizations should consider three important factors to make that happen:
- Comprehensive asset inventory. Correlating data from siloed asset tracking tools will help organizations gain a comprehensive understanding of what they own. A cloud-native platform that brings together the information from those disparate tools, while maintaining source attributes, not only gives users a clear view of the enterprise, but allows tailored queries, such as machines in Active Directory that aren’t running a specific patch.
- Asset telemetry. While it’s important to have a converged inventory, it only offers the current state at a point in time. Telemetry generation via continuous monitoring of endpoints gives organizations an ongoing view of the enterprise, while also answering key questions such as why and how asset counts change.
- Publishing to other systems. Data on asset telemetry published to SIEMs and log management platforms gives security and IT operations teams easy access to details in addition to alerts, such as who had an IP address or what host had a MAC address. It allows teams to be more effective at remediation without slowing down operations.
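The correlation step described in the first factor can be sketched in a few lines. This is an added example, not code from the article or from any vendor's product: the four source names, the record fields and the sample records are constructed, and matching on short hostname or MAC address is an assumed correlation rule.

```python
# Constructed sample exports; source and field names are assumptions.
SOURCES = {
    "directory": [{"hostname": "WS-014.corp.example", "mac": None},
                  {"hostname": "ws-022", "mac": None},
                  {"hostname": "srv-db01", "mac": None}],
    "edr": [{"hostname": "ws-014", "mac": "00-1A-2B-3C-4D-5E"},
            {"hostname": "lab-mac-3", "mac": "00:1a:2b:aa:bb:cc"}],
    "patch": [{"hostname": "WS-014", "mac": "00:1A:2B:3C:4D:5E", "missing": []},
              {"hostname": "SRV-DB01", "mac": "00:1a:2b:11:22:33",
               "missing": ["KB-EXAMPLE-1"]}],
    "dhcp": [{"hostname": None, "mac": "00:1a:2b:11:22:33", "ip": "10.0.4.17"},
             {"hostname": "printer-2f", "mac": "00:1a:2b:dd:ee:ff", "ip": "10.0.4.90"}],
}

def norm_keys(rec):
    """Normalize the identifiers each tool reports so they can be compared."""
    keys = set()
    if rec.get("hostname"):
        keys.add("host:" + rec["hostname"].split(".")[0].lower())
    if rec.get("mac"):
        keys.add("mac:" + rec["mac"].replace("-", ":").lower())
    return keys

def correlate(sources):
    """Merge records that share any key; keep each source's record intact."""
    assets = []
    for source, records in sources.items():
        for rec in records:
            merged = {"keys": norm_keys(rec), "sources": {source: rec}}
            for hit in [a for a in assets if a["keys"] & merged["keys"]]:
                merged["keys"] |= hit["keys"]
                merged["sources"] = {**hit["sources"], **merged["sources"]}
                assets.remove(hit)
            assets.append(merged)
    return assets

def name(asset):
    hosts = sorted(k[5:] for k in asset["keys"] if k.startswith("host:"))
    return hosts[0] if hosts else sorted(asset["keys"])[0]

def coverage_gap(assets, seen_in, missing_from):
    """Assets one source knows about that another source has never seen."""
    return sorted(name(a) for a in assets
                  if seen_in in a["sources"] and missing_from not in a["sources"])

def unpatched(assets, patch_id):
    """Directory machines missing the patch or unknown to the patch tool."""
    return sorted(name(a) for a in assets if "directory" in a["sources"]
                  and (a["sources"].get("patch") is None
                       or patch_id in a["sources"]["patch"]["missing"]))
```

Here `coverage_gap(correlate(SOURCES), "directory", "edr")` lists directory machines with no endpoint agent, and swapping the arguments to `"dhcp", "directory"` surfaces devices on the network that no directory entry accounts for.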
Dynamic times, dynamic measures
Organizations have told auditors for years that they have asset management under control, but the evidence clearly says otherwise. In a fast-moving, cloud-based environment, enterprises need an equally dynamic means of identifying, tracking and controlling their assets. It’s the only way they can confidently secure all of their assets, which too often have become a glaring weakness in enterprise security.
If deployed effectively, a more active approach to asset management can help to bridge that gap, giving IT teams the dynamic visibility they need to track and protect all of their enterprise assets while empowering organizations to apply security evenly and effectively across their entire network.
JJ Guy, founder and CEO, Sevco Security