In our first post, we covered the three critical components of security posture in the form of three questions.
- What IT Assets do you have?
- Who owns each asset, where is it located and how should it behave?
- How well do your security controls work against known attacks?
In this post, let’s look at the IT asset inventory dilemma that every organization faces today and tie it directly back to security posture. First, let’s be honest: no CISO can say definitively what assets they have. This used to be a relatively straightforward question. Enterprises had hardware (laptops, desktops), infrastructure (servers, networking gear), and software (running locally). That changed over the past two decades as cloud and SaaS took over, scrambling the definition of an asset.
In the cloud, containers proliferated, turning into a giant web of microservices, each one adding to both the asset inventory and the attack surface. SaaS replaced locally installed software, and mission-critical applications and data moved from a single physical location on a dedicated server to mirrored, sharded databases spread across multiple data centers around the world. This shift further complicated any accurate measurement of security posture.
At the same time, more of the work people do moved to mobile devices (often BYOD), punching holes in the traditional security perimeter. The final blow to the old IT asset inventory paradigm was COVID-19 and the massive shift to work-from-home (or, more accurately, work-from-anywhere). This obliterated any remaining notion of a perimeter and radically expanded the attack surface of enterprises. Suddenly, every Starbucks or cafe near an employee became a potential node on the corporate network. The net result? Gathering an IT asset inventory and understanding which security controls are in place and performing to expectations (in other words, measuring security posture) is more challenging than ever.
How to Think About IT Asset Inventory
Because IT assets arrived in technology waves, specific solutions evolved for each wave. Each played a role in security posture measurement, but they rarely connected. Older-generation solutions include configuration management databases (CMDBs), traditional IT asset management (ITAM) systems and software asset management (SAM) systems. Newer generations include mobile device management (MDM), unified endpoint management (UEM), and solutions for managing cloud infrastructure assets and SaaS assets. There are also infrastructure management solutions for monitoring servers and networking gear, and for managing networks. For the most part, each of these systems has its own discovery agent focused only on the assets it tracks. In other words, they are all siloed.
To get the best picture of the data in all the silos, and to build a comprehensive view of security posture, enterprises should think about aggregating the different data sources into a federated solution that leverages every existing mechanism for discovery, data capture, and data correction. There are large software packages that claim to do all of this in one engine, but in reality no single tool does all of asset management well. This means enterprises need to consider how to create a data layer that aggregates, dedupes, reconciles, and publishes a unified view of all IT assets. That data layer might be a bespoke software project, or it might leverage one of the newer generation of “agentless” IT asset management solutions, which are designed to pull in data from the agents of existing systems as well as from SSO, identity management and employee directory systems. Lastly, include in the inventory exercise a list of all security controls deployed, and the systems each one covers. This cannot be emphasized enough: evaluating and improving your security posture depends on having a comprehensive inventory of assets and mapping those assets to security controls (or the lack thereof).
Automate and Elevate Your IT Asset Inventory Work
If you are building inventories by hand, errors will creep in and the process will be painstaking and time consuming. Automating the inventory process quickly pays off in accuracy and cost savings. It also creates repeatable processes that can streamline audits, compliance due diligence and security posture assessment exercises. But automating discovery and aggregation of asset data is only the start. You also need to add a further layer of information about each asset, including:
- Asset type, asset role, whether the asset is attached to the Internet or only to internal networks
- IP addresses and physical or virtual (cloud) locations of each asset
- Asset owner, business unit and geographic area
- Asset status (running security agents, encrypted, properly patched, not running sunsetted / unsupported software)
- If an asset is a security control, a backed-up copy of its present and past configurations for audit purposes. Granular detail on security control deployment and status enables better security posture by letting teams quickly understand which control was compromised, and where they need to improve.
Communicate and Educate with IT Asset Data
Because most organizations today must manage software and technology infrastructure, IT asset inventory data increasingly has strategic value for business owners and finance teams as well as for security teams. Monitoring asset status over time is one of the best ways to track consumption and usage trends and to plan future IT spending. At the same time, asset behaviors provide insight into security risks and help security teams visualize their risk profile. Asset inventories can also become a key input to security metrics that reflect not just whether controls are deployed but also the behavior and security status of all the endpoints in the crosshairs of attackers. Tracking changes in IT asset coverage, and whether those assets are covered by controls, is a useful objective measure of security posture that can be recorded and reevaluated over time.
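The data layer described above (aggregate, dedupe, reconcile, publish) and the enrichment attributes and coverage metric from the preceding sections can be sketched in a few dozen lines. The following is an added example written for this post, not code from the original article or from any product it mentions. The three source exports (CMDB, MDM, cloud), the field names, and the reconciliation rule (serial number first, short hostname otherwise) are all constructed assumptions; a real deployment would pull these records from the silos' APIs.

```python
"""Added example (not from the original post): federating three siloed
asset sources into one deduplicated, enriched inventory and deriving a
control-coverage metric from it. Every record, source name and field
name below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample exports from three silos. The workstation ws-0421
# appears in CMDB and MDM with different casing and different fields; the
# cloud instance is known only to the cloud API (no serial number).
CMDB = [
    {"hostname": "WS-0421", "serial": "5CG1234", "owner": "finance", "ip": "10.1.4.21",
     "internet_facing": False, "last_seen": "2024-03-01T08:00:00"},
    {"hostname": "srv-db-01", "serial": "SRV9981", "owner": "platform", "ip": "10.2.0.15",
     "internet_facing": True, "last_seen": "2024-02-20T12:00:00"},
]
MDM = [
    {"hostname": "ws-0421.corp.example", "serial": "5cg1234", "owner": "finance",
     "edr_agent": True, "disk_encrypted": True, "os_supported": True,
     "last_seen": "2024-03-05T09:30:00"},
]
CLOUD = [
    {"hostname": "i-0abc123", "serial": None, "owner": "platform", "ip": "52.0.0.10",
     "internet_facing": True, "edr_agent": False, "disk_encrypted": True,
     "os_supported": False, "last_seen": "2024-03-04T10:00:00"},
]


@dataclass
class Asset:
    key: str                                   # reconciliation key
    sources: set = field(default_factory=set)  # silos that reported this asset
    attrs: dict = field(default_factory=dict)  # merged enrichment attributes
    last_seen: datetime = datetime.min


def asset_key(rec):
    """Serial number wins when present (stable across renames and re-imaging);
    otherwise the lower-cased short hostname. Assumption: serials are unique."""
    if rec.get("serial"):
        return "serial:" + rec["serial"].lower()
    return "host:" + rec["hostname"].lower().split(".")[0]


def federate(sources):
    """Merge {source_name: [records]} into one inventory keyed by asset_key().
    Conflicting attributes are resolved in favour of the most recent
    last_seen; an attribute only one source knows is kept regardless of age."""
    inventory = {}
    for name, records in sources.items():
        for rec in records:
            key = asset_key(rec)
            seen = datetime.fromisoformat(rec["last_seen"])
            asset = inventory.setdefault(key, Asset(key=key))
            asset.sources.add(name)
            newer = seen >= asset.last_seen
            for k, v in rec.items():
                if k == "last_seen" or v is None:
                    continue
                if newer or k not in asset.attrs:
                    asset.attrs[k] = v
            if newer:
                asset.last_seen = seen
    return inventory


# The asset-status attributes the post lists: agent, encryption, supported software.
CONTROLS = ("edr_agent", "disk_encrypted", "os_supported")


def coverage_report(inventory):
    """Per-control coverage plus the gaps a posture review would act on.
    An unknown status is counted as a gap, not as coverage."""
    covered = {c: sum(1 for a in inventory.values() if a.attrs.get(c) is True) for c in CONTROLS}
    gaps = {c: sorted(k for k, a in inventory.items() if a.attrs.get(c) is not True) for c in CONTROLS}
    exposed_without_edr = sorted(k for k, a in inventory.items()
                                 if a.attrs.get("internet_facing") and a.attrs.get("edr_agent") is not True)
    # Assets seen by only one silo are the ones most likely to be missing controls.
    single_source = sorted(k for k, a in inventory.items() if len(a.sources) == 1)
    return {"total": len(inventory), "covered": covered, "gaps": gaps,
            "exposed_without_edr": exposed_without_edr, "single_source": single_source}


if __name__ == "__main__":
    inv = federate({"cmdb": CMDB, "mdm": MDM, "cloud": CLOUD})
    for k, a in inv.items():
        print(k, sorted(a.sources), a.attrs)
    print(coverage_report(inv))
```

With the constructed data the workstation collapses into one record that keeps its CMDB IP address and gains the MDM control status, while the database server and the cloud instance both surface as internet-facing assets with no EDR coverage and as single-source records. Recording that report on a schedule gives the over-time coverage measure the text describes; the same keys can later be joined to the backed-up control configurations mentioned above.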
Having an accurate view of an organization’s IT asset inventory is the first key milestone in building a practice of continuous security posture assessment and evaluation. It is also a strong foundation for a communications strategy: CISOs can use the strategic value of IT asset information to raise awareness of the strategic value of information security initiatives. Just don’t keep it in spreadsheets, please. Learn more about how to better manage your security posture.