On June 10, 2021 Noord hosted a virtual boardroom in association with Axonius. The event consisted of an overview by Lenny Zeltser, Chief Information Security Officer at Axonius, followed by a discussion among senior IT professionals on the role of asset management in cyber security.
Reasons for attending and key challenges
Participants had a broad range of expertise, including in data analytics, secure innovations, digital connectivity, regulatory capability and data protection, in addition to IT and security in general. They came from the military, banking, energy and healthcare sectors, among others.
One attendee cited the challenge of aligning with the requirements of the Cybersecurity Maturity Model Certification (CMMC), given their organisation’s work with a US government department. Others were keen to learn about asset management in the context of remote and hybrid working, particularly in determining which assets are connected and sanctioned, and which of them posed security concerns. A few participants noted that their respective sectors of banking, pharmaceutical and oil & gas were highly regulated, which presented specific challenges in relation to asset management, particularly when it comes to data leaks and security management.
Asset management in a remote environment
Lenny noted that in 2021, asset management posed a particular challenge given that anyone can work remotely from wherever they are in the world. In this context, it is difficult for organisations to keep track of what components may compromise IT security, what they should be overseeing from a security perspective and how they can ensure the right IT security measures are implemented.
One attendee pointed out that the asset landscape has changed over the last few decades, with more forms and models of ownership. Another suggested that the definition of an asset has evolved, given that 40 years ago assets were purely financial, rather than destined for IT management. Data has also changed, as evidenced by the rise in digital twins and data lakes, while the vectors for attacking assets are increasing all the time. In addition, cultural challenges were mentioned, which require relationship building and education across organisations.
Tracking assets or tracking users?
In terms of which assets should be tracked as a priority, one participant mentioned cloud assets, noting that their organisation not only tracks cloud assets but attempts to ascertain their criticality. Another noted that in Kubernetes, it was difficult to actually define what constitutes an asset. Interestingly, the point was made that the real challenge perhaps lies in tracking users, specifically their authentication and identity. In this context, zero trust environments were seen as key.
In terms of the reasons cited for managing assets, these ranged from mitigating cyber security risk to minimising data sprawl and keeping costs low.
Asset management in the cloud
The point was made that while security professionals used to be the gatekeepers of assets, approving and recording them before they were rolled out across an organisation, developers can now spin up resources of their own accord, meaning that IT departments only have visibility after the fact.
To remedy this, one participant mentioned that they tag cloud resources and use a third-party tool which searches for anything without a tag. Another idea was to run weekly discovery scans. However, while these are good enough for most assets, they cannot capture infrastructure that is present on the network only for a short period of time, which can expose an organisation to risk before disappearing undetected.
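The gap described above, as an added example (not code from the event or from any tool mentioned there): constructed resource lifecycle records are checked for a missing tag and against a weekly scan schedule, showing which short-lived resources no scan ever observes. The resource names, dates and the `owner` tag policy are assumptions.

```python
from datetime import datetime, timedelta

REQUIRED_TAGS = ("owner",)  # assumed tagging policy, not from the page

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed lifecycle records: (id, created, terminated or None, tags)
RESOURCES = [
    ("vm-web-01",    ts("2021-05-31 09:00"), None,                   {"owner": "platform"}),
    ("vm-batch-17",  ts("2021-06-08 10:00"), ts("2021-06-08 18:00"), {}),
    ("db-test-03",   ts("2021-06-02 12:00"), ts("2021-06-09 12:00"), {"owner": "data"}),
    ("bucket-tmp-9", ts("2021-06-01 00:00"), None,                   {}),
    ("k8s-node-x",   ts("2021-06-10 01:00"), ts("2021-06-12 03:00"), {"owner": "dev"}),
]

def scan_times(first, last, interval=timedelta(days=7)):
    """Instants at which a periodic discovery scan takes its snapshot."""
    out, t = [], first
    while t <= last:
        out.append(t)
        t += interval
    return out

def untagged(resources, required=REQUIRED_TAGS):
    """IDs of resources missing any required tag (the tag-search control)."""
    return [rid for rid, _, _, tags in resources
            if any(not tags.get(k) for k in required)]

def missed_by_scans(resources, scans):
    """Map of id -> lifetime in hours for resources alive at no scan instant."""
    missed = {}
    for rid, created, terminated, _ in resources:
        seen = any(created <= t and (terminated is None or t < terminated)
                   for t in scans)
        if not seen:
            # Lifetime is unknown while the resource is still running.
            missed[rid] = (None if terminated is None
                           else (terminated - created).total_seconds() / 3600)
    return missed

if __name__ == "__main__":
    scans = scan_times(ts("2021-05-31 00:00"), ts("2021-06-14 00:00"))
    no_tag = untagged(RESOURCES)
    missed = missed_by_scans(RESOURCES, scans)
    print("untagged:", no_tag)
    print("never seen by a weekly scan:", missed)
    # Untagged and never scanned: visible only in creation/termination records.
    print("both:", [r for r in no_tag if r in missed])
```
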
Determining asset criticality
One participant mentioned that they applied a basic framework centered around confidentiality, availability and the desired level of asset security from a business perspective, along with additional overlays. Another noted that they used organisational data classification as a metric. A couple of attendees said that they had different sets of controls for different assets, which were segregated from the usual network and more complex to access.
There was then a discussion on what type of information organisations gathered about an asset. One challenge in this regard included monitoring third- and fourth-party risk in ever-growing ecosystems. In this connection, it was felt that IT professionals need to gain organisational buy-in so that employees understand the increased risks.
Identifying end of life
One participant mentioned that replacing every piece of hardware that had been classified by vendors as end of life was unrealistic owing to the monumental cost of doing so. A potential solution to lifecycle challenges was the IP Fabric platform, which can scan global networks very quickly and can identify end of life down to each network device. Moreover, with respect to compound risk, one attendee wondered whether their organisation ought to be testing its resilience by ensuring that the environment could be powered off and on, with vendors put on standby.
Unsanctioned use of the cloud and SaaS
There was mention of employees using their corporate credit cards and signing up for unsanctioned SaaS solutions. This was particularly challenging because employees sometimes enter sensitive data into such apps, and some solutions – including certain web host and domain platforms – make money by rendering asset retrieval difficult and costly.
The point was made that technology could be used to some extent, such as in scanning the web for breadcrumbs or looking for unexpected devices on a network, but that unsanctioned use essentially boils down to a human problem. In other words, employees must be made aware, by means of clear and strict management policies, of the seriousness of putting a company’s integrity at risk. However, the idea of positive reinforcement was also raised, whereby organisations make it easier for people to adhere to a policy, so that they do not actively refuse to comply with it.
While organisational policy and education were seen as instrumental to reducing risk, the suggestion was also raised of having strict controls whereby all software is purchased, managed and signed off by an organisation’s IT department.
One attendee noted that the Covid-19 pandemic had helped them to gain full control of the network, as all employees had to enter via a secure route. Nonetheless, the point was made that even in controlled scenarios, organisations were essentially reliant on the honesty of their employees to prevent data leaks. While care can be taken during the hiring process to ensure that the right people are hired, organisations must always be prepared for a potential breach stemming from human error or malicious intent, despite best efforts and watertight procedures.
The future of asset management
Summing up, Lenny noted that asset management would continue to be challenging given the speed at which technology and business requirements continued to evolve. However, modern approaches and tools could nonetheless offer effective solutions to asset management problems.