Opening of the session
On July 7th 2021, Noord hosted a virtual boardroom in association with Axonius. The event consisted of an overview from the speaker, Dean Sysman – CEO & Co-Founder of Axonius, followed by a discussion among senior IT professionals on the role of asset management in cybersecurity. Participants outlined their key challenges with regard to the topic and their main reason for attending.
Understanding your IT estate
Dean noted that when asked how many devices they have, organisations commonly give an estimate in the form of a range. Such estimates would not provide much confidence if they were made in other areas of the business, such as finance, so they should not be used as a confidence benchmark in cybersecurity either. In the post-Covid world, where any activity can be done from any device, location or network, the ideal asset management solution is one which supports any kind of interaction and provides a full view of one’s estate. This is the only way to provide organisations with 100% assurance about their assets and any potential security risks.
One participant echoed this concern that any device, piece of information or scrap of paper is now located at the edge of every organisation’s estate and vulnerable to attack. Without an awareness of where such data and devices are, it is difficult to defend them. Another participant added that they liked the principle of a data lake, which involves putting all data in one place and using AI to provide a confidence rating as to whether an asset is live or not. In that respect, they disagreed with Dean’s view that relying on estimations and confidence ratings was necessarily a flawed approach; at the very least, such estimations provide organisations with a certain degree of confidence about their threat landscape. Moreover, they questioned whether any tools currently on the market could truly deliver on providing this type of 365° asset management view while remaining cost effective.
Dean agreed that the data lake approach was the only way to gain a full understanding of what is in a network. However, the downside of AI is that it is heuristic and statistical rather than deterministic. In other words, it can only offer a degree of confidence, not full certainty.
Participants then discussed vulnerability management, with one attendee noting that they don’t allow any device onto their system unless it has the necessary software installed, which provides the organisation with a reasonably good overview of its estate. The areas of margin, however, concern employees with multiple laptops, or laptops which are generally kept in storage. This linked in with a wider point about how employees access the network, and whether connections through Outlook Web or Citrix should be dealt with in the same way as connections through other managed devices.
Build or buy?
Dean asked whether there was a benefit to building versus buying an asset management tool, and whether anyone had experience of buying a tool which ultimately did not cater to the solution. In response, one attendee said that they prefer to shop around and then buy to solve the problem as effectively as possible.
Dean explained that the Axonius platform is catered to security and IT teams. Axonius had approached the asset management problem from the basis that applying a network approach to building an inventory is not comprehensive and cannot offer a real-time view. Mindful that the data was all there to be exploited, the company developed a solution whereby its 350-plus adapters connect to any control and pool all the data together. After this, the data can be put in a data lake to be correlated, deduplicated and normalised.
Challenges in asset management
Dean asked attendees to share their current challenges in this area. One participant noted that inheriting another company had proved difficult; while understanding the value of assets seems like a simple task, it is not easy in practice. Another noted that the term ‘asset’ was problematic, as there are many different types. For example, there are IT assets, information assets and human assets (or human capital).
A representative from the policing sector noted that very few organisations manage assets effectively, as they either want to avoid the issue or take a laissez faire attitude to risk. In that respect, they noted that organisations must make their executives aware of the importance of asset management. As for building or buying, it was noted that there is a gap between what businesses think their need is compared to what’s on the market, with many opting for solutions which aren’t fit for purpose.
Three key reasons for poor asset management were outlined: 1) where organisations see it as a cost, not an investment; 2) the language used around cybersecurity, which is seen as an IT issue rather than a business issue; and 3) the unfounded belief that organisations won’t be affected by a breach, as their employees have common sense and they can’t see why their business would be a target of interest. As a result, it was felt that the UK still hasn’t experienced a sea change in approach towards cybersecurity, even in the light of high profile attacks.
The basics of asset management
Attendees were asked if they currently had a baseline level of asset management. One noted that they had several different tools, from antivirus to vulnerability scanners and active directory, which together formed a good picture of their assets, often as part of multiple inventories. Dean agreed with the sentiment that multiple asset inventories exist, and suggested that the answer is to correlate these sources and data silos.
This led on to a discussion about securing company buy-in for asset management tools, with attendees agreeing that they struggle to get the cyber security message across at a company level. Moreover, there is the difficulty of demonstrating return on investment – with one participant noting that actionable plans were much more backable from a finance perspective.
Other challenges discussed included whether organisations measure return on investment in terms of risk, compliance or operational value, how organisations can keep track of assets in different locations, the move to a zero trust model and the difference between asset inventories and asset assessments.
Closing of the session
In closing, Dean noted that security practitioners can be very cynical about the problems they face, but every challenge has its solution. While Axonius has created what it believes to be an effective asset management tool, it is great to see that organisations are approaching the problem from different angles. He welcomed further conversations with attendees about their asset management challenges.