On September 15, 2021 Noord hosted a virtual boardroom in association with Axonius. The event consisted of a brief overview by Dean Sysman, CEO and Co-Founder of Axoniuis, followed by a discussion among senior IT professionals on the role of asset management in cyber security.
Dean explained that since its establishment in 2017, Axonius has become the fastest growing cyber security company in history in terms of revenue. The company prides itself on being a trusted vendor and strives to provide customers with value-for-money solutions.
Reasons for attending
Participants were asked to introduce themselves and give their reasons for attending. They represented various sectors, including wealth management, investment banking, risk management, retail and entertainment, and brought expertise in areas such as cloud security architecture, cyber threat management, fraud investigation, and regulation and compliance.
The evolving regulatory focus
One attendee from an investment company noted that while the regulatory focus had long been on defence and mitigating-type controls, the regulator was now asking organisations to assume that a significant disruption had already happened and present their recovery plan, which represented a real shift in mindset for CISOs. It also represented a shift in business processes; whereas previously, organisations had to think in terms of implementing mitigating controls for one investment period at a time, they are now being asked to enhance their entire operational resilience, which is extremely challenging.
Dean added that while computing environments used to be very homogenous – with one network, one device, one operating system and one management console – there are now dozens of variations, which causes data to become siloed. In this context, it is imperative that organisations have a full understanding of their environment, which starts with a strong asset management capability. To achieve this, organisations can start by asking a few fundamental questions. Is their agent make-up deployed everywhere that it should be? Is their vulnerability management programme really covering all of their environment, including the cloud? And are there any unmanaged devices on their privileged networks?
What is an asset?
Another attendee representing a financial services company highlighted the difficulty of defining an asset in the first place and questioned whether an asset could be regarded as a physical device, alert or security object. As organisations move into a zero trust or identity-centric world where access rights, machines and services can be ephemeral, this raises questions about how best to manage asset inventories and whether asset inventories are even relevant any more.
Making the case for asset management
Dean noted that asset management is important for two key reasons. Firstly, from a security point of view, it is important to ascertain the source of risk in an attack — and assets match this description. This could include IoT devices, anything in the cloud and ephemeral assets. Secondly, from an operational point of view, asset management is important to enable organisations to make the most use of their infrastructure while keeping it within the confines of the policies there are in place. One participant added that another crucial asset that had not been mentioned was human beings; they felt that whether attacks happen through malicious intent or accidental error, human beings will always be the weak link.
Following on from this, Dean added that another layer of complexity is the sheer amount of data that organisations are faced with in the move to digital transformation. Feeling that they can’t possibly analyse all the data available to them, organisations naturally get overwhelmed and lack a full understanding of their environment. However, the key is to be data agnostic to the data source. In other words, organisations need to take a view of all of their assets, pull together the different strands of data and correlate it.
Asset management solutions versus open source tools
One attendee raised the point that asset management solutions represent a significant business expense, in contrast to open source tools which are free of charge. In response, Dean highlighted the difference between an asset management tool and a solution, noting that many companies need the experience, guidance and implementation assistance that a fully-fledged solution can offer in addition to the information tools freely available to them. He drew on the analogy of driving a Ferrari: if you want to drive in the fast lane and accelerate your business, you need the right control system to stop you spinning out of control.
Quantifying asset management in relation to cyber security and operational resilience
Dean noted a common problem, which is that IT and security tend to see data and events very differently. To illustrate this, he gave the example of two people standing at opposite ends of a figure of six drawn on the ground: one will indeed see the number six, while the other will see the number nine. In this context, there is a need to bridge the gap between these opposing operational and security perspectives. For this reason, Axonius offers a standardised language, known as a system of record, in which it correlates all sources and enables IT and security teams to see data from the same viewpoint.
Best practice in asset management
Presenting a best practice case study, Dean cited the example of an Axonius client which had been forced to ban certain brands of devices in line with new regulations issued by a contractor. Armed with an asset management tool, the client — which has over 100,000 employees — had been able to locate all of the relevant devices within five minutes. Without an asset management tool, the company would have had to set up countless meetings between teams and sub teams and ultimately provide the contractor with a rough answer, risking non-compliance with its regulatory requirements.
‘The value of nothing happening’
One participant was keen to understand whether there was a correlation between the amount spent on asset management versus the likelihood of being hit by a security issue. Dean noted that according to an IBM study, the cost of an average data breach is $3.92 million. Essentially, asset management revolves around how much of their environment organisations understand; the parts which are not understood are usually where the breaches occur. In other words, companies can’t secure what they can’t see.
In closing, Dean gave attendees pause for thought by asking: what’s the value of nothing happening? While asset management tends to only attract widespread attention once a breach has already occured, it is an essential function which organisations must understand and implement to feel in control and ensure business continuity.