Most organizations have dozens of cybersecurity asset management products in use. Which is good for security teams, especially because some commercial
offerings can help consolidate all this data in one, convenient system of record. However, teams should expect to do some necessary custom development work and invest time/resources to get everything working as planned. There is no one correct way
to build and maintain an asset inventory.
This piece outlines the best methods and what’s needed for comprehensive cybersecurity asset management system, along with descriptions of different tools and categories.
Asset Management Challenges for Security Teams
Many security teams have adopted a centralized asset management system (CAM). When high-tech organizations do not have CAMs and critical vulnerabilities occur, there is a scramble to determine which systems are affected, because asset data is spread across
multiple systems and even spreadsheets.
Asset management is a challenge nearly all departments across all business verticals face. Each group has different needs and requirements from an asset management solution:
- Security is focused on discovering new assets, assessing their state and finding asset information quickly during an incident.
- Finance and IT management are concerned with cost and license management.
- The IT service desk requires the ability to manage systems remotely to help employees in need of assistance.
- DevOps engineers need the ability to monitor and manage systems in real time, often with the aid of automated scripts and rule-based processes to scale workloads to meet performance demands or remain within guardrails.
- System administrators must monitor, manage and patch both legacy and more modern workloads.
- Developers need the capability to generate and maintain software bills of material programmatically or with the assistance of software composition analysis (SCA) tools.
Using a single asset management system doesn’t make a lot of sense for most organizations. However, that hasn’t stopped organizations from trying, and when that happens, we usually see the effort centered around an IT service management (ITSM)
tool.
Most large organizations have multiple asset management solutions to satisfy a wide range of needs for different parties. This works and is ideal for the security team, especially now that newer asset management tools can combine and deduplicate
the data from many of these asset management solutions.
Differences in Cybersecurity Asset Management Categories
The following categories are related to cybersecurity asset management in some way, and all can be useful, depending on the use case: Many of these have “management” in the name; although, security teams don’t typically manage assets—
they just need information related to the assets.
- Asset discovery
- Asset management
- Attack surface management
- Vulnerability management
- Patch management
- Mobile device management
- ITSM
- IT asset management (ITAM)
- Cloud security posture management
- Network device management
- Identity management
- SCA
Consider identifying the risk related to certain assets. This use case often requires combining data from:
- Vulnerability management tools, which identify issues and attempt to assign scores.
- Patching tools, which can validate the vulnerability management findings. Is the patch really missing or is it a false positive from an unreliable vulnerability check?
- Asset management tools, which can provide data that helps make scores from vulnerability management tools more accurate.
A whole class of risk management tools exist to combine the data above, along with threat intelligence to give a more accurate score. These tools assign an accurate risk score to each issue and asset. Risk management tools aren’t designed to replace
an asset management tool, but their data is incredibly valuable. Most asset management tools can integrate with risk management tools, and we highly recommend taking advantage of these integrations.
Some additional cybersecurity asset management use cases include:
- Paying down tech/security debt: This requires lists of systems that are out of support, abandoned or have no assigned asset owner.
- Incident response: For example, consider an alert associated with a particular IP address. What’s the hostname? Who owns it? Who is currently logged into it? Where is it? How is it connected to the internet? What has it been doing for the
past 24 hours? If employees are associated with it, what other assets do they regularly interact with?
- Risk metrics: This includes information such as vulnerability age, asset age and time to patch or remediate vulnerabilities.
- Vulnerability intelligence: Let’s say an issue is discovered with a particular NPM library—for example, the ua-parser-js NPM package was recently found to be hijacked and downloading malware. How could someone identify whether they’re
using this NPM package? In the recent hijack case, simply using ua-parser-js did not make you vulnerable. Because the malware is delivered via the NPM package installer scripts, it’s necessary to be aware of how ua-parser-js is installed or
updated. If it’s updated from GitHub, then no malware, but if it’s updated from the NPM repository, malware would have been downloaded and executed.
READ: How to Improve Your Vulnerability Management Program
Cybersecurity Asset Management Best Practices
Cybersecurity Asset Management Success Factors vary. Four key factors are explained below:
1. Visibility Tools:
Teams need a visibility tool that can, ideally, pull information from multiple sources on a regular basis. While some of these tools also offer the ability to automate changes to systems, the key need is visibility, so read-only access to other asset
management systems is sufficient for the core security use case here.
2. Access to data at several levels:
- Hardware or platform model, manufacturer, serial number, configuration, state
- Operating system version, patch level, configuration
- Installed application versions, patch levels, configuration, metadata
- Software libraries, versions, configurations
- Means and source of external software updates and internal software updates or configuration changes
3. Access to critical data sources:
Full responsibility infrastructure
- On-premises
- Collocated
- Corporate-owned assets assigned to employees, contractors or partners
Shared responsibility infrastructure
- Cloud workloads
- Cloud control plane
Employee information
- Human resources
- Directory services
- Identity management systems
Asset ownership
- Existing asset management, ITSM or change control systems
- Procurement data
4. Strong business unit relationships:
Collaboration between business units is necessary to obtain and maintain the data to make asset management systems work. Often, there are alternative ways to obtain the same data, but it typically involves more time and work than simply asking another
department for a read-only account to their system.
Why Purpose-built Security Asset Management Tools Beats All-in-One
Some organizations push everyone to standardize onto a single asset management/ITSM/change management platform. This might work out for parts of IT, but usually does not for security teams. The challenge for security is that it needs as much data as possible
in a short timeframe, but it doesn’t have access to extended development resources. Monolithic offerings typically disappoint when faced with these constraints. Security teams should go after purpose-built security asset management tools instead.
Keep in mind that even with a cybersecurity asset management tool in place:
- Existing IT and security tools may not be gathering all the data you need. For example, you may need to acquire a SCA tool to reach the right level of visibility.
- You will likely have to do some custom development work. This will help get all the desired integrations working.
- The process will be a time sink. Tracking down asset owners and getting access to existing data stores owned by other departments takes considerable time and resources. Organizations that dedicate full-time resources to the project see the best
results with security-focused asset management.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.