Asset management and security -- how to secure your whole tech stack


In a tumultuous geopolitical environment, organizations use digital transformation initiatives to accelerate and maintain their productivity. Companies want IT to increase innovation and improve the efficiency of processes across the business. At the same time, IT leaders are under mounting pressure to gain full visibility of their infrastructure, because they need to minimize or mitigate the risk of any disruption that could directly affect customers and shareholders or expose employee data.

Without a clear understanding of where your tech stack sits today, those future goals will remain out of reach. Whether you are a brand new CIO taking on IT responsibility for the first time or a seasoned CIO with years of experience, being able to move between the big picture and the nuanced details is a necessary skill to develop.

Start at the beginning

Asset management is the foundation of any organization's information security policy. It sounds simple: keep a complete, accurate and timely list of every IT asset in the company's environment. But why is it difficult in practice? And why should a CIO care about this level of detail?

The answer is that without this detail, you -- and your department -- will always be a step behind. A comprehensive, up-to-date and accurate asset management (AM) program is the linchpin of your team's success. Without it, your department will struggle to deliver the business impact it is targeted on and you are measured against. Try as they might, an IT team cannot function effectively without AM.

Getting an accurate understanding of your organization's entire IT estate allows security and IT teams to take the necessary steps to mitigate security threats. It speeds up the identification of misconfigurations, vulnerabilities and end-of-life hardware. It also allows for prioritization, which frees up staff to focus on the issues most likely to affect the company.

Look inward…

Establishing a comprehensive asset inventory seems like an obvious baseline that every organization would have by now, but research shows that 69 percent of organizations have experienced an attack targeting an "unknown, unmanaged or poorly managed internet-facing asset." If you don’t know what assets you have on your corporate network, you can’t protect them.

If your team can't report on this to you, then you can't know how well those security risks are being handled. Creating a comprehensive view of your organization's assets will no doubt uncover some hidden surprises -- such as shadow IT implementations -- that have accumulated over the years.

The key goal is for the inventory to be treated not as an afterthought but as the first building block. It is all too easy for this job to be downgraded or ignored as it competes for attention with the next big project or malware threat. Instead, emphasize that getting the basics right first allows better concentration on other important projects and on the pressing issues that will arise.

Once your catalog of assets has been established, you must work out how to keep it up to date. Categorizing assets by how critical they are to the business ensures that each gets the right level of attention. This makes it easier to decide how to manage and protect them, and gives you better data on how well your team is doing on security.

Consider endpoints: attacks on an organization's environment frequently begin there. When these devices run old or out-of-date software, they are "low-hanging fruit" for attackers. Without full visibility at your fingertips, it is almost impossible to keep up with growing threats: organizations can only mitigate once they have a clear picture of constantly changing infrastructure.

Regain control of end-of-service components

As software and hardware age, old versions fall by the wayside. Once you have an accurate picture of your IT estate, you can map each item against its life cycle to ensure that hardware and software remain supported by the original manufacturer and are proactively managed for vulnerabilities and patching. End-of-service components introduce significant security risk, and they should be proactively updated or replaced to reduce the attack surface.

Unfortunately, there is no industry standard for product or service life cycles, or for how manufacturers report them. But there are tools that can map known life cycle information for popular products onto the assets in your inventory, centralizing that information.

As a CIO, you will need to replace out-of-date software over time, but that has to be balanced against cost and the new services that could otherwise be delivered. For some systems, it may be possible to mitigate the risks and run the software for longer. For others, there will come a time when a replacement must be carried out. The alternative is to leave that software running, which invites future exploitation.

Normalize, categorize and prioritize

Within any enterprise organization there are likely to be tens of thousands of assets to identify and manage. This is where security tooling helps your team manage at scale, automating repetitive tasks so that manual intervention is saved for the cases that need it. Combining your asset inventory with end-of-life and end-of-service information lets the team view all relevant information in a single management pane rather than searching for it by hand.

The earlier categorization of assets pays off here: you can build agreed sets of rules for handling particular low-risk assets automatically, easing your team's workload so they can focus on higher value tasks.
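As an added illustration of that normalize, categorize, prioritize loop (example code written for this page, not a product's own logic): it takes a constructed inventory whose product names arrive in the inconsistent forms different collectors produce, normalizes them to a canonical key, joins them against a small end-of-service table, and ranks each asset by business criticality and support status. The end-of-service dates are approximate and included only so the example runs; a real program should take them from the vendor's own life-cycle data. The criticality weights, score multipliers and the 180-day warning window are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed inventory: the same two products reported three different ways,
# as an agent, a network scanner and a cloud API might each name them.
INVENTORY: List[Dict] = [
    {"host": "db-prod-01", "product": "Microsoft Windows Server 2012 R2", "criticality": "high"},
    {"host": "web-03", "product": "ubuntu 18.04 LTS", "criticality": "medium"},
    {"host": "kiosk-7", "product": "Windows-Server-2012R2", "criticality": "low"},
    {"host": "api-gw", "product": "Ubuntu 22.04", "criticality": "high"},
]

# End-of-service dates keyed by normalized product name. Approximate values
# used so the example runs; take real ones from the vendor's life-cycle feed.
EOL: Dict[str, date] = {
    "windows server 2012 r2": date(2023, 10, 10),
    "ubuntu 18.04": date(2023, 5, 31),
    "ubuntu 22.04": date(2027, 4, 1),
}

# Assumed weights: how much a given business criticality amplifies a finding.
CRIT_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def normalize(product: str) -> str:
    """Reduce vendor/collector spelling variants to one canonical key."""
    s = product.lower()
    s = re.sub(r"^microsoft\s+", "", s)   # vendor prefix carries no information here
    s = re.sub(r"\blts\b", "", s)         # support-tier suffix is not part of the key
    s = re.sub(r"[-_]+", " ", s)          # "windows-server-2012r2" -> "windows server 2012r2"
    s = re.sub(r"(\d)r2\b", r"\1 r2", s)  # "2012r2" -> "2012 r2"
    return re.sub(r"\s+", " ", s).strip()


@dataclass
class Finding:
    host: str
    product: str
    status: str               # unsupported | expiring | supported | unknown
    days_left: Optional[int]  # None when no life-cycle data is known
    score: int                # higher = look at it sooner


def assess(record: Dict, today: date, warn_days: int = 180) -> Finding:
    """Join one inventory record against the EOL table and score it."""
    name = normalize(record["product"])
    weight = CRIT_WEIGHT[record["criticality"]]
    eol = EOL.get(name)
    if eol is None:
        # Missing life-cycle data is itself a finding: the asset cannot be shown to be supported.
        return Finding(record["host"], name, "unknown", None, weight * 2)
    days_left = (eol - today).days
    if days_left < 0:
        status, multiplier = "unsupported", 4
    elif days_left <= warn_days:
        status, multiplier = "expiring", 2
    else:
        status, multiplier = "supported", 0
    return Finding(record["host"], name, status, days_left, weight * multiplier)


def prioritize(inventory: List[Dict], today: date) -> List[Finding]:
    """Rank the whole inventory: highest score first, host name as tie-breaker."""
    return sorted((assess(r, today) for r in inventory),
                  key=lambda f: (-f.score, f.host))


if __name__ == "__main__":
    for f in prioritize(INVENTORY, date(2024, 6, 1)):
        print(f"{f.score:>3}  {f.host:<11} {f.status:<12} {f.product}")
```

The normalization step is where most real effort goes: two collectors naming the same product differently would otherwise produce two asset classes, one of which silently misses the end-of-service match. Treating "no life-cycle data" as its own finding keeps unmapped assets from disappearing into the "supported" bucket.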

Get the holistic view

Asset management can be complex and detail-heavy. As you scale up infrastructure and use more platforms to meet business needs, it becomes difficult to keep up with potential risks.

Asking the question "What does my organization look like from a hacker's point of view?" gives you a holistic view of your entire IT estate. Scanning for internet-facing devices shows what an attacker would see and, most importantly, where they might exploit any gaps. Attack Surface Management depends on a strong asset management approach and takes it one step further by assessing the security posture of each identified asset. Like asset management, this should be a continuous process of discovery, classification and assessment.
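The reconciliation that sits behind that question, as an added example (not part of the original article and not any vendor's tool): it compares a constructed set of externally discovered hosts against a constructed inventory of known internet-facing assets, flags hosts the inventory does not know about, known hosts exposing ports their owners did not declare, assets with nobody accountable for them, and inventory records that no longer answer, and reports the share of discovered hosts the inventory can account for. The addresses come from the 203.0.113.0/24 documentation range, and the `allowed_ports` and `owner` fields are assumed inventory attributes.

```python
from typing import Dict, List, Set

# Constructed sample: hosts that an external discovery scan of the company's
# public ranges found, and the ports they answered on. Illustrative only;
# 203.0.113.0/24 is the reserved documentation range, not a real network.
DISCOVERED: List[Dict] = [
    {"ip": "203.0.113.10", "ports": {443}},
    {"ip": "203.0.113.11", "ports": {22, 443}},
    {"ip": "203.0.113.57", "ports": {3389}},
    {"ip": "203.0.113.80", "ports": {80, 8080}},
]

# Constructed inventory of internet-facing assets the CMDB knows about.
# "allowed_ports" is an assumed attribute: the exposure the owner signed off on.
INVENTORY: Dict[str, Dict] = {
    "203.0.113.10": {"name": "www", "owner": "web-team", "allowed_ports": {443}},
    "203.0.113.11": {"name": "bastion", "owner": "infra", "allowed_ports": {22}},
    "203.0.113.80": {"name": "legacy-app", "owner": None, "allowed_ports": {80}},
    "203.0.113.99": {"name": "old-vpn", "owner": "infra", "allowed_ports": {443}},
}


def reconcile(discovered: List[Dict], inventory: Dict[str, Dict]) -> List[Dict]:
    """Compare what the outside world can see with what the inventory claims.

    Returns one finding per discrepancy, each a dict with "ip", "issue" and
    the ports involved:
      unknown          host answers but is not in the inventory at all
      unexpected_ports known host exposes ports beyond its approved set
      no_owner         known host has nobody accountable for it
      not_reachable    inventory record the scan did not find (stale?)
    """
    findings: List[Dict] = []
    seen: Set[str] = set()
    for host in discovered:
        seen.add(host["ip"])
        rec = inventory.get(host["ip"])
        if rec is None:
            findings.append({"ip": host["ip"], "issue": "unknown",
                             "ports": sorted(host["ports"])})
            continue
        extra = host["ports"] - rec["allowed_ports"]
        if extra:
            findings.append({"ip": host["ip"], "issue": "unexpected_ports",
                             "ports": sorted(extra)})
        if rec["owner"] is None:
            findings.append({"ip": host["ip"], "issue": "no_owner",
                             "ports": sorted(host["ports"])})
    for ip in inventory:
        if ip not in seen:
            findings.append({"ip": ip, "issue": "not_reachable", "ports": []})
    return findings


def coverage(discovered: List[Dict], inventory: Dict[str, Dict]) -> float:
    """Share of externally visible hosts the inventory can account for.

    This is the number to ask your team for: 1.0 means nothing unknown is exposed.
    """
    if not discovered:
        return 1.0
    known = sum(1 for h in discovered if h["ip"] in inventory)
    return known / len(discovered)


if __name__ == "__main__":
    for f in reconcile(DISCOVERED, INVENTORY):
        print(f"{f['ip']:<15} {f['issue']:<16} ports={f['ports']}")
    print(f"inventory coverage: {coverage(DISCOVERED, INVENTORY):.0%}")
```

Run continuously, the "unknown" findings are the shadow IT the article warns about, and the "not_reachable" ones are the stale records that make an inventory untrustworthy in the other direction. Replace the constructed `DISCOVERED` list with the parsed output of whatever external scanner you use.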

For the CIO, approaches like Attack Surface Management help build up that picture of risk to the business, which can then be translated into terms the leadership team understands. Speaking in terms of risk is much more helpful -- and more likely to be listened to -- and can be used to justify the work your team is putting in.

Getting a firm understanding of every IT asset under your control might seem like a level of detail too far. However, it should be a top priority for every CIO, because without it there is uneven ground to build on. Investing in solutions that allow your organization to better understand, track and secure assets is critical to your success.


Isphreet Singh is Chief Information Officer at Qualys, where he has global responsibility for corporate IT infrastructure and operations, enterprise applications and architecture, data integration and IT security.


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.