Current trends in information security see things like security information and event management (SIEM), machine learning, and advanced threat protection (ATP) becoming buzzwords. As a result, it’s enticing for organizations with big enough checkbooks to test drive these new toys. While research into these areas certainly is interesting, I would caution businesses against jumping for what’s shiny and new at the expense of being mature at what’s bland yet effective. For example, one of the most effective means of cybersecurity is a mature IT asset management process. Let me explain why.
Know So You Can Value (and Protect)
You can’t value what you can’t measure, and you can’t measure what you don’t know about. Once senior management has signed off on security policies and scope, the first part of implementing it is to know what you have. This is not only a logical starting point, but also a fundamental crux of making everything else work. The gold standard framework for all public US government agencies (and, increasingly, the private sector as well), is the NIST Cybersecurity Framework (CSF, or sometimes just referred to as “Framework”). The first part of the CSF Core is to identify, and the very first category under that function is asset management (ID.AM). To quote the Framework,
“The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.” (emphasis mine)
The only way you can analyze and secure your organization’s threat landscape is to know the breadth of that landscape (i.e., you need to know what you have). This will help with the “identified and managed” part. However, of paramount importance too is the next part of the statement, “consistent with their relative importance….” I know everyone thinks the CEO has the most important laptop, but they’re just one person (and probably more likely to be spear-phished anyway). Remember, to assess risk, you have to keep in mind both impact and likelihood. You might have one CEO, but you possibly have a great many people in your sales force travelling in and out of airports, cabs, etc. (you know, places where devices go “missing”), with company secrets, customer lists, and access to PII data on their devices. Figuring out what those pieces are and accurately accounting for them is the first step in effective cybersecurity management.
Get Your Head Out of Your Asset(s)
Once you know what you have, you need to know what it means, its use, and its delivery methods. Only then can you understand what the actual risk is to the business and protect it accordingly. Thinking of things only as assets gets us only as far as the financials associated with said pieces of hardware. To get to good levels of security, we need to consider an asset’s role as a configuration item as well. Without getting too technical on what is an asset vs. what is a configuration item, for simplicity’s sake, let’s use the following definitions:
Asset: Anything that can be procured and has a value lifecycle (think “things”)
Configuration Item: Logical items that exist on your infrastructure or CMDB
A table can be an asset. A VLAN is a configuration item. For this article, I’m talking mainly about things that at some point throughout their lifecycle are both: laptops, PCs, PDAs, servers, switches, etc.
While this simplifies things, it is still very important to know which part of the process an asset is in, because each stage has its own risks involved. A basic ITAM process may look something like this:
Procurement → Receipt → Configuration → Deployment → Support → Retirement → Disposal
This is helpful, but it doesn’t show business impact and is mainly concerned with the asset with regard to financial depreciation and accounting. A 2015 HDI study showed that the main reason companies had hardware asset management in place was for inventory tracking (96%), not data security/compliance (55%). This is a stunning revelation when you think about it.
Why is it that the most important stages (disposal aside) from a security perspective happen when the asset exists as a configuration item, yet most managers are primarily concerned with inventory tracking, which has to do with financials? Stop and think about that for a second. How often have you been in the middle of a hardware warranty refresh, sweating over getting the numbers right so you can provide proper forecasting to leadership and budgeting? I know I’ve been there. These are hard numbers; their value is easy to understand. But now let me ask you, how much do you worry that a device is named incorrectly or has the wrong rights? Or doesn’t have the proper updates? Or is misconfigured and as a result leaves unneeded ports open? These are less tangible and harder to see, but these are what should really worry you. What’s the cost of losing a physical asset? Let’s say $2k for a decent laptop. What’s the cost of a data breach that happens as a result of a poorly secured lost laptop? About $3.62 million, according to one estimate.
The importance of the assets you have, while certainly real, pales in comparison to the data on those assets and the entry points they provide to your network. It’s not even close. Unless you’re using collector’s items like an Apple II or Xerox Alto in your environment, the value of your hardware as hardware can never be more than its purchase price. In fact, it’s depreciating from the moment you get it. But the data that exists on there, and the myriad ways to exploit it and your infrastructure, well, that’s a different story. So get your head out of your assets, and start placing importance where it should be: properly configured configuration items.
Be Explicit About the Process
Asset management and risk modeling is not a one-time thing; it’s a continual process. Knowing where items are at single points in time, or even that they’re protected and configured properly, is just one piece of the puzzle. Asset values depreciate, devices change hands, data gets stale and becomes less or more important, etc. You must be clear on the whole lifecycle—including and especially retirement and disposal—to build effective security into your process. Some ideas to help with this are:
- Clearly defined asset standards, configurations, and exception processes
- A transparent refresh cycle (is it by asset depreciation? Warranty? Lease? Asset performance?)
- A support staff that has been properly trained on the importance of listing affected CIs in any ITSM ticketing system you use
Using the above will help create a more holistic approach to the process, and since you’re being transparent, drive adoption and eliminate doubt.
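To make the preceding points concrete, here is an added example (my own illustration, not code from the article or from any framework it cites) of what an asset standard and the “impact and likelihood” view look like once written down. It walks a small constructed inventory through hygiene checks that mirror the worries raised above (nonstandard name, wrong rights, stale patches, unneeded open ports, out-of-warranty hardware, mobile use) and scores each device as impact × likelihood, with impact driven by the data on the device rather than its purchase price. The hostname pattern, 30-day patch expectation, baseline port lists, impact scale and lifecycle-stage names are all assumptions chosen for the example; substitute your own standard.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# --- Assumed asset standard (illustrative values, not from the article) ---
# Hostnames: <3-letter site>-<LT|WS|SRV>-<4 digits>, e.g. ATL-LT-0042
HOSTNAME_RE = re.compile(r"^[A-Z]{3}-(LT|WS|SRV)-\d{4}$")
MAX_PATCH_AGE_DAYS = 30
# Listening ports the standard allows per device type
BASELINE_PORTS = {"LT": {443}, "WS": {443}, "SRV": {22, 443}}
# Impact weight comes from the data the device holds, on an assumed 1-5 scale
IMPACT = {"public": 1, "internal": 2, "confidential": 4, "pii": 5}
# Stages of the article's ITAM flow in which the device is live on the network
LIVE_STAGES = {"Deployment", "Support", "Retirement"}


@dataclass
class Asset:
    tag: str
    hostname: str
    asset_type: str          # LT / WS / SRV
    stage: str               # Procurement, Receipt, Configuration, Deployment, ...
    data_class: str          # key into IMPACT
    patch_age_days: int
    in_warranty: bool
    travels: bool            # regularly leaves the building (airports, cabs, ...)
    open_ports: Set[int] = field(default_factory=set)
    admin_rights: bool = False


def findings(a: Asset) -> List[str]:
    """Hygiene checks against the assumed standard; each finding raises likelihood."""
    out = []
    if not HOSTNAME_RE.match(a.hostname):
        out.append("nonstandard hostname")
    if a.patch_age_days > MAX_PATCH_AGE_DAYS:
        out.append(f"patches {a.patch_age_days}d old")
    if not a.in_warranty:
        out.append("out of warranty")
    extra = a.open_ports - BASELINE_PORTS.get(a.asset_type, set())
    if extra:
        out.append(f"unneeded ports open: {sorted(extra)}")
    if a.admin_rights and a.asset_type != "SRV":
        out.append("local admin rights on end-user device")
    if a.travels:
        out.append("mobile device (loss/theft exposure)")
    return out


def risk_score(a: Asset) -> int:
    """Impact x likelihood. Likelihood is 1 plus the number of findings, so a clean
    device still carries its data's impact; devices not yet deployed or already
    disposed of are not on the network and score 0."""
    if a.stage not in LIVE_STAGES:
        return 0
    return IMPACT[a.data_class] * (1 + len(findings(a)))


def prioritize(assets: List[Asset]) -> List[Asset]:
    """Highest risk first: where remediation effort should go."""
    return sorted(assets, key=risk_score, reverse=True)


# --- Constructed sample inventory ---
CEO_LAPTOP = Asset("A-001", "ATL-LT-0001", "LT", "Support", "confidential",
                   patch_age_days=10, in_warranty=True, travels=True, open_ports={443})
SALES_LAPTOP = Asset("A-002", "bobs-laptop", "LT", "Support", "pii",
                     patch_age_days=90, in_warranty=False, travels=True,
                     open_ports={443, 445}, admin_rights=True)
FILE_SERVER = Asset("A-003", "ATL-SRV-0100", "SRV", "Support", "confidential",
                    patch_age_days=45, in_warranty=True, travels=False,
                    open_ports={22, 443, 3389})
NEW_LAPTOP = Asset("A-004", "ATL-LT-0200", "LT", "Procurement", "internal",
                   patch_age_days=0, in_warranty=True, travels=False)
INVENTORY = [CEO_LAPTOP, SALES_LAPTOP, FILE_SERVER, NEW_LAPTOP]


if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"{a.tag} {a.hostname:14} risk={risk_score(a):3}  {'; '.join(findings(a)) or 'clean'}")
```

Note what the ranking says: the CEO’s well-maintained laptop lands below a salesperson’s out-of-warranty, unpatched machine full of customer PII, and the laptop still in procurement scores zero because it is not yet a configuration item on your network. Those are exactly the distinctions an inventory-only view cannot make.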
Identify and Protect
All security, like hacking, needs to be cost justified. Dropping money on the latest SIEM because you’re getting sold on sophisticated attack vectors, while ignoring low-hanging fruit like how many out-of-warranty or unpatched laptops you have, is a recipe for trouble. There’s a reason why IT asset management is first on the list for several security frameworks, and it has little to do with the actual “asset” itself. Instead, you have to think bigger picture. That laptop over there is not just a dollar sign to your procurement department and a sometime bane of your service desk. It’s a gateway into all of your company secrets. Identify and protect them accordingly.
Adam Rauh has been working in IT since 2005. Currently in the cybersecurity space, he spent over a decade working in IT operations focusing on ITSM, leadership, and infrastructure support. He is passionate about security, data analytics, and process frameworks and methodologies. He has spoken at, contributed to, or authored articles for a number of conferences, seminars, and user-groups across the US on a variety of subjects related to IT, data analytics, and public policy. He currently lives in Georgia. Connect with Adam on LinkedIn.