For security’s sake, companies need to fix their asset visibility problems — and fast!
Alastair Dickson, Director at Quod Orbis
Getting a clear view of digitally connected assets — and not just those related to cyber security — has been an on-going challenge for organisations for as long as they’ve had to manage those assets. Such assets include not only computers, phones, applications, IoT devices et al, but also, of course, the people who use them.
Now made more complex by the rise in flexible working and WFH (working from home) and rapidly expanding attack surfaces, this is an issue that continues to challenge security and IT teams. But now it’s also coming under the gaze of CIOs and other senior business leaders. And frankly, when those at the top table focus on the potential consequences of poor asset visibility and asset management they become extremely frustrated with the ongoing challenges.
There are two reasons for this. Firstly, should a CIO get wind of the extent of the asset visibility and problem, there’s the stark realisation of immediate security vulnerability and exposure to severe financial penalties. And while CIOs tend not to be involved in asset visibility detail, they are quick to see the big picture and understand where the buck stops. Secondly, CIOs are increasingly seeing that this absence of an accurate, up-to-date asset inventory will delay or block the deployment of advanced security technologies and the achievement of improved maturity of security posture.
On top of this, we’ve seen that CISOs sometimes take a ‘hands-off’ approach to any assets that don’t fall under their security-related remit — and, of course, there are plenty of such assets within the enterprise! Tactically, and strategically, it can add up to something of a mess.
CISOs and CIOs need confidence in asset visibility and management
Effective asset management is critical because if you don’t have the confidence you can see everything (that is, all of your assets and potential attack surfaces), how can you have the confidence that your cyber tools are providing your organisation with the protection they should be?
To be clear, this is not a cyber issue alone. However, the negative impact of poor asset visibility to the cyber team can be huge.
From a cyber perspective having a rogue asset, or assets that are not managed, can often mean the difference between your cyber investments keeping you safe, passing compliance and accurately managing risk, or failing in all of these areas.
Without an accurate (and ideally real-time) asset inventory an organisation doesn’t have the solid base understanding of its IT environment that is needed to keep it secure within its designed cyber standards.
Benefits of asset visibility and effective asset management extend beyond security
It’s not only about the threat perspective. The benefits of effective asset visibility are extensive and can include:
- Improved efficiency by understanding technology utilisation and coverage
- A first step to the ideal state of 24/7, real-time CCM (Continuous Controls Monitoring)
- Reduced exposure to cyber risk, and more easily reduced or mitigated risks
- Eased burden of Audit and Compliance, through being confident that you have complete coverage
- Reduced operational costs, as teams don’t need to be constantly looking for missing assets.
- Increased ROI of all technology investments — know what you’ve got and you can ensure that all assets are necessary and working to meet your goals
In short, best-practice asset management means: You can see it, you can manage it, and you can protect it — while also protecting its owner or user.
The reasons why organisations are struggling with asset visibility
There are several reasons behind the asset visibility challenge but the main ones are the complexity of the modern working environment and the sheer number of assets in use (often multiple assets per user). Scratch the surface and many questions and unknowns emerge. What hardware do those assets sit on? Who owns what? What controls should exist on each to ensure the organisation is able to maintain its cyber posture?
Add into the mix relatively ineffective CMBDs (Configuration Management Databases) and you have a complex combination of issues which essentially means that cyber teams have limited confidence in the assets they need to manage.
The bigger issue, explored a little later, is that without a base level of knowledge of your assets, rolling out any other kind of technology will not be as effective as it could be if it cannot be deployed on everything that it should be.
Traditional CMBDs are and should remain a key component of managing assets, but unfortunately they often rely on manual processes to keep them updated. As such they are not reliable enough on their own to offer the assurance to the cyber team that they provide the accuracy needed to base their controls, risks and compliance on.
The key to success: a live asset repository
These ongoing challenges are forcing businesses to address the way they manage their assets.
Key to success will be a live asset repository capable of evolving with the constant change that is now prevalent in business.
The solution needs to have multiple touchpoints feeding into it, and to have the capacity to self-correlate — thereby automating the process of asset visibility and management.
It needs to be intelligent so that it knows what should or should not be on an asset at any time to be able to accurately reflect its status in the wider tool set. For example, if a user is signed off for a few months, you would not expect their asset to be active or receive updates and patches. So, this should be factored in when assessing how patched your systems are. Only by correlating HR (Human Resources) data with AD (Active Directory) data and IAM (Identity and Access Management) data can this be automated and kept accurate, live and intelligent.
In short, it means IT — and IT systems and processes — being connected to the business in the closest possible way, which in the digital age makes perfect sense!
Removing manual work and automating the whole asset visibility and management process also has many benefits. Not only does it make your asset repository more accurate, it also saves operational costs by not having to manually update systems.
Clearing the roadblocks to improved security maturity
Many organisations ask themselves: “Are we too big, or too complex, or just too immature to properly manage our assets?” It will surprise no-one when I say that CCM (Continuous Controls Monitoring) is the ultimate solution to these questions and the most logical and sustainable answer to the asset visibility and management challenge.
For an organisation that is already in control of asset management, CCM shouldn’t be seen as a big step. But surprisingly few organisations are at this point on the journey to their ideal state — and many are simply unsure which way to turn.
When discussing CCM’s many benefits with interested organisations, one of the first challenges we often get posed is this: “What’s the point of knowing in real-time how our business is performing against our cyber and risk posture if we are not confident that the assets and controls data going in is accurate?”
Similarly, an excited and positive discussion with an organisation about how they can benefit from CCM is often dampened by an admission from their CTO or CISO along the lines of: “Actually, we don’t have an up-to-date and accurate assets inventory…. and, umm, I’m not sure when we will have one.”
This can lead to the organisation feeling that they will have to:
- Live with their existing immature approach to asset management, and
- Accept indefinitely that this will be a barrier to their progress to a more mature state of IT and security controls across their organisation.
Both a and b, of course, will impact the organisation’s cyber KRIs, Compliance, Audits and Risk management, but what can be done?
Thankfully, a rapid, largely automated solution to the asset management problem is at hand for medium-sized and large organisations that are struggling and can see no end in sight.
Seeing everything — your 100% accurate and intelligent live asset repository, made possible by Quod Orbis CCM
Connecting to multiple pieces of technology — from cyber tooling to HR and business process tools — Quod Orbis CCM sees all of the assets on a client organisation’s network, and then records them in real time.
This first step towards a full-fledged CCM managed platform will also highlight any gaps in coverage you might have with regard to assets and controls. In this respect it does the same job as a CAASM (Cyber Asset Attack Surface Management) solution — and much more besides.
It will tell you what software is installed on each asset and if it’s patched correctly. And as an intelligent solution, it will know what should be on each asset and when.
It automatically correlates multiple pieces of data and technology and presents the comprehensive findings back to you in the form of ‘Entities’ — a 100% accurate and intelligent live asset repository.
In short, you get asset identification and you gain the full visibility of assets and coverage that your business needs.
Once this live asset repository is in place, it’s a relatively small further step for us to map your organisation’s controls for continuous monitoring should you so wish. You’ll then have the assurance that you are seeing everything required and that 100% of the data and assets are being monitored 24/7 and aligned to any in-house or public compliance requirements or regulations.
But most importantly, with this first easy step towards CCM, you’ll be secure in the knowledge that your assets have been quickly and accurately brought under your control.
Read more about Quod Orbis Asset Visibility and Management on our dedicated web page. Or call me, Alastair Dickson at Quod Orbis on 07939 286 006 and I’ll be delighted to answer any questions and to demo the solution for you.