Asset management is a pain. It’s like the gatekeeper to all the great cybersecurity controls. It’s like the cold vegetables on your plate you know you should eat before diving into that hot juicy piece of Midwest steak…
And most of the time, as security professionals, we have nothing to do with asset inventory. It’s outside our core control. It’s usually being supported by IT. Why should security get held up accomplishing cyber goals because the technology department hasn’t been keeping records of what they have?
Asset management is a cybersecurity maturity topic I see come up time and time again. It prevents businesses from acquiring the visibility needed to improve the security program.
I’m going to outline four steps to help you improve your asset management.
Tracking is Critical
It’s critical to know what you have. Without that it’s impossible to measure risk. Too many times I’ve been preparing a cybersecurity report for senior executives, only to stop and question the integrity of my report because I wasn’t 100% confident of the inventory.
You can’t measure what you don’t know.
Framework Alignment
NIST and CIS both include asset management as a core security capability. When aligning with NIST, it’s the first control set within the Identify pillar. Improving asset management will improve your Identify score and mature your overall cybersecurity program.
NIST starts with the category of Asset Management, and the first two controls under the Identify pillar are:
- AM-1: Physical devices and systems within the organization are inventoried
- AM-2: Software platforms and applications are inventoried
The CIS Top 20 lists the inventory controls as the first two basic controls:
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
Goals
The primary goal of asset management is to know what you have. Once you know, then you can better assess risk and apply controls.
The secondary goal is to measure these inventory improvement practices against a framework so you can track and report the maturity of the cybersecurity program.
Don’t get these goals confused. Do what’s most right. Then do what is most desired.
Four Steps to Improve Asset Management
- Start with policy
I’ve found that more things get done when they have executive approval. When we have an approved policy that states what we should be tracking and how accurate it should be, we have more leverage and support to help ensure it gets done.
Asset management is one of the areas where cybersecurity has to depend on other technology staff to help mature the process. When approved via a policy, it’s easier to get the resources needed to accomplish improvements. Often these improvements center around process. All that is required at this point in maturity is time. One good thing about improving asset management is that it doesn’t need to require additional funding or software solutions. A lot can be done to improve the process with simple tools readily available. As a matter of fact, I often discover companies already have a robust inventory management tool that was included in an existing software suite and wasn’t previously being used.
For the policy statement, come up with an inventory accuracy number that should be achieved. Consider where the program is at currently, and what number makes sense and is achievable. I like to start by asking the technology department,
“How accurate do you feel the current inventory list is?” (They most frequently overestimate.)
Then use this stated number as a baseline for improvement. And because this number is based on what technology resources stated, there is little room for push back.
Propose a policy statement like “An accurate and up to date list of all company provisioned endpoint assets should be maintained within 90% accuracy.”
- Independent source of truth
A source of truth is defined as “the practice of structuring information models and associated data schema such that every data element is mastered (or edited) in only one place.”
Ultimately, we want one source that is independent and accurate.
To achieve independence, we need to ensure that malicious parties can’t alter the data set. We want a source that is separated from downstream inventory sets. Let’s walk through a few examples:
- AWS Cloud for public cloud applications
A source of truth for current and accurate public cloud hosted applications should be kept somewhere separate from the AWS console. The console itself should not be used as the source of truth. The reason is that if a malicious attacker was able to break into the AWS console and add new applications, those applications would be treated as accepted because they appear in the authoritative list.
By creating a separate inventory that takes an export of the AWS list and reviews it with a set of owners or approvers, and then gets approved and added to the separate authoritative source of truth, you get a list you can depend on and trust.
- Microsoft Active Directory for Service Accounts
Again, if you trust AD as the inventory of user and service accounts, an account added by a malicious attacker will not be identified.
By keeping a separate authoritative list that reviews and approves accounts, then account discrepancies can be identified and investigated.
- Vulnerability Scanner for desktop applications
Recently a client wanted to use their vulnerability scanner as a source of truth for desktop applications. Their reason was the scanner had an accurate and up to date list of all applications installed on endpoints. When I asked how they would identify a maliciously installed application on a desktop, they didn’t know.
These secondary sources can and should be used as part of the process, but there should be a segregated source of truth that holds the inventory with integrity.
- Start small and easy, with a spreadsheet
Decide on where the inventory list will be managed. It doesn’t have to be complicated; it can be as simple as a spreadsheet. Many people laugh at the idea of managing IT disciplines from a spreadsheet, but simple gets done. It’s a great place to start.
I recommend not dictating where to manage asset inventory. Instead, state your desired goals, and let the technology staff decide the solution. Ensure that their proposed solution meets your goals.
Some goals might be:
- Authoritative source
- Records asset name (and IP if it has one)
- Date asset introduced
- Department assigned to asset
- Owner assigned to asset
- Risk or Data Classification
- Security review performed
- Active (yes/no)
- Date asset retired
- Governance review process
Asset management can start strong and fail
No one maintains the list. It’s the unfortunate ugly truth that this is an ongoing effort that needs to be prioritized and moved into operation.
To accomplish that, a standard operating procedure (SOP) should be written and approved. The SOP will state who is responsible for adding assets, maintaining asset status, and removing or retiring assets. It should also have a regular review cadence for going through the inventory and ensuring it’s accurate and up to date. An output of this ongoing governance exercise might be to assign a ticket to the person listed as the owner of the asset to update it if there isn’t evidence the SOP has been followed.
So, in short, three steps
- Write a standard operating procedure that states what assets should be added to which list, what fields need to be filled out, and who reviews or updates the list and when.
- Assign ownership for maintenance. Essentially, who’s going to maintain this list? There are two ways I recommend handling this. Based on the company culture one will be a better fit.
- Subject matter expert: Assign a single person with the responsibility of maintaining and owning the asset inventory list and asset management process. They will add assets to the list, document ownership, and update fields.
- Distributed: If it’s your asset, you put it in and maintain it. For larger companies this is more realistic.
- Schedule regular review. Add it to the ongoing governance tasks that should be completed. This can be assigned to IT or Security, but someone needs to verify the review is being done. Add the review as a recurring task on the calendar with multiple attendees. In addition, add this responsibility to a role. Have this task be reviewed with evidence at the end of the year as part of the performance review cycle.
Further Steps
To take this process maturity even higher you can continue by applying these next steps below. If you want more information on how to do this please reach out.
- Add fields and attributes that are valuable
- Tie process into procurement
- Create a destruction procedure and add attributes
- Create process to validate against other sources (network IP, scanning, endpoint protection)
- Perform gap and discrepancy cross-reports to identify missing assets
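The independent source-of-truth examples above (AWS export, AD accounts, vulnerability scanner) and the last two further steps (validating against other sources and producing gap and discrepancy cross-reports) come down to the same check: compare each downstream export against the authoritative list and flag anything that appears without approval, anything approved and active that the downstream source no longer shows, and anything retired that is still present. The script below is an added example, not code from the article or from Asher Security; the CSV inventory, the `source_system` column and the three downstream exports are constructed sample data, and the matching is by asset name only.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample of the authoritative inventory (a spreadsheet exported to
# CSV), using the fields listed in the article plus a hypothetical
# "source_system" column naming the downstream system an asset should show up in.
AUTHORITATIVE_CSV = """\
asset_name,ip,source_system,date_introduced,department,owner,classification,security_review,active,date_retired
web-prod-01,10.0.1.10,aws,2023-02-01,Engineering,alice,high,yes,yes,
db-prod-01,10.0.1.20,aws,2023-02-01,Engineering,alice,high,yes,yes,
app-prod-02,10.0.1.30,aws,2024-05-10,Engineering,dave,medium,yes,yes,
legacy-app-07,10.0.2.7,scanner,2019-06-15,Finance,bob,medium,yes,no,2024-01-31
svc-backup,,ad,2022-11-03,IT,carol,high,yes,yes,
"""

# Constructed downstream exports (not data from any real account or scanner):
# what each secondary source currently reports as present.
DOWNSTREAM_EXPORTS = {
    "aws": ["web-prod-01", "db-prod-01", "unlisted-instance-99"],
    "ad": ["svc-backup", "svc-unknown"],
    "scanner": ["web-prod-01", "legacy-app-07"],
}


@dataclass
class CrossReport:
    """Discrepancies between one downstream source and the authoritative list."""
    source: str
    unapproved: set = field(default_factory=set)          # seen downstream, never approved
    missing: set = field(default_factory=set)             # approved and active, not seen
    retired_but_present: set = field(default_factory=set) # retired, still seen

    def has_findings(self) -> bool:
        return bool(self.unapproved or self.missing or self.retired_but_present)


def load_authoritative(csv_text: str) -> dict:
    """Parse the authoritative CSV into {asset_name: row}, rejecting duplicates
    so that one asset is mastered in exactly one place."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["asset_name"].strip()
        if name in inventory:
            raise ValueError(f"duplicate asset_name in authoritative list: {name}")
        inventory[name] = row
    return inventory


def cross_report(inventory: dict, source: str, observed) -> CrossReport:
    """Compare what one downstream source reports against the authoritative list."""
    report = CrossReport(source=source)
    seen = {name.strip() for name in observed}
    for name in seen:
        row = inventory.get(name)
        if row is None:
            report.unapproved.add(name)
        elif row["active"].strip().lower() != "yes":
            report.retired_but_present.add(name)
    # Only assets that the authoritative list says belong to this source are
    # expected to appear in it; an approved, active one that is absent is a gap.
    for name, row in inventory.items():
        expected_here = row["source_system"].strip() == source
        is_active = row["active"].strip().lower() == "yes"
        if expected_here and is_active and name not in seen:
            report.missing.add(name)
    return report


def run_cross_reports(csv_text: str, exports: dict) -> dict:
    """Produce one CrossReport per downstream source."""
    inventory = load_authoritative(csv_text)
    return {src: cross_report(inventory, src, seen) for src, seen in exports.items()}


def format_report(report: CrossReport) -> str:
    lines = [f"[{report.source}]"]
    for label, names in (("unapproved", report.unapproved),
                         ("missing", report.missing),
                         ("retired but present", report.retired_but_present)):
        if names:
            lines.append(f"  {label}: {', '.join(sorted(names))}")
    if not report.has_findings():
        lines.append("  no discrepancies")
    return "\n".join(lines)


if __name__ == "__main__":
    for rep in run_cross_reports(AUTHORITATIVE_CSV, DOWNSTREAM_EXPORTS).values():
        print(format_report(rep))
```

Each finding maps to a governance action from the SOP: an unapproved entry becomes an investigation ticket for the source owner, a missing asset becomes a ticket for the listed owner to confirm it was retired (and to record the retirement date), and a retired-but-present asset is a decommissioning follow-up. Matching by name is fine for a first spreadsheet; once the process matures, key the authoritative record on a stable identifier from each source (an instance ID, an account SID) so renames and re-creations do not hide from the report.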
Summary
Asset inventory is critical to the success of a mature cybersecurity program. Progress is often hindered by the lack of process around developing and maintaining an accurate and up-to-date asset inventory process.
By following these simple steps outlined you can quickly and easily mature your asset inventory process and mature the Identify pillar of your NIST program, or quickly increase the maturity of your CIS aligned program.
Applying these steps will increase the visibility of what assets you have, ensure proper controls are applied, and reduce the overall risk to your organization.
As a further benefit, if you perform annual cybersecurity maturity assessments, your score in these areas will increase and you can celebrate higher maturity scores at the end of the year.
Asher Security helps Minnesota businesses increase security and decrease risk by applying industry best practice process improvements like this. If you want help, or just want to have a quick discussion, please reach out to us. One of the core solutions we offer is Program Development. Learn more about it here: