Cybersecurity Mesh Architecture: Complete IT Asset Discovery and Protection

April 20, 2023

In the digital age, every enterprise relies heavily on technology to run and grow its business. As that technology becomes more complex and more siloed, keeping track of every IT asset has become increasingly difficult. IT asset discovery and management is an essential practice that helps organizations identify their assets, reduce risk, and maintain business continuity. In this post we cover the basics of IT asset management through discovery, why it matters, why cybersecurity teams struggle with it, and how Cybersecurity Mesh Architecture addresses those problems.

 

What is IT Asset Management and Why is it So Important?

 

IT Asset Management (ITAM) is the process of managing an organization’s IT assets: hardware, software, applications, users, code, and other digital resources. ITAM is critical to any enterprise because it tells the organization what it has and how those assets relate to the business. That knowledge is what makes it possible to keep business processes running, reduce risk, and optimize resources.

 

For example, consider a large retail chain with stores across the country. Each store has a point-of-sale system that connects to the company’s central inventory and billing system. If the IT team does not have a complete inventory of all the POS systems, the result can be lost sales, inaccurate inventory, and billing errors. A complete inventory of the POS systems (and the stock inventories they track) is critical to keeping the business running, revenue consistent, and customers satisfied. Yet POS systems make up only a small fraction of the connected devices in such an environment. Delineating them from other assets by their importance to the business is what lets the organization prioritize response during outages and prioritize security work to reduce the risk of a breach of critical systems.

 

Why Do Enterprise Cybersecurity Teams Struggle with IT Asset Management?

 

In the context of cybersecurity, it is essential to know which IT assets the organization must secure. However, cybersecurity teams face several challenges with IT asset management. One of the primary challenges is the fragmentation of tools and data across teams and silos: each team has its own tools and processes, which makes a complete view of all assets hard to obtain. Consider the typical process for discovering and securing an asset.

 

  • An asset is discovered (either through monitoring or business process)
  • Security controls must be designed for that asset
  • A setup process is created for the asset’s security controls
  • Adherence to the process is measured for compliance by audit
  • Assets are monitored and managed by a team responsible for that type of asset

 

As enterprises design these processes and distribute them across teams, multiple teams end up with comparable goals that are misaligned because each works from a single perspective. Without the complete picture, teams miss IT assets or hold only partial profiles of their attributes, which often leads to partial or incomplete responses to alerts.

 

For example, the network team has tools for monitoring network traffic, while the security team has a separate tool for securing endpoints. The network team is primarily focused on the IP addresses that are communicating, while the security team is focused on the hosts it is fed from a CMDB. Each team has its own focus, and neither can see what it does not know about. Network traffic reveals new devices connecting to the network, but it says nothing about whether those devices are missing EDR agents. Resolving that is hard because IP addresses must be translated to MAC addresses and then to hosts before the CMDB can be fed correctly. Meanwhile, each team may be working alerts on assets only to discover that both have been tasked on the same asset by different alerts, which duplicates response effort and wastes time and resources, the exact opposite of IT’s goals.

 

Another challenge is the constantly changing nature of IT assets. Assets are added and removed, software is updated, and configurations change. Cybersecurity teams must keep up with these changes to ensure they are securing the current versions of software and configurations. That is a daunting task, especially in large enterprises with thousands of assets or more.

 

Every organization has monitoring and alerting tools that generate data about assets, but consolidating that data into a converged format for contextual analysis has historically been a significant challenge. Many organizations run repeated IT asset inventory exercises throughout the year, and by the time each exercise completes, its results are already going stale.

 

Don’t SIEMS and Data Lakes Aggregate Everything?

 

SIEMs (Security Information and Event Management) and data lakes are aggregation tools that collect data from multiple sources and provide a centralized view of events. While they are useful for a high-level view of security events, their telemetry and metadata enrichment capabilities are limited. They cannot by themselves provide a complete view of all IT assets, and they require significant manual data convergence to assemble their contents into a normalized format that can be used effectively.

 

In addition, SIEMs and data lakes are often the first hop for data, but their processing of that data is often not immediate, which delays detection of changes in the IT environment. Assets can be ephemeral, existing only for seconds or minutes, so an accurate asset inventory must be updated incrementally, frequently, and quickly. And while SIEMs serve the valuable purpose of warehousing data, they put their own barrier in front of it: proprietary query languages that often require an SME (search “Reddit SIEM query help” if you need convincing).

 

How Organizations Discover IT Asset Inventories

 

Cyber Asset Attack Surface Management (CAASM) solutions provide accurate and up-to-date inventories of IT assets. They integrate with existing monitoring tools and aggregate and deduplicate their data to create a single asset profile per asset. The benefit of automating aggregation and convergence is an inventory that is current, accurate, and consistently accessible. Once all asset data is normalized, it can be queried to identify gaps in security controls or to understand an asset’s importance to the business.
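The network-team-versus-security-team problem described earlier (IP addresses that must be translated to MAC addresses and hosts before anyone can tell whether a device has an EDR agent) and the aggregation-and-deduplication step described in this section are the same join. The following is an added example written for this post, not appNovi code or the code of any CAASM product; the ARP, DHCP, CMDB and EDR records are constructed, and the field names are assumptions about what such exports typically contain. It converges all four sources into one profile per asset, keyed by MAC with hostnames as the secondary key, and then queries the result for the gaps that no single source can see on its own.

```python
"""Converge network telemetry, CMDB records and EDR agent data into one asset
profile per device, then query the result for security control gaps.

Added example, not appNovi code. All records below are constructed sample
data in the shape such exports commonly take; field names are assumptions.
"""

# What the network team sees: IP <-> MAC pairs, no hostnames.
ARP_TABLE = [
    {"ip": "10.1.4.20", "mac": "AA:BB:CC:00:00:01"},
    {"ip": "10.1.4.21", "mac": "aa-bb-cc-00-00-02"},   # different MAC formatting
    {"ip": "10.1.4.99", "mac": "AA:BB:CC:00:00:09"},   # nobody else knows this device
]
# DHCP leases add the hostname that goes with a MAC.
DHCP_LEASES = [
    {"mac": "aa:bb:cc:00:00:01", "hostname": "POS-STORE12-01.corp.example"},
    {"mac": "aa:bb:cc:00:00:02", "hostname": "web-01"},
]
# What the security team's tooling is fed: hostname, MAC, owner, criticality.
CMDB = [
    {"name": "pos-store12-01", "mac": "AA:BB:CC:00:00:01", "owner": "retail-it", "critical": True},
    {"name": "web-01", "mac": "AA:BB:CC:00:00:02", "owner": "web-team", "critical": False},
    {"name": "db-01", "mac": "AA:BB:CC:00:00:03", "owner": "dba", "critical": True},  # never seen on the wire
]
# The EDR console only knows hostnames.
EDR_AGENTS = [
    {"hostname": "web-01.corp.example", "agent_version": "7.2"},
]


def norm_mac(mac):
    """Canonical MAC: lowercase, colon-separated."""
    return mac.replace("-", ":").lower()


def norm_host(hostname):
    """Canonical host key: short name, lowercase (FQDN and short form collide)."""
    return hostname.split(".")[0].lower()


def converge(arp, dhcp, cmdb, edr):
    """Build one profile per asset. MAC is the primary key; sources that only
    carry a hostname (EDR) are joined through hostnames learned from DHCP/CMDB."""
    profiles = {}
    host_to_mac = {}

    def profile(mac):
        return profiles.setdefault(mac, {
            "mac": mac, "ips": set(), "hostnames": set(), "sources": set(),
            "owner": None, "critical": False, "edr_version": None,
        })

    for rec in arp:
        p = profile(norm_mac(rec["mac"]))
        p["ips"].add(rec["ip"])
        p["sources"].add("arp")
    for rec in dhcp:
        p = profile(norm_mac(rec["mac"]))
        host = norm_host(rec["hostname"])
        p["hostnames"].add(host)
        host_to_mac[host] = p["mac"]
        p["sources"].add("dhcp")
    for rec in cmdb:
        p = profile(norm_mac(rec["mac"]))
        host = norm_host(rec["name"])
        p["hostnames"].add(host)
        host_to_mac[host] = p["mac"]
        p["owner"], p["critical"] = rec["owner"], rec["critical"]
        p["sources"].add("cmdb")
    for rec in edr:
        host = norm_host(rec["hostname"])
        # An EDR host nobody else knows gets its own profile keyed by hostname
        # rather than being silently dropped.
        p = profile(host_to_mac.get(host, "unknown-mac:" + host))
        p["hostnames"].add(host)
        p["edr_version"] = rec["agent_version"]
        p["sources"].add("edr")
    return profiles


def control_gaps(profiles):
    """Query the converged inventory for the gaps each single source cannot see.
    Returns (asset key, issue, owner) tuples, business-critical assets first."""
    gaps = []
    for p in profiles.values():
        on_network = bool(p["ips"])
        if on_network and "cmdb" not in p["sources"]:
            gaps.append((p["mac"], "on network but not in CMDB", p["owner"]))
        if on_network and p["edr_version"] is None:
            gaps.append((p["mac"], "no EDR agent", p["owner"]))
        if "cmdb" in p["sources"] and not on_network:
            gaps.append((p["mac"], "in CMDB but not seen on network", p["owner"]))
    return sorted(gaps, key=lambda g: (not profiles[g[0]]["critical"], g[0], g[1]))


if __name__ == "__main__":
    for gap in control_gaps(converge(ARP_TABLE, DHCP_LEASES, CMDB, EDR_AGENTS)):
        print(gap)
```

With the constructed data the query surfaces exactly the cases the earlier section describes: the critical POS terminal is on the network and in the CMDB but has no EDR agent, the device at 10.1.4.99 is on the network but unknown to the CMDB and unprotected, and db-01 is recorded in the CMDB but was never seen communicating. Normalizing the MAC and hostname forms before joining is what prevents the same device from appearing as three separate assets.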

 

From a compliance perspective, a generated and maintained asset inventory aligns with CIS Critical Security Controls 1 (Inventory and Control of Enterprise Assets) and 2 (Inventory and Control of Software Assets), while eliminating the burden on IT teams of generating and maintaining asset inventories manually.

 

CAASM solutions provide a necessary level of asset visibility, but once a complete inventory is established, other data points are needed to understand those assets: ownership, applications, code, vulnerabilities, network dependencies, and the impact of each on the business. Asset visibility answers the what; the who, where, why, and how typically require much richer data from telemetry sources.

 

The Future of IT Asset Discovery and Management: Cybersecurity Mesh Architecture

 

While IT asset inventories provide visibility across an organization’s infrastructure, they do not provide business relevance without more context. Skynet fables aside, not everything is automated; every enterprise relies on humans, and as long as we avoid enslavement by robot overlords, we need to accommodate them. Humans administer IT assets: servers must be patched, code must be tested, and institutional knowledge is often required to determine a course of action (even when it is automated) when a response is needed.

 

Moreover, each asset has a different impact on the business and its applications. Simple tasks like identifying a server’s or a codebase’s owner can be surprisingly complex simply because of organic change. Employees leave the company, and sometimes all you can see is a deactivated account, which does nothing to identify the server’s new owner. That is where telemetry enrichment for IT assets becomes critical. When identifying stakeholders for a response, an inactive employee listed as owner is not helpful; we need to see who actually logs in administratively. That means understanding authentication, login activity, and network connections, which in turn means joining several data sets: employees, their asset ownership, the roles that ownership carries, network access, and login activity. For security to understand an asset, its impact on the business, and the incident response plan for it, they must know everything about the asset. They need to know their environment, especially as it changes.

 

When assets are understood from an authoritative perspective, criteria can be defined, queried, and tied to automated actions that reduce manual intervention. Consider login activity. One of the most common paths to a ransomware installation is an Active Directory account without MFA whose password has been leaked. A query for that condition alone still returns many accounts, but incorporating failed login activity and logins from unexpected locations refines it to the accounts that require a prioritized response, reducing the probability of a successful attack.
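The refinement described above, as an added example written for this post rather than appNovi code: the account attributes, the expected-country set and the authentication log are constructed, and the scoring weights are assumptions that would be tuned per environment. The static condition (no MFA plus a leaked password) sets a baseline, and recent telemetry (a burst of failed logins, a successful login from an unexpected country, privilege) moves accounts up or down so the response queue starts with the account most likely to be under active attack.

```python
"""Rank accounts for a prioritized MFA/credential response from login telemetry.

Added example, not appNovi code. The account attributes, the expected-country
set and the authentication log are constructed; the scoring weights are
assumptions to be tuned per environment.
"""
from datetime import datetime, timedelta

NOW = datetime(2023, 4, 20, 12, 0)
EXPECTED_COUNTRIES = {"US"}          # where this workforce normally logs in from

# Constructed directory facts: MFA state, whether the password appears in a
# known leak, and whether the account is privileged.
ACCOUNTS = [
    {"user": "jdoe", "mfa": False, "leaked_password": True, "admin": False},
    {"user": "asmith", "mfa": False, "leaked_password": True, "admin": True},
    {"user": "bwong", "mfa": True, "leaked_password": True, "admin": False},
    {"user": "svc-backup", "mfa": False, "leaked_password": False, "admin": True},
]


def event(minutes_ago, user, result, country):
    return {"ts": NOW - timedelta(minutes=minutes_ago), "user": user,
            "result": result, "country": country}


# Constructed authentication log.
AUTH_LOG = (
    [event(m, "jdoe", "failure", "RU") for m in range(5, 45, 5)]   # 8 failures in 40 minutes
    + [event(3000, "jdoe", "failure", "RU")]                        # old, outside the window
    + [event(30, "asmith", "success", "BR")]                        # success from an unexpected country
    + [event(90, "bwong", "failure", "US"), event(95, "bwong", "failure", "US"),
       event(120, "bwong", "success", "US")]
    + [event(10, "svc-backup", "success", "US")]
)


def score_account(account, events, now, window=timedelta(hours=24)):
    """Combine static exposure (no MFA + leaked password) with recent login
    telemetry. Returns (score, reasons); a score of 0 means nothing to act on."""
    recent = [e for e in events
              if e["user"] == account["user"] and now - e["ts"] <= window]
    failed = sum(1 for e in recent if e["result"] == "failure")
    odd_success = sum(1 for e in recent
                      if e["result"] == "success" and e["country"] not in EXPECTED_COUNTRIES)

    score, reasons = 0, []
    if not account["mfa"] and account["leaked_password"]:
        score += 50
        reasons.append("no MFA and password in a known leak")
    if failed >= 5:                       # a burst of failures, not a typo
        score += min(failed, 20) * 2
        reasons.append(f"{failed} failed logins in the window")
    if odd_success:
        score += 40
        reasons.append(f"{odd_success} successful login(s) from an unexpected country")
    if account["admin"] and score:        # privilege amplifies whatever else is wrong
        score = int(score * 1.5)
        reasons.append("privileged account")
    return score, reasons


def prioritize(accounts, events, now):
    """Accounts that need a response, highest risk first."""
    ranked = []
    for acct in accounts:
        score, reasons = score_account(acct, events, now)
        if score:
            ranked.append((acct["user"], score, reasons))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for user, score, reasons in prioritize(ACCOUNTS, AUTH_LOG, NOW):
        print(f"{user:12} {score:4}  {'; '.join(reasons)}")
```

The static query alone returns jdoe and asmith as equals. With telemetry, asmith (privileged, and already logged in from an unexpected country) ranks first, jdoe (under a password-spraying burst) second, and bwong, whose leaked password is neutralized by MFA, does not appear at all.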

 

Cybersecurity Mesh Architecture vs CAASM

 

CAASM and Cybersecurity Mesh Architecture (CSMA) are two product categories in cybersecurity, each offering different capabilities and benefits while overlapping on one core requirement: total IT asset visibility. CAASM provides an inventory of assets along with basic telemetry and data correlation to identify gaps in security control coverage. It is limited, however, in its ability to capture the importance of each asset in a business context and the direct and indirect dependencies between assets. As a result, enterprises are moving toward a more mature architecture, CSMA.

 

CSMA offers a centralized data plane that automates outcomes and provides the complete context of an asset for informed prioritization and non-disruptive incident response. The platform ensures interoperability between services, which reduces the cost of a breach. To achieve this, CSMA draws on multiple sources and types of data, converges them into an authoritative source for automated analytics, and submits findings to the different response tools. Overall, CSMA is a more comprehensive and integrated approach that provides a holistic view of assets and enables proactive, efficient incident response by eliminating ambiguity in the data and automating outcomes with existing tooling. To better understand CSMA, you can read the first whitepaper on the subject, authored here.

 

The Benefits of Contextualized Assets within a Cybersecurity Mesh Architecture for Risk Management

 

Accurate and up-to-date IT asset inventories with contextual attribution are crucial for maintaining a secure enterprise. With that information, security teams can define outcomes based on what they see. Consider assets that are missing a required security agent: these assets have gaps in their security controls. Instead of sending a massive list of them to the appropriate team, it is more efficient to trigger tickets or initiate playbooks for agent installation. And if the findings exceed what the team can manage, refinement criteria such as network context or application impact can be applied to rank them. As inventories update, remediation can be tracked and new gaps identified.

 

A high-fidelity source of asset data makes it possible to build a self-healing, closed-loop system for automated attack surface mapping and remediation. Such a system continuously monitors the IT environment and can identify and prioritize vulnerabilities in near real time. It also lets security teams respond to incidents quickly, prioritize remediation, and communicate with all stakeholders based on business impact from every perspective. You can see that below.
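The closed loop in the two paragraphs above (open tickets or playbooks per gap, rank them by network context and application impact when there are too many, and track remediation as inventories update) comes down to diffing one run's findings against the tickets already open. Here is an added example written for this post, not appNovi code: the findings, ticket IDs, playbook names and priority weights are all constructed, and the context fields are assumptions about what an enriched inventory would supply.

```python
"""Closed-loop gap tracking: diff today's control-gap findings against the
tickets already open, close what was remediated, open the rest by priority.

Added example, not appNovi code. The findings, ticket IDs, playbook names and
priority weights are constructed; asset keys are MAC addresses and the context
fields are assumptions about what an enriched inventory supplies.
"""

# Playbooks assumed to exist in the SOAR/ticketing tool (names are made up).
PLAYBOOKS = {
    "no EDR agent": "install-edr-agent",
    "on network but not in CMDB": "enroll-in-cmdb",
}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "unknown": 2, "low": 1}

# Findings from the previous inventory run and the tickets raised for them.
PREVIOUS_TICKETS = {
    ("aa:bb:cc:00:00:01", "no EDR agent"): "SEC-101",
    ("aa:bb:cc:00:00:07", "no EDR agent"): "SEC-102",   # agent installed since then
}
# Findings from today's run, enriched with network and application context.
TODAY = [
    {"asset": "aa:bb:cc:00:00:01", "issue": "no EDR agent",
     "internet_exposed": True, "app_criticality": "high", "owner": "retail-it"},
    {"asset": "aa:bb:cc:00:00:09", "issue": "no EDR agent",
     "internet_exposed": False, "app_criticality": "low", "owner": None},
    {"asset": "aa:bb:cc:00:00:11", "issue": "on network but not in CMDB",
     "internet_exposed": True, "app_criticality": "unknown", "owner": None},
]


def priority(finding):
    """1 (low impact, internal only) .. 5 (critical application, internet-facing)."""
    score = CRITICALITY_WEIGHT[finding["app_criticality"]]
    if finding["internet_exposed"]:
        score += 2
    return score


def reconcile(previous_tickets, today, max_new_tickets=None):
    """Return this run's ticket actions: tickets to close because the gap is
    gone, tickets that stay open, and tickets to open (highest priority first,
    capped when the team cannot absorb them all)."""
    current = {(f["asset"], f["issue"]): f for f in today}
    close = [tid for key, tid in previous_tickets.items() if key not in current]
    keep = [tid for key, tid in previous_tickets.items() if key in current]
    new = sorted((f for key, f in current.items() if key not in previous_tickets),
                 key=lambda f: (-priority(f), f["asset"]))
    if max_new_tickets is not None:
        new = new[:max_new_tickets]
    open_tickets = [{
        "asset": f["asset"], "issue": f["issue"], "priority": priority(f),
        "assignee": f["owner"] or "asset-triage",     # unowned assets go to a triage queue
        "playbook": PLAYBOOKS.get(f["issue"], "manual-review"),
    } for f in new]
    return {"close": close, "keep": keep, "open": open_tickets}


if __name__ == "__main__":
    actions = reconcile(PREVIOUS_TICKETS, TODAY)
    print("close:", actions["close"])
    print("keep: ", actions["keep"])
    for ticket in actions["open"]:
        print("open: ", ticket)
```

Run against the constructed data, SEC-102 is closed because its gap no longer appears, SEC-101 stays open, and two new tickets are raised with the internet-exposed unknown device ahead of the internal low-criticality one. Keying tickets on (asset, issue) rather than on the raw finding is what keeps the loop from reopening a ticket for a gap that is already being worked.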

 

Context eliminates ownership confusion

 

IT asset management matters not just to security teams but also to application owners. When telemetry data is enriched with administrative logins, new administrators can be identified when an employee’s account is deactivated. This provides evidence of the new owner, and any anomaly in that login behavior can point to a compromised account or an insider threat.
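The ownership inference described here and in the earlier discussion of deactivated owner accounts, as an added example written for this post rather than appNovi code: the directory, CMDB ownership records and administrative login records are constructed, and the 90-day window is an assumption. When the recorded owner is still active the CMDB answer stands; otherwise the most frequent human administrator in the window becomes the effective owner, service accounts are ignored so patch automation is not mistaken for an owner, and any administrative login by an account the directory says is inactive is returned separately as an anomaly.

```python
"""Infer the effective owner of an asset from administrative login telemetry
when the owner recorded in the CMDB has left, and flag anomalous admin logins.

Added example, not appNovi code. The directory, CMDB ownership and login
records are constructed; the 90-day window is an assumption.
"""
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2023, 4, 20)

# Constructed directory: who is still active, and which accounts are service accounts.
DIRECTORY = {
    "alice": {"active": False},               # left the company
    "bob": {"active": True},
    "carol": {"active": True},
    "dave": {"active": True},
    "svc-patch": {"active": True, "service": True},
}
CMDB_OWNER = {"srv-erp-01": "alice", "srv-web-01": "carol"}


def login(days_ago, host, user):
    return {"ts": NOW - timedelta(days=days_ago), "host": host, "user": user}


# Constructed administrative login records (privileged logons only).
ADMIN_LOGINS = (
    [login(d, "srv-erp-01", "bob") for d in (3, 9, 17, 30, 44, 58)]
    + [login(d, "srv-erp-01", "carol") for d in (12, 40)]
    + [login(d, "srv-erp-01", "svc-patch") for d in range(1, 21)]   # patch automation, not an owner
    + [login(10, "srv-erp-01", "alice")]                             # deactivated account still logging in
    + [login(200, "srv-erp-01", "dave")]                             # too old to count
    + [login(5, "srv-web-01", "carol")]
)


def effective_owner(host, cmdb_owner, directory, logins, now, window=timedelta(days=90)):
    """Return (owner, basis, anomalies). basis is "cmdb" when the record is
    still valid, "admin-logins" when inferred from telemetry, "unknown" when
    neither works. anomalies are admin logins by accounts the directory does
    not list as active (deactivated or unknown accounts)."""
    def info(user):
        return directory.get(user, {})

    recorded = cmdb_owner.get(host)
    if recorded and info(recorded).get("active"):
        return recorded, "cmdb", []

    recent = [e for e in logins if e["host"] == host and now - e["ts"] <= window]
    anomalies = [e for e in recent if not info(e["user"]).get("active")]
    humans = Counter(e["user"] for e in recent
                     if info(e["user"]).get("active") and not info(e["user"]).get("service"))
    if not humans:
        return None, "unknown", anomalies
    user, _ = humans.most_common(1)[0]
    return user, "admin-logins", anomalies


if __name__ == "__main__":
    for host in ("srv-erp-01", "srv-web-01", "srv-db-01"):
        owner, basis, anomalies = effective_owner(host, CMDB_OWNER, DIRECTORY, ADMIN_LOGINS, NOW)
        print(host, owner, basis, [a["user"] for a in anomalies])
```

For srv-erp-01 the CMDB still says alice, who has left; the telemetry names bob as the effective owner and surfaces alice's post-departure administrative login as the anomaly worth an investigation. svc-patch logged in far more often than anyone but is excluded as a service account, which is the trap a naive "most frequent login" rule falls into.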

 

Additionally, application owners need to know what assets their applications are running on and how they are being used. With IT asset inventories, application owners can understand the dependencies between different assets and ensure that their applications are running on the appropriate infrastructure. New owners are also able to explore asset connections based on network traffic to identify the direct and indirect dependencies of an application they inherited. The outcome is fewer disruptions to the business.

 

Upleveling the SOC

 

Automated IT asset management enriched with telemetry data provides a high-fidelity data source that is not only a reference for incident response but also a platform that drives better security with less reliance on manual intervention. It uplevels the SOC (Security Operations Center) by letting security teams move faster, focusing on the skills of the team rather than its ability to manage Excel spreadsheets. An authoritative source of truth lets analysis and automated actions replace manual security control gap analysis and remediation, while significantly reducing MTTR for incident response.

 

By implementing a Cybersecurity Mesh Architecture framework, security teams create a unified view of their environment and better understand the relationships between different assets. This can help teams identify gaps in security controls and implement remediation strategies quickly and efficiently.

 

Summary

 

In conclusion, IT asset discovery is critical to maintaining a secure enterprise. It is not just about knowing what devices and software are on the network, but about understanding how they interoperate and depend on one another so that business processes continue uninterrupted. With automated IT asset management and enrichment, security teams gain a high-fidelity source of asset data that drives better security with less reliance on manual intervention. That uplevels the SOC for incident response, sharpens prioritization, and makes a self-healing, closed-loop system for automated attack surface mapping and remediation possible. Cybersecurity Mesh Architecture is the next logical framework for organizations that want an extensible integration mesh that increases the ROI of their tooling, reduces risk, and enables far more efficient, non-disruptive incident response.

 

appNovi is the first Cybersecurity Mesh Architecture platform and can be deployed on your network or as SaaS — you can get same-day results through a trial of our software available here.