
    Asset and SaaS management provides the basis for Zero Trust efforts and architectures

    As the end of the 2023 federal fiscal year approaches, agencies are prioritizing their needs for FY2024 – and having a comprehensive approach to cybersecurity asset management tops many organizations’ digital transformation to-do lists. A perusal of every cybersecurity mandate of the past few years shows that asset inventory management is critical to minimizing an agency’s attack surface. Beyond Executive Order 14028 and the Office of Management and Budget’s (OMB) Zero Trust memorandum, CISA’s Binding Operational Directive 22-01 (BOD 22-01) calls for “ensuring the security of information technology assets across the federal enterprise.” 

    The latter’s counterpart, BOD 23-01, outlines several actions agencies must take to ensure asset security. BOD 23-01 also stipulates that agencies must provide a progress report at six, 12, and 18 months following the directive's issuance. That 12-month mark is also fast approaching on October 3.

    With the clock ticking toward the end of FY2023 and the first anniversary of BOD 23-01, let’s look at the actions and solutions agencies can invest in today to meet the requirements.

    1. Perform automated asset discovery every seven days

    Maintaining an up-to-date inventory of assets is essential to a good cybersecurity posture, but it’s become increasingly difficult. The average organization uses about 200 applications and users often rely on multiple devices, many of which are outside of the purview of IT. This creates shadow IT challenges, making it difficult to meet the requirements of BOD 23-01 and the event logging policies in M-21-31, among other mandates. 

    Traditional asset management methods, including spreadsheets and collecting information from different siloed sources, are unsuitable for this growing environment. Those methods are too time-consuming and lead to significant asset inventory and data knowledge gaps that exacerbate agencies’ security challenges. We’ve estimated that each manual asset audit takes about 86 hours of labor. So, even if they could find the assets, IT professionals wouldn’t have the ability to audit and report on them every week.

    That’s why automation is so important. With automated and comprehensive asset discovery, agencies can find assets at any cadence and not be tied to periodic and time-consuming manual scanning cycles. Their inventories can be updated not just every seven days, but in real time, ensuring that they always have a handle on which assets are being used on their networks.

    2. Enumerate vulnerabilities across all discovered assets every 14 days

    CISA requires agencies to report which of their assets are impacted by vulnerabilities, and what those vulnerabilities are, every 14 days. That way, issues can be quickly remediated through patching or other tactics. An ancillary, yet no less important, benefit is that this practice provides a good overview of an agency’s potential attack surface, which can then be locked down accordingly in the event of a cybersecurity operations order (“opp ord”).

    But correlating assets to known vulnerabilities, remediating them, and then double-checking to ensure everything’s been patched can be a difficult and onerous task to do manually. Even if security personnel keep a running tally of known vulnerabilities, combing through a thicket of data compiled through disparate sources can be confusing and error-prone. It can also take much more time than CISA’s 14-day cadence allows.

    It’s better to employ an automated system to quickly correlate information from disparate sources and assets, including those IT may not know about. It’s even better if that system discretely integrates with an information repository like CISA’s Known Exploited Vulnerabilities Catalog and automatically matches vulnerabilities to assets.
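    The matching step described above, as an added example that is not code from this article or from any vendor product: it correlates per-asset findings with KEV-style catalog entries and flags assets whose last scan is older than the 14-day window. The `cveID` and `dueDate` field names follow CISA's KEV JSON feed; the inventory schema, host names, dates, and CVE ids are constructed placeholders.

```python
from datetime import date

# Constructed KEV-style entries; field names follow CISA's KEV JSON feed
# (cveID, dueDate). The CVE ids are placeholders, not real identifiers.
KEV = [
    {"cveID": "CVE-0000-0001", "dueDate": "2023-09-20"},
    {"cveID": "CVE-0000-0002", "dueDate": "2023-10-15"},
]

# Constructed inventory records (hypothetical schema): the CVEs found on
# each asset and the date of its last vulnerability scan.
ASSETS = [
    {"host": "web-01", "last_scan": "2023-09-28",
     "cves": ["CVE-0000-0001", "CVE-0000-0009"]},
    {"host": "db-02", "last_scan": "2023-09-10", "cves": ["CVE-0000-0002"]},
    {"host": "hr-laptop-7", "last_scan": "2023-09-30", "cves": []},
]

ENUMERATION_WINDOW_DAYS = 14  # vulnerability enumeration cadence cited above


def correlate(assets, kev, today):
    """Return per-asset KEV hits, overdue KEV hits, and scan staleness."""
    due = {e["cveID"]: date.fromisoformat(e["dueDate"]) for e in kev}
    report = {}
    for a in assets:
        # Keep only findings that appear in the catalog, de-duplicated.
        hits = sorted(c for c in set(a["cves"]) if c in due)
        age = (today - date.fromisoformat(a["last_scan"])).days
        report[a["host"]] = {
            "kev_hits": hits,
            "overdue": [c for c in hits if due[c] < today],
            "scan_stale": age > ENUMERATION_WINDOW_DAYS,
        }
    return report


def affected_hosts(report, cve_id):
    """Hosts carrying one catalog entry, for an on-demand query."""
    return sorted(h for h, r in report.items() if cve_id in r["kev_hits"])


if __name__ == "__main__":
    rep = correlate(ASSETS, KEV, today=date(2023, 10, 1))
    for host, row in rep.items():
        print(host, row)
    print(affected_hosts(rep, "CVE-0000-0001"))
```

    A stale scan matters as much as a hit: an asset with no recent enumeration cannot be reported as clean.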

    Axonius uses non-intrusive API-based adapters to bring in context from hundreds of different data sources. Data is automatically normalized and de-duplicated, creating a comprehensive “single source of truth” for all assets. This process greatly simplifies asset and vulnerability management so that agencies can quickly collect accurate information and keep to CISA’s timetable.

    3. Initiate on-demand asset and vulnerability discovery within 72 hours of receiving a request from CISA

    Per CISA, agencies must “develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration.” This requires a level of agility that goes beyond many agencies' traditional asset-tracking methods. Therefore, CISA included a caveat that organizations may be unable to complete full vulnerability discovery within that time frame, though they still need to begin the enumeration process.

    But it’s not just about responding to CISA’s request within three days; it’s about proactively protecting organizational data and systems. That requires the ability to perform on-demand queries.

    On-demand queries reveal vulnerabilities and coverage gaps and let security managers know immediately if a vulnerability has impacted ten, 100, or 1,000 (or more) devices. Agencies can quickly determine the blast radius incurred by a vulnerability and immediately begin the remediation process. They can also identify agent gaps and see which devices may not receive the latest virus protection feeds. 

    This and the other aforementioned actions all highlight the need for a more comprehensive and modern approach to protecting the attack surface. No longer is “good enough” good enough. Agencies need complete confidence that they have total and clear visibility into every asset, gap, and potential vulnerability and that they can manage, remediate, and report on all three of them very quickly.

    Axonius can help. Our solutions are on the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Approved Products List (APL). They are also approved for use within the Department of Defense following the completion of successful prototypes in which we helped the DoD create a comprehensive asset inventory, daily dashboard updates, and more. Our work with the DoD exemplifies the effectiveness of automated cybersecurity asset management as a fundamental component of meeting federal mandates.

