Cybersecurity Asset Management for Federal Agencies, Part 1

Axonius CMO Nathan Burke recently sat down with Federal News Network to talk about cybersecurity asset management in federal agencies, federal regulations, and more. Watch the first in this three part series or read the transcript of the conversation below.

Federal News Network (FNN): Where do NIST, CMMC, and NDAA section 889 fit in the discussion of asset management for federal agencies. 

Nathan Burke (NB): So I think that the idea that you can't secure, what you can't see is probably a cliche by now, but that doesn't mean it's not true. And if you look at any of the cybersecurity frameworks, whether it's something as broad as the CIS 20 or industry specific regulations like HIPAA and PCI or something more specific to federal, you'll notice that every single one of them start with understanding what assets you're responsible for, what's on them, and who has access. And as it relates to NIST, for example, there's really five things that are outlined that everyone needs to be able to prove. And, and these are things around identify.  Having a process in place and NIST in fact has a specific asset management call-out to be able to identify the devices, the software, the users, and then to understand their context and then how they relate to the overall risk. Then there's Protect. Right? So developing and implementing processes around securing devices and cloud instances, making sure the right identity and access management policies are in place for both users and accounts. And then ensuring that the proper controls are in place. Then there's Detect knowing anytime an incident takes place. Respond- being able to trigger the appropriate response action and then Recover to make sure that you've done all you can to ensure that the same event doesn't take place again.

And in every one of those steps, you need to know exactly what assets you have, what's on them, who has access, and what controls are either in place or missing. And that's what we mean when we talk about cybersecurity asset management. It's really the most foundational part of your program. 

FNN: I've read some of these NIST regulations. The problem is, you know some of them are kind of complex and byzantine and sometimes you get lost on page three and it seems like it's contradictory. It gets difficult just to understand them, doesn't it?

NB: Absolutely. And that's, that's why I think there's such a real focus on nailing the basics first, because it can be overwhelming and it can be complex, but that's why, what we really try to focus on is if you get that first part, right.

Understanding exactly what you have, then the rest makes sense, because if you're trying to satisfy all of these requirements, whether getting the foundation right, then it's never going to work. 

FNN: Let's maybe focus in on one  framework itself? Let's look at CMMC – how can Axonius help with CMMC?

NB: If you are looking at CMMC you find that there are both processes and practices that range from like the most basic level, which is level one to the most advanced and progressive at level five. And to get to level five, you've got to satisfy all of the previous four.

It includes 17 domains. And one of them – I bet you'd be able to guess – is asset management. At the most basic level, organizations need to be able to identify and document all of the assets and manage an asset inventory. That's the first thing that Axonius does by connecting to all of the different data sources that know about devices that know about cloud instances and users.

Axonius is able to collect and correlate all that data to give an always up to date asset inventory. And because it can do that, it can also show customers how every asset and every user either adheres to, or deviates from, their overall security policy. So Axonius customers are able to satisfy a lot of the different requirements within the CMMC.  These are things like 

1. Access control – understanding who has access to what 
2. Asset management 
3. Auditing and accountability – making sure that you can perform that audit automatically. That's something we hear from customers all the time, instead of treating an audit like an event – like spring cleaning – they want to be able to satisfy the audit requirement at any time without pulling out a clipboard or using Excel and creating a bunch of pivot tables. 
4. Configuration management – having a baseline and then understanding anytime, something that changes that no longer meet your expectations, 
5. Identification and audit authentication – making sure the only the right accounts and users have access to the appropriate resources. 
6. Incident response – providing the relevant contextual information to inform an investigation and then also triggering whatever automated action makes sense when an incident is detected 
7. Risk management, 
8. Security assessment systems 
9. Communication protection
10. System and information integrity 

Out of the 17 domains, CMMC addresses 10 of them already. When you add to that the fact that Axonius connects with all of these other solutions that you're already using, it's probably likely that it addresses all 17. 

FNN: That's the question I have next is this whole connection question. You know, you waltz into any federal agency, at least before COVID, you could walk into any federal agency and see a variety of systems being used, can Axonius provide easy ways to connect to this heterogeneous environment found in federal IT? 

NB: Yeah, and that's exactly what we do. And in fact, we did a survey last year with an analyst firm called ESG and it found that on average organizations have over 108 different security tools and I'd be willing to bet that's even higher in federal IT.

Having a hundred or more different tools could definitely be a management headache. But we see that as a positive thing because the good news is that the federal agencies already have all the data that they need. The issue is that the data just lives in different silos that don't talk to each other.

So it's not a problem of, “I don't have enough data.” It's just that they need a way to be able to correlate and collect this information, deduplicate it, and then be able to ask questions that span that entire result set. And that's exactly what Axonius is does.

This is what we hear all the time from customers is that they have so many different tools from endpoint protection, to vulnerability scanners, agent-based tools, things that are different by operating system.

They just want a way to be able to ask questions that relate to their security policy so they can get answers and then automate action. When we get started with a customer, that's the first thing they do – they configure what we call adopters. We have over 300, I think it's like 356 different integrations with the tools that know about assets and users, and they just choose the adopters that they use, provide credentials, and that's it. Then the system immediately starts pulling back data, correlating it, and then showing exactly what's in the environment. And then customers can create queries to understand how everything relates to their policy.

So just a basic example, let's say that I say every Windows device needs to have CrowdStrike or Carbon Black or whatever. That's a query that can be done with just two drop downs. And that's exactly what we do for our federal customers.