Our own CISO Lenny Zeltser was recently interviewed on Season 2 of Hacker Valley Blue, the cybersecurity podcast from Webby Awards nominated hosts Ron Eddings and Chris Cochran. In episode 4 of the podcast, Lenny talked about looking into the root cause of the day-to-day fires security teams fight and then leveraging existing data and tools to solve problems.
He also shed light on the origin and growth of REMnux – a Linux toolkit for malware analysts, and talked about the biggest discovery about himself.
In this excerpt from the podcast, Lenny provides insight on who owns asset management and the implications of not knowing what’s in your environment. He also offers advice for organizations that are starting to prioritize asset management.
Editor’s note: The following transcript has been edited for brevity and length.
Chris Cochran: Is asset management an IT centric function, a security centric function, or a combination of both?
Lenny Zeltser: The way that technology supports businesses today involves a lot of groups being responsible for different aspects of the technology. You might have a group that's responsible for corporate infrastructure, corporate IT, employee laptops, and other endpoints. You might have another group that’s responsible for your data center or cloud infrastructure. You might have yet another group that's responsible for R&D that demands certain specialized hardware or specialized software.
The reason why I'm bringing this up is because the way that technology is used today creates a lot of groups and silos. Each of those groups tracks or wants to track its assets, perhaps in a slightly different way. The way that you keep an eye on your cloud infrastructure, virtual machines, or even containers, is different from how you'd track employee laptops.
We need a way to allow each of those groups to do what they do best to maintain some level of independence. But at the same time, find a mechanism to take the information that they know how to access and then make it available to other teams. Just because corporate IT is responsible for maintaining employee endpoints, doesn't mean that security doesn't want to take a look at those endpoints to make sure that the appropriate endpoint security software is installed.
Asset management is a shared problem. But it’s becoming a little bit more difficult to address than when our infrastructure was more uniform and it was much easier to draw a line between IT and security responsibilities.
Chris: When we talk about asset management, we talk about the benefits of knowing what's in your environment. But what happens when you don't know what's in your environment?
Lenny: I can think of some scenarios from my incident response days where my team would help an organization deal with a suspected breach. We would come in and we would ask questions about what's in this environment. We would get silence besides a few config files. Config files don't give us full visibility into what systems reside within an environment, how they communicate, and what software is installed on them.
That made incident response hard. It really just slows you down because you now have to start gathering the information about the state of the environment.
Another instance is when dealing with auditors, who often begin their conversations with requests like, “Can you give us a list of assets that you're aiming to secure that are in scope of our audit?” In many cases, the information about IT components of the environment resides in different places. You have to look into lots of information sources. How do you know that you've gathered all the details that you need to satisfy your audit requirements? Time is the common source of stress and a disadvantage when we have to manually gather all this information.
Chris: There's someone listening right now that's thinking, "We've neglected asset management. We've neglected understanding what's in our environment," and they want to start moving in a positive direction. What advice would you have for them?
Lenny: Understand what are the major data sources that you can tap into to know what you have in your environment, rather than thinking, “Let me create this one new way of serving everything that I have.” An organization probably already has information about its assets, but that information is spread across multiple technological silos.
If you have Active Directory, that is an information source about what systems are a part of your organization's infrastructure. If you're using Azure or AWS or GCP, then the cloud orchestration layer can tell you something about your assets there. Think about how you can tap into those information sources. Start with three sources of information that might get you the biggest bang for the buck.
That could be your vulnerability scanner, your Active Directory, and AWS orchestration layer. Tap into those information sources, extract the data from there, and then see what you end up with. You might have a much better understanding of what you have after you complete the exercise than you did before.
Want to gain more insights from Lenny on all things security? Start exploring Life as a CISO today.