As the CISO of Axonius, I think a lot about asset management, since Axonius pioneered a modern approach to this practice. Having benefited from our own Cybersecurity Asset Management platform, I’ve learned that to gain asset visibility in today’s business and IT ecosystem we should:
You can spot the trend toward automated asset data collection in the recommendations from multiple organizations. For example, the recent Binding Operational Directive (BOD) 23-01 from the Cybersecurity and Infrastructure Security Agency (CISA) requires federal executive branch agencies to implement processes that ensure continuous visibility into their assets.
At the heart of CISA’s BOD 23-01 is the observation that knowing the assets that comprise your IT infrastructure is foundational to reducing security risk. That’s why CISA considers identifying assets and vulnerabilities a baseline requirement for a security program. This is valuable in the public and private sectors and is echoed in other security frameworks, including ISO 27001 and CIS Critical Security Controls.
An insight shared by CISA that’s easy to miss is the recognition that gathering asset details involves obtaining data from a variety of sources, including network scans and traffic monitoring, as well as API queries. This is necessary, in part, because multiple groups in the organization deploy and manage assets independently, in different environments, and without the need or desire to manually register the assets with a single system.
CISA isn’t unique in recognizing this approach to asset management. Extracting data by connecting to enterprise tools via their APIs is a modern take on asset management and resonates with the approach that Gartner calls Cyber Asset Attack Surface Management (CAASM).
Furthermore, CISA’s directive highlights the need for gathering asset data continuously, going beyond static, point-in-time approaches to asset visibility. Manually entering asset data in a spreadsheet or CMDB cannot provide the up-to-date and in-depth visibility that IT and security professionals need. Instead, organizations should automate the gathering of asset data to ensure comprehensive and current asset coverage.
How can you devise such a modern approach to asset management?
First, implement asset discovery from multiple data sources. Connect to all the data sources that can reveal the existence of IT assets. This involves programmatically (via APIs) gathering asset details from tools that handle identity management, endpoint security, systems management, network management, vulnerability scanning, and more.
Each of these data sources has its own view of the assets. The asset management tech should interact with as many relevant sources as possible, including on-prem tools, cloud resources, and SaaS applications.
Continue with correlation and deduplication to get a unified view of the assets. Your tooling should recognize a unique asset even though multiple data sources might refer to it in different ways. For example, an external network scanner might refer to a host using its public IP address while a systems management tool might refer to the same asset using an internal address. Such correlation abilities not only ensure that the asset listing is duplicate-free but also combine data from multiple sources.
Next, consider the quality of data about each asset. The raw data provided by asset data sources is messy, confusing, and sometimes incorrect. A modern asset management approach needs to account for idiosyncrasies, bugs, and other nuances of the tools that supply asset information. It needs to extract details useful to security and IT practitioners.
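The correlation, deduplication and data-quality steps above, as an added example that is not Axonius's code: records from a scanner, an EDR tool and a cloud inventory are linked by shared identifiers (hostname, MAC, cloud instance id) after normalising the messy values each tool emits, and the merged view is then queried for assets that no endpoint agent reports. Source names, field names and records are all constructed for the example.

```python
# Added example: correlate asset records from several tools into one
# deduplicated inventory, then surface coverage gaps. The sources,
# fields and records are constructed, not from any real product.
from collections import defaultdict

JUNK = {"00:00:00:00:00:00", "localhost", "127.0.0.1", ""}
LINK_KEYS = ("mac", "instance_id", "hostname")  # strong enough to link on

def norm(kind, value):
    """Normalise an identifier; None for junk values some tools emit."""
    v = str(value).strip().lower().rstrip(".")
    return None if v in JUNK else f"{kind}:{v}"

def correlate(records):
    """Union-find over shared identifiers; returns merged asset dicts."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    for i, rec in enumerate(records):       # union each record with its keys
        for k in LINK_KEYS:
            key = norm(k, rec[k]) if k in rec else None
            if key:
                parent[find(f"rec:{i}")] = find(key)
    groups = defaultdict(lambda: {"sources": set(), "ips": set()})
    for i, rec in enumerate(records):       # merge each group's records
        g = groups[find(f"rec:{i}")]
        g["sources"].add(rec["source"])
        g["ips"].update(ip for ip in rec.get("ips", ()) if ip not in JUNK)
        for k in LINK_KEYS:
            if k in rec and norm(k, rec[k]):
                g.setdefault(k, norm(k, rec[k]).split(":", 1)[1])
    return list(groups.values())

def missing(assets, required):
    """Assets never reported by a required source (e.g. no EDR agent)."""
    return [a for a in assets if required not in a["sources"]]

# Constructed sample: three tools, two real machines, one junk MAC.
RECORDS = [
    {"source": "scanner", "hostname": "WEB01.corp.example.", "ips": ["203.0.113.10"]},
    {"source": "edr", "hostname": "web01.corp.example", "mac": "AA:BB:CC:00:11:22", "ips": ["10.0.0.5"]},
    {"source": "cloud", "instance_id": "i-0abc", "mac": "aa:bb:cc:00:11:22"},
    {"source": "scanner", "hostname": "db02", "mac": "00:00:00:00:00:00", "ips": ["10.0.0.9"]},
]
ASSETS = correlate(RECORDS)
```

The scanner's public address and the EDR agent's internal address end up on the same asset, while the all-zero MAC is ignored so the database host is not wrongly linked to anything.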
Further, think about how you’ll act on asset information to address security gaps. Consider what you need to know about the technologies or capabilities for the cybersecurity asset management solution you’re thinking about. For example:
“Culture is the foundation for any high-performing team. We all process information differently, we listen differently. We come from different backgrounds and experiences. No matter who you are, I want to know that. I want to understand what makes you you and treat you the way you want to be treated, not how I project myself onto you.”
— Jen Easterly, director, Cybersecurity and Infrastructure Security Agency (CISA)
“[Create an environment] where people can understand when they can take time off and not feel like everything is going to fall apart. [Where] they have a plan for their career and how they’re going to grow. [Where] they have time to be with their friends and family enough not to be burned out.”
— Deidre Diamond, founder and CEO of CyberSN and Security Diversity
“Actively invite engagement, listen with purpose, and look for signs of burnout. You can't expect everyone to feel equally comfortable expressing an opinion, and so it's important to solicit feedback at times as opposed to always passively expecting it. When you are getting engagement, listen with purpose. Make an effort to not only hear what's being said, but understand and empathize. Lastly, look for signs of burnout. … If you're noticing signs of burnout on the team, look for ways to intervene, like ensuring adequate team resourcing/load balancing to create a healthy work/life balance for everyone, and that team members are able to take PTO.”
— Daniel Trauner, senior director of security, Axonius
“We need an environment where failure is not only tolerated, but an understood aspect of innovation. Our attackers are failing forward every single day, [and] we deserve the ability to do the same if we are going to protect our people, data, and organizations.”
— Chris Cochran, co-founder at Hacker Valley Media and creative director at Axonius