As the CISO of Axonius, I think a lot about asset management, since Axonius pioneered a modern approach to this practice. Having benefited from our own Cybersecurity Asset Management platform, I’ve learned that to gain asset visibility in today’s business and IT ecosystem we should:
- Recognize that asset records come into existence too quickly for a static, manual-entry system, such as a CMDB, to track on its own.
- Create a mechanism for automatically gathering and correlating asset information from existing data sources.
You can spot the trend toward automated asset data collection in the recommendations from multiple organizations. For example, the recent Binding Operational Directive (BOD) 23-01 from the Cybersecurity and Infrastructure Security Agency (CISA) requires federal executive branch agencies to implement processes that ensure continuous visibility into their assets.
At the heart of CISA’s BOD 23-01 is the observation that knowing the assets that comprise your IT infrastructure is foundational to reducing security risk. That’s why CISA considers identifying assets and vulnerabilities a baseline requirement for a security program. This is valuable in the public and private sectors and is echoed in other security frameworks, including ISO 27001 and CIS Critical Security Controls.
An easily missed insight in CISA's directive is that gathering asset details involves obtaining data from a variety of sources, including network scans and traffic monitoring, as well as API queries. This is necessary, in part, because multiple groups in the organization deploy and manage assets independently, in different environments, and without the need or desire to manually register the assets with a single system.
CISA isn’t unique in recognizing this approach to asset management. Extracting data by connecting to enterprise tools via their APIs is a modern take on asset management and resonates with the approach that Gartner calls Cyber Asset Attack Surface Management (CAASM).
Furthermore, CISA’s directive highlights the need for gathering asset data continuously, going beyond static, point-in-time approaches to asset visibility. Manually entering asset data in a spreadsheet or CMDB cannot provide the up-to-date and in-depth visibility that IT and security professionals need. Instead, organizations should automate the gathering of asset data to ensure comprehensive and current asset coverage.
How can you devise such a modern approach to asset management?
First, implement asset discovery from multiple data sources. Connect to all the data sources that can reveal the existence of IT assets. This involves programmatically (via APIs) gathering asset details from tools that handle identity management, endpoint security, systems management, network management, vulnerability scanning, and more.
Each of these data sources has its own view of the assets. The asset management tech should interact with as many relevant sources as possible, including on-prem tools, cloud resources, and SaaS applications.
Continue with correlation and deduplication to get a unified view of the assets. Your tooling should recognize a unique asset even though multiple data sources might refer to it in different ways. For example, an external network scanner might refer to a host using its public IP address while a systems management tool might refer to the same asset using an internal address. Such correlation abilities not only ensure that the asset listing is duplicate-free but also combine data from multiple sources.
Next, consider the quality of data about each asset. The raw data provided by asset data sources is messy, confusing, and sometimes incorrect. A modern asset management approach needs to account for idiosyncrasies, bugs, and other nuances of the tools that supply asset information. It needs to extract details useful to security and IT practitioners.
Further, think about how you'll act on asset information to address security gaps. Consider which capabilities the cybersecurity asset management solution you're evaluating needs in order to take those actions. For example:
- Should you notify an analyst that an internet-accessible system has a severe vulnerability?
- Does your systems management tool need to deploy a security agent missing from the corporate endpoint?
- Do you need to add that just-deployed virtual machine to the list of systems your vulnerability scanner should examine?
- Do you need to enrich your CMDB with freshly discovered asset details?
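To make the steps above concrete, here is an added example (not Axonius code) that correlates constructed records from an external scanner, a systems management tool, an EDR agent and a cloud inventory into deduplicated assets, then maps the merged view onto the actions listed above. The source names, field names and sample hosts are all assumptions made for the illustration.

```python
# Constructed sample records (not real data); three tools describe web01 in different ways.
RECORDS = [
    {"source": "ext_scanner", "ip": "203.0.113.10", "hostname": "web01.example.com", "critical_vulns": 2},
    {"source": "sysmgmt", "ip": "10.0.0.5", "hostname": "web01.example.com", "mac": "00:11:22:33:44:55"},
    {"source": "edr", "hostname": "WEB01", "mac": "00:11:22:33:44:55", "agent": True},
    {"source": "cloud", "ip": "10.0.0.7", "hostname": "vm-new-01", "in_scanner_scope": False},
    {"source": "sysmgmt", "ip": "10.0.0.9", "hostname": "laptop42.example.com", "agent": False},
]

def normalize_host(name):  # tools disagree on FQDN vs. short name and on case
    return name.split(".")[0].lower()

def record_keys(rec):
    # Strong identifiers only; IPs are excluded: internal ranges repeat and public/internal never match.
    keys = [("host", normalize_host(rec["hostname"]))] if "hostname" in rec else []
    return keys + ([("mac", rec["mac"].lower())] if "mac" in rec else [])

def correlate(records):  # union-find over record indices: shared strong identifier => same asset
    parent = list(range(len(records)))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    first_seen = {}
    for i, rec in enumerate(records):
        for key in record_keys(rec):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            first_seen.setdefault(key, i)
    groups = {}
    for i, rec in enumerate(records):
        groups.setdefault(find(i), []).append(rec)
    return [{  # merge each cluster into one asset that combines every source's data
        "name": normalize_host(next((r["hostname"] for r in recs if "hostname" in r), "unknown")),
        "sources": sorted({r["source"] for r in recs}),
        "ips": sorted({r["ip"] for r in recs if "ip" in r}),
        "agent": any(r.get("agent") for r in recs),
        "critical_vulns": max(r.get("critical_vulns", 0) for r in recs),
        "in_scanner_scope": all(r.get("in_scanner_scope", True) for r in recs),
    } for recs in groups.values()]

def find_gaps(assets):  # map the merged view onto the follow-up actions listed in the post
    checks = [
        (lambda a: "ext_scanner" in a["sources"] and a["critical_vulns"] > 0, "notify analyst: internet-facing host with critical vulnerability"),
        (lambda a: "sysmgmt" in a["sources"] and not a["agent"], "deploy missing security agent"),
        (lambda a: not a["in_scanner_scope"], "add to vulnerability scanner scope"),
    ]
    return [(a["name"], msg) for a in assets for cond, msg in checks if cond(a)]
```

Running `find_gaps(correlate(RECORDS))` yields one merged web01 entry carrying both its public and internal addresses, plus three actions: a critical-vulnerability alert for web01, an agent deployment for laptop42, and a scanner-scope addition for vm-new-01.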