This is an updated repost from the Axonius Medium blog.
Back when we were just getting started building Axonius, I spoke with Cerence, Inc.’s CISO, Ken MacCuish, around asset management for cybersecurity, and the conversation gravitated to how CISOs and security teams can measure their current state as well as what success looks like when it comes to asset management.
Nathan Burke: Ken, when we spoke about how you would set metrics to measure both baseline and improvement around any asset management program for cybersecurity, you had an interesting idea: mean time to inventory. Can you give a little more info on what you mean by that exactly?
Ken MacCuish: Mean time to inventory determines how long it takes a Security Operations Center (SOC) analyst to identify the system owner or custodian. The goal is to determine when incident response is lagging as a result of missing inventory information. A good substitute or addition to mean time to inventory would be to identify the event and if and/or how the asset information was ever obtained. It would include aspects like:
- Unable to ID owner/custodian
- Automation (the information was automatically embedded in ticket, or a simple click away)
- Manual determination via CMDB, spreadsheet, Active Directory and so on
- Call/email/ticket and/or other research
Nathan: Without adding any tools or changing the way they currently operate, how would a security team currently gather the information needed to come up with that metric?
Ken: You’d come up with that metric by adding a field to whatever ticket or orchestration system is being used (if they are using one) or simply embedding it in some common format within incident comments so that it can be grepped out with some scripting to aggregate.
Nathan: In Daniel Miessler’s piece, he suggested one single metric to judge the accuracy and freshness of the asset and data inventory, looking at both accuracy percentage and how old the inventory is. For instance, 90% accuracy, or 1 week old. Any thoughts on whether that’s a valuable metric or how hard it would be to get it?
Ken: I like this idea but I think most teams will need a substitute in the beginning that simply indicates the source of the data. If the source is a well-managed CMDB, great. The last update/review date could be drawn out via APIs or queries. If it’s a spreadsheet or sticky-note, at least there is something.
Nathan: One of the most difficult challenges I’ve seen for CISOs is getting headcount. Whether a result of budget or talent shortages, the talent gap is something that is always in the news. Daniel Miessler concludes his piece stating that simply hiring 1–3 people who are dedicated to this task will reduce breaches and the cost of buying more products. Do you think that many CISOs would dedicate headcount to asset management?
Ken: It depends on what you mean by asset management. It might work if you have a security pro on staff who can simply associate IP addresses, machines or containers with the owners/custodians. If you are talking about a timeline from requisition to end of life, no, that is a discipline all to itself.
Nathan: Final question. Asset management seems to be one of those problems that resulted in changes to the way we work over decades, and the explosion in the number and types of devices we use today has brought the problem into focus today. If you look into your crystal ball, do you see any other big cybersecurity trends that will arise in the next 5–10 years that we’re not dealing with now?
Ken: As an industry we are still not doing a good job addressing certain issues like asset management, patching, malware prevention, and for that matter, the rest of the security CIS 20.
That said, IoT will just amplify the problem where low-powered, low-cost devices get deployed without concern for security. The convergence of cyber and personal safety concerns will be one of tomorrow’s big challenges and the warning signs are already here if you consider everyday exposed systems like self-driving cars or automated ski lifts. We’ll see a positive effect here with well-defined, mature DevOps that can start to truly automate some of the basics.
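One way to compute the mean-time-to-inventory metric Ken describes from a common tag embedded in ticket comments, as an added Python example that is not part of the original interview. The tag format, the four category labels and the ticket records are assumptions constructed for the example.

```python
"""Mean time to inventory (MTTI) from incident tickets. Added example, not
from the interview. Assumes analysts embed a tagged line in ticket comments,
'asset-inventory: <source> @ <ISO timestamp>'; all tickets are constructed."""
import re
from datetime import datetime
from statistics import mean

# Assumed labels for the interview's four categories.
SOURCES = {"unknown", "automation", "manual", "research"}
TAG = re.compile(r"asset-inventory:\s*(\w+)\s*@\s*(\S+)")

TICKETS = [  # constructed sample data
    {"id": "INC-1001", "opened": "2024-03-01T09:00:00",
     "comments": ["asset-inventory: automation @ 2024-03-01T09:02:00"]},
    {"id": "INC-1002", "opened": "2024-03-01T10:00:00",
     "comments": ["asset-inventory: manual @ 2024-03-01T10:45:00"]},
    {"id": "INC-1003", "opened": "2024-03-02T08:00:00",
     "comments": ["asset-inventory: research @ 2024-03-02T12:00:00"]},
    {"id": "INC-1004", "opened": "2024-03-02T14:00:00",
     "comments": ["asset-inventory: unknown @ 2024-03-03T14:00:00"]},
    {"id": "INC-1005", "opened": "2024-03-03T11:00:00",
     "comments": ["asset-inventory: automation @ 2024-03-03T11:04:00"]},
    {"id": "INC-1006", "opened": "2024-03-03T16:00:00",
     "comments": ["Closed as false positive"]},  # never tagged: a gap
]

def parse_inventory(ticket):
    """Return (source, minutes to inventory), or None for an inventory gap
    ('unknown' owner or no tag at all), which has no time to measure."""
    opened = datetime.fromisoformat(ticket["opened"])
    for comment in ticket["comments"]:
        m = TAG.search(comment)
        if m and m.group(1) in SOURCES and m.group(1) != "unknown":
            when = datetime.fromisoformat(m.group(2))
            return m.group(1), (when - opened).total_seconds() / 60
    return None

def mtti_report(tickets):
    """MTTI overall and per source, plus the count of inventory gaps."""
    per_source, gaps = {}, 0
    for t in tickets:
        parsed = parse_inventory(t)
        if parsed is None:
            gaps += 1
        else:
            per_source.setdefault(parsed[0], []).append(parsed[1])
    all_times = [m for ms in per_source.values() for m in ms]
    return {"mtti_minutes": mean(all_times) if all_times else None, "inventory_gaps": gaps,
            "by_source": {s: mean(ms) for s, ms in per_source.items()}}
```

The per-source breakdown separates the cases Ken lists (automation, manual lookup, research), and the gap count tracks incidents where the owner was never identified, which the overall mean alone would hide.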
Ken MacCuish is the CISO at Cerence, Inc., the global industry leader in creating unique, moving experiences for the automotive world. Cerence’s expertise is sophisticated AI, natural language understanding, voice biometrics, gesture and gaze technology and augmented reality. They are helping transform how a car feels, responds and learns. This track record is built on 20 years of knowledge and almost 300 million cars. Whether it’s connected cars, autonomous driving or e-vehicles, Cerence, Inc. is mapping the road ahead.