Many forward-leaning companies now recognize that maintaining an always up-to-date inventory of IT assets is best practice. Relying on manually updated databases often leads to more headaches and work in the long run (not to mention that the data is often outdated and incomplete in the first place).
Unfortunately, this often becomes most apparent in the event of an IT outage or security event. When an event occurs that introduces significant risk to the organization, IT and security teams need to provide quick answers about what happened and which assets were affected. This should take minutes, but it often takes days and weeks.
The Implications of Physical Security for Cybersecurity Asset Management
We’re also learning that continuous, up-to-date asset data is important in the wake of a physical security breach. Physical security risks can easily turn into IT security risks, and the recent events at the U.S. Capitol on January 6, 2021 are a great example.
My heart goes out to the unsung IT heroes at the Capitol tonight. My guess is they've never had to run asset inventory IR before - a daunting, stressful task in a tabletop exercise - and they're running one (prob w/o a playbook) following a full on assault of the Capitol.
In this case, while the systems accessed likely did not contain classified materials, unauthorized access can quickly lead to the theft, compromise, or destruction of IT assets — including sensitive (and even national security) data.
To respond to these events, federal IT and security teams likely had to quickly answer questions, such as:
Which IT assets (workstations, laptops, etc.) are missing or stolen?
Has there been a change in configuration and user access to any IT assets that may pose a security risk?
Were security controls, such as encryption and identity and access management, deployed everywhere they should be?
Without an up-to-date asset inventory, this becomes a grueling and time-consuming exercise (as expressed in the above tweet).
How This Applies to Other Risks
A physical security breach isn’t the only risk that may prompt teams to reevaluate their asset management practices. As companies begin to return to their offices this year, even events like natural disasters can force IT and security teams to re-inventory their IT assets to truly understand the residual risk and the fallout.
Beyond geopolitical and environmental risk, there’s also legal risk. We’ve already seen how legislation like the National Defense Authorization Act (NDAA) has sent teams scrambling to identify assets associated with prohibited hardware and software vendors.
Asset Management Should Accelerate Incident Response, Not Become Incident Response
Not all security breaches (even physical breaches) are preventable — so responding quickly when breaches do occur is imperative. This means that cybersecurity asset management can’t be a reactive exercise conducted after a security event occurs.
Instead, cybersecurity asset management should be a proactive and continuous process that helps speed incident response when events do occur. Having an up-to-date, comprehensive asset inventory can help security analysts correlate alerts, understand the relationship between devices and users, and look at both the current and historical state of an IT asset.