Automating Asset Management for Better Cyber Hygiene
Cyber Hygiene – Cyber hygiene is the ongoing process and discipline required to ensure that all assets adhere to the cybersecurity protections outlined in an organization’s cybersecurity policies.
Similar to personal hygiene (brushing teeth, washing hands, bathing, etc.), cyber hygiene refers to all proactive steps taken to reduce the risks of infection related to devices and the underlying data. Cyber hygiene practices can be as simple as ensuring that laptops are running the most up-to-date version of their operating system and as complex as automatically patching, blocking, or updating systems.
While the personal hygiene metaphor helps to explain the main idea, the comparison breaks down quickly when looking at the challenges related to cyber hygiene. The following are just 5 of the top challenges related to cyber hygiene:
With personal hygiene, it’s likely that there is no problem locating the hands that need washing. But with cyber hygiene, simply having the visibility into all assets is a massive challenge.
The increase in the number and types of devices in our corporate environments has made it difficult to answer the most basic question: how many devices do I have, and are they secure?
Between unmanaged devices, cloud instances, and personal devices that have access to corporate data, just having a comprehensive inventory becomes a challenge.
When companies are able to solve the visibility challenge, they can then move on to cyber hygiene challenge 2: understanding security solution coverage.
Organizations spend time, effort, and dollars implementing security and management solutions to address every kind of device and user. Just a few examples:
Just to name a few. For a full list, see Axonius Adapters.
Without understanding where security solutions are both installed and active, coverage gaps exist. Until you can uncover gaps in security solution coverage, good cyber hygiene is impossible.
There will always be vulnerabilities, and it is highly likely that there will always be more vulnerabilities than resources to address them. This makes prioritization essential when it comes to including vulnerability management as part of a cyber hygiene program.
Understanding which devices have critical vulnerabilities lets security teams understand severity, thereby helping teams prioritize what needs to be addressed.
In addition to the device side of cyber hygiene, understanding which users have privileged access and continually verifying permissions is a necessary component of any cyber hygiene program.
A few examples of user-related queries that should be part of a cyber hygiene initiative:
Finally, two types of assets have a tendency to trip up cyber hygiene initiatives: cloud instances and IoT devices.
As organizations move more and more to the cloud, they often find that the security and management solutions that protect their on-premise and network devices don’t necessarily translate to the cloud.
One good example is the use of Vulnerability Assessment tools. These scanners do a fantastic job of scanning devices on a network to find which vulnerabilities are present. But the dynamic nature of cloud instances and their short lifespan often means that VA tools simply don’t know that a new cloud instance exists, so it is never scanned.
IoT devices present another challenge to security and IT departments when it comes to cyber hygiene. With thousands of always-on, always-connected devices hitting our networks, these devices are unmanaged and therefore are often not covered by security policies.
A great recent example of IoT devices and the challenge around cyber hygiene can be seen in our post “The NASA JPL Hack: Why Asset Management Matters in Cybersecurity”.
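The coverage gaps, unscanned cloud instances, and unmanaged devices described above all surface when inventories from several sources are correlated into one asset list. The following is an added example, not code from the original post or from Axonius; the source names, field names, and sample records are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample exports; source names and field names are assumptions.
SOURCES = {
    "cloud_api": [{"hostname": "web-01", "mac": "0A:1B:2C:3D:4E:01"},
                  {"hostname": "batch-7", "mac": "0a-1b-2c-3d-4e-02"}],
    "network": [{"hostname": "LT-ALICE.corp.example", "mac": "aa:bb:cc:00:00:01"},
                {"hostname": "cam-lobby", "mac": "aa:bb:cc:00:00:02"}],
    "endpoint_agent": [{"hostname": "lt-alice", "mac": "AA-BB-CC-00-00-01"},
                       {"hostname": "web-01", "mac": "0a1b.2c3d.4e01"}],
    "va_scanner": [{"hostname": "lt-alice"}],  # scanner export without MACs
}

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac or "").lower()
    return digits if len(digits) == 12 else None

def norm_host(name):
    """Lowercase short name, so an FQDN and a bare hostname compare equal."""
    return (name or "").split(".")[0].lower() or None

def correlate(sources):
    """Merge every source's records into one asset per device."""
    ids = [(src, norm_mac(r.get("mac")), norm_host(r.get("hostname")))
           for src, recs in sources.items() for r in recs]
    # Lets a MAC-less record join the asset another source saw with a MAC.
    host_to_mac = {h: m for _, m, h in ids if m and h}
    assets = defaultdict(lambda: {"hostnames": set(), "seen_by": set()})
    for src, mac, host in ids:
        key = mac or host_to_mac.get(host) or host
        if key is None:
            continue  # no usable identifier
        assets[key]["seen_by"].add(src)
        if host:
            assets[key]["hostnames"].add(host)
    return dict(assets)

def coverage_gaps(assets, required):
    """Map each asset to the required sources that have never reported it."""
    gaps = {}
    for asset in assets.values():
        missing = sorted(set(required) - asset["seen_by"])
        if missing:
            gaps["/".join(sorted(asset["hostnames"])) or "unknown"] = missing
    return gaps

if __name__ == "__main__":
    found = coverage_gaps(correlate(SOURCES), ["endpoint_agent", "va_scanner"])
    for name, missing in sorted(found.items()):
        print(f"{name}: missing {', '.join(missing)}")
```

In the sample data the short-lived cloud instance `batch-7` and the camera `cam-lobby` are each known to only one source, so both are reported as lacking an agent and a vulnerability scan.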
The Center for Internet Security (CIS) lists a prioritized set of actions to protect organizations from known cyber attack vectors. Known as the CIS 20, the list is broken down into:
The most basic controls, CIS 1 and 2, deal with the following cyber hygiene practices:
“Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.”
To achieve CIS Control 1, the Center for Internet Security highlights 3 key steps:
“Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.”
To achieve CIS Control 2, the Center for Internet Security requires you to:
The Axonius Cybersecurity Asset Management platform helps organizations implement, monitor, and automate their cyber hygiene programs by doing exactly 3 things:
At its core, patch management is a discipline that combines both knowledge and action. It requires IT and security teams to understand which devices are known and unknown, the version and subsequent vulnerabilities of software being used, and the impact of change.