Cyber Asset Management
Keeping up-to-date visibility of its physical assets, digital assets and informational assets, their usage and interconnexions, to improve organization-level decision-making.
Cyber(security) Asset Management (CSAM) is crucial to most business operations. IT operations, financial accounting, managing software licenses, procurement and logistics, among others, all rely on asset information. Where are they located, how must they cost, how much they contribute to revenue, how to use them, when to dispose of them, who are their owner and maintainer.
The information required for each function may not be identical, but there will be some overlap and interdependency. Security should not be viewed as an isolated function or as a major consumer of asset information, so asset management across the organization will help minimize or manage any conflicts between these processes.
It is impossible to maintain preventive security operations without Cyber Asset Management, for organization to gain the best position to identify and address cyber risks.
What is Cyber Asset Management?
Asset Management creates, establish, and maintains accurate and authoritative information about your assets for crucial day-to-day operations and efficient decision making. Traditional IT Asset Management (ITAM) revolves uniquely around hardware and software. Desktop computer, laptop, printers, servers. Internal application, third-party licensing agreement, and software-related contractual relation. It is all about maximizing the value of IT equipment within an organization. As it is first technology-oriented, with the raise of cloud computing and BYOD, ITAM is not enough anymore to deal with governance and security concerns of organizations in cyberspace.
Cyber Asset Management take a global approach by looking at the facilities, the digital hardware and configuration, in-house software and cloud application, user and their physical persona. As everything is connected, you can’t change one thing without impacting the global system. Cybersecurity and Cyber Risk Management also became a key feature in organization’s governance.
As you can’t protect something that you don’t know it exists, Cyber Asset Management is a critical component of Cybersecurity and Cyber Risk Management. Up to the point that the Asset Manager role tends more and more to shift from the Chief Information Officer (CIO) to the Chief Information Security Officer (CISO). The rise and sheer volume of new assets, combined with a shift to remote work, has made it more difficult to manage and inventory assets because they are more widely distributed.
As a key productivity vector for any organization, Digital tools and environment contribution to the organization well-being is a powerful axis of communication for CISO to catch senior executives and the Board attention.
What is an Asset?
An asset is anything that can be used to create value for an organization. It is the connected coffee machine that provide comfort to employee and improve their productivity. Or the database holding all customer information. The design app in the cloud is valued by the graphists for social media communication. All strategic discussion about the current strategic shift are conducted from the Chairman’s smartphone. And don’t forget Sam, your loyal employee for fifteen years that is the living memory of the organization.
Cyber Assets are Information, hardware, people knowledge and skills, software, facilities, employee, online avatars and bank accounts. All assets don’t have the same impact for the organization’s ecosystem if they are disrupted. We can categorize them into three main categories:
- Critical Asset, Crown Jewel or Business Asset: the most critical assets that are vital for the company (example: a production line, the treasury, a billing system). If a Crown Jewel is disrupted it can endanger the survival of the organization and even heavily impact all its sector or the stability of the sate.
- Supporting Asset or Steppingstones: the assets on which the Crown Jewels are based, that give access to the Crown Jewels or that is powering the Crown Jewels (example: a facility, a safe deposit, a server).
- Common asset: all the other assets that are needed to accomplish the organization’s mission but not vital.
Cybersecurity and Risk Management initiatives needs to be aware of all the assets of the organization. It is not rare that the first time a company perform a Risk Assessment is when they discover their true Crown Jewels and the associated steppingstones they overlooked until now. The goal of Preventive Risk Management is ultimately to protect all assets with the same level of cybersecurity. But in reality the effort must be focused on the Critical Asset and an enforced monitoring of Supporting Assets.
Risk Management and Cybersecurity will then look at Assets and categorize them into two categories : those you can turn into a security features (those assets are called Configurations items in ITILv4 or ISO/IEC 20000:2018), and those that need additional layer of protection.
Features and Benefits of Cyber Asset Management
An asset management system can provide a number of advantages from a cyber security, productivity and financial perspective. With increased visibility of their asset inventory, organization are empowered to make decision based on business priorities and the most up-to-date view of their asset. When Security Teams continuously monitor the IT infrastructure for new deployments and risks, they don’t have to wait until they detect an active attack to respond.
Preventive risk management is very economical compared to reactive security. In case of a cyber attack, Cyber Asset Management gives the security group an inventory of assets and risks that they can use to gain context on what went wrong and when. Having an up-to-date record of resource deployments and configurations that can be referred to immediately instead of having to reconstruct them to research the origins of a breach or vulnerability saves time and effort.
In order to address security issues, you must first identify the cyber asset attack surface and require a comprehensive list of all of your assets. CSAM, therefore, involves:
- Asset Discovery and Classification: Maintain a precise inventory of your assets by regularly scanning your environment for new, altered, or removed assets. Continuous scanning may be used to detect unauthorized alterations to your environment. Categories are used to classify assets, and a tag system is used to identify your most important assets, their maintainers, and the data they access.
- Human factors: Across your organization, you should account for human factors like usability and accessibility in the asset management procedure. By automating asset information discovery and enhancement, you can streamline business procedures and avoid excessive bureaucracy. This will prevent asset information from becoming inaccurate as a result of users finding workarounds and using Shadow IT.
- Automation and Change detection: Use multiple data sources to spot discrepancies as you update device information. For example, you might notice a device on the network without an associated owner or affiliated Business Unit. By identifying unauthorized alterations to your environment you can investigating security incidents before any harm is done. Automated processes should be used whenever possible to record information in response to environmental changes, rather than detect changes after they’ve happened. To avoid risky technical debt or costly system abandonment as systems grow, new initiatives should have automated asset management from the start. Maintaining accurate records and reducing ongoing costs and efforts are among the benefits of this approach.
- Vulnerability Scanning: Automated Vulnerability Scanning enriched asset’s information, including operating system and patch level, to continuously discover security flaws on each asset. It ensures all assets are included in the Cyber Risk Management process by maintaining an updated asset inventory. Your organization’s Internet presence should include physical, virtual, and cloud resources, as well as social media accounts, domain names, IP address spaces, and digital signatures. Inventory and uncover vulnerabilities ensure all assets are protected with the right security controls and you can easily act on control gaps.
Cyber Asset Management Best Practices
#1 - Include all your relevant assets
Cyber Asset Management should must everything from hardware to software, from service to data, from network to cloud. It should also include people, building, organization structure and documentation, in relationship with related digital services.
- Hardware: end-user devices, network and telecom equipment, significant peripherals
- Facilities & Building
- Datacenter: storage units, backup systems, power supply
- Operating Systems
- Personal and server applications
- Web services (internet and intranet)
- Cloud services:
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a Service (SaaS)
- Business mission: the organization’s reason of existence and key strategic objectives
- Business Units: a subpart of an organization that is working on one or several Business Missions
- Third parties: provider, partner, customers
#2 - Centralize your register
A lot of organization have Asset Registers that are duplicated or require a lot of rework, resulting in wasted time and resources. It is quite likely that teams use spreadsheets, while others use software. An Asset Register is an important tool for identifying and tracking your assets, it is also a living entity. An audit may identify an asset information change and recommend that it be updated, but this advice is lost in all of the other tasks and not communicated to every asset register instances.
Use a centralized and automated solution that act as a Single Source of Trust (SSoT) and make it easy to automatically and manual update the Asset Register. Having your processes automated will not only free up your time, but also enhance the accuracy and security of your assets.
#3 - Integrate with other software tools
Cyber Asset Management software will assist other processes if it blends in nicely with the other digitalized parts of your organization. You can integrate your asset management software with your incident management system to enhance your incident management, endpoint management, CMDB, change management, and other processes. By using your CSAM tool, you can gather data that can be shared across other tools, creating a comprehensive, real-time data source.
#4 - Be ready for any audit
Remote work environment and hybrid work culture, Shadow IT, cloud-scattered infrastructure, all of those are making the life of internal and external auditors a nightmare. Using an CSAM solution across the organization not only helps you compile information for an audit if required but also enables you to perform audits internally, so you can address issues beforehand.
It is not so much a question of playing the good student in front of auditors. It is a matter of exercising a proactive posture to solve problem, optimizing your usage and cost out of your cyber asset. An accurate posture that can impress vendor auditor, open up new opportunities and eventually save you from lawsuit and fines in case of trouble.
#5 - Score your asset by criticity
Keeping a closer eye on Crown Jewels, more frequent vulnerability scanning and vulnerability mitigation with greatly reduce your full enterprise risk scoring. Associated your Cyber Asset Register with a Business Impact Analysis (BIA) will also greatly help your to prioritize vulnerability management efforts by focusing your effort where the real problems are.
Dealing with Shadow-IT, Internet of Things and Operational Technologies
Some assets, in comparison to others, are much simpler to administer in some environments. A standard corporate network is usually deployed at scale, easy to operate and not that complex to secure, thanks to all the automation solution available on-the-shelf. However, what about other types of technologies? Legacy system that, let’s be honest, you can’t replace? Factory lines that would cost ten years budget to upgrade? IOT sensors that you put all over the place – and some your are even not aware of, included in third-party machine to perform remote monitoring?
The silver bullet don’t exist and won’t work in these scenarios. It’s then crucial to integrate asset management use cases with your governance structure. For example, vulnerability-driven asset management might be driven directly by the team operating the engines as part of the maintenance process. When you look at how you report vulnerabilities to the CISO, the most relevant information is not a fine-grained inventory of which assets have vulnerabilities, but a list of which systems are vulnerable and can be exploited, meaning are outside of your risk tolerance. A summarization with context is required to provide such a view.
Prioritizing the devices that are most important in an OT/IOT environment that is diverse is one option for collecting asset information. You must also consider whether the data that can be collected is useful.