A CISO’s list of responsibilities are vast. They need to protect, defend, and identify any risks and potential attacks that may hit their company’s environment. However, knowing what needs protection is its own challenge. Keeping track and knowing what your environment consists of what devices are connecting to your network, what your company’s access points are, how many cloud-based apps are in use and more, can be an overwhelming and daunting task.
We spoke to Joey Johnson, CISO of Premise Health, to get his take on asset and inventory management. We’ll go over how to get started, get organized, and stay protected.
Why is Asset Management Important?
Here’s a sample of recent major data breaches:
- FedEx : Discovered in early 2018, this breach was a result of an insecure Amazon S3 server that belonged to an acquired third-party.
- Panera Bread : This incident resulted in the leak of millions of customers’ personal information via a publicly accessible page on the company’s website.
- Equifax : One of the biggest data breaches to hit consumers was due to the company’s failure to apply a CVE patch on one of its web servers.
These data breaches could have been prevented with the right asset management process in place. Hackers are looking for the lowest hanging fruit and without proper asset management, you may miss that a server hasn’t been updated, or have forgotten about a domain you own. These are the kinds of vulnerabilities hackers are looking for.
Organizations should employ evergreen and ongoing asset management, which means that you take inventory of your assets at a point in time but also leverage tools and methods in order to continually account for them.
Getting Started with Asset Management
Whether you’ve joined a new organization or are planning to implement an asset management and process in place for the first time, here’s a quick playbook.
Obtain Organizational Visibility and Context
One of Johnson’s cardinal rules is “you cannot protect what you can’t see.” Without proper visibility, your asset management may suffer.
He recommends starting by understanding your company’s environment. If you’re in a company that deals with acquisitions, your security priorities are very different compared to a consumer-facing retailer.
Once you can identify your company’s security needs, take stock of what’s in place already. Here are a couple of key questions to ask.
- Is there an asset management process already in place?
- What tools and resources are available?
- How is your security department organized (is there a data center, a disparate, outsourced staff, and how big is the team?)
- How are responsibilities and decision-making organized? What is your information security team responsible for? IT team? Legal?
To get additional context, Johnson recommends speaking to other departments such as marketing, legal, procurement, and HR. This will give you insight into tools, licenses, domains, and other services your company is using that you may not be aware of. By talking outside of your team, you’re able to get a much clearer picture of what your company is working with.
Prioritize Your Assets and Manage Growth Accordingly
Identifying your most critical assets and developing a security model to protect those should be your next step. Johnson warns that it’s easy to exhaust yourself trying to classify and manage every single thing. Prioritization will help you get quick wins, which is necessary when taking on such a large task.
From there, expand your scope and work concurrently with your team on discovery, identifying your IPs, domain names, devices, third-parties, and more. Johnson recommends leveraging what’s already available to you.
“You can get a lot of traction by getting two people to talk to each other and harvest information than if you were just by yourself,” he says. While you’ll have to pull information from different sources, it’s up to you to centralize the information you’ve collected.
It’s easy for asset management to be obstructed by scope creep and a company’s growth. In these cases, Johnson recommends going straight to the source. “For example, if your cloud architecture is scaling in costs because your company’s dev team is growing, start tightening things. Put in some bandwidth controls and alerts when you hit a dollar amount on hosting,” he says.
Paying attention to a team’s spending power is a good way to limit scope creep and gives you a chance to re-prioritize and set goals accordingly. As organizations grow, it’s up to you to have a process in place that allows you to manage growth in respect to employees, devices, network changes, and more.
Choosing the Right Tools
Johnson mentioned that companies are increasingly leveraging tools and outsourcing staff-based applications because building software or tools in-house is usually not enough. Organizations are dynamic and move too fast for in-house tools to keep up with.
“When you look at [an organization’s] information structure, assets are very fluid and very dynamic. AWS, Azure, Rackspace can all connect to an organization at lightning speed,” Johnson says. “Companies need to have asset protection that’s just as fast or asset management becomes difficult to wrangle.”
However, before blindly buying tools, organizations first need to perform their due diligence.
“From a security perspective, don’t trust every tool to be completely comprehensive,” he cautions. Leverage the ‘trust but verify’ model when considering tools or using any that are in your environment already.
Joey outlines the kinds of questions to ask when considering any new purchase.
“What is the problem we’re going to need to solve? What’s going to emerge? What’s the process or technology that’s going to address that?”
From there, it’s important to understand how the tool will incorporate into your company’s infrastructure and department to improve you asset management.
If there’s no right solution on the market, you may have to develop your own, which brings us to our last point.
Looking Ahead: Proactive Asset Management
The need for ongoing management is necessary as your asset model is subject to change. Part of your tool and method selection is an exercise in proactivity.
As Johnson puts it, “bigger is not better. As [companies] grow and scale, [they] get more complex so solutions need to address that complexity.”
The expectation and output of an organization as it grows runs into novel situations where a more mature or sophisticated asset management model might be needed. Or you might run into unique situations that may need to be solved for the first time.
This provides an opportunity for leaders in an organization to solve these risk problems at the “bleeding edge of technology before there’s any blueprint,” as Johnson describes.
For example, at Premise Health, Johnson takes a five-year proactive approach to forecast what the company may run into as it grows. They may not have the answer now, but by being proactive, they can build a roadmap and start working on solutions now.
This allows them to tackle new issues dealing with the proliferation of medical devices and wearables generating sensitive data. For Premise Health, the question “what’s a corporate device?” doesn’t have a clear answer. A similar line of thinking can be applied to IoT (internet of things) where companies need to consider how they’ll engage in proper asset management aside from implementing an MDM (mobile device management) process.
“The lifetime of these devices can be very short but the risk posture can be huge,” Johnson says.
As companies continue to evolve and utilize new technologies, it’s up to security leadership to be proactive and be prepared. Asset management provides a defensive framework that helps you company stay secure as it grows.
For security leaders looking to learn more about topics such as this and other, MISTI's upcoming IT Security Leadership Exchange provides the perfect opportunity.