Effective asset management supports business continuity, cyber resilience, and compliance. Businesses can then continuously deploy proactive measures across all assets; but it is an area that many organizations struggle with. Ed Williams looks at why this is; and ways to improve...
Developing and deploying IT assets across the entire organizational infrastructure has never been easier than it is in today’s cloud-focused network environments.
Previously, IT assets were confined behind on-prem firewalls, where security configurations and parameters were set manually by administrators. In such rigid environments, deploying new Internet-facing assets required a complex change management process where all network ports needed to be optimised manually based on the collaboration of network and security teams.
Shifting to cloud environments has significantly reduced this burden for organizations. Anyone with the right administrative privileges can now deploy new Internet-facing assets on the cloud and connect them to the internal network ports without significant optimisation. This has boosted operational efficiency and third-party connectivity, allowing businesses to expand their digital footprints across the board. However, more often than not, this increased efficiency and scalability comes at the cost of security.
While racing to expand their IT estate, businesses often lose track of how many IT assets are operating within their networks. These invisible, unaccounted, and unmonitored assets create a back door for threat actors to deliver sophisticated cyber attacks.
In the world of cyber security, you can’t secure something you can’t see or don’t know even exists. Therefore, effective asset management is a leading priority for today’s cloud-first business model.
What’s causing IT assets to become blurred?
When it comes to digitisation and cloud expansion, there is still a persistent lack of due diligence across industries. Continuous business pressures, project deadlines, and KPIs often drive organizations to add new assets to their IT estate without conducting proper pentests or security assessment.
For instance, a business might be deploying a new SSH server to provide its third-party contractors with access to critical resources. If the SSH server isn’t pentested proactively, any underlying vulnerabilities and risks will not be identified in time. Threat actors today use automated malicious bots to scan the web for vulnerable or unpatched assets that can be detected in seconds after deployment, which can consequently lead to a cyber attack.
Also, in many cases, security teams only consider the deployed SSH server as a part of their IT assets. However, third parties are also using their own dedicated software and applications to connect to these servers and externally access the organization’s resources via the cloud. Therefore, these third-party applications should also be considered an integral part of the organization’s wider IT assets.
Another reason for this is the continuous proliferation of remote working. Ever since the pandemic, more businesses are providing remote working privileges for their workforce. This has led to an increased use of RDP (Remote Desktop Protocol) applications. RDP allows users to connect to organizations’ systems and machines using their own personal devices from a remote location. So, an employee might be using several personal devices to log into organizational systems without the security team’s knowledge. These assets often remain unknown or unmonitored until a major cyber incident occurs.
The continuous disengagement between network and IT security teams
Another key reason for bad asset management is the lack of engagement between network and IT security teams. When these teams work in isolation, they may not have a complete understanding of the organization's assets. This can result in limited visibility into the network and a lack of knowledge about critical assets that need to be protected.
As both teams have different priorities, network teams might be more focused on ensuring network availability and performance. So, they will often deploy new servers or applications without the security team’s assessment.
In most organizations, security teams are already under staffed due to the ongoing skills shortage. Overburdened security teams are less likely to always be on the lookout for new assets across the wider organizational network. This disengagement often causes new assets to be deployed without proper vulnerability assessment and evaluation, leading to a major incident like ransomware.
Due to these reasons, organizations need to emphasise effective asset management. Having a robust asset management strategy integrated into your business processes enhances the security team’s ability to operate more efficiently. They have a clear idea of which components to monitor, how to optimise security policies for different assets, and how to configure existing solutions for better security.
This allows businesses to achieve more proactive results from their existing security investments, whether it’s through solutions or security professionals, thus driving their ROI. Additionally, it also helps businesses to meet important compliance requirements such as PCI-DSS, HIPAA, and NIST.
How can businesses achieve robust asset management?
Planning an effective asset management strategy is a bit like being a shepherd. The first step is to count the number of sheep you have in the flock; only then can you tell for sure if one has gone missing or a wolf has snuck into the fold.So, to implement a robust asset management plan, businesses will need to first inventory their entire network. This includes identifying every device, software, firmware, or server connected to the network. This means scanning your entire cloud infrastructure, outward or Internet-facing system, and even carrying out physical inspection of on-prem infrastructure.
Once the initial asset inventory has been compiled, it needs to be regularly maintained and updated to track authorised changes and identify rogue or unexpected assets that appear on the network.
From there, businesses need to start implementing threat-hunting practices. It’s critical to run regular penetration tests and vulnerability scanning across all assets. All threats and vulnerabilities identified through these practices must be patched and updated immediately to reduce the risk of a potential breach.
For some businesses, conducting this extensive inventory process and regular threat-hunting exercises might not be feasible, given the lack of resources and shortage of skilled security professionals. More importantly, pentests are a point-in-time exercise. Your in-house security teams might finish a pentest on Friday and a new vulnerability might pop-up over the weekend, which will remain undetected.
In this case, it’s always advisable to attain third-party MDR (managed detection & response) services. Effective MDR vendors often provide access to a global SOC team that can help organizations to achieve visibility of all assets across their on-premise and cloud security infrastructure. MDR solution can provide round the clock service, so that businesses are always on top of newly identified vulnerabilities.
Establishing security policies and making new investments without robust asset management is like building a house on sand. When the threat comes, your organization will inevitably crumble down. Asset management plays a crucial role in ensuring an organization's security maturity and resilience in the face of today’s constantly evolving cyber threats. Therefore, asset management should be the top priority for business leaders implementing cyber security policies going forward.
The author
Ed Williams is VP, Consulting, Professional Services at Trustwave