Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Pablo Quiroga
Pablo Quiroga
Connect Directly
E-Mail vvv

Why You Need a Global View of IT Assets

It may seem obvious, but many companies lose sight of the fact that they can't protect what they don't know they even have.

There is one simple truth of effective cybersecurity: You can't protect what you don't see. Comprehensive visibility is the foundation of good security — and it is becoming increasingly difficult to achieve. The ultimate goal is to have a platform designed to simplify security by providing a single source of truth for IT, security, and compliance.

Seismic Shifts in the IT Landscape
The modern IT environment presents many challenges. As companies transition to the cloud, the result in most cases is a hybrid environment that includes both on-premises and cloud resources — sometimes scattered across a multicloud environment. At the same time, the network perimeter has become irrelevant and the lines of "inside" and "outside" the network have blurred. The explosion of Internet of Things devices, the use of mobile devices, and the rise of DevOps and containers mean an exponential increase in the number of resources connected to your network. A consequence of this expanding and shifting IT landscape is a lack of cohesive visibility.

The hodgepodge of tools yields a segmented, partial view of crucial information. For many organizations, the only way to achieve some semblance of "complete" visibility is an ineffective manual effort to combine and correlate data from the various tools. Ultimately, the manual effort is time-consuming and inaccurate, and it quickly becomes obsolete as the environment changes rapidly. The manual effort is also inefficient because it utilizes highly trained IT and security engineering personnel for menial tasks rather than allowing them to focus their skills on executing projects and making better business decisions.

The Inherent Challenges with IT Asset Data
To begin to solve this problem, you have to first understand the three challenges of IT asset data: volume, velocity, and variance.

Hybrid IT environments are volatile and dynamic. The number of managed and unmanaged devices connected to your network at any time can be massive. These environments are continuously changing at an unprecedented speed — software upgrades and configuration changes, containers and virtual machines being spun up and down. 

Perhaps the biggest challenge is variance. The same data point may be referenced in different ways or under different names across various products and services. As technology providers go through mergers and acquisitions, new tools and platforms are integrated into the mix, and correlating all of the IT asset data together can be complex.

Dealing with the volume, velocity, and variance in IT data could become quickly overwhelming. Legacy tools that attempt to collect partial data at infrequent times fail to deliver the foundation required for an effective security architecture framework.

Foundation of Your Security Architecture
A report from the U.S. Department of Defense Inspector General released in July 2018 found that none of the commands or divisions of the three military branches maintains an accurate inventory of their software. They all have gaps in visibility of what is on their own internal networks — resulting in a variety of negative consequences, such as software being underutilized, obsolete software that creates risk, duplicate or redundant applications being purchased, and — perhaps most importantly — no way to identify or remediate vulnerabilities or accurately assess security posture.

One example of the importance of effective IT asset management is the Wannacry ransomware attack in May 2017. Microsoft issued a critical patch in March 2017 that would have prevented systems from being compromised, yet nearly a quarter-million systems across 150 countries were paralyzed when the attack hit. In many cases, the reason organizations were caught off-guard is that the ransomware compromised vulnerable systems — primarily end-of-life systems and unauthorized software — on their networks that they were not even aware of.

You most likely have all of the data you need — you just need an efficient method of pulling in data from all facets of the company to harness it effectively. You need to be able to monitor and update asset inventory in real time, and normalize, categorize, and enrich it with context to ensure its relevance and accuracy. It's also important to have seamless integration with your CMDB (configuration management database) and service ticketing system to facilitate remediation and resolution of any issues.

Achieve Your First Compliance Milestone
Accurate IT asset management is also essential for compliance. You can't claim that you are taking reasonable steps to secure and protect assets or data that you aren't even aware of.

There's a reason why the Center for Internet Security (CIS) starts its list of 20 Critical Security Controls with these two:

  • Inventory of Authorized and Unauthorized Devices
  • Inventory of Authorized and Unauthorized Software

CIS estimates that organizations can slash their risk of cyberattack by a whopping 85% if they apply these two controls, along with the next three (Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers; Continuous Vulnerability Assessment and Remediation; and Controlled Use of Administrative Privileges).

First Steps
Effective cybersecurity and compliance are essential for organizations around the world, across every industry, and regardless of size. Businesses must look at assets in a different way than they have traditionally to address the shifting threat landscape and encourage cooperation and collaboration between DevOps and cybersecurity teams. Visibility is becoming increasingly important, and a single source of truth for IT asset management is crucial to simplify and streamline security and compliance.

Related Content:


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.


Pablo Quiroga is a Director of Product Management at Qualys. He has 12 years of experience in enterprise IT and security. At Qualys, he leads product definition, road map and strategy for IT asset management solutions. Pablo has helped numerous customers gain significantly ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/10/2019 | 3:56:41 PM
Great commentary, this was good.
I wish NASA would have taken this into consideration because the data they lost in the Raspberry PI (the PI was not discovered only after 10 months passed with no detection) is beyond me.

This is something they need to practice and put in place, inventorying their environment (consistently).

I think this article is definitely meant for them, very good.

I have not heard any firings of anyone, it is interesting what we hear from this incident.

COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Up Close with Evilnum, the APT Group Behind the Malware
Kelly Sheridan, Staff Editor, Dark Reading,  7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Open redirect vulnerability in SHIRASAGI v1.13.1 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
PUBLISHED: 2020-07-09
A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...