Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

7/10/2019
02:00 PM
Pablo Quiroga
Pablo Quiroga
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Why You Need a Global View of IT Assets

It may seem obvious, but many companies lose sight of the fact that they can't protect what they don't know they even have.

There is one simple truth of effective cybersecurity: You can't protect what you don't see. Comprehensive visibility is the foundation of good security — and it is becoming increasingly difficult to achieve. The ultimate goal is to have a platform designed to simplify security by providing a single source of truth for IT, security, and compliance.

Seismic Shifts in the IT Landscape
The modern IT environment presents many challenges. As companies transition to the cloud, the result in most cases is a hybrid environment that includes both on-premises and cloud resources — sometimes scattered across a multicloud environment. At the same time, the network perimeter has become irrelevant and the lines of "inside" and "outside" the network have blurred. The explosion of Internet of Things devices, the use of mobile devices, and the rise of DevOps and containers mean an exponential increase in the number of resources connected to your network. A consequence of this expanding and shifting IT landscape is a lack of cohesive visibility.

The hodgepodge of tools yields a segmented, partial view of crucial information. For many organizations, the only way to achieve some semblance of "complete" visibility is an ineffective manual effort to combine and correlate data from the various tools. Ultimately, the manual effort is time-consuming and inaccurate, and it quickly becomes obsolete as the environment changes rapidly. The manual effort is also inefficient because it utilizes highly trained IT and security engineering personnel for menial tasks rather than allowing them to focus their skills on executing projects and making better business decisions.

The Inherent Challenges with IT Asset Data
To begin to solve this problem, you have to first understand the three challenges of IT asset data: volume, velocity, and variance.

Hybrid IT environments are volatile and dynamic. The number of managed and unmanaged devices connected to your network at any time can be massive. These environments are continuously changing at an unprecedented speed — software upgrades and configuration changes, containers and virtual machines being spun up and down. 

Perhaps the biggest challenge is variance. The same data point may be referenced in different ways or under different names across various products and services. As technology providers go through mergers and acquisitions, new tools and platforms are integrated into the mix, and correlating all of the IT asset data together can be complex.

Dealing with the volume, velocity, and variance in IT data could become quickly overwhelming. Legacy tools that attempt to collect partial data at infrequent times fail to deliver the foundation required for an effective security architecture framework.

Foundation of Your Security Architecture
A report from the U.S. Department of Defense Inspector General released in July 2018 found that none of the commands or divisions of the three military branches maintains an accurate inventory of their software. They all have gaps in visibility of what is on their own internal networks — resulting in a variety of negative consequences, such as software being underutilized, obsolete software that creates risk, duplicate or redundant applications being purchased, and — perhaps most importantly — no way to identify or remediate vulnerabilities or accurately assess security posture.

One example of the importance of effective IT asset management is the Wannacry ransomware attack in May 2017. Microsoft issued a critical patch in March 2017 that would have prevented systems from being compromised, yet nearly a quarter-million systems across 150 countries were paralyzed when the attack hit. In many cases, the reason organizations were caught off-guard is that the ransomware compromised vulnerable systems — primarily end-of-life systems and unauthorized software — on their networks that they were not even aware of.

You most likely have all of the data you need — you just need an efficient method of pulling in data from all facets of the company to harness it effectively. You need to be able to monitor and update asset inventory in real time, and normalize, categorize, and enrich it with context to ensure its relevance and accuracy. It's also important to have seamless integration with your CMDB (configuration management database) and service ticketing system to facilitate remediation and resolution of any issues.

Achieve Your First Compliance Milestone
Accurate IT asset management is also essential for compliance. You can't claim that you are taking reasonable steps to secure and protect assets or data that you aren't even aware of.

There's a reason why the Center for Internet Security (CIS) starts its list of 20 Critical Security Controls with these two:

  • Inventory of Authorized and Unauthorized Devices
  • Inventory of Authorized and Unauthorized Software

CIS estimates that organizations can slash their risk of cyberattack by a whopping 85% if they apply these two controls, along with the next three (Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers; Continuous Vulnerability Assessment and Remediation; and Controlled Use of Administrative Privileges).

First Steps
Effective cybersecurity and compliance are essential for organizations around the world, across every industry, and regardless of size. Businesses must look at assets in a different way than they have traditionally to address the shifting threat landscape and encourage cooperation and collaboration between DevOps and cybersecurity teams. Visibility is becoming increasingly important, and a single source of truth for IT asset management is crucial to simplify and streamline security and compliance.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

 

Pablo Quiroga is a Director of Product Management at Qualys. He has 12 years of experience in enterprise IT and security. At Qualys, he leads product definition, road map and strategy for IT asset management solutions. Pablo has helped numerous customers gain significantly ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/10/2019 | 3:56:41 PM
Great commentary, this was good.
I wish NASA would have taken this into consideration because the data they lost in the Raspberry PI (the PI was not discovered only after 10 months passed with no detection) is beyond me.

This is something they need to practice and put in place, inventorying their environment (consistently).

I think this article is definitely meant for them, very good.



I have not heard any firings of anyone, it is interesting what we hear from this incident.

T
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19729
PUBLISHED: 2019-12-11
An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-inpu...
CVE-2019-19373
PUBLISHED: 2019-12-11
An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parame...
CVE-2019-19374
PUBLISHED: 2019-12-11
An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can delete arbitrary files from the se...
CVE-2014-7257
PUBLISHED: 2019-12-11
SQL injection vulnerability in DBD::PgPP 0.05 and earlier
CVE-2013-4303
PUBLISHED: 2019-12-11
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-s...