Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/12/2020
02:00 PM
Kevin Kurzawa
Kevin Kurzawa
Commentary
50%
50%

Stop Defending Everything

Instead, try prioritizing with the aid of a thorough asset inventory.

What is your information security program defending?

This is a deceivingly difficult question for most. When I ask this at typical organizations, the answer is often disheartening. The standard response is "everything." The word everything causes my skepticism radar to start chirping like a Chernobyl Geiger counter.

The claim being made here is that all of the systems and all of the data created and stored by the organization are defended. These companies, and the "everything" claim, do not make distinctions between high and low levels of protection. To lump all systems and data into one category causes equality across the board, which is a recipe for inefficiency at best and disaster at worst.

Fredrick the Great said, "He who attempts to defend everything, defends nothing." If we attempt to defend everything, this means that we are not prioritizing. In this scenario, the same security controls and effort to defend a critical system storing the organization's crown jewels are going to also apply on a noncritical system. This would lead to either underprotecting a critical system, overprotecting a noncritical system, or potentially both.

The concept of opportunity costs is important here since we all have limited resources. No department is given a blank check for all the tools, training, and expert staff that one could desire. The opposite is more likely to be the case, where departments are being asked to do more with less.

In a reality with limited resources, every dollar spent on a tool also represents a dollar that could have been spent on a different one. Every staff member hired with a particular skill represents a candidate that got passed on who had a different expertise. Every hour spent researching a solution is an hour that could have been dedicated to various other projects.

Opportunity costs are why prioritization needs to occur. Without it, an organization is guessing as to what to protect and how best to defend assets. This prioritization begins with an asset inventory.

Collect Everything
What constitutes an effective asset inventory from which to prioritize information security? In a word, details. "No details" means no value. An inventory is a listing of detailed attributes that can serve as an authoritative and consolidated resource. It is the one-stop shop for everything that is relevant to information security regarding an asset.

It must also be detailed in the sense that it must be all-inclusive. It's every system that touches your network or handles sensitive information. It's everything that's wired, wireless, or even capable of either of those. It's printers, IP phones, kiosks, marquees, and Internet of Things devices. It's bare-metal hypervisors like ESXi. It's firewalls, routers, wireless access points, and switches. It's everything.

Understand Everything
Once all the assets are inventoried and information about them is collected, we begin to understand the big picture. Most of the asset details in an inventory play a supporting role to the system's criticality ranking. This ranking is derived from attributes, such as the purpose of the system, type of data it generates and stores, user community, and business function it supports. From this criticality attribute, the security controls to protect it can be determined in order to bring the risks in line with the business's risk tolerance.

Integration
Now we return to the asset inventory to reconcile those determined controls and provide assurances that they are in place and working as expected. Confidence in the functioning of a security program cannot exist without a complete asset inventory.

The various tools in the environment are typically tuned to determine what is working. Asset management, on the other hand, is used to determine what is not working. Assurance is a significant function of information security. Move past the assumptions that something should be working as advertised to a place of objective confidence that it is working.

A quality asset inventory allows a reconciliation process to occur. Comparing each tool's list of registered systems with an authoritative and all-inclusive inventory provides a clear and objective list of discrepancies. One can, at that point, put aside assumptions and actually know which systems are being protected or monitored by a tool — also, more importantly, which systems are missing and thus unprotected.

A Neglected Control
It is very rare that I see an organization with an accurate inventory. Why is this foundational control so often ignored?

For one, there isn't a tool to automate the process. We're conditioned to searching for a tool to solve our problems. A nail needs a hammer and a squeaky wheel needs oil. Asset inventory tools are basically repackaged spreadsheets. None readily automates a method to collect the type of information needed to understand the security posture of an asset and to ensure that each one has the controls that it should have.

It's also an indirect control. While firewalls and anti-malware tools can directly show the bad that they protect you from, asset management is a control that provides the assurances that your other controls are actually functioning as expected. It's not just a "helper" control, though, but more of a foundational control on which to build the entire program.

Asset management isn't sexy. It doesn't result in pretty graphs or quality filler for PowerPoint slides. Quite the opposite — it highlights the gaps in a security program. Asset management presents information that can be difficult to swallow. However, it will also help you achieve the next maturity level in your security program.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "From 1s & 0s to Wobbly Lines: The Radio Frequency (RF) Security Starter Guide"

Kevin Kurzawa has a background in a variety of environments, with each having its own unique business drivers. His experiences in IT and information security have ranged from Department of Defense contractors large and small (including Lockheed and Harris) to traditional ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15270
PUBLISHED: 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not pa...
CVE-2018-21266
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2018-21267
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-27673
PUBLISHED: 2020-10-22
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
CVE-2020-27674
PUBLISHED: 2020-10-22
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.