What is your information security program defending?
This is a deceivingly difficult question for most. When I ask this at typical organizations, the answer is often disheartening. The standard response is "everything." The word everything causes my skepticism radar to start chirping like a Chernobyl Geiger counter.
The claim being made here is that all of the systems and all of the data created and stored by the organization are defended. These companies, and the "everything" claim, do not make distinctions between high and low levels of protection. To lump all systems and data into one category causes equality across the board, which is a recipe for inefficiency at best and disaster at worst.
Fredrick the Great said, "He who attempts to defend everything, defends nothing." If we attempt to defend everything, this means that we are not prioritizing. In this scenario, the same security controls and effort to defend a critical system storing the organization's crown jewels are going to also apply on a noncritical system. This would lead to either underprotecting a critical system, overprotecting a noncritical system, or potentially both.
The concept of opportunity costs is important here since we all have limited resources. No department is given a blank check for all the tools, training, and expert staff that one could desire. The opposite is more likely to be the case, where departments are being asked to do more with less.
In a reality with limited resources, every dollar spent on a tool also represents a dollar that could have been spent on a different one. Every staff member hired with a particular skill represents a candidate that got passed on who had a different expertise. Every hour spent researching a solution is an hour that could have been dedicated to various other projects.
Opportunity costs are why prioritization needs to occur. Without it, an organization is guessing as to what to protect and how best to defend assets. This prioritization begins with an asset inventory.
What constitutes an effective asset inventory from which to prioritize information security? In a word, details. "No details" means no value. An inventory is a listing of detailed attributes that can serve as an authoritative and consolidated resource. It is the one-stop shop for everything that is relevant to information security regarding an asset.
It must also be detailed in the sense that it must be all-inclusive. It's every system that touches your network or handles sensitive information. It's everything that's wired, wireless, or even capable of either of those. It's printers, IP phones, kiosks, marquees, and Internet of Things devices. It's bare-metal hypervisors like ESXi. It's firewalls, routers, wireless access points, and switches. It's everything.
Once all the assets are inventoried and information about them is collected, we begin to understand the big picture. Most of the asset details in an inventory play a supporting role to the system's criticality ranking. This ranking is derived from attributes, such as the purpose of the system, type of data it generates and stores, user community, and business function it supports. From this criticality attribute, the security controls to protect it can be determined in order to bring the risks in line with the business's risk tolerance.
Now we return to the asset inventory to reconcile those determined controls and provide assurances that they are in place and working as expected. Confidence in the functioning of a security program cannot exist without a complete asset inventory.
The various tools in the environment are typically tuned to determine what is working. Asset management, on the other hand, is used to determine what is not working. Assurance is a significant function of information security. Move past the assumptions that something should be working as advertised to a place of objective confidence that it is working.
A quality asset inventory allows a reconciliation process to occur. Comparing each tool's list of registered systems with an authoritative and all-inclusive inventory provides a clear and objective list of discrepancies. One can, at that point, put aside assumptions and actually know which systems are being protected or monitored by a tool — also, more importantly, which systems are missing and thus unprotected.
A Neglected Control
It is very rare that I see an organization with an accurate inventory. Why is this foundational control so often ignored?
For one, there isn't a tool to automate the process. We're conditioned to searching for a tool to solve our problems. A nail needs a hammer and a squeaky wheel needs oil. Asset inventory tools are basically repackaged spreadsheets. None readily automates a method to collect the type of information needed to understand the security posture of an asset and to ensure that each one has the controls that it should have.
It's also an indirect control. While firewalls and anti-malware tools can directly show the bad that they protect you from, asset management is a control that provides the assurances that your other controls are actually functioning as expected. It's not just a "helper" control, though, but more of a foundational control on which to build the entire program.
Asset management isn't sexy. It doesn't result in pretty graphs or quality filler for PowerPoint slides. Quite the opposite — it highlights the gaps in a security program. Asset management presents information that can be difficult to swallow. However, it will also help you achieve the next maturity level in your security program.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "From 1s & 0s to Wobbly Lines: The Radio Frequency (RF) Security Starter Guide"