Last Updated on January 8, 2024
“Cyber asset management” includes or relates to multiple connected disciplines, like asset discovery, asset inventory, asset classification/”fingerprinting,” unauthorized asset detection, and so on. What core capabilities do you need to manage your cyber assets, and why is fitting them together often difficult?
Completeness and accuracy
Huxley Barbee, Security Evangelist at runZero, pinpoints the two biggest challenges most companies have with cyber asset management: completeness and accuracy of the cyber asset inventory.
“Oftentimes we are using legacy asset discovery tools that only cover managed IT—the laptops and maybe the IP phones,” explains Huxley. “But it does not cover all these other environments where our devices have proliferated out to. That whole completeness of the asset inventory is the number one challenge.”
“And the second challenge is the accuracy,” Huxley continues. “Many of the folks that we work with, they are using older tools that basically just discover the operating system on a device and little beyond that. Frankly, that does the security team a disservice because oftentimes knowing other types of details like the software or the services running on there, or knowing the type of hardware it is, makes a material difference in how a security teams reacts to a particular incident.”
What about configuration management and vulnerability management?
But if you’re looking to discover the software or settings on assets, isn’t that part of configuration management? And/or vulnerability management, when it comes to patching and so on? How do these capabilities relate to cyber asset management?
“What you’ll find is folks are using vulnerability management tools to double as their asset discovery/asset inventory tool,” says Huxley. “Or they’re using a discovery tool for a configuration management database (CMDB) as their asset inventory/asset discovery tool. We’re using a lot of older tools that maybe were good back in the day when all of our devices were in the corporate office, and were just laptops and desktops issued by IT.”
But as corporate networks have diverged beyond the office and device types have proliferated, these legacy tools come up short in terms of completeness and accuracy of asset data.
For more guidance on this topic, listen to Episode 115 of The Virtual CISO Podcast with guest Huxley Barbee from runZero.
It's a little more complicated than just checking off a few boxes.
To learn more, download our ISO 27001 Un-Checklist now!