Last Updated on September 8, 2023
Cyber asset inventory and management top the list of most critical information security controls. But if cyber asset management is so important, why is it so rarely done well? And why do so many organizations expose themselves to inordinate cyber risk by failing to give security teams the asset data they need?
Huxley Barbee, Security Evangelist at runZero and lead organizer for the BSides NYC security conference, offers technical and business leaders the latest guidance on why many cyber asset management programs fall short and how the latest solution approaches can deliver improved results.
Join us as we discuss:
- What is and what is not a cyber asset (the answer is surprising)
- Top reasons so many orgs falter on cyber asset management
- How cyber asset management failures systematically led to the Equifax breach
What is a cyber asset?
To get cyber asset management right, a good first question is, what should we try to discover and manage?
Huxley defines cyber asset management this way: “A cyber asset as opposed to an IT asset is any sort of compute device on the network along with the related information that security teams care about.”
That’s not just the device hardware and/or software, but also associated settings (especially known “risky settings”), any security controls on the device, plus anything else that is listing on the network as being on that device as well. These are the key details that a security team cares about when they’re looking at assets.
Interestingly, applications and data are not cyber assets from this perspective, but are “characteristics” or elements of the systems they reside on.
“A cyber asset as opposed to an IT asset is any sort of compute device on the network along with the related information that security teams care about.”—Huxley Barbee
Top 2 cyber asset management challenges
The two areas where most cyber asset management programs fall short are completeness and accuracy of asset inventories.
Huxley explains: “Oftentimes we are using legacy asset discovery tools that only cover managed IT—the laptops and maybe the IP phones. But it does not cover all these other environments where our devices have proliferated out to. That whole completeness of the asset inventory is the number one challenge.”
The second challenge is the accuracy of the inventory. Many older tools provide very little data on what resides on devices, which often leaves security teams in the dark about what assets to focus on with an incident or alert.
“Oftentimes we are using legacy asset discovery tools that only cover managed IT—the laptops and maybe the IP phones. But it does not cover all these other environments where our devices have proliferated out to.”—Huxley Barbee
Why vulnerability management tools fall short on cyber asset discovery
Many orgs rely on legacy vulnerability management solutions for the asset discovery piece of their cyber asset management program. But these tools don’t work well on today’s highly diverse and dispersed networks.
Vulnerability management tools most frequently rely on an authenticated active scanning approach, where a network-based scanner attempts to login to as many devices as possible as fast as possible. But how can you know the credentials for a device unless you are already managing it? What about everything that’s being spun up in the public cloud, in the IoT realm, on remote workers’ home networks, and other elsewhere outside of corporate IT?
“When you have this solution approach that is optimized for managed IT devices against the backdrop of this proliferation of unknown things on the network, that authenticated active scan approach is falling short,” notes Huxley. “Vulnerability scanners are not going out there and finding the unknowns on your network.”
“When you have this solution approach that is optimized for managed IT devices against the backdrop of this proliferation of unknown things on the network, that authenticated active scan approach is falling short.”—Huxley Barbee
Active asset scanning in operational environments
Active scanning technology common in traditional vulnerability management solutions has a deservedly bad reputation for crashing operational technology (OT)—potentially leading to high downtime costs, long repair lead times, and even threats to health, safety, and the environment. Many orgs don’t even attempt asset discovery in their OT environments.
But with OT networks increasingly linked to IT networks, countless potentially vulnerable OT devices are now remotely accessible to hackers, who relentlessly probe for them. This puts growing pressure on companies to update their OT vulnerability management programs.
According to Huxley, runZero has developed a workable approach to safely ID OT devices using a security research based approach that leverages “incremental fingerprinting” to carefully analyze successive packets within an ongoing scan. runZero’s tools “learn” and adjust next actions, while avoiding probes that could destabilize devices. The result is “a full and final scan with accurate fingerprinting” that gives security teams better information on OT devices.
Can cyber asset management protect against ransomware?
As a cornerstone of any viable information security program, cyber asset management can help thwart ransomware threats in several ways:
- If ransomware strikes at least your security team has basic information about the device(s) involved.
- Knowing about misconfigurations and “risky settings” on devices can directly reduce vulnerabilities that ransomware and other malware is looking to exploit.
- Asset management integration with endpoint management can reduce the number of unmanaged or misconfigured endpoints that are vulnerable to ransomware.
- A complete and accurate asset inventory is 100% required as a starting point for any security program to even attempt to function proactively to reduce ransomware threats.
How cyber asset management shortfalls enabled the Equifax breach
Huxley shares how multiple shortcomings in Equifax’ cyber asset management enabled the colossal data breach that exposed personal data of 147 million US citizens.
Among the asset-related “underlying conditions” that prevented Equifax’ security controls from averting the breach:
- Their asset inventory didn’t include an accurate, up-to-date list of public-facing assets that ran Apache Struts.
- Their vulnerability scanning didn’t look for, or find, “unknown” or “unmanaged” assets—only things it already knew about.
- Their asset ownership data was incomplete, so whoever was responsible for patching the uncataloged breached device “never got the memo.”
- Incomplete asset fingerprinting meant they weren’t able to identify or track “risky settings” within assets. The packet inspection solution that should have flagged the attackers exfiltrating data was incorrectly configured to not scan data with expired encryption certificates. Months later when the problematic certificate was finally updated, the packet inspection control kicked on and the breach was revealed.
“Equifax to my mind is the prime example of what happens when you don’t have good asset inventory or asset management,” offers Huxley. “I feel like this happens all the time, but we just typically don’t hear about it.”
“Equifax to my mind is the prime example of what happens when you don’t have good asset inventory or asset management.”—Huxley Barbee