Last Updated on September 8, 2023
It’s hard to protect what you don’t know exists. That’s why “inventory and control of assets” tops the Center for Internet Security’s Critical Security Controls (CIS CSC) list. But as vital as it is to know your attack surface, many orgs fall short.
To get asset management right, a good first question is, what specifically are we trying to discover and track?
What security teams need to know about an asset
Huxley Barbee, Security Evangelist at runZero, has a surprising answer: “I’ll define a cyber asset as opposed to an IT asset. A cyber asset is any sort of compute device along with the related information that security teams care about. It’s not just the device itself, like the hardware, the software, but also the vulnerabilities, the, the risky settings that are associated with it. Also, the running software on there, the services, things that are listing on the network on that device as well. And to round it out, I would also include in there what are the security controls on that device? And who is the owner of that device? I think these are all the details that a security team would care about when they’re looking at assets.”
Are applications cyber assets?
What about applications—where do they fit? In Huxley’s view they’re not cyber assets. The server the application is running on is the cyber asset. Application software is a characteristic of the system it runs on. Same with data, from the standpoint of cyber asset inventory.
What about mobile devices? Yes, these are cyber assets because they’re computing devices that security teams definitely care about. Even BYOD devices are still cyber assets if they’re on your network.
Then there’s all the IoT devices from smart cameras to Amazon Alexa to robotic arms, which are also cyber assets. All your cloud resources are cyber assets, too.
The benefit of Huxley’s “cyber asset” definition
Many industry definitions of “asset” (like this one from NIST) are significantly broader than what Huxley proposes. What’s the benefit of focusing on “what security teams care about?”
Simple: this increases the likelihood that teams will have the asset details they really need in the event of a potential incident.
For more guidance on this topic, listen to Episode 115 of The Virtual CISO Podcast with guest Huxley Barbee from runZero.