September 23, 2014 By Peter Allor 2 min read

Shared Responsibility of Asset Management Reflects Patching Perspective

Asset management is a topic of conversation for many industry professionals due to several factors, including continuous diagnostics and mitigation, the National Institute of Standards and Technology (NIST) Cybersecurity Framework and other conversations around breaches and vulnerability threats.

Most organizations focus on one of two areas: hardware or software. Most people have participated in a hardware asset inventory by reporting which desktop or laptop they have, its serial number and where it is physically located. That is only the surface of that inventory process, however, and most times, it is not done very well or thoroughly. Software asset inventories are usually only done to true up license management practices.

Improving Asset Management

For security and data breach protection, you need a much more in-depth set of inventories, as illustrated by the IBM X-Force Threat Intelligence Quarterly. While conducting both the hardware and software asset inventories, both from an active, on-the-network aspect and the passive, what-is-installed-on-the-asset-itself aspect, we need to know the OS, the application and patch levels, the configurations and what the state of known vulnerabilities are to develop a truer picture of the threat and the risk picture we are willing to take on.

Here is where the X-Force discussion on Heartbleed has more meaning. Although patch rates for OpenSSL have increased, do you know every place in your network that uses OpenSSL? Do you have a risk assessment of the danger? Do you have compensating controls, either technical or operational, to limit or mitigate the dangers?

Asset management is all about providing the baseline for risk assessment and control. Management (not security management or information technology management) should be given the ability to know and assess risk and to assign means (resources and priorities) to mitigate that risk for the business and operations.

Setting a Security Risk Management Framework

The challenge in the Heartbleed example is in the number of vendors and internal, home-built systems that are incorporating third-party software. This is where the combination of asset inventories (hardware, software, configuration management and vulnerability management) set the baseline in any security risk management framework. The key is an established, frequently updated inventory that is pre-existent and quickly actionable for verification within several hours. It should be pre-existent so you know your assets and quickly actionable so you can verify certain parameters and risk strategies are in place.

A good asset management strategy has the following elements:

  • Endpoint reporting (servers, desktops, laptops and mobile)
    • Hardware is inventoried upon attaching to the network.
    • Software is inventoried for all logical and virtual installs.
    • Configurations are logged and enforced to organizational standard(s).
  • Network reporting
    • Records and logs from all traffic
    • Notification records of new equipment being attached to the network, correlated to endpoint reporting
    • Baseline activity
    • Scan of all systems for known vulnerabilities
    • Assignment of risk and remediation priorities

While we will never have the luxury of a completely secure environment from all manners of attack methodologies, we can gain a measure of success in dealing with the ever-changing flow of vulnerabilities and attacks we face. The assurance is in having the means and tools to do so quickly, have sure answers to the state of our domain and to flex for the changing risks we will face in the future.

Download the latest research from IBM X-Force

More from Risk Management

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today