September 23, 2014 By Peter Allor 2 min read

Shared Responsibility of Asset Management Reflects Patching Perspective

Asset management is a topic of conversation for many industry professionals due to several factors, including continuous diagnostics and mitigation, the National Institute of Standards and Technology (NIST) Cybersecurity Framework and other conversations around breaches and vulnerability threats.

Most organizations focus on one of two areas: hardware or software. Most people have participated in a hardware asset inventory by reporting which desktop or laptop they have, its serial number and where it is physically located. That is only the surface of that inventory process, however, and most times, it is not done very well or thoroughly. Software asset inventories are usually only done to true up license management practices.

Improving Asset Management

For security and data breach protection, you need a much more in-depth set of inventories, as illustrated by the IBM X-Force Threat Intelligence Quarterly. While conducting both the hardware and software asset inventories, both from an active, on-the-network aspect and the passive, what-is-installed-on-the-asset-itself aspect, we need to know the OS, the application and patch levels, the configurations and what the state of known vulnerabilities are to develop a truer picture of the threat and the risk picture we are willing to take on.

Here is where the X-Force discussion on Heartbleed has more meaning. Although patch rates for OpenSSL have increased, do you know every place in your network that uses OpenSSL? Do you have a risk assessment of the danger? Do you have compensating controls, either technical or operational, to limit or mitigate the dangers?

Asset management is all about providing the baseline for risk assessment and control. Management (not security management or information technology management) should be given the ability to know and assess risk and to assign means (resources and priorities) to mitigate that risk for the business and operations.

Setting a Security Risk Management Framework

The challenge in the Heartbleed example is in the number of vendors and internal, home-built systems that are incorporating third-party software. This is where the combination of asset inventories (hardware, software, configuration management and vulnerability management) set the baseline in any security risk management framework. The key is an established, frequently updated inventory that is pre-existent and quickly actionable for verification within several hours. It should be pre-existent so you know your assets and quickly actionable so you can verify certain parameters and risk strategies are in place.

A good asset management strategy has the following elements:

  • Endpoint reporting (servers, desktops, laptops and mobile)
    • Hardware is inventoried upon attaching to the network.
    • Software is inventoried for all logical and virtual installs.
    • Configurations are logged and enforced to organizational standard(s).
  • Network reporting
    • Records and logs from all traffic
    • Notification records of new equipment being attached to the network, correlated to endpoint reporting
    • Baseline activity
    • Scan of all systems for known vulnerabilities
    • Assignment of risk and remediation priorities

While we will never have the luxury of a completely secure environment from all manners of attack methodologies, we can gain a measure of success in dealing with the ever-changing flow of vulnerabilities and attacks we face. The assurance is in having the means and tools to do so quickly, have sure answers to the state of our domain and to flex for the changing risks we will face in the future.

Download the latest research from IBM X-Force

More from Risk Management

Back to basics: Better security in the AI era

4 min read - The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs…

Mapping attacks on generative AI to business impact

5 min read - In recent months, we’ve seen government and business leaders put an increased focus on securing AI models. If generative AI is the next big platform to transform the services and functions on which society as a whole depends, ensuring that technology is trusted and secure must be businesses’ top priority. While generative AI adoption is in its nascent stages, we must establish effective strategies to secure it from the onset. The IBM Institute for Business Value found that despite 64%…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today