September 23, 2014 By Peter Allor 2 min read

Shared Responsibility of Asset Management Reflects Patching Perspective

Asset management is a topic of conversation for many industry professionals due to several factors, including continuous diagnostics and mitigation, the National Institute of Standards and Technology (NIST) Cybersecurity Framework and other conversations around breaches and vulnerability threats.

Most organizations focus on one of two areas: hardware or software. Most people have participated in a hardware asset inventory by reporting which desktop or laptop they have, its serial number and where it is physically located. That is only the surface of that inventory process, however, and most times, it is not done very well or thoroughly. Software asset inventories are usually only done to true up license management practices.

Improving Asset Management

For security and data breach protection, you need a much more in-depth set of inventories, as illustrated by the IBM X-Force Threat Intelligence Quarterly. While conducting both the hardware and software asset inventories, both from an active, on-the-network aspect and the passive, what-is-installed-on-the-asset-itself aspect, we need to know the OS, the application and patch levels, the configurations and what the state of known vulnerabilities are to develop a truer picture of the threat and the risk picture we are willing to take on.

Here is where the X-Force discussion on Heartbleed has more meaning. Although patch rates for OpenSSL have increased, do you know every place in your network that uses OpenSSL? Do you have a risk assessment of the danger? Do you have compensating controls, either technical or operational, to limit or mitigate the dangers?

Asset management is all about providing the baseline for risk assessment and control. Management (not security management or information technology management) should be given the ability to know and assess risk and to assign means (resources and priorities) to mitigate that risk for the business and operations.

Setting a Security Risk Management Framework

The challenge in the Heartbleed example is in the number of vendors and internal, home-built systems that are incorporating third-party software. This is where the combination of asset inventories (hardware, software, configuration management and vulnerability management) set the baseline in any security risk management framework. The key is an established, frequently updated inventory that is pre-existent and quickly actionable for verification within several hours. It should be pre-existent so you know your assets and quickly actionable so you can verify certain parameters and risk strategies are in place.

A good asset management strategy has the following elements:

  • Endpoint reporting (servers, desktops, laptops and mobile)
    • Hardware is inventoried upon attaching to the network.
    • Software is inventoried for all logical and virtual installs.
    • Configurations are logged and enforced to organizational standard(s).
  • Network reporting
    • Records and logs from all traffic
    • Notification records of new equipment being attached to the network, correlated to endpoint reporting
    • Baseline activity
    • Scan of all systems for known vulnerabilities
    • Assignment of risk and remediation priorities

While we will never have the luxury of a completely secure environment from all manners of attack methodologies, we can gain a measure of success in dealing with the ever-changing flow of vulnerabilities and attacks we face. The assurance is in having the means and tools to do so quickly, have sure answers to the state of our domain and to flex for the changing risks we will face in the future.

Download the latest research from IBM X-Force

More from Risk Management

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

Digital solidarity vs. digital sovereignty: Which side are you on?

4 min read - The landscape of international cyber policy continues to evolve rapidly, reflecting the dynamic nature of technology and global geopolitics. Central to this evolution are two competing concepts: digital solidarity and digital sovereignty.The U.S. Department of State, through its newly released International Cyberspace and Digital Policy Strategy, has articulated a clear preference for digital solidarity, positioning it as a counterpoint to the protectionist approach of digital sovereignty.What are the main differences between these two concepts, and why does it matter? Let’s…

A decade of global cyberattacks, and where they left us

5 min read - The cyberattack landscape has seen monumental shifts and enormous growth in the past decade or so.I spoke to Michelle Alvarez, X-Force Strategic Threat Analysis Manager at IBM, who told me that the most visible change in cybersecurity can be summed up in one word: scale. A decade ago, “'mega-breaches' were relatively rare, but now feel like an everyday occurrence.”A summary of the past decade in global cyberattacksThe cybersecurity landscape has been impacted by major world events, especially in recent years.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today