The Dept. of Know Live!: Daniel Miessler on what to consider when building an asset management program
You can’t secure something that you don’t know exists. That’s a fundamental truth behind security, but far too many organizations still don’t have a robust strategy or system in place for maintaining a comprehensive, real-time inventory of their assets.
Last week, I joined the final installment of The Dept. of Know Live! to chat with Kelly Shortridge and Bea Hughes about why we can’t ignore asset management’s role in security and how organizations can begin to improve their approach to it. Watch the conversation here, and catch up on a few of my top takeaways below.
1. There’s no point in pursuing perfection
As essential as asset management is, it’s important to remember that pursuing perfection is futile. Assets — and the information surrounding them — are constantly evolving, so having an accurate inventory 100% of the time is unrealistic. Rather, I think of security programs as a series of questions that can help you arrive at an acceptable place. For example:
What are the scenarios that could close our doors tomorrow?
What do I have that’s exposed to the internet? What do I have that’s exposed to the internet and that has vulnerabilities?
What do I have that’s outdated? What do I have that’s at the end of its life?
If you don’t know the answers to those questions, it’s really hard to respond to incidents, and everything becomes a catastrophe. For example, an incident occurs, and you suddenly need to find every instance of a web app that uses Python — an operation that leaves everyone scrambling. However, if you have an asset management program in place, all you have to do is run a query because you’ve already asked and answered questions like those above.
2. Consider your audience when surfacing issues
Like Ellen Körbes discussed previously on The Dept. of Know Live!, you’ll get nowhere without thinking about your audience’s priorities and expectations. Consider what your messaging will be, as well as how you will control the flow and volume of information. If you know that you can only hold your development or engineering team’s attention for a short period of time, only communicate the issues that are most critical to the business. If you dump every single issue on the team’s plate, they’ll feel helpless and overwhelmed and will ultimately stop interacting with security.
Another way to do this is to create a dashboard that shows an employee the vulnerability context of their particular role. If you run the engineering team, you’ll log in and see all the vulnerabilities from your role down, while an individual developer sees only the vulnerabilities they have authority over.
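To make the “just run a query” idea from section 1 and the role-scoped dashboard from section 2 concrete, here is an added example (not code from the talk or from any product): a minimal asset inventory in which each of the questions above is a function, plus a hypothetical org tree so a team lead sees findings from their team down. The asset records, the org tree and the finding ids are all constructed.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Asset:
    name: str
    runtime: str              # platform the asset runs on, e.g. "python"
    internet_facing: bool
    owner: str                # team responsible for patching it
    eol: date                 # vendor end-of-life date for that platform
    vulns: list = field(default_factory=list)  # open finding ids

# Constructed org tree (hypothetical): team -> sub-teams
ORG = {"engineering": ["platform", "web"], "platform": [], "web": []}

# Constructed sample inventory; finding ids are placeholders, not real CVEs
INVENTORY = [
    Asset("billing-api", "python", True, "web", date(2031, 10, 1), ["FINDING-1"]),
    Asset("ci-runner", "python", False, "platform", date(2024, 6, 30), []),
    Asset("marketing-site", "php", True, "web", date(2032, 11, 1), []),
    Asset("ldap-bridge", "java", False, "platform", date(2033, 1, 1), ["FINDING-2"]),
]

def internet_facing(inv):
    """What do I have that's exposed to the internet?"""
    return sorted(a.name for a in inv if a.internet_facing)

def exposed_and_vulnerable(inv):
    """...and that has open findings?"""
    return sorted(a.name for a in inv if a.internet_facing and a.vulns)

def past_end_of_life(inv, today=None):
    """What do I have that's at the end of its life?"""
    today = today or date.today()
    return sorted(a.name for a in inv if a.eol <= today)

def using_runtime(inv, runtime):
    """The incident question: every asset running a given platform."""
    return sorted(a.name for a in inv if a.runtime == runtime)

def teams_under(team, org=ORG):
    """A team plus every team below it in the org tree."""
    seen, stack = set(), [team]
    while stack:
        t = stack.pop()
        if t not in seen:
            seen.add(t)
            stack.extend(org.get(t, []))
    return seen

def findings_for_role(inv, team, org=ORG):
    """Dashboard view: findings on assets owned from this team down."""
    scope = teams_under(team, org)
    return sorted((a.name, v) for a in inv if a.owner in scope for v in a.vulns)
```

The same shape scales to a real inventory by swapping the in-memory list for whatever store holds the records; the value is that the questions are already encoded and repeatable.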
3. You need buy-in from the top for asset management to work
Building a robust asset management program will require buy-in from executives and senior leadership, and securing that buy-in might come down to emotion rather than logic. The hope is that you have enough people reviewing risk who have felt the pain of scrambling to patch vulnerabilities without a confident grasp on the scope of impact, and who are willing to put something in place to avoid that pain in the future. If you can point to a specific incident and show how it took four eight-hour days to find all instances of a vulnerability instead of 30 seconds to run a query, that’s one way to make that pain more tangible.
4. Asset management could become a key factor in cyber insurance
In the future, I believe cyber insurance will be one incentive to invest in asset management. I see it becoming a baseline that auditors and insurers will look to when they are assessing organizational maturity and stability. If you don’t have dedicated asset owners or a list of everything that’s facing the internet, that could signal to insurance companies that you should pay more because you have a higher chance of being compromised than organizations that have a handle on their asset management.
To sum it up
The more you know about your assets, the better your security posture will be. It’s easy to overlook the importance of asset management, until an incident happens and you can’t confidently respond to it because you’re unsure which assets have potentially been impacted. Without that knowledge, it’s impossible to create a security program that’s proactive, not reactive.
Watch our full conversation on demand, and catch up on all previous episodes here. All five installments of The Dept. of Know Live! will remain available for on-demand viewing, so you can go back and listen to your favorite insights again.