> “Identifying what’s on your network is a basic information security best practice that, unfortunately, remains difficult for many organizations. If you don’t know what you are protecting, it’s very difficult to apply the most effective controls. And it’s even more difficult to recover effectively if you are exploited.”

So, how do we apply this in real life? I’m glad you asked! Traditionally, organizations have relied on the change management process to alert the information security team when new networks and systems are provisioned. Clearly, there needs to be some sort of process improvement here. A possible technical solution that I’ve seen work very well is leveraging your organization’s Vulnerability Management (VM) Program. As part of the VM program, the VM solution needs to scan the network, and that scan gathers a lot of key information that the CMDB can use. Information such as IP addresses, hostnames, operating systems and installed software is easily profiled during the vulnerability scan. A simple integration between the VM solution and the CMDB can automate the process of keeping the CMDB up to date. Of course, with great automation comes great responsibility: a properly deployed and tested program must first be in place before this process can be automated.

This brings us to the most important part. How do we justify making asset inventory a high priority? It’s not the sleek new technology that everyone wants to play with. It seems boring, but without this building block, even the best of marketing campaigns won’t be able to bail you out.

First, each organization should have a framework for implementing security controls. The CIS Critical Security Controls are a great industry best practice to assess your security program against. If you have not yet done so, be sure to leverage the great work that has been done by the industry leaders at the Center for Internet Security.
> “...a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

Second, let’s look at one of the key costs of any IT department: software licensing. The CMDB should be able to tell the organization how many instances of which software are in use, so that the appropriate amount is spent on software licenses. I’ve seen a number of organizations successfully leverage their vulnerability scan data to identify the number of instances of installed software. This allowed them to match their findings against the number of licenses they were subscribed to. In each case, they were able to reduce the number of subscriptions and greatly reduce their software licensing costs.

Third, over the last couple of years, there have been a record number of 0-day vulnerabilities identified with fancy logos that attract a lot of attention from executives. Security administrators were often caught flat-footed and scrambled to get updated signatures and plug-ins from their vulnerability scanning vendors. Signature updates require the appropriate QA time frames, for which executives do not always have the patience. Having an up-to-date CMDB allows the security administrator to simply query the database for all of the known affected versions of the vulnerable software. This provides an instant list of the organization’s potential exposure. (We will leave alone the fact that Verizon’s 2015 Data Breach Report says, “99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.”)

To summarize, it’s about time organizations started paying more attention to the quality of their asset inventory. Having an up-to-date repository of the assets on the network, along with the installed software on those systems, is a key foundational control for any information security program. It is so critical that it takes up not one, but the two top spots on the CIS Critical Security Controls. This year, make it a priority to provide your organization with an authoritative asset repository.
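The three uses of scan data described above (keeping the CMDB current, counting installed software against licenses, and pulling an instant exposure list for a vulnerable product) can be seen together in the following added example. It is not code from the original post or from any VM or CMDB product; the scan records, product names, versions and the in-memory dict standing in for the CMDB are all constructed for illustration.

```python
# Constructed sample of what a vulnerability scanner profiles per host:
# IP, hostname, OS and installed software with versions.
SCAN_RESULTS = [
    {"ip": "10.0.1.10", "hostname": "web01", "os": "Ubuntu 20.04",
     "software": {"acme-tls": "1.0.1", "acme-httpd": "2.4"}},
    {"ip": "10.0.1.11", "hostname": "web02", "os": "Ubuntu 20.04",
     "software": {"acme-tls": "1.0.2", "acme-httpd": "2.4"}},
    {"ip": "10.0.2.5", "hostname": "db01", "os": "Windows Server 2016",
     "software": {"acme-dbms": "12.1"}},
]


def sync_cmdb(cmdb: dict, scan: list, scan_date: str) -> dict:
    """Merge scan findings into a CMDB keyed by IP (a plain dict here).
    New hosts are added and existing ones refreshed. Hosts the scan did
    not see keep their record but are flagged stale so that a person
    reviews them instead of the automation silently deleting assets."""
    seen = set()
    for host in scan:
        rec = cmdb.setdefault(host["ip"], {})
        rec.update(hostname=host["hostname"], os=host["os"],
                   software=dict(host["software"]),
                   last_seen=scan_date, stale=False)
        seen.add(host["ip"])
    for ip, rec in cmdb.items():
        if ip not in seen:
            rec["stale"] = True
    return cmdb


def exposed_hosts(cmdb: dict, product: str, affected_versions: set) -> list:
    """Instant exposure list: hosts running an affected version of a
    product, answered from the CMDB without waiting for a new scanner
    plug-in. affected_versions is whatever the vendor advisory lists."""
    return sorted(ip for ip, rec in cmdb.items()
                  if rec["software"].get(product) in affected_versions)


def license_counts(cmdb: dict) -> dict:
    """Installed instances per product, to compare with licenses held."""
    counts = {}
    for rec in cmdb.values():
        for product in rec["software"]:
            counts[product] = counts.get(product, 0) + 1
    return counts
```

A real integration would replace the dict with the CMDB's API and key on a stable asset identifier rather than an IP, since DHCP reuse would otherwise merge unrelated hosts.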