If you don’t have a reliable and authoritative repository of the devices connected to your network, their posture and the use of privileged accounts, it is difficult to believe that you really have any hope of managing them well to protect your organization’s sensitive information. If you are not managing IT security risk well, it will have an effect on all aspects of enterprise risk. This is why situational awareness needs to be a top enterprise focus.
The first category in the NIST Cybersecurity Framework is “Identify”. The first 5 CIS controls related to discovery, inventory and posture of endpoints, software and privileges.
The 20 CIS controls are the fundamental steps that every organization should work on to address the majority of cybersecurity exposure that an organization faces. Yet, many organizations fail to maintain a good inventory of assets, posture (software and configurations) and privileges.
There are many reasons why a central, easy to use inventory system is beneficial.
– You should know what business assets you are responsible for, as a fiscal responsibility.
– You should know what assets you have, especially when they connect to your network or access sensitive corporate information. Where are they? What software are they running? Are they compliant (patches, secure baseline configurations…)? What value is the data on these assets? What is their exposure?
– You should know who has access to sensitive information and have a regular review process. It is hard to review what you don’t know. Do people change roles and do their access rights change as their needs change?
– A central asset reporting tool should ingest information from diverse sources: inventory tools (software and hardware), spreadsheets, etc. When your team needs information, you no longer need to go to several different teams to ask for reports (which take time) and then need to stitch them together (which takes time). Usually, when you need this information, you need it quickly, in response to an audit or new vulnerability and exploit. You need to break down the barriers and silos to get to the view of the asset and privilege information quickly and in an actionable way.
– You have a single authoritative source to know what assets are out of compliance and the ability to prioritize your response quickly, to new vulnerabilities.
– Improve the privilege management and review process and better identify unnecessary access, abuse and audit.
Imagine if you had knowledge of all of this. You would know what you had, how it was used, where it was, who was using it, what software was running on it, if the asset was compliant or missing OS and third-party software patches. You would be able to identify where unapproved software was installed, and avoid large software audit fees. This kind of solution helps IT operations, the auditor, but also the CISO and incident response team.
So, the first thing we need from vendors in this market space is situational awareness. Granular and graded details on our assets, software and privileges. With the ability to aggregate, access and visualize this information across IT silos.
[pullquote]A successful solution must leverage inventories and information you already have, regardless if it is on-premises or in the cloud, to be a single, authoritative and comprehensive view to assets, exposures and privileges across the enterprise.[/pullquote]Diversity of data is important to consider. You may have desktop computers and servers, but you might also have mobile devices and IoT (and OT systems) connecting to your networks and under your management. Solutions need to take this into account and have the ability to pull in data from multiple sources, and also take into account of the reliability and quality of the data, as some data sources are less frequently updated and manual.
When it comes to vulnerability management, we need better situational awareness than most companies have. Vulnerability scanning over the network can be a lengthy and imperfect effort. It leaves a large gap between when a vulnerability is discovered, and when you receive detection patterns for your scanning solution, and when you scan (most companies scan monthly). Pen testing is often a quarterly or even annual event and it is not thorough, it looks for the ability to penetrate systems and ends there. Scanning applications for vulnerabilities is also a difficult and imperfect prospect. You may need static code review, dynamic application testing and real-time code review. For commercial software, wouldn’t it be useful to also validate that you are keeping up with patch versions?
Our vulnerability management programs are some combination of very expensive and very inefficient. If the CISO is hanging his hat on the reliability of infrequent, uncredentialed network scans, then he only sees a very foggy view of compliance and exposure.
The end goal might be to replace or augment the monthly vulnerability scanning with something more real-time and accurate. Imagine if you knew the posture of all of your assets, you knew the value of the data residing on these assets and you also had a robust way to compare your exposure against the constantly evolving threat landscape? If a new vulnerability is discovered, it is quickly assessed and you can compare it to your asset database and display a prioritized asset remediation list. You may even have a real-time view to quantifiable risk across your organization, even if many of your assets and services are in the cloud. You might be able to compare your overall posture with that of other organizations and competitors. Wouldn’t that be useful to track and report to the Board?
Situational awareness is Cybersecurity 101. It is basic. It is the starting point, not a nice to have feature. It is a must have. This is why NIST and CIS have them as a top priority. With good, granular and easy to access situational awareness, you will be able to improve your processes regardless of where your security program is on the maturity curve. It will help you improve your audit processes and achieve continuous compliance. It will help your change management processes. And, it will help your security team prioritize and respond to vulnerabilities and incidents better.
