As the 2019 calendar year winds down, I’ve spent some time reflecting on how the year has gone and quickly realized what a blur it’s been. We’ve seen new forms of advanced malware arise, expanding attack surfaces within our organizations, significant cyber events like the one targeting Norsk Hydro, and much more over the course of this year. As a result, we’ve also heard over and over again about the importance of asset visibility and how it’s the foundation of a solid cybersecurity program. I couldn’t agree with that more – and it would be a very difficult point to argue anyway!
I feel the timing of this post is very important for a couple reasons. First, we’ve seen that many organizations are still behind in applying asset management solutions at the end of 2019, and may be struggling to get budget for such an important initiative in 2020. And second, as I realized I hadn’t quite finished my Christmas list to Santa yet, I thought that many others may be in the same situation, and this may be an opportune time to add the things that we really, really want (and need) to our wish list.
But not so fast. We also want to make sure that we’re asking for the right solution, and not just any solution that can meet some basic checkboxes. Asking Santa for a “bat” could get you a baseball bat on Christmas morning, or you may end up dodging a flying mammal! Be descriptive about what you ask for and make sure that it meets your (business) needs, or else you may find yourself taking cover.
So, what exactly does an asset management solution need to have in order to meet your business requirements? There are asset management tools for IT, some for operational technology (OT), some that are inventory-only tools, some that provide only active monitoring, others that are only passive, and still yet there are hybrid solutions, oh my (that blur is coming back!). It’s important to understand your needs before putting Santa’s elves to work, so I’m hoping this article can help you to find those elements in an asset management solution that are aligned to the needs of your business.
Yes, it’s true there are many asset management solutions out there and many that claim they can solve all of your problems. That said, it is important to understand what your organizational requirements are, as well as long-term strategic goals and objectives.
Let’s start with 5 basic questions to ask yourself.
1. Do you have OT environments in your organization where a passive monitoring solution is needed?
Examples may be manufacturing systems, shipping logistics, power infrastructure, and even building automation systems. These systems include any network that may have sensitive assets whose physical operations could be disrupted by being queried with ping sweeps, scans, etc.
2. Do you need to do more than just build out a basic asset inventory list?
For example, organizations that must comply with internal or external standards and regulations, like NERC CIP, may need to also identify and document operating systems, firmware versions, installed software, installed patches, open ports, and other details.
3. Do you have planned or existing tools in your environment that an asset management solution will need to integrate with to maximize ROI for security investments?
The more data you can collect about the network and endpoints can likely help you get more value out of existing toolsets once they are integrated. Examples may include ticketing systems, such as ServiceNow, Security Information and Event Managers (SIEMs), or even firewalls and switches that can optionally enforce controls at a time when the organization is ready for that next step.
4. Do you need an asset management solution that can scale across your organization to include the business network, cloud assets, OT infrastructure, IoT devices, and any other disparate environments that may exist?
Having a scalable, platform-based solution that offers the necessary functionality for each target environment and can integrate with complementary solutions is a huge advantage. While a single solution can’t do everything, it should easily integrate with existing solutions to allow organizations to take a proactive approach to cybersecurity, while also getting better ROI on existing investments.
5. What other security initiatives are either currently underway or will begin soon?
Understanding other initiatives in play can be beneficial in many ways. It can help security stakeholders better prioritize activities (think dependencies and efficiencies). A comprehensive asset management solution can provide critical data for other cybersecurity initiatives, including network segmentation projects and selectively applying controls (either automatically or manually) when suspicious or potentially dangerous events have been observed on the network. This requires visibility first and foremost and leverages policies to apply controls when events have met (or not met) specific criteria. Integration is key for taking a proactive approach to cybersecurity and makes existing investments that much more valuable.
There are many factors that will determine the optimal type of asset management for your organization. Depending on any compliance requirements (internal or external), your organization may benefit from active monitoring, meaning communication of some sort to the endpoint, which will provide a deeper level of detail from the asset. In this case, there may be a need to selectively generate a list of applications and patches installed on the asset. Including active capabilities is also optimal when there are assets on the network that do not often communicate, which means a passive-only solution would have a hard time “observing” those assets until they do communicate (if they do).
The more information that can be attributed to an asset means more information can be fed to other supporting solutions to further their value. The key to active monitoring solutions is to ensure they are safe for the environment (i.e. non-disruptive), especially in OT, where it can be selectively applied to only those assets where it is needed.
Passive monitoring solutions, on the other hand, do not communicate directly with any assets, but rather just “listen” to network conversations through a mirrored port on a switch or a network tap. By parsing these network communications, assets and their associated details, such as the vendor, model, firmware version, etc., information can be gathered to automatically build out the asset inventory. Because these solutions monitor the network, rather than the assets, the network communications can also be baselined for easy identification of anomalous activities (vs. signature-only based solutions). These passive solutions are non-intrusive and fantastic for OT environments. In many OT environments, programmable logic controllers (PLCs), are at the heart of the environment and typically control physical things like valves, pumps, etc. They sometimes do not fare well with “external” communications and queries that could create disrupting latency or even topple one of these devices. Because of this, passive monitoring is typically ideal for these sensitive environments. Furthermore, passive monitoring solutions are relatively easy to implement and can bring immediate value upon deployment.
As you can see, there are significant benefits to both passive and active monitoring, but how do you choose what is right for your environment? Well, fortunately, you don’t have to choose one or the other anymore, since there are now hybrid solutions that bring the best of both worlds. A good hybrid solution can provide both passive monitoring to non-intrusively create an asset inventory and should also offer an option to selectively apply active monitoring, including what to apply it to and even what queries are sent to the selected assets. For those assets that can tolerate active queries, this is an ideal option, since you can selectively get data from an asset in order to meet business requirements.
While the passive/active/hybrid should be a relatively easy decision to make, other considerations to consider when deciding on the right asset management solution for your organization should include, at a minimum, the following:
- Coverage of the entire enterprise from cloud assets all the way down to the OT assets
- The ability to calculate and incorporate risk from both a security and operational perspective based on observed attributes, vulnerabilities, alerts, and other key factors
- A flexible and scalable architecture to reduce total cost of ownership (TCO)
- Optional virtualization capabilities to reduce hardware costs
- Single solution that eliminates the need to manage multiple vendors and train teams on multiple products
- Tight integrations with other solutions to improve efficiency by better leveraging existing security investments
It’s important to do your due diligence on such an important and foundational initiative as asset management solutions can quickly become shelf-ware if they don’t align to the needs of the business, are not intuitive, and just overwhelm the cyber warriors of our organizations with noise.
As we are all likely a bit more stressed this time of the year, my hopes are that this post has been informative and that it will help you find the right solution to add to your list for Santa. I wish you all a safe and prosperous holiday season and look forward to advancing cybersecurity in 2020!