What is cybersecurity asset management (CSAM)?
Cybersecurity asset management (CSAM) is the process created to continuously discover, inventory, monitor, manage and track an organization's assets to determine what those assets do and identify and automatically remediate any gaps in its cybersecurity protections.
CSAM is a subset of IT asset management (ITAM).
Why is cybersecurity asset management important?
CSAM aims to provide the complete, real-time visibility security operations (SecOps) teams need to optimize their resources and build and maintain a proactive, risk-based security program that better safeguards their organizations and assets from security threats. CSAM also enables SecOps teams to more quickly respond to security incidents.
CSAM is a critical component of key security industry frameworks, including NIST Cybersecurity Framework and Center for Internet Security Critical Security Controls.
If an asset -- be it physical, virtual or cloud-based -- connects to or interacts with other assets on an organization's network, it falls within the scope of CSAM. Examples of assets include the following:
- Traditional endpoints, such as desktops, laptops and mobile devices.
- Underlying network infrastructure, including cloud assets and instances.
- Internet of things (IoT) sensors.
- Virtual and hardware appliances.
- Operating systems.
- IP-connected operational technology (OT), including supervisory control and data acquisition systems, human-machine interfaces and programmable logic controllers.
- Physical infrastructure, such as office buildings and on-premises data centers.
Managing assets in today's enterprise environments is increasingly difficult. Consider the following challenges:
- Users -- employees, contractors, service providers, etc. -- are in a variety of locations using a variety of devices and services, including shadow IT.
- Fully virtualized assets often reside in public clouds.
- IT/OT convergence is increasing the number and types of devices connected to corporate networks, including IoT and OT devices, many of which have few security protections.
- Data and appliances are used and stored across multiple geographic regions.
- Virtual environments include services, microservices, virtual machines and containers, many of which have short life spans that can be as little as a few minutes. While not particularly critical from an ITAM standpoint, these virtual instances can cause security issues in a short time if they contain malware or have vulnerabilities to exploit.
- Unknown zones -- areas with little or no asset management or areas where traditional ITAM tools can't reach -- exist in every organization. This includes shadow IT devices and services. Visibility is key in CSAM -- as the old security adage goes, you can't secure what you can't see.
The number and types of assets connecting to networks today can reach into the hundreds of thousands. Even the most diligent SecOps team can't keep track of an environment of IT assets manually on a spreadsheet or with a database.
Because of these challenges, CSAM is becoming a popular option for SecOps teams.
How does cybersecurity asset management work?
CSAM uses a variety of tools and processes to discover which assets are on a network and then investigate which security controls each asset uses and whether each asset is properly secured. CSAM can include, but is not limited to, device discovery and inventory, vulnerability management, network and security monitoring, risk analysis and assessment, incident response and policy enforcement. CSAM can also help maintain regulatory compliance.
SecOps teams can achieve CSAM with existing tools, but because these tools are often siloed, it can be difficult to correlate their data. Many vendors today offer dedicated cybersecurity asset management platforms that aim to help with the task.
CSAM uses the following three-step cycle:
- Asset discovery and inventory. Tools scan the network and inventory each asset. The inventory includes details about the asset. For example, the inventory can include hardware or software version, manufacturer, software libraries, location, etc. -- as well as who has access to the asset, who owns it, internal policies and compliance regulations that apply to that asset, the risk level of the asset, software updates or patches for the asset, and more, depending on the organization's needs. CSAM also determines which security tools and policies are in place to protect the asset against internal and external security risks.
- Gap identification. Once the asset inventory is complete, CSAM identifies gaps in security coverage and recommends measures to put in place to remediate the gaps.
- Automated response. CSAM uses automation techniques to fill gaps by deploying validated cybersecurity resources where needed. CSAM can also alert the SecOps teams of any necessary remediations that aren't automatically implemented.
After the cycle completes, it runs again. The process aims to mitigate all information security gaps given the available tools of an organization. CSAM tools can also inform SecOps teams of any remaining gaps, enabling teams to consider purchasing and deploying additional tools engineered to meet internal security policies and compliance regulations.
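The three-step cycle can be sketched in a few functions. This is an added example, not code from any CSAM product: it joins a network discovery scan with two siloed tool consoles on a normalized MAC address, lists the missing controls per asset, and splits them into automated fixes and SecOps alerts. The asset records, tool names and policy tables are constructed assumptions.

```python
import re

# Constructed sample data: three siloed tools that write the same MAC differently.
NETWORK_SCAN = [  # discovery: what is actually on the network
    {"mac": "00:1A:2B:3C:4D:01", "hostname": "fin-laptop-07", "type": "endpoint"},
    {"mac": "00-1a-2b-3c-4d-02", "hostname": "build-vm-113", "type": "vm"},
    {"mac": "001A.2B3C.4D03", "hostname": "plc-line-2", "type": "ot"},
    {"mac": "00:1a:2b:3c:4d:04", "hostname": "hr-desktop-02", "type": "endpoint"},
]
EDR_AGENTS = ["00:1a:2b:3c:4d:01", "00:1A:2B:3C:4D:FF"]  # endpoint agent console
VULN_SCANNED = ["001a2b3c4d01", "001a2b3c4d02", "001a2b3c4d04"]  # scanner targets
# Hypothetical policy: controls required per asset type, and gaps automation may close.
REQUIRED = {"endpoint": {"edr", "vuln_scan"}, "vm": {"edr", "vuln_scan"}, "ot": {"vuln_scan"}}
AUTO_DEPLOYABLE = {("endpoint", "edr"), ("vm", "edr")}

def norm_mac(mac):  # any MAC notation -> 12 lowercase hex digits, used as the join key
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def build_inventory(scan, sources):
    """Step 1: one record per discovered asset, with the controls observed on it."""
    seen = {name: {norm_mac(m) for m in macs} for name, macs in sources.items()}
    inventory = {}
    for asset in scan:
        key = norm_mac(asset["mac"])
        inventory[key] = {**asset, "controls": {n for n, ids in seen.items() if key in ids}}
    return inventory

def unseen_by_discovery(inventory, sources):
    """Tool-side records with no discovered asset: candidates for an unknown zone."""
    return sorted({norm_mac(m) for macs in sources.values() for m in macs} - set(inventory))

def find_gaps(inventory):
    """Step 2: required controls minus observed controls, per asset."""
    assets = [inventory[k] for k in sorted(inventory)]
    return [(a["hostname"], a["type"], c) for a in assets
            for c in sorted(REQUIRED.get(a["type"], set()) - a["controls"])]

def plan_response(gaps):
    """Step 3: auto-deploy where policy allows, otherwise alert SecOps."""
    plan = {"auto_deploy": [], "alert_secops": []}
    for host, kind, control in gaps:
        auto = (kind, control) in AUTO_DEPLOYABLE
        plan["auto_deploy" if auto else "alert_secops"].append((host, control))
    return plan

def run_cycle():
    sources = {"edr": EDR_AGENTS, "vuln_scan": VULN_SCANNED}
    inventory = build_inventory(NETWORK_SCAN, sources)
    return plan_response(find_gaps(inventory)), unseen_by_discovery(inventory, sources)
```

Calling run_cycle() on the sample data queues the two machines without an endpoint agent for automated deployment, raises the unscanned OT controller as an alert, and reports one agent record that discovery never saw.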
What are the benefits of cybersecurity asset management?
CSAM enables security teams to assess, manage and potentially even minimize their organizations' attack surface by offering the following benefits:
- A real-time view into the organization's security posture.
- Visibility across the entire network.
- The ability to rapidly assess assets and pinpoint security coverage gaps.
- A granular view of IT assets -- down to the application and service levels.
- Continuous asset discovery and identification.
- An understanding of which cybersecurity tools are active on the network and how they are used.
- A streamlined process to identify which tools offer the most protection and where to deploy them.
Beyond this, CSAM can also help with tasks such as asset catalogs, asset end of life, shadow IT discovery and patch management. CSAM tools might also integrate with ITAM, configuration management databases, IT service management and ticket management systems.
What's the difference between CSAM and ITAM?
Most chief information security officers today are familiar with the purpose of and need for ITAM tools. As mentioned, CSAM is a subset of ITAM. ITAM does the same discovering, inventorying, managing and tracking of assets but for different reasons than CSAM. ITAM is more concerned with business needs, such as software licensing, warranties and support contracts.
CSAM is designed with a singular focus: understanding not only what is on the network and where but what those assets do on the network, how they are currently protected and what additional protections they need.