A key challenge for CISOs and other security professionals is enabling effective cybersecurity asset management.
The more general IT asset management (ITAM) is the process of discovering, inventorying, managing and tracking a company's assets. Assets include hardware, software, data and devices. A subset of ITAM, cybersecurity asset management focuses on the discovery, inventory, management and tracking of assets for the purpose of protecting them.
Cybersecurity asset management is especially challenging for three main reasons:
- The number and types of assets in today's enterprise environments can be in the millions and are growing. Even the most diligent IT professionals can't keep track of such an environment on a spreadsheet or even with a database.
- In a virtual environment, entities include services, microservices, VMs and containers that have short half-lives. The average half-life of a container in some organizations can be measured in minutes, for example. From an inventory management perspective, tracking entities active for only a few minutes may not seem particularly important, but from a cybersecurity perspective, it's crucial. Even short-lived entities can wreak havoc if they're bearers of malicious code.
- Organizations have many unknown zones, meaning areas where there's little to no asset management or areas where traditional ITAM doesn't reach.
The first two issues can be largely solved by automation, which makes keeping track of a growing number of devices and services and their life spans easier. For the challenge of unknown zones, specialty asset management products and services are emerging to help companies, specifically in the areas of IoT, data, applications and microservices.
Getting started with cybersecurity asset management
In areas with little to no asset management coverage overall, a general-purpose IT service management (ITSM) or ITAM tool is needed. Established companies, such as Forescout, based in San Jose, Calif., in the cybersecurity space and ServiceNow, based in Santa Clara, Calif., in the ITSM space, provide relatively traditional ITSM asset discovery and management engines. (Forescout integrates into ServiceNow.) These types of products typically provide compliance and risk management, as well as traditional autodiscovery and asset management.
The challenge for CISOs and cybersecurity teams is extending traditional tools into specific areas of the enterprise and deciding which additional asset management tools, if any, are needed.
For cybersecurity professionals seeking effective cybersecurity asset management, the best place to start is an overall assessment of the environment to determine any unknown zones. Key areas to focus on include the following:
- IoT devices, including smart facilities devices, such as the intelligence in cameras, printers, HVAC units and elevators;
- applications, including microservices and containers; and
When selecting products to fill those gaps, ensure one of the main selection criteria is integration with existing or planned ITAM products used for management, tracking, reporting and dashboarding.
Let's dig a little deeper into products for each potential unknown zone.
IoT asset management
A handful of products, both special purpose and with a more general cybersecurity focus, provide IoT asset management. Companies such as Israeli IoT cybersecurity firm Armis and Ordr, based in Santa Clara, Calif., focus on asset management for IoT. Both are built on a general-purpose, AI-enhanced discovery platform that may deliver unique capabilities not available on more traditional products, such as those from Forescout or other vendors offering ITSM products.
Armis is one of the best-known and best-capitalized vendors in the broad category of IoT-centric automatic discovery, inventory and threat assessment in terms of size, scope and backing. In early 2020, New York-based private equity firm Insight Partners acquired Armis for $1.1 billion. The company has continued to operate independently, focusing on enterprise IoT cybersecurity, as it has since it was founded in 2015. Armis isn't vertical industry-specific, nor is it exclusively focused on IoT.
Like Armis, Ordr focuses on IoT but also integrates into asset management systems, such as ServiceNow. Ordr stresses its low-overhead, automated discovery process and its ability to deliver automated reports on security vulnerabilities, active threat information, U.S. Food and Drug Administration and other manufacturing recalls, and weak ciphers and certificates. The company also provides risk scores to help prioritize devices that need to be taken out of service, patched or quarantined.
Another player in this space is IoT/operational technology security company CyberX, based in Waltham, Mass., which was acquired by Microsoft in 2020. Although it's not clear where Microsoft will take this company, given the breadth of Microsoft's existing overall portfolio, the company is likely to focus the CyberX technology specifically on IoT.
Data, application and microservices asset management
For cybersecurity professionals focused on doing inventory and securing applications, microservices and APIs, NeuraLegion, an AI-powered application security testing vendor based in Tel Aviv, Israel, may be a fit. Unlike Armis and Ordr, which focus specifically on devices, NeuraLegion emphasizes software scanning. The product scans applications and APIs for security vulnerabilities and creates actionable reports to help teams better secure them.
The feature-functionality overlap between NeuraLegion and vendors like Armis and Ordr is minimal. Armis and Ordr likely overlap considerably but not totally. NeuraLegion effectively fills the gaps of Ordr or Armis by detecting microservices, software and application environments and mapping vulnerabilities. The company claims to integrate with most standard enterprise applications.
Like Armis and Ordr, Securiti, based in San Jose, Calif., focuses on asset discovery and vulnerability assessment. Unlike them, however, Securiti isn't specifically focused on IoT. Instead, it focuses on data asset classification and privacy management -- for example, issues surrounding who owns data, whether data is being managed according to policy and whether there are vulnerabilities.
Securiti would be a good choice if the primary driver is data inventory and management rather than devices or applications. Armis and Ordr, for example, operate at the device level, and NeuraLegion operates at the application and microservices layer.
Container discovery and asset management are important subsets of the data, applications and microservices area. Many application resource management tools include container autodiscovery and asset management components. Container orchestration services, such as Kubernetes, and container companies, such as Mirantis, based in Campbell, Calif., offer their own flavors of container discovery and asset management. Cloud providers, including Microsoft, AWS, IBM and Google, typically offer container asset management as part of their offerings -- with the catch that these only work in their own environments.
Checklist for cybersecurity-focused asset management
Follow this five-step cybersecurity asset management checklist to find out if your organization is protecting all its assets adequately:
- Perform a high-level assessment of the IT environment. Look for the gaps and areas of missing coverage.
- If you're lacking ITAM overall, consider deploying a general-purpose ITSM or cybersecurity-specific management tool first. It may have some gaps, but discovering and managing your infrastructure are good first steps.
- Consider IoT devices. Even if you're not running IoT-specific initiatives, you probably have IoT devices in your facilities -- such as cameras, HVAC units and printers -- that aren't discovered by traditional asset management but can represent vulnerabilities.
- Don't neglect ephemeral or virtual entities, including microservices, containers and data. Even if these entities have short half-lives, they can host attacks that can devastate an inadequately secured environment.
- Once you've identified the gaps, think in terms of effective integration. What should your asset management tools integrate into? Your ITSM tool? Your security orchestration, automation and response system? Other security operations center tools? Make integration capability a selection criterion as you assess products.