It was challenging enough in the days when it was ‘just’ about keeping track of a physical infrastructure, but now you’re trying to monitor the dynamic sprawl of virtual elements created as more and more corporate assets fall outside the traditional network perimeter. The number of apps on your network never stops growing and you’re dealing with servers that are continually spinning up and down as requirements shift.
And now, large-scale homeworking is in the mix, making it even harder to know what you’ve got. People aren’t necessarily using corporate assets, which opens up more possibilities for losing control of data. Plus, historically, asset management systems have been premise-based, so if employees never go into the office then some of those systems can’t run.
The sheer complexity of keeping up with today’s changes and upgrades is mind-blowing in its scale and pace. I think of it as a Sisyphean task – unrelentingly difficult and never ending.
The bottom line is, if you don’t know what you have, then you can’t protect it. And I’d go further than that: if you don’t know what’s on your network, you can’t see what’s lurking in your shadows, potentially waiting to do you harm.
You need to be able to manage the implications of having a device, so that you either keep its security updated or you have an alternative mitigating control in place. But, if you don’t know what normal looks like, you can’t have any confidence in what’s there, and it’s hard to see problematic or nefarious activity.
Take the 2020 SolarWinds attack, for example. It’s left many organisations wondering whether they’re affected and should be taking some action. The difficulty is, although IT professionals frequently use the SolarWinds software suite as a tool in their infrastructure management kitbag, it’s not always a formal tool, so wouldn’t feature on official registers. Plus, only one component of the SolarWinds suite was compromised, so some organisations will be worrying unnecessarily. But businesses need the clarity of knowing what they have on their network.
Good asset management has wider benefits, too. It helps in managing licenses and support costs and makes identifying end of life or legacy IT much easier.
Understanding what and where your assets are is only one part of the problem though. You also need to establish clear asset management objectives so you can measure your success. For example, how fast on average will you patch vulnerabilities? What percentage of your asset database will be up to date at any one time? How long will you accept having devices on your network that you don’t know or understand?
Answering these questions involves rigorously assessing your asset life cycle strategy. Here are the three steps I’d recommend:
Step1. Know what you have
It’s hard to do anything if you don’t know what ‘good’ looks like, so start by establishing a benchmark of what should be connected to your infrastructure. This database will also highlight what you shouldn’t expect to see. Ideally, you’ll update this dynamically whenever new devices are detected. Plus, it’s important that, within certain degrees of accuracy, you know where assets are, so put structures in place that assume a device isn’t part of your remit if it hasn’t been detected for a set period. These time scales will vary, depending on the importance of the asset. For example, our asset management system is set to know where the specialist laptops that we give to our domain administrators are at all times.
Step 2. Know what’s vulnerable
This stage is about assessing what state your assets are in and the risks you’re facing. It involves regularly scanning your asset database to identify the software versions in use and testing your devices for a known set of vulnerabilities before deciding how quickly these issues need to be fixed. Some you’ll be able to classify as ‘nice to fix’, others will be important to address in the next month, and some will need remediating immediately to avoid a significant problem.
Step 3. Resolve the risks
At this point, you move on to finding the right mechanism for resolving the issues you’ve identified, introducing a solid approach to patching so you can close vulnerabilities faster. As you set up this system, you’ll need to recognise that with every upgrade there’s a risk that the ‘fix’ will break what was previously working just fine. Your mechanism will involve deciding when to take the risk of ‘breaking’ something is offset by the benefits of the upgrade.
Effective asset management is more than getting a tool up and running. In many cases the tool is just the repository for information about your assets, and the old adage holds for this: if you put rubbish in, you’ll get rubbish out.
What you need as well as an asset management tool is a robust process to wrap around it. It’s the process that’ll determine how you’re going to keep the tool up to date, how you’re going to respond to changes, what level of inaccuracy you’re prepared to accept, and what the impact of your decisions will be on the business.
To find out more about how you can use asset management to act swiftly when a significant vulnerability comes to light, identifying the assets affected and the fastest fix, please get in touch with your account manager.
Or read our ‘Assume breach – Managing a dirty network’ paper to discover how asset management can play a key role in managing the risk of a breached network.
