Imagine you are the ruler of a small kingdom under siege from the neighboring kingdom. You have no idea what your kingdom produces, no idea how many soldiers, archers, pigs, farmers, blacksmiths and cobblers live in your kingdom, nor where they are. You don’t know whether or not you have walls and other defenses and, if you do, where they are.
It doesn’t sound like you’re a good king, does it?
What if I told you that tech leadership in some multi-million and even billion dollar companies knows less about their network and product infrastructure than our poor king does about his kingdom?
Asset Management
In last week’s article, we talked about Crown Jewels Analysis, which, summarized, is the identification of the most valuable assets in your company, in this context with the intent of focusing defensive efforts on those assets. Crown Jewels Analysis requires at least a certain amount of asset management and can be seen as a practice and strategy underneath the wider umbrella of asset management.
This week, we’re going to take a step back again and look at asset management as a practice: what it is, why you should do it and how you should do it. Before we dive in, though, I want to say this: asset management is hard, and it’s not a practice you can file under a binary “we did it” or “we didn’t do it.” It’s a continual series of practices, processes, procedures and strategies that will have to grow as your startup does.
It’s very difficult. So difficult that, if you can nail down your asset management and intelligence practice, you’ll be ahead of some of the top companies in the tech game. I’ve worked with billion-dollar+ companies who do it horribly, so trust me here when I say this puts you ahead.
Asset Management: What is it?
From the UK’s National Cyber Security Centre:
An asset is anything that helps you achieve your objectives. Asset management is about the policies and processes that help you account for each of your assets throughout their respective lifecycles.
From a cyber security perspective, the main focus [of asset management] tends to be on technology - the software, hardware and information that is central to a digital life. But it is just as important to consider other types of assets, including people, physical assets such as buildings and sites, and financial assets.
This is a great starting definition. Asset management is the cataloging of things that help you achieve your objective. As a startup or tech leader, this can be anything from cloud infrastructure like AWS S3 buckets, to codebases like an internal API, to Jim the HR rep and Jane the IT leader.
It doesn’t stop at cataloging, though. You don’t get to just build a spreadsheet with a list of a dozen IP addresses that are listed on your AWS console, upload it to Google Drive and never think about it again. Asset management is an ongoing practice, a collection of policies and procedures, that your company takes part in constantly and ideally consistently to keep track of what assets are associated with your company.
Asset management is the continual cataloging of technological and non-technological assets within your organization as well as changes in the state of those assets. An asset’s state describes the different, mutable properties of that asset. Let’s continue by example.
Let’s say your organization consists of an employee, Jane, with a laptop, as well as a cloud-based web server running your company’s web application product. You can begin your asset management practice by enumerating relevant properties related to these assets that can affect your cyber (and other) security risk posture. For an employee, you can track how long the employee has been with the company, what assets they have access to (which creates some interesting asset-to-asset mappings that are vital to the efficacy of an asset management program), their employee ID and whether or not they are still an employee at the company. That last property seems obvious, but you would be surprised how many companies don’t even know what employees have left the company, which leaves the employer open to quite a few vulnerabilities.
The laptop can be described by a multitude of relevant properties: what kind of laptop is it? What is its model number? What operating system is it running? What version of firmware is it running? What employee does it belong to now? Has it belonged to previous employees? What software is it running? What antivirus is running on the system? How long has it been since the last OS update?
Finally, the cloud-based web server. What operating system is the server running? Is it accessible to the public internet, or just over a VPN? What software is running on it? What software is your web application dependent on? When was the OS last updated? What about your dependencies? When was the last time you ran a web application penetration test or vulnerability scan against your web application?
The list of properties for each asset should be exhaustive and can be exhausting, and the hardest part is that the list will grow and each property needs to be updated constantly.
This is probably the worst sell in all of history, since I’ve told you exactly how hard this practice is before even telling you why. I’m not going to pretend like asset management is easy and beat you over the head with all the reasons you should do it; there’s a reason billion dollar companies ignore it or do it badly. Stick with me here, though, because I’m going to convince you that all that hard work is worth it.
Asset Management: The Why
At the end of last year, the cyber security world was in a panic. A critical software bug dubbed Log4Shell was on the lips of every IT administrator, tech leader, cyber security analyst and infosec thought leader on the internet. This one was truly bad.
The bug was in a Java library responsible for logging. Without getting into the technical weeds of the vulnerability: essentially, if software running the Log4J library let a user take actions that predictably wrote that user’s input to the log, the user could take over the system and do any manner of nefarious things.
From an asset management standpoint, this vulnerability was a nightmare. The library was present in tens of thousands of different software platforms, from Minecraft servers to enterprise software IDEs like Eclipse. It’s difficult enough to get companies to do the bare minimum of asset management, like cataloging employee accesses and operating system versioning. Log4J required a company to know what software was running across their org and the long list of dependency chains that the software relied on.
Functionally, this was an impossible situation from an asset management standpoint. Log4J was often found deep in software dependency trees, a dependency of a dependency of a dependency of your software. It was a nightmare scenario, and orgs from the government to the private sector scrambled to respond.
What I’m asking you as a tech leader to do at your organization isn’t that complex. The goal is not to cover every single nightmare scenario the most pessimistic information security guru can think up. The goal is to reduce panic and increase certainty when faced with difficult cyber security questions and problems.
When faced with a possible security incident or a very public software vulnerability like Log4J, you need to start enumerating vital questions: Is my organization vulnerable? Has a hacker already breached our organization? What assets are vulnerable to this bug?
Asset management provides answers, or at least a path to reveal them, to many of these questions. You simply cannot adequately and efficiently secure a network full of assets that you don’t know exist or don’t understand. How could you possibly know if your organization is vulnerable to the Log4J vulnerability if you don’t know what web servers you’re running and how to access them? How could you know if your organization is vulnerable to an insider threat if you don’t know what employees have access to which assets?
Asset management is a critical component to risk management: you cannot properly enumerate risks to your organization without understanding where those risks can arise. That’s why the king in the opening metaphor is doomed to fail: you can’t defend a village when you don’t know what defenses you have or where your critical assets are.
I hope I’ve sold you on the importance of asset management. If you have questions on why this practice is so important to your organization, feel free to reach out, either on Twitter, LinkedIn or email.
Let’s talk about the do’s and don’ts of asset management.
Asset Management in Practice
Asset management can get incredibly granular in theory. Let’s take our laptop example from the paragraphs above. What properties could you gather about a laptop?
Operating system version
Screen size
Number of USB ports
Firmware version
Bluetooth capability
IP Address
MAC Address
Color
There are endless properties that you could gather about a given laptop, but let’s use the ones listed above as an example. It’s important to remember that the purpose of asset management is to supply important information to tech and security leadership to inform security practices. Of the above properties, several are relevant to an organization’s security practice:
Operating system version - This information is vital to identify out-of-date operating systems that might be vulnerable to attack.
Firmware version - This is a piece of information that is important to determine possible vulnerabilities on the laptop. Operating system version information is likely more important from a practical perspective, but this is still a vital piece of information to gather.
Bluetooth capability - This may seem unimportant, but Bluetooth can be a valuable attack vector for a hacker that is willing to take the risk of being in close proximity to their target.
IP and MAC address - These are vital data points in an asset management program, especially in an organization that has a central point of logging security information such as a SIEM or SOC. These addresses will help identify assets and tie them to web and other traffic that could be indicators of compromise.
You’ll notice that the list of useful and relevant pieces of information is shorter than the first list. The color of the laptop, number of USB ports and screen size are not relevant pieces of information for a security program. Cataloging them will waste time and effort for a security organization and will just serve as a distraction.
You’ll also notice that many of these properties are mutable. You’re not likely to remove a laptop’s Bluetooth hardware, but the IP address of a given device can change many times over the course of a day, firmware can be updated and an operating system version that is secure one day might be insecure the next. What this means is that the act of cataloging these properties is ongoing: every time you run an update on a device, you have to record the new version of the operating system and, ideally, the date the device was updated. Ditto for the software on the PC: every time a piece of software is added, removed or updated, you should probably have some record of this.
Now, this doesn’t have to be a team of folks plugging data into an Excel doc that tracks every piece of software on every laptop in your org. That would be completely unscalable. There are tons of automated software tools for asset management, as well as asset management features built into popular antivirus/EDR tools that will handle much of this problem for you. For the smaller startup, though, with a smaller footprint and fewer assets, anything is better than nothing. Just having a running list of devices and employees that enumerates mission critical properties related to those devices is a great start.
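As an added illustration (not code from the original article), here is a minimal Python inventory model built around the Jane, Jim, laptop and web server examples above. It records each state change with its date, links assets to one another, and answers two of the questions raised earlier: which devices run a given library through any chain of dependencies, and which former employees still hold access. The asset ids, library names and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Asset:
    kind: str                                    # "employee", "laptop", "server" or "software"
    state: dict = field(default_factory=dict)    # current mutable properties
    history: list = field(default_factory=list)  # (date, property, old_value, new_value)
    links: set = field(default_factory=set)      # ids of assets this one has access to or depends on

class Inventory:
    def __init__(self):
        self.assets = {}
    def add(self, asset_id, kind, **state):
        self.assets[asset_id] = Asset(kind, dict(state))
    def update(self, asset_id, prop, value, when):
        # record the change and its date instead of silently overwriting the old value
        a = self.assets[asset_id]
        a.history.append((when, prop, a.state.get(prop), value))
        a.state[prop] = value
    def reachable(self, asset_id):
        # every asset reachable through the access/dependency graph, at any depth
        seen, stack = set(), [asset_id]
        while stack:
            for nxt in self.assets[stack.pop()].links - seen:
                seen.add(nxt)
                stack.append(nxt)
        return seen
    def devices_running(self, software_name):
        # laptops and servers that run software_name directly or through a chain of dependencies
        hits = {i for i, a in self.assets.items() if a.kind == "software" and a.state.get("name") == software_name}
        return sorted(i for i, a in self.assets.items() if a.kind in ("laptop", "server") and self.reachable(i) & hits)
    def stale_access(self):
        # former employees (unknown status counts as former) that still hold access links to company assets
        return sorted(i for i, a in self.assets.items() if a.kind == "employee" and not a.state.get("active") and a.links)

def build_sample():
    # constructed sample: Jane, Jim, one laptop, one web server and the server's software stack
    inv = Inventory()
    inv.add("emp-jane", "employee", active=True)
    inv.add("emp-jim", "employee", active=False)   # Jim has left but was never offboarded
    inv.add("laptop-01", "laptop", os_version="13.0")
    inv.add("server-01", "server", public=True)
    for sid, name in [("app-01", "acme-webapp"), ("lib-01", "acme-framework"), ("lib-02", "log4j-core")]:
        inv.add(sid, "software", name=name)
    for src, dst in [("emp-jane", "laptop-01"), ("emp-jim", "server-01"),
                     ("server-01", "app-01"), ("app-01", "lib-01"), ("lib-01", "lib-02")]:
        inv.assets[src].links.add(dst)
    inv.update("laptop-01", "os_version", "13.1", date(2022, 1, 15))
    return inv
```

Running `build_sample().devices_running("log4j-core")` returns the web server even though the library sits two dependencies below the web application, and `stale_access()` returns Jim.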
In Conclusion
This article is not meant to be a standalone article that tells you all you need to know about the theory and practice of asset management. It’s a difficult subject, especially for a resource-strapped startup.
I believe strongly in the power of asset management and intelligence to help secure your startup. Drop me a message and let’s talk about securing your startup and giving your tech leadership peace of mind.