November 24 2020
“What you don’t know can’t hurt you” – it’s an old saying and somewhat of a strange one. Of course what you don’t know about can hurt you, especially if it’s an unseen oncoming vehicle, for example, or if you work in cybersecurity.
If you work in cybersecurity, the saying does not apply and will ultimately get you into trouble at some point. Nobody expects you to know everything, but they expect you to know what assets you have on your corporate networks and plugged into your IT infrastructure. It’s the first thing to look for when speaking to an organisation for the first time.
Generally speaking, the more that an organisation can tell you about their inventory of PCs, tablets, smartphones, servers and wireless access points, the better they are at cybersecurity. It may surprise you to discover that many organisations don’t have a firm handle on their asset inventory.
This is shocking in itself because asset discovery is a foundational IT security measure, and it’s impossible to defend your IT infrastructure unless you have an up-to-date list of what you are defending. When you learn that most companies don’t maintain an active list of their assets, it’s not at all surprising that so many get breached.
If you don’t know what internet facing assets you have, or are unsure where your data is, or who has access to it, then you are going to be vulnerable as you don’t have a clear picture of network.
The single most effective cybersecurity action an organisation can make is to assign a dedicated person to estate discovery, and maintain an ongoing ‘as close to real-time ’ list of the company assets connected to their IT infrastructure.
If your organisation does not have a handle on the basics like asset inventory, whatever security tools you have in place are for show and a breach is just a matter of time. Alarm bells should be ringing!
Of course, organisations may find it tough to keep a handle on the number of PCs, BYOD hardware, servers, load balancers, firewalls and storage devices that connect to their networks, but when an unknown device is used to exfiltrate something valuable from your network, not knowing about that device just won’t cut it as an excuse.
The breach is going to be your fault
If you are unlucky enough to get breached and have the investigators discover that you have no accurate asset inventory, the breach was your fault, and that’s a concept even the C level will understand.
Now that we have established that estate discovery is a fundamental piece of your IT security, and that without it you will almost certainly get the blame for breaches, let’s look at what you can do right now.
Immediately eliminate your blind spots – Let’s be honest, while you might know which PCs and employee mobile devices you have connected to your networks, everything else (from random BYOD endpoints and IoT devices, to unauthorised SaaS applications, file sharing, and cloud storage) is a potential blind spot. Your first step is to immediately eliminate all of those blind spots, and you should view them as black holes full of security, legal and compliance risk that need to be plugged.
If you do not have the right tools, get them – For sure your IT asset management tools let you detect things like servers, firewalls, load balancers and network storage, but what you really need is a tool that will give you visibility over every part of your network; and ideally one that conforms to estate discovery best practice. Your solution needs to be able to scan your network address ranges and analyse traffic in order to identify unknown assets. You then need to drill down into those assets and pull out granular information about the network connections, permissions, and usage — and be able to tag the asset for future tracking.
Manage your assets – You should be actively managing (meaning tracking and keeping an inventory of) your hardware and software assets. Only authorised hardware can be given access to your networks and only authorised software can be installed onto your endpoints. You need to know which employees can use your hardware or software, and which users should not be accessing it. Estate discovery can help you accomplish this.
Hire or appoint a dedicated asset controller – This should go without saying, but you absolutely need to appoint somebody to assume responsibility for maintaining an accurate inventory of your assets, if you ever hope to get a handle on them in any way. This is the single most effective action that you can make in order to improve your overall cybersecurity posture: appointing a dedicated asset controller will yield a significant return on investment compared to almost anything else.
Consider bringing in the professionals – There is so much complexity to network topology, only so much time in your busy IT team’s schedule, and so many different tools on the market, that it can be difficult for organisations to know which steps to take first and how to make them.
If this is the case for your organisation, your best bet is to bring in the professionals. At Secarma a substantial part of our work is helping clients to understand exactly what they are defending and they often call us to assist their existing teams, helping them bring their asset management processes in line with best practice.
Whichever route you take to discovering all of the assets connected to your networks, you absolutely need to start right now if you haven’t done so already.
Estate discovery is such a fundamental tenet of IT security, that it must be prioritised and actively managed if you ever hope to properly secure your networks. After all, an attack surface typically only ever expands.
To find out more about Secarma’s Estate Discovery service and how it can help your organisation please contact us.