As a security manager you can only protect systems that you know about. Asset Management is the art and science of keeping track of all the devices connected to your network so that you can protect them.
You can’t protect what you don’t track
One of the developments in cybersecurity thinking in recent years has been the realisation that Operational Technology (OT) is just as important as Information Technology (IT).
Operational Technology refers to industrial control systems, intelligent devices and other systems that deliver automated industrial operations – with a focus on the physical processes and devices. Think manufacturing systems in a cake factory or centrifuges processing radioactive ore in a nuclear facility. OT systems are often networked in order to provide remote monitoring and real-time management.
Information Technology refers to computer systems that process information – the desktops, servers and mobile devices we all use every day to write emails and balance budget spreadsheets.
From a cybersecurity perspective, OT systems are just as vital as IT systems but are perhaps a little later to the party for mainstream organisations. Since the Stuxnet malware was used to target the OT systems which ran part of Iran’s nuclear programme, CISOs and security managers have started to worry about the myriad of industrial control systems across their business which were previously ignored by the IT and security teams. Even for pure knowledge-based businesses that do not have factories, the OT systems which control lifts and air conditioning systems could be vulnerable to attack, resulting in significant disruption and physical damage to offices and equipment.
What is Cybersecurity Asset Management?
Cybersecurity Asset Management (CAM) provides the processes and policies that manage the life of your enterprise’s assets, both IT and OT, from creation / procurement through to disposal – keeping them secure all the time to prevent their compromise by threat actors.
An effective cybersecurity asset management program ensures that:
- Assets are created or procured in a managed way, following an agreed process
- Rogue assets are quickly spotted and brought under management for their own protection
- All assets remain secure throughout their operational life
- End of life assets are decommissioned safely to ensure no data leaks out of the organisation
The scope of the CAM program should include physical and virtual systems as well as cloud-based assets such as S3 buckets and serverless databases. “Asset” is often used as a synonym for a server or network device, but it can also refer to datasets on those devices.
How to Implement Cybersecurity Asset Management
An effective cybersecurity asset management program will need to include the following steps:
Get to know your estate
Asset management is a bit like being a shepherd – the first step is to count the number of sheep in your flock. Only then will you be able to tell if one goes missing or if an interloper sneaks into the sheepfold. So the first step to establish a CAM program is to inventory your network in order to identify every device connected to it. Usually this makes use of some form of scanning tool, but physical inspection may also be required (for example, if some devices have been security hardened and do not respond to network scans).
Once the initial asset inventory has been compiled, it is vital that it is regularly maintained, both to track authorised changes (via your Change Management process) and to identify rogue or unexpected assets that appear on the network. For cloud environments, obtaining access to the master subscriptions that your organisation maintains with the cloud hosting companies can be a simple and effective way to check for new asset creation – as they will show up on the invoice.
Find the owners
For every asset identified in your inventory, locate the owner of that system and identify who is responsible for vulnerability management and maintenance of the asset. This will both ensure vulnerabilities are being addressed and ensure maintenance can be scheduled with the owner’s permission.
With input from the owners, assets can then be categorised or ranked to identify their importance to the organisation. Knowing the criticality of the asset allows you to prioritise resources and schedule vulnerability remediation to protect the most valuable assets first.
Maintain your asset register
Having created your asset list, it is important to keep it up to date as it is needed by other important processes. For example, if you use vulnerability scans to help ensure all your systems are patched and up to date, you also need to be confident that your scans are including every system on the network and not missing some out by accident. So effective vulnerability scanning requires an up-to-date asset list of systems to scan.
The two key tools for keeping the asset register up to date are running regular discovery scans (using Nmap or a similar tool) to spot devices joining or leaving the network, and linking into your Change Management process in order to spot the commissioning and decommissioning of systems.
Actively maintaining your asset register not only makes it much easier to spot shadow IT systems created by your business, but also lets you promptly spot the arrival of malicious devices on your network so they can be isolated and removed.
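As an added illustration (not part of the original article), the sketch below reconciles a discovery scan against the asset register to surface rogue devices, decommissioned systems that are still live, registered assets that did not respond, and assets with no owner. The scan lines, the register columns and all names and addresses are constructed for this example.

```python
import csv
import io
import ipaddress
import re

# Constructed sample: grepable output of a host-discovery scan (nmap -sn -oG -).
SCAN_OUTPUT = """\
# Nmap scan initiated as: nmap -sn -oG - 10.0.0.0/24
Host: 10.0.0.5 (fileserver.example.internal)\tStatus: Up
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.20 (hvac-ctl.example.internal)\tStatus: Up
Host: 10.0.0.77 ()\tStatus: Up
# Nmap done: 256 IP addresses (4 hosts up)
"""

# Constructed sample register; the column names are assumptions for this example.
REGISTER_CSV = """\
ip,name,owner,criticality,status
10.0.0.5,fileserver,it-ops,high,active
10.0.0.9,old-print-server,it-ops,low,decommissioned
10.0.0.20,hvac-controller,,medium,active
10.0.0.30,badge-reader,facilities,high,active
"""

HOST_UP = re.compile(r"^Host: (\S+) \([^)]*\)\s+Status: Up")

def hosts_up(scan_text):
    """Return the set of IP addresses the scan reported as up."""
    return {m.group(1) for line in scan_text.splitlines()
            if (m := HOST_UP.match(line))}

def reconcile(scan_text, register_csv):
    """Compare live hosts with the register and list what needs follow-up."""
    seen = hosts_up(scan_text)
    register = {r["ip"]: r for r in csv.DictReader(io.StringIO(register_csv))}
    active = {ip for ip, r in register.items() if r["status"] == "active"}
    retired = set(register) - active
    order = lambda ips: sorted(ips, key=ipaddress.ip_address)
    return {
        "rogue": order(seen - set(register)),              # live, never registered
        "decommissioned_but_live": order(seen & retired),  # should be gone
        "missing": order(active - seen),                   # registered, not seen
        "unowned": order(ip for ip in active if not register[ip]["owner"].strip()),
    }

if __name__ == "__main__":
    for finding, ips in reconcile(SCAN_OUTPUT, REGISTER_CSV).items():
        print(f"{finding}: {', '.join(ips) or 'none'}")
```

An entry under "missing" is not necessarily gone: a hardened device may simply not respond to the scan, which is the case where physical inspection is needed.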
Safe and Effective Disposal
When an asset reaches its end-of-life, it must be decommissioned and disposed of safely in order to ensure no residual data remains on the asset and leaks out of the organisation.
Keeping assets around that have served their purpose or reached their end of life can create a vector of attack or vulnerability if they no longer receive vendor support or are no longer regularly used, which reduces the likelihood of someone spotting abnormal behaviour.
Assets need to be cleansed before they leave your organisation – having their data and configuration wiped so as not to leak any information that could be useful to a threat actor. If it is not possible to wipe the device, then physical destruction may be the only secure means of disposal.
Security Managers know that you cannot secure what you cannot see, and a Cybersecurity Asset Management program is the way you can bring visibility to all the assets under your protection and monitor them through their entire operational life.