This is the second in a three-part blog series by Enterprise Management Associates for Axonius discussing how vulnerability management can be expanded and simplified by using a cybersecurity asset management solution. In Part 1, we looked at how cybersecurity asset management can simplify vulnerability management. Part 2 of the series focuses on how a cybersecurity asset management solution improves an organization’s vulnerability management program.
__________Cybersecurity asset management tools don’t simply produce a catalog of assets. Instead, as the name suggests, they provide the detail and context around assets, thereby allowing for enterprises to manage assets, not just account for assets. These solutions produce an asset inventory that includes important details about the assets, including their security state, configurations, and how they map to associated assets in the enterprise’s technology landscape.
A comprehensive cybersecurity asset management tool will generate data around users, devices, and systems (e.g., cloud and containers) used by the organization. It will look at the totality of assets seen in the environment, when they were seen, who/which devices accessed them, any software associated with devices or systems, hardware/software versions and patch levels, known vulnerabilities associated with software/hardware, network interfaces, and more.
Further, today’s advanced cybersecurity asset management tools give enterprise teams the ability to associate and enforce a company’s IT, audit, and security policies, as well as industry best practices and regulatory compliance.
Only this level of detail will affect vulnerability management — and therefore enterprise risk management— in a meaningful way.
4 Key Use Cases
As it relates to improving vulnerability management, there are numerous benefits of leveraging a cybersecurity asset management tool. Four main use cases are presented:
- With the asset data and associated vulnerability information it produces, a cybersecurity asset management tool allows enterprises to effectively prioritize patching based on criticality of assets and the vulnerabilities associated with them. These tools surface patching requirements and give security and tech teams the information they need to better manage patching programs. For instance, there are plenty of assets that can be relegated to a regular patching cycle and would not need special attention or manual intervention due to a perceived or enhanced threat or zero-day vulnerability. On the contrary, when a critical patch for a critical system is surfaced, a cybersecurity asset management tool provides the mechanism to initiate the process.
- A properly configured cybersecurity asset management solution will identify assets that have never been properly assessed for vulnerabilities, yet should be included as part of a vulnerability management program. For example, users can run queries to find unscanned assets, then tag them to be automatically scanned. Scans may also be expanded to include extended IP address ranges or specified device types, thereby ensuring regular assessments of these assets and reducing the risk of vulnerabilities.
- A cybersecurity asset management solution will include vulnerability information from vendors or third-party sources, such as the National Vulnerability Database, Common Vulnerability Scoring System, and Shodan. This data is correlated to enterprise assets and allows users to quickly and easily pinpoint which assets need remediation. Cybersecurity asset management users could then run a query for known vulnerabilities against specified devices, installed software, or OSs. The resulting list of vulnerable devices could then be prioritized for patching or remediation or, where possible, additional controls could be applied directly within the cybersecurity asset management tool’s enforcement or action center.
- A cybersecurity asset management solution will also give the enterprise visibility into often overlooked but critical assets: cloud-based applications and workloads used in DevOps. While there are numerous examples of application management and security solutions, often these assessments are not conducted at the production level. Infrastructure differences between development, testing, and production or configuration differences between environments can lead to security issues and unintended vulnerabilities in the live system.
Risk Assessment in the Era of Cloud
In this era of rapid cloud adoption and workload migration, an asset inventory and/or risk assessment is often overlooked as part of the enterprise cloud migration project. While there’s sometimes an initial assessment, it’s usually incomplete, and more assets and helper applications are excluded as part of this assessment. A cybersecurity asset management solution will identify all of the joined workloads and applications required to make a more accurate and comprehensive risk assessment of migrated workloads.
In an on-premises installation, many business-critical workloads reside on isolated network segments. When migrating those workloads to the cloud, often the connections and other assets necessary for the workload to function properly are overlooked or misconfigured, opening them to severe system/application vulnerabilities, whereas the network segment isolation mitigated the vulnerability as a compensating control.
Once assets have been discovered, cataloged, and assessed, cybersecurity asset management solutions can be used to automatically and continuously monitor and assess changes in asset configurations, and additional assets can be added to the various enterprise environments.
Applications are especially susceptible to being lost in asset assessment since the very nature of the application requires it to be updated and revised. Often, these applications may be initially reviewed (or never reviewed at all), but are not reviewed when revised. A cybersecurity asset management solution can set automated policies for application assets, constantly reviewing against a set of security standards, and enforce updates or changes when the application does not comply.