If You’re Not Doing Continuous Asset Management You’re Not Doing Security

attack surface

April 25, 2018

The more a company can tell me about their assets the better their security is, and the more comprehensive and real-time the inventory is, the more mature they are. This has been true for me over 15 years of consulting across hundreds of organizations.

Click here to listen to the audio version of this essay.

But just try—either as an internal employee or as a consultant—to get a dedicated resource hired to create an asset management system and keep it updated. Most companies will look at you like you asked for the walls to be repainted in invisible paint. The look on their faces will basically say:

Look, I don’t know where you came from, but around here we don’t have money to throw at silly administrative tasks.

That’s what that look means, and it’s ridiculous given what we do spend money on.

Companies pay hundreds of thousands a year to keep snacks in the break rooms. They pay to send people to training and conferences that usually have very few tangible benefits. And we dump millions into marketing campaigns that we can’t tie to sales results.

But pay 100K a year to have a list of what we’re actually defending? Nope. Too expensive. Wasteful, really.

Asset management is arguably the most important component of a security program, but I know of virtually zero companies that have a single person dedicated to it.

People keep asking the wrong questions about breaches. Stop asking if they were compliant with Alphabet123 regulation. Or BSIMM. Or whether their security team had CISSPs. It’s irrelevant.

Instead, let’s start asking which of these companies had a list of assets that was more than 60% comprehensive and had been updated within 30 days. My guess would be that over 99% of companies who’ve suffered a major incident or breach in the last five years did not have such a list of their systems, their data, and their vendors.

I’d love to hear from anyone in the industry who thinks otherwise.

For most companies, the single best thing they could do for their security program is to hire a dedicated person to maintain a near-realtime list of company assets.

And while we’re poking bears, let’s ask another question: what value is being compliant with an information security regulation if you can pass while having zero idea whatsoever where your data is and what systems you have? How is that even possible?

It’s like an auto manufacturer passing a crash safety test without providing a car.

Forget everything you know about information security. Dump it in the toilet. All the regulations. All the scanning tools. All the vulnerability management. All the auditing. Let’s call those the nice-to-haves.

The measure of a security team is what they say when you ask them:

  1. What’s currently facing the internet?

  2. How many total systems do you have?

  3. Where is your data?

  4. How many vendors do you have?

  5. Which vendors have what kind of your data?

If they look at you like you just claimed to be a poached egg, they are not doing real security. If they don’t know what they’re defending they’re little more than an expensive and broken machine that burns the business’s money.

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

This doesn’t mean they don’t know security, or that they don’t have a solid security team. It’s a trap many great teams fall into.

They’re the teacher who doesn’t have a student count on a dangerous field trip, the deployed commander who lost his units, and the parent who has no idea what their kids are doing.

They are—in a word—lost. And failure is imminent.

I’m not claiming that this is easy, or that I’ve always done it perfectly in the past. I’m as guilty as anyone of not taking this seriously enough.

If we want to make a real difference in security, let’s get the entire industry to use a single metric: the accuracy and freshness of the Asset & Data Inventory. And perhaps we use something like this.

  • A: 90% accuracy, or 1 week old

  • B: 80% accuracy, or 1 month old

  • C: 70% accuracy, or 2 months old

  • D: 60% accuracy, or 3 months old

  • F: 50% (or less) accuracy, or 1 year old

Now put in every security leader’s deck that the goal is to get to 95% accuracy with daily/weekly updates within 6 months. And the cost is simply hiring 1-3 people who are dedicated to this task.

That would reduce breaches, and it would cost infinitely less than the dumpster fire of products we constantly purchase and deploy for millions of dollars a year.

If you’re not willing to pay one or more people to do asset management full-time, you’re not going to fail—you have failed already.

If you agree with this, and have been witness to this open wound for years as I have, please do your absolute best to spread this metric to as many people who will listen.

It is one of the few brightly illuminated paths to getting us out of this mess.

Hire ? Full-time ? Dedicated Resources ? For Asset Management.

Notes

  1. Of course I’m not really advocating the pausing of other important controls or efforts. But I am saying that this should become the priority for new efforts, and that you likely could pay for it with money being spent ineffectively elsewhere.

  2. If anyone’s interested, I’m looking for data on companies that have been breached and whether or not they were doing asset management. Probably pretty hard to find, but I’m going to try.

  3. I’m struck by the similarity between this challenge and something Jeremiah Grossman said to me recently. He wanted to know if most AppSec companies were fighting to find the one last bug, when everyone already agreed on the other 1,000 or whatever. I think it’s the same with Asset Management and Shadow IT; the latter is definitely a problem, and we wish it didn’t exist, but we’d be in amazing shape if we just handled risk for things that were easily knowable.