A less talked about facet of a CISO’s job is making tough calls and sometimes the toughest call that you can make is admitting that you have a problem – you don’t have an accurate count of your IT assets. At Balbix, we talk to dozens of CISOs every week and we invariably hear a variation of this comment:
- We don’t know how many assets we have
- I think we are only seeing about 70% of our asset inventory
- We have somewhere between 3K to 30K assets
This is an unfortunate reality for a lot of organizations with mature security programs. It also explains why, although organizations are often hacked because a machine wasn’t patched, many times the security team DID properly patch its other systems, just NOT the one that was hacked. It follows that the exploited system would have been patched if the team had known it existed.
4 reasons you’re not aware of IT assets:
1. Technology Sprawl
Blind spots appear progressively over time as an organization grows, matures, and adopts new technologies, adds new people, makes acquisitions, and embraces new processes. Cloud computing, mobility, IoT and other aspects of digital transformation have been a major contributing factor in recent years.
2. Whose job is it, anyway?
Enterprise security teams don’t often control all assets, which makes the task of understanding your assets and gathering insights about them even more difficult.
3. Legacy point products
Traditional inventory tools typically only track managed assets. Non-traditional assets like IoT are either left undiscovered or partially tracked by a motley collection of specialized tools, one for each asset category.
4. Not a human-scale problem
We know that the best human experts can put together an accurate picture of the type and category of a device on your network by manually looking at a broad variety of data sources. But with a medium or large enterprise having thousands or tens of thousands of assets, keeping track of everything requires not just automation, but the use of AI to automatically identify, categorize, and determine the business criticality of each asset.
So what?
Not having visibility into your asset inventory is a HUGE challenge with many repercussions. If you don’t even know that a particular asset or set of assets exists, how can you monitor them for security vulnerabilities? This is especially true for intermittently attached assets, which are only seen while connected to the corporate network and so carry the risk that critical vulnerabilities, policy violations, or malware infections are detected too late.
Without a comprehensive inventory, you cannot answer questions like:
- What type of devices are on the network?
- Where does the sensitive data reside?
- Who has access to the sensitive data?
- How many devices are utilizing a particular current security control?
- What is the OS and distribution of devices on the network?
- What is the number and type of approved applications on workstations?
- Number and type of assets that are up to date on OS patches?
- Number of assets up to date on application patches?
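The blind spot behind comments like “we are only seeing about 70% of our asset inventory” can be measured by reconciling the managed inventory against what the network actually observed. The Python below is an added example, not Balbix code: the CMDB export, the DHCP lease log, the 50% presence threshold and all sample values are constructed assumptions, and keying on MAC address assumes devices do not randomize it.

```python
import re
from collections import defaultdict

def norm_mac(raw):
    """Canonicalise a MAC address; sources disagree on case and separators."""
    digits = re.sub(r"[^0-9a-f]", "", raw.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

# Constructed sample data. Both sources and all values are assumptions.
CMDB = {  # managed inventory: MAC -> hostname
    "AA-BB-CC-00-00-01": "ws-001",
    "AA-BB-CC-00-00-02": "laptop-002",
    "AA-BB-CC-00-00-03": "srv-old",      # recorded, but never on the wire
}
DHCP_LOG = (  # (day of a 5-day window, MAC as the DHCP server logged it)
    [(d, "aa:bb:cc:00:00:01") for d in range(1, 6)]
    + [(d, "aa:bb:cc:00:00:02") for d in (2, 5)]       # travelling laptop
    + [(d, "aabb.cc00.0010") for d in range(1, 6)]     # always-on, unmanaged
    + [(3, "AA:BB:CC:00:00:11")]                       # unmanaged, seen once
)

def reconcile(cmdb, dhcp_log, window_days, intermittent_below=0.5):
    """Compare what the inventory lists with what the network actually saw."""
    managed = {norm_mac(m) for m in cmdb}
    days_seen = defaultdict(set)
    for day, mac in dhcp_log:
        days_seen[norm_mac(mac)].add(day)
    observed = set(days_seen)
    total = managed | observed
    return {
        # share of all known-or-observed assets that the inventory tracks
        "coverage": len(managed) / len(total) if total else 1.0,
        "unmanaged": sorted(observed - managed),    # on the network, not tracked
        "never_seen": sorted(managed - observed),   # tracked, never observed
        # present on fewer than intermittent_below of the days in the window
        "intermittent": sorted(m for m, days in days_seen.items()
                               if len(days) / window_days < intermittent_below),
    }

if __name__ == "__main__":
    for key, value in reconcile(CMDB, DHCP_LOG, window_days=5).items():
        print(f"{key}: {value}")
```

The intermittent list is the one to feed into scan scheduling: those devices are only reachable on the days they appear, so a weekly scan can miss them entirely.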
Okay, what next?
Now that we have established that an outdated inventory is not particularly useful and applying manual effort to keep inventory updated is time and resource intensive, what are some of the capabilities you need to remedy that? Here are 4 quick tips:
#1. Enterprise security teams don’t often control all assets, which makes the task of understanding all your inventory and gathering insights into assets even more challenging. In order to control your environment, you need to stay current with a continuously up to date inventory.
#2. Your IT environment today has a multitude of IT assets of different types deployed on-premises or in cloud environments. Traditional tools typically only discover corporate owned and managed assets, while unmanaged assets like BYOs, IoT, third party etc. are left undiscovered. Look for a tool that eliminates blind spots with broad asset coverage and categorization.
#3. It is not enough just to see and inventory all the assets that are plugged into your environment. You also need to understand their value to your business and accurately assess their breach risk, so that you achieve visibility into your comprehensive breach risk.
#4. If you needed to quickly list all your enterprise assets susceptible to WannaCry, how long would it take your team to do it? To answer that kind of question in time, you need a tool that increases team efficiency by finding information and answers quickly.
Making the inaccurate, accurate with Balbix
Balbix allows enterprises to rapidly see existing and newly added assets in your inventory through automatic discovery and continuous updates, in real time. The Balbix platform:
- Automatically discovers, analyzes, and categorizes your inventory: all your devices and applications (managed and unmanaged), IoTs, infrastructure, on-prem and in the cloud, fixed and mobile, and their relationship with users
- Provides comprehensive monitoring across 100+ attack vectors such as unpatched software, phishing, use of weak, stolen, missing passwords, lack of encryption, misconfigurations etc.
- Prioritizes actions that you need to take to reduce your risk by calculating true business risk for each asset using a 5-dimensional risk assessment model that considers business criticality, vulnerabilities, active threats, exposure due to usage and existing compensating controls
- Offers natural language search that allows you to craft complex queries combining multiple asset criteria. Automated and searchable inventory data makes it easy to find and manage all IT assets and removes the need for manual tracking. Accurate categorization coupled with the powerful natural language search makes the information you’re looking for easy to find.
As a progressive, modern CISO, you’re making tough calls every day. Here is a call that would not be tough. Take action to get visibility into your asset inventory. Contact Balbix and let us show you what you are not seeing.