The National Cyber Security Centre’s (NCSC) recent guidance on Cyber Asset Management
Craig Roberts – CTO, EMEA, Noetic
Cyber Asset Management is a cornerstone of any organization’s cybersecurity strategy. Without knowing what you have, and its current security state, it is a real challenge for security teams to establish appropriate security controls and to be confident that they understand what they are trying to defend.
Good cyber asset management is a key cybersecurity goal, but the reality is that it is difficult for many reasons:
- Ownership – Traditionally, IT Asset Management (ITAM) has been the domain of the IT organization, but the information they collect and maintain is not optimized for cybersecurity use cases.
- Technology innovation and adoption – The way we buy and deploy technology has changed. With the growth of cloud services and SaaS applications, traditional IT procurement processes can be bypassed, leading to the growth of ‘Shadow IT’ outside of regular security controls.
- Complex digital infrastructure – Many IT management and security tools each have a partial view of assets, but only from their own perspective. This information is siloed, and historically any holistic insight has had to come from manually maintained monthly spreadsheets.
We can see a good example of the cyber asset management challenge from the recently published Committee on Homeland Security report ‘Federal Cybersecurity, America’s Data Still at Risk.’ This report, published in August, found that seven of the eight key agencies had ‘failed to maintain accurate and comprehensive technology asset inventories.’ The US Department of Transport had no record of over 14,000 of its IT assets.
Earlier in the summer, the UK’s National Cyber Security Centre (NCSC) published new guidance on what good asset management looks like from a cybersecurity perspective. This guidance is intended for organizations of all sizes and although it is primarily written for UK companies, its guidance is applicable to a wider audience.
As the NCSC notes in its introduction, “It’s far easier to protect things you know about.” Cyber asset management gives you the necessary building blocks for a successful cybersecurity program, and the NCSC guidance is an important addition to the information available. In this post I will focus on a few of the areas it covers.
What is an asset?
The NCSC defines an asset as ‘anything that can be used to produce value for your organization.’ It goes on to sub-divide these into two categories:
- Assets that must be configured to achieve security outcomes
- Assets that may be impacted as the result of a cyber incident
What is important here is not to think of an asset as simply a laptop, workstation, or server. We often see the word ‘entity’ used instead of ‘asset’ because it conveys this broader sense. As the NCSC guidance describes, an asset can be a machine, but it can also be a network, a virtual machine, a container, a mobile device, a code repository, or a person. It is important to have a wide definition of what an asset is, along with the relationships between assets, to ensure that you are getting the visibility you need.
Why is Cyber Asset Management critical to your security program?
As the NCSC covers in more detail, Cyber Asset Management provides ‘authoritative and accurate information about your assets that enable both day-to-day operations and efficient decision making when you need them most.’
Common cybersecurity use cases that rely on this certainty include:
- Risk Management. Managing risk requires an accurate understanding of what is out there. Lack of visibility into assets means that controls could be missing and there is not a clear view of security and risk posture.
- Vulnerability and Patch Management. A very common use case that we see with our customers. Vulnerability scanners are good at providing information on known vulnerabilities, but they do not give you the context and prioritization that cyber asset management can provide.
- Incident Response. Understanding the criticality of an asset, and the potential ‘blast radius’ that it could create if compromised, helps the IR team with the triage and response process.
The NCSC guidance provides many more use cases, including security monitoring, identity and access management, as well as non-cybersecurity use cases.
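To make the siloed-view problem and the risk-management use case concrete, here is an added Python example (not code from this post or from Noetic’s product) that merges constructed exports from a CMDB, an EDR agent, a vulnerability scanner and a cloud inventory, then reports assets missing a required control and assets unknown to the authoritative record. The tool names and hostnames are assumptions made up for the illustration.

```python
"""Reconcile the partial asset views held by separate tools into one inventory.
Example added to this post; the tool exports below are constructed, not real."""

# Constructed exports: each tool lists only the assets it manages, and the
# tools even name the same machine differently (case, FQDN vs short name).
SOURCES = {
    "cmdb":         {"web-01", "db-01", "jump-01", "laptop-17"},
    "edr":          {"WEB-01.corp.example", "jump-01", "laptop-17", "laptop-42"},
    "vuln_scanner": {"web-01.corp.example", "db-01.corp.example", "web-02"},
    "cloud":        {"web-01", "web-02", "db-01"},
}

def normalize(name):
    """Collapse naming differences so records from different tools match."""
    return name.strip().lower().split(".")[0]

def unified_inventory(sources):
    """Merge per-tool views into {asset: set of sources that know it}."""
    inventory = {}
    for source, assets in sources.items():
        for asset in assets:
            inventory.setdefault(normalize(asset), set()).add(source)
    return inventory

def control_gaps(inventory, required=("edr", "vuln_scanner")):
    """Assets that exist somewhere but are missing a required control."""
    gaps = {}
    for asset, seen in inventory.items():
        missing = sorted(set(required) - seen)
        if missing:
            gaps[asset] = missing
    return gaps

def shadow_it(inventory, authoritative="cmdb"):
    """Assets some tool has seen that the authoritative record does not list."""
    return sorted(a for a, seen in inventory.items() if authoritative not in seen)

if __name__ == "__main__":
    inv = unified_inventory(SOURCES)
    for asset, missing in sorted(control_gaps(inv).items()):
        print(f"{asset}: missing {', '.join(missing)}")
    print("not in CMDB:", shadow_it(inv))
```

The same join is the starting point for the vulnerability and incident-response use cases: once every source is keyed to one normalized asset record, scanner findings and EDR alerts can be enriched with ownership and criticality from the CMDB.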
In my second blog on the NCSC guidance, I will look at what should be prioritized in a pragmatic cyber asset management program, as well as the potential data sources that could feed into it.
In the meantime, if you are interested in finding out more about how Noetic helps security teams build out and manage their cyber asset inventory, you should check out this recent blog from our Chief Product Officer, Allen Rogers.