The NCSC guidance on cybersecurity asset management, part 2
Craig Roberts, CTO, EMEA
In my first blog reviewing the NCSC’s recent guidance on asset management for cybersecurity, I looked at some of the main drivers for the adoption of a cyber asset management program, and the most common use cases. In this second one, we will look at what considerations you should include when building out your asset management program, and key data sources that can help provide cyber insights to find security coverage gaps.
Everyone’s environment is different, so these are intended as general guidelines rather than technology-specific approaches. In future blogs we will look at how to optimize cyber asset management for specific use cases and security tools.
What to include in your approach to Cybersecurity Asset Management?
The NCSC provides a good list of the elements you need to consider when building an asset management system.
Key elements to include are:
- Asset Discovery – Ideally needs to be automated and continuous, to ensure new assets are added and out-of-date information is updated, aged out or removed.
- Accuracy & Completeness – Similar to the earlier point, the accuracy and completeness of the system will depend on the quality and variety of perspectives of where your asset data is sourced from. After a decade in cybersecurity operations, I am still yet to meet a client who has a single perfect source to find out what a device or asset is; it is always built from a manual federated view. This should be automated as much as possible to democratize the enterprise’s data.
- Comprehensive Visibility – You need to ensure that everything is in scope: cloud services, IoT, containers and legacy infrastructure. By building a map of all assets, software, vulnerabilities, processes, people, and controls, it will be much easier to find potential security gaps.
- Automation – The velocity of digital change in modern businesses requires automation to keep on top of the daily or hourly changes to security posture. Automation can also aid in the remediation of non-compliant assets by returning them to a pragmatically secure state.
What data sources can add value?
The NCSC says that ‘A combination of active and passive data sources should be considered, to ensure comprehensive visibility across your environment.’
Active sources could include host-based agents or network scanning tools, which can supply detailed information but are less likely to detect new assets.
Passive data sources might include network sources like DNS and DHCP logs.
Good quality data sources for building a comprehensive cyber asset inventory could include endpoint security and device management tools, vulnerability scanners, identity and access management (IAM) systems, cloud platforms and more. Modern API aggregation techniques and wider use of industry standards such as the OpenAPI specification also help us access information from different systems.
Other potential data sources suggested by the NCSC include procurement records – which could be particularly effective at finding traditional hardware assets, as SaaS applications and cloud services can often bypass traditional procurement processes.
Also, for many customers, we have found it necessary to have a manual entry process for specific datasets where no API-level integration is possible. This can be as simple as taking a spreadsheet; whilst not ideal, it is yet another perspective in our quest.
You may find that you have a primary set of data sources that are good at finding new assets, and then a secondary set which can provide additional enrichment into their security posture. This is also where automation is incredibly valuable in searching these secondary sources for relevant vulnerability, threat, and ownership information to supply a more detailed picture of your potential attack surface.
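The following Python example is added here for illustration and is not taken from the NCSC guidance or from Noetic's platform. It federates a passive source (DHCP leases) and an active one (endpoint agents) into one record per MAC address, ages out stale sightings, enriches from a vulnerability scan, and lists assets that no endpoint agent has reported; the record fields, sample data and 30-day age limit are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are assumptions, not a vendor schema.
DHCP = [  # passive: sees any device that requests a lease
    {"mac": "AA:BB:CC:00:00:01", "hostname": "lap-001", "seen": "2024-05-01T09:00:00"},
    {"mac": "AA:BB:CC:00:00:02", "hostname": "cam-lobby", "seen": "2024-05-01T08:30:00"},
    {"mac": "AA:BB:CC:00:00:03", "hostname": "old-printer", "seen": "2024-01-10T12:00:00"},
]
EDR = [  # active: detailed, but only covers hosts that run the agent
    {"mac": "aa-bb-cc-00-00-01", "hostname": "LAP-001", "os": "Windows 11",
     "seen": "2024-05-01T09:05:00"},
]
VULN = [  # secondary: used for enrichment only in this example
    {"mac": "aabb.cc00.0002", "critical_vulns": 3, "seen": "2024-04-30T22:00:00"},
    {"mac": "AA:BB:CC:00:00:99", "critical_vulns": 1, "seen": "2024-04-30T22:00:00"},
]


def norm_mac(mac):
    """Reduce the common MAC notations to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def build_inventory(primary, secondary, now, max_age=timedelta(days=30)):
    """Federate primary sources into one record per MAC, then enrich."""
    inv = {}
    for name, records in primary.items():
        for rec in records:
            seen = datetime.fromisoformat(rec["seen"])
            if now - seen > max_age:
                continue  # aged out: stale sightings do not create assets
            asset = inv.setdefault(norm_mac(rec["mac"]), {"sources": set(), "last_seen": seen})
            asset["sources"].add(name)
            asset["last_seen"] = max(asset["last_seen"], seen)
            for k, v in rec.items():
                if k not in ("mac", "seen"):
                    asset.setdefault(k, v)  # first source to report a field wins
    for name, records in secondary.items():
        for rec in records:
            asset = inv.get(norm_mac(rec["mac"]))
            if asset is not None:  # enrich known assets only
                asset["sources"].add(name)
                asset.update({k: v for k, v in rec.items() if k not in ("mac", "seen")})
    return inv


def coverage_gaps(inv, required):
    """Assets known to the inventory that a required control never reported."""
    return sorted(mac for mac, a in inv.items() if required not in a["sources"])
```

Calling `build_inventory({"dhcp": DHCP, "edr": EDR}, {"vuln": VULN}, now)` and then `coverage_gaps(inv, "edr")` on the sample data flags the lobby camera, which the DHCP log saw but the endpoint tool never did.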
How can Noetic help?
At Noetic, we are building a continuous cyber asset management and controls platform to help security teams to understand and inventory all managed and unmanaged assets in their organizations. We provide out-of-the-box connectors to a wide range of security and IT management tools to meet common use cases, such as endpoint security coverage gaps, cloud and container configuration, and prioritizing vulnerability and patch management.
If you’re interested in finding out how the Noetic platform can help you to run an effective cyber asset management program, I’d encourage you to reach out to us to schedule a demo here.