Cyber security asset management (CSAM) is a methodology for protecting your company’s digital property. CSAM follows a philosophy of continuous and holistic protection, consisting of practices such as:
- Discovering assets
- Identifying vulnerabilities
- Minimizing “shadow IT”
CSAM helps cover gaps in other teams, such as infrastructure and DevOps, with the possibility of removing silos and centralizing information for general usage.
The benefits of properly implementing this methodology go far beyond reducing cost or ensuring efficiency. It ensures that businesses stay afloat, protecting data and end users. More importantly, it ensures that clients remain confident in the capabilities of the business to keep their information secure so that nothing is leaked, lost, or stolen.
Summary of key CSAM concepts
These key concepts will help you better understand cybersecurity asset management.
| Concept | Description |
|---|---|
| Asset discovery | Finding all cyber assets, services, containers, and serverless technologies (such as databases, storage, APIs, etc.) as well as any SaaS products. As long as these are accessible, online, or registered, it is possible to create a unified inventory for use inside the CSAM pipeline. |
| Management and handling | Having better visibility and control of the asset inventory means knowing what is running inside the infrastructure, in which segment, who owns it, and its purpose. |
| Patching and upgrades | Keeping up to date with patches and upgrades is a core necessity for every asset. However, a system to do this should be tested first in a purpose-built environment to prevent business continuity from being disrupted. |
| Shadow IT | This term refers to when employees add assets to the infrastructure, install software, add resources to current assets, or perform any other activity that is not controlled by the IT department. |
| Identification of services | During asset discovery, finding some running services on the host is possible. The information here includes versions, types of service, and potential vulnerabilities. |
| Vulnerability identification | Identifying, assessing, and correlating vulnerabilities can be accomplished through scanners that identify assets and services. |
| Obsolescence and disposal | When an asset has become obsolete, it becomes a priority for removal due to the number of vulnerabilities that can build up as time goes on. Disposal means removing the device and destroying all data on it to prevent the leakage of private information. |
Understanding cyber security asset management
Cybersecurity asset management consists of identifying, classifying, and managing the assets inside the business infrastructure. The core goal is to understand what assets exist inside the infrastructure, how they are used, their value, and how to better protect them.
Some of the core concepts of cybersecurity asset management are seemingly simple but can become more complex when there are many types of assets, services, providers, and budgets to consider. In some instances, limitations (e.g., budget or available resources) or blockers (like compliance requirements) may require additional considerations because they may not fall into the conventional methodology used with the rest of the assets.
When considering how to begin this process, it’s essential to evaluate whether tools are available for the functions discussed below. For example, Paladin Cloud is a cloud security platform that provides continuous compliance over your cloud assets to enhance an organization’s security posture. The platform provides a full asset inventory, while verifying security controls are providing intended protection. Prebuilt and custom security policies provide automated compliance checks to identify vulnerabilities and misconfigurations of cloud resources.
If new tools are required, there are different paths to take. Some tools are open source, which means there is no direct cost for deployment or installation, but there is still a labor cost associated with the configuration and operation of these tools that can add up over time. Another option is to buy something that provides support and has integrations with existing tools, ensuring that data is not thrown into silos where it serves no purpose other than storage.
Alternatively, integrations could be built to get the data and information from other platforms (such as databases, applications, etc.) into a single location, making it easier to handle and to meet compliance requirements.
The list below describes the core components of cybersecurity asset management, with key steps for each.
- Identifying all types of cyber assets running in multi/hybrid cloud environments.
- Identifying services and platforms used by the business.
- Identifying vulnerabilities and misconfigurations affecting items in inventory, such as cyber assets and cloud services.
- Creating an inventory of assets that is constantly updated. This should be done at different times throughout the day or week and during downtime periods to avoid clogging networks that have low bandwidth or creating excess resource consumption.
- Patching and updating assets.
- Detecting obsolete assets that can no longer be updated.
One additional item to consider is shadow IT, one of the most complicated subjects to handle in rapidly growing environments, where business requirements cannot be met due to time, resources, or processes. While it can represent a considerable attack surface, it is possible to considerably reduce the surface and prevent its growth through CSAM and the steps mentioned below.
Helping close the gap between IT and business requirements also brings ownership, management, and proper handling of all assets that belong to the business.
Seeing cyber security asset management (CSAM) in action
An example use case can help us visualize CSAM better.
Imagine a company, Vandelay Enterprises, that imports and exports art. It is seeing growth in its business, which requires more infrastructure and potentially new software to handle the volume.
There is a small IT team available that currently holds all known information about the infrastructure, assets, and software in different locations, making it difficult to coordinate requirements and changes.
There are some concerns that have been brought up by management regarding how some of the IT requirements are being handled within the remote offices:
- Some of the offices do not have an IT department or someone from IT to assist them. This, in turn, means that contractors have to be brought in constantly for some of the more technical work.
- In other instances, when the budget does not allow it, some of the members are doing IT work without informing anyone in the IT department.
- Users are bringing devices from home that they use for daily operations and are handling sensitive information, none of which are monitored.
To solve this issue, an initial discovery is performed with software dedicated to identifying assets inside a set group of subnets. This will begin populating a list of assets to create a unified inventory by location. This software allows for proper identification and assessment of all cyber assets, going deeper into the configurations, finding potential issues in IAM or unused/unassigned storage, unrecognized SaaS platforms, or APIs that may have easily exploitable vulnerabilities.
With this information on hand, it is possible to identify assets that are not authorized to be in the network and find new assets that may not have been previously inventoried. This may include software that has no licenses and critical vulnerabilities that have not been attended to.
A policy can be established for new assets and to prevent unidentified assets from obtaining an IP address on the network.
Additionally, suppose the IT department has established a new policy for updating all company assets. Updates are applied first in a test environment, then rolled out to a select group of employees; once it has been confirmed that no issues arise, the updates are pushed globally. Assets that have reached the end of their life or support are to be identified and evaluated, and a project is established to eventually remove them after a proper replacement is in place, consolidating into newer assets to save resources whenever possible.
The core of cybersecurity asset management is understanding what is inside your infrastructure, what it contains, who owns it, and what it needs.
While there are different routes to achieve this, the first task is to determine what type of environment the business is working with. Is it all remote and on the cloud, or is it implemented through platforms and services? Are there offices? If so, one or many? Or is there potentially a hybrid setup?
Whatever the situation, the important items remain the same: identifying the cyber assets (physical, virtual, or containers) and cloud assets such as compute, networking, and storage services. Anything that can be connected to your environment can reach or be reached through the Internet, so it must be identified and added during the discovery.
If assets are missed because they were unreachable at the time, offline, in a different network that was not scanned, or for other reasons, it is essential to keep scanning and discovering assets inside the company infrastructure. To better handle this, discovery should be performed in segments during times when workload on the assets does not interrupt business continuity. This should be agreed upon by all the involved parties before taking action.
The information obtained from the initial scans will be useful to identify the assets that are to be properly tagged and added to the inventory. This allows for further discovery to be performed, such as running services and software, potential vulnerabilities or missing patches or updates, required software per company policy, and the like.
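The reconciliation step described above can be sketched as follows. This is an added example, not code from the article or from any product it mentions; it assumes assets are keyed by MAC address, and the inventory records, scan passes, and the 30-day staleness threshold are all constructed for illustration.

```python
from datetime import date

# Constructed sample data: the approved inventory, keyed by MAC address.
INVENTORY = {
    "00:11:22:aa:bb:01": {"owner": "finance", "eol": date(2027, 1, 31)},
    "00:11:22:aa:bb:02": {"owner": "it-ops", "eol": date(2023, 6, 30)},
    "00:11:22:aa:bb:03": {"owner": "sales", "eol": date(2026, 12, 31)},
}

# Constructed discovery passes, one per network segment and scan window.
SCANS = [
    {"day": date(2024, 3, 1), "segment": "10.0.1.0/24",
     "hosts": ["00:11:22:aa:bb:01", "00:11:22:aa:bb:02"]},
    {"day": date(2024, 3, 8), "segment": "10.0.2.0/24",
     "hosts": ["00:11:22:aa:bb:01", "de:ad:be:ef:00:99"]},
]


def reconcile(inventory, scans, today, stale_after_days=30):
    """Merge segmented scan passes and classify every asset."""
    last_seen = {}  # mac -> (day, segment) of the most recent sighting
    for scan in sorted(scans, key=lambda s: s["day"]):
        for mac in scan["hosts"]:
            last_seen[mac] = (scan["day"], scan["segment"])

    report = {"unauthorized": [], "not_seen": [], "stale": [],
              "end_of_support": []}
    # On the network but not in the inventory: candidate shadow IT.
    for mac in sorted(last_seen):
        if mac not in inventory:
            report["unauthorized"].append((mac, last_seen[mac][1]))
    for mac, record in sorted(inventory.items()):
        if mac not in last_seen:
            # Possibly offline or in an unscanned segment: keep scanning,
            # do not drop the record.
            report["not_seen"].append(mac)
        elif (today - last_seen[mac][0]).days > stale_after_days:
            report["stale"].append(mac)
        if record["eol"] < today:
            report["end_of_support"].append(mac)
    return report


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, SCANS, date(2024, 3, 10)).items():
        print(category, items)
```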
Once this information is in place, tasks can be prioritized and automated, such as automatically updating a host or installing required software as soon as it is found to be missing from a host. This is a key component for compliance and other cybersecurity needs, with visibility on the network and an understanding of what next steps can be undertaken.
In addition to the challenge of reducing the attack surface for shadow IT, it is also important to address the issue of its existence in the first place. Shadow IT arises from a need perceived by employees, who take it upon themselves to create assets, install software, or implement changes that are not monitored, sanctioned, or known by the established IT department. Through constant discovery, it is feasible to catch and prevent further increases in the volume of shadow IT activity, and to bring that activity into the current pipeline and close the gap.
We mentioned previously that automation was possible for updating an OS, installing missing software, or patching vulnerabilities. While this is important, these actions have knock-on effects that may hinder operations, so it is critical to speak with the stakeholders of such devices or services to agree on whether, when, and how it will be done.
Additionally, automation reduces the number of hours needed per action. The resources saved through effective automation can be used for other items that may require immediate attention or may be critical to business continuity.
The scope of management also includes addressing the fact that missing, rogue, or unknown assets are now visible to you. This helps bring order to a network that may have outgrown IT capabilities and is now being handled by users who are part of shadow IT.
This helps with assessing and identifying other missing components inside the environment, such as containers, storage, compute assets, routing rules, permissions, or other components that may not be properly identified, may be unmanaged, or may be missing from current inventories.
More broadly, getting to understand the assets inside the environment helps put everything into perspective, including what may need to be prioritized for upgrading or disposal or what may need to have additional security measures implemented.
Comprehending cybersecurity asset management necessitates understanding the following key concepts:
- Discovery: Even when we have some understanding of our multi/hybrid cloud infrastructure, we must continue to identify anything on it and determine whether or not it is authorized.
- Management: All the tasks necessary to meet the requirements of the assets in our environment.
Implementing the concept of ongoing discovery and then adopting needed management practices enables you to start building up the maturity of your security posture. This will also help you achieve success on audits and meet compliance requirements.
As change occurs, there must be modifications to these processes and tools. They must be flexible enough to be adaptable to these changes. Always consider this if the business continues to grow rapidly because the last thing you want is for these tools to become a hindrance.
Monitoring multi-cloud environments to identify and visualize cyber assets and services as well as to ensure that all proper security controls have been implemented can easily be achieved through Paladin Cloud’s platform. The product is designed to extend your security posture by providing a full asset inventory of your cloud services while continuously monitoring your assets to identify potential vulnerabilities and misconfigurations.
During this process, it is also possible to understand if the proper business policies are being followed. You can also find rogue cyber assets that may have been created and left on without notice, are unused, or have improperly configured running services.