MeriTalk recently spoke with Bobby McLernon, Vice President of Federal Sales, Axonius, on the importance of cybersecurity asset management, current asset visibility challenges, and lessons learned from public-private sector collaboration.
MeriTalk: What does cybersecurity asset management involve?
McLernon: To address security issues, Federal agencies must identify gaps, and to do that they need a comprehensive and reliable inventory of assets. Therefore, cybersecurity asset management involves obtaining and continually updating an accurate inventory of all IT assets, discovering security gaps related to the asset’s presence or configuration, and enforcing security requirements to rapidly address the identified gaps.
MeriTalk: What are some potential repercussions of poor asset management?
McLernon: There are two categories of repercussions: increased risk and increased operational burden.
Poor asset management threatens the entire agency – insufficient practices increase the risk of stolen sensitive data and disruption of business operations. Cyber-attacks often occur through overlooked assets. With proper asset management, these risks can be efficiently and consistently mitigated.
In terms of operational burden, Federal agencies must produce inventories related to asset management due to legislative and compliance requirements, but they’re currently struggling to find an accurate and automated method to do so. Thus, poor asset management can lead to wasted effort, dollars, and time, while producing an inaccurate inventory.
MeriTalk: Why don’t some agencies have asset management solutions in place already?
McLernon: When it comes to cybersecurity, we’re often attracted to exciting-sounding disciplines and technologies such as threat hunting, red-teaming, or machine learning for anomaly detection. It’s difficult for agencies to take a step back and build the foundation for their security programs, even though asset management solutions will strengthen efforts for spotting intrusions and fighting malware.
Another challenge is the lack of effective tooling. Asset management was not a recognized vertical in the IT world until just a couple years ago. Keeping track of IT resources is often a manual, error-prone process that consumes much time and yields few benefits. For asset management to deliver its full potential, it needs to be automated and easy to implement within a reasonable budget. As the IT world has expanded with operational technology and the Internet of Things (IoT), the need has really come to the table for agencies to prioritize ramping their IT infrastructure and tools.
MeriTalk: Why should agencies prioritize asset management now?
McLernon: The onset of COVID-19 has highlighted the need to solve some of the most fundamental challenges that relate to cybersecurity: understanding what assets are in our environments, where the gaps exist, and how to quickly address those gaps. With the rapid shift to telework, a lot of people aren’t able to access their key assets because many assets had to stay on-premise. These employees need to procure assets on their own, but they also need the appropriate software to work in a remote environment – they may not have the proper security on those assets or they may be missing the ability to engage in specific or classified networks.
It’s more important than ever for the government to arm their people with the assets they need, to enable the Federal workforce. The key word is “management”; agencies need to be able to manage their assets, even in a remote setting. This will become especially necessary with reclaiming assets once people can return to the workplace. The return to in-person work will bring a fleet of devices with questionable security status, neglected updates, and known vulnerabilities to agency networks. Knowing everything you’ve got in your environment is critical for enabling secure assets and managing inventory – to reclaim assets that were bought with private dollars and to get new government-issued assets back in the hands of the user.
MeriTalk: How would you recommend an agency approach cybersecurity asset management if they haven’t already done so?
McLernon: The good news is that most agencies already have many IT and security systems that know a portion of the organization’s assets. These include: identity and systems management tools, vulnerability scanning tools, passive and active network monitoring solutions, and cloud orchestration technologies.
The challenge of asset management is that these systems typically exist as data silos, requiring cumbersome efforts to get a unified, actionable view on asset details across multiple systems. Agencies can advance their asset management program by extracting useful configuration and other state data out of these systems. The next step is to clean the data to find useful information across the multiple data sources. As you can imagine, achieving this involves a lot of automation and know-how.
MeriTalk: How would you define successful asset management?
McLernon: Successful asset management means a security professional can answer six essential questions about every asset. Is the asset “known” and managed? Where is it? What is it? Is the core software up to date? What additional software is installed? Does it adhere to my security policy?
To get there, we recommend the following: correlating and querying vast amounts of data from disparate sources, knowing which assets are unmanaged, knowing which managed assets are missing agents, discovering new devices automatically, quickly understanding context and detail, and developing consistency in communication and issue resolution.
MeriTalk: Given the rapid transformation of IT infrastructure, what are the recent asset visibility challenges and asset management trends impacting cybersecurity professionals?
McLernon: Axonius partnered with Enterprise Strategy Group to conduct a research survey of 200 IT and cybersecurity professionals from private and public-sector organizations in North America. We found that migration to the public cloud and an increase in the number of end-user devices and IoT projects all contribute to a lack of visibility.
The study reveals 52 percent of virtual machines now reside in the cloud, running in multiple cloud environments, making it increasingly more challenging for organizations to manage them effectively. A typical employee uses more than four devices each week to conduct work. This creates a device visibility gap, with 73 percent of organizations citing lack of inventory and activity visibility. Lastly, 81 percent of respondents feel that IoT devices will outnumber all other devices within 3 years, but less than half are confident in their IoT visibility strategy.
To regain the visibility needed to combat these challenges, security and IT teams are returning to a focus on the fundamentals like investing in a credible inventory and automating asset management. Comprehensive IT asset inventories take over two weeks of effort, requiring 89 person-hours of labor. On average, they happen 19 times per year, demanding the involvement of multiple teams and people. Thus, 85 percent of organizations plan to increase investment in asset management to help overcome these issues – especially given that roughly 90 percent expect the time freed up from asset-related tasks to improve threat hunting and incident investigation.
MeriTalk: Agencies are constantly looking to future-proof their strategies. What do you see as the future of cybersecurity? What will be the biggest cybersecurity asset management challenge in the next five years?
McLernon: Data center consolidation is well underway – one key focus for most agencies and businesses today is moving their applications and tools to the cloud. There are two main challenges that come along with the rapid rate of Federal cloud migration: first, creating cloud compliance that parallels security compliance and second, finding the right people to do so.
The cloud is still a bit immature in terms of public sector migration, and the cloud engineering industry itself is also fairly immature. With government asset counts between three and five per person, there’s a large constituency and total asset inventory. From an asset management perspective, it’s going to be very beneficial for agencies to have tools reside in the cloud as a virtual appliance that will be light, agentless, and larger-scaled. In order to meet DoD requirements, we need to look for resiliency and scalability for cloud-based solutions.
MeriTalk: What are the security implications of BYOD policies and the rise of IoT devices?
McLernon: While bring-your-own-device (BYOD) trends began more than 15 years ago, private and public sector organizations alike are still grappling with evolving BYOD policies, especially with a typical employee now using more than four devices each week. As a result, organizations believe they are blind to about 40 percent of end-user devices.
And these numbers are from pre-pandemic days. We often say that it’s no longer BYOD, but instead bring-your-office-home, since employees are now forced to use whatever devices they have to get their work done. IoT continues to play an increasing role in the workplace, with more than half of organizations reporting active IoT projects. Yet, 77 percent report an IoT visibility gap. With a wide array of IoT device types, gaining the visibility and control needed is challenging, and 58 percent report that the diversity in device types is among their biggest management challenges.
MeriTalk: What lessons can the private sector share with the public sector?
McLernon: There are massive architectures within the government, so the private sector could most certainly benefit by learning from the scale of Federal IT infrastructure. On the other hand, the public sector can learn how to develop better efficiency. The private industry is for profit – companies use fewer tools to achieve the same compliance and meet the same security measures because they hope to create a profit margin, or a plateau of profitability. If the public sector can make this shift to fewer tools for the same compliance, operations and budgets can be streamlined for improved results.
MeriTalk: What didn’t we ask that you would like to discuss?
McLernon: Zero trust is a very critical aspect of security. The best cybersecurity approach is to examine everything. By establishing the state of current infrastructure, and understanding the gaps and how to fix them, we can ease the struggle of security compliance. For asset management to be fully understood and made effective across organizations, zero trust models are key.