Ruslan Rakhmetov, Security Vision
With the development of digital technologies and IT penetration in all areas of business, the number of information resources and computing devices also increases, and management and cyber specialists inevitably face difficulties in managing and maintaining a large, disparate fleet of IT systems. Complexities and gaps in IT systems management are also a tangible cyber risk: a coherent cyber defence system cannot be built without a clear vision and understanding of which elements of the IT infrastructure are to be protected, and the diversity of operating systems, business applications, data types and defences only exacerbates the cyber resilience issue. In order to assess and prioritise vulnerabilities, promptly identify current cyber threats, and respond to cyber incidents in a timely and high-quality manner, it is necessary to build an integrated information asset management system. NIST SP 1800-5, ‘IT Asset Management,’ is dedicated to this task: it describes the characteristics of an effective IT asset management software solution (ITAM, IT Asset Management) and lists the cyber risks of a missing or incomplete asset inventory process.
To solve the problem of centralised asset management, the authors of NIST SP 1800-5 offer a number of practical steps and tools for building an IT Asset Management system, and also provide the results of an assessment of the cyber risks arising from an incorrect information asset inventory process and from a missing or incomplete centralised IT Asset Management system.
The strategic cyber risks of incorrectly built IT asset management process are:
1. Negative impact on service delivery due to possible lack of employee access to IT assets;
2. The cost of implementing a centralised IT asset management system, and the desire to use a single system across the entire company to reduce overheads;
3. Spending budget in relation to cybersecurity technology investments;
4. Projected cost reductions and operational efficiencies as a result of new cybersecurity investments;
5. Legislative compliance in terms of scrutinising and operationalising IT assets;
6. Reputational and image risks;
7. Risks of inaction or wrong steps.
The tactical cyber risks of a misaligned IT asset management process are:
1. Lack of a converged (unified) vision of IT assets and centralised reporting on them;
2. Lack of knowledge about the location of IT assets;
3. Lack of configuration controls for IT assets;
4. Ineffective patch management;
5. Lack of software vulnerability management;
6. Lack of an overall picture of corporate asset performance;
7. Lack of a converged repository of IT assets.
For centralised IT asset management, NIST SP 1800-5 recommends the use of ITAM (IT Asset Management) class systems, which are an evolution of CMDB (Configuration Management Database) systems to address the following:
1. Initial populating of the repository with IT asset information;
2. Automated enrichment and keeping IT asset information up to date;
3. Integration with systems containing up-to-date information on IT assets;
4. Integration with antimalware systems to assist in responding to IS incidents.
These activities are performed throughout the IT asset lifecycle, which consists of the following steps:
1. Development of an IT asset lifecycle strategy;
2. Planning the utilisation of the IT asset;
3. Developing an architecture and usage model;
4. Procurement, implementation;
5. Operation;
6. Support;
7. Implementation of changes;
8. Decommissioning.
Recall also that CMDB systems are designed to store, process, and keep up-to-date information about assets and their relationships. Software (e.g., OS, applications, files) and hardware (e.g., servers, PCs, network devices) assets are called CIs (Configuration Items) in CMDB terminology and may carry the following information:
- business owner of the asset;
- the risk owner of the asset;
- IT custodian for the asset;
- IT Security custodian;
- asset user;
- the business role/function performed by the asset;
- technical role/function performed by the asset;
- an asset-dependent business process;
- criticality, cost, value of the asset;
- requirements and level of information security (integrity, confidentiality, availability) of information processed by the asset;
- location (address, premises, rack number, etc.);
- configuration (FQDN name, OS version, installed software, VLAN, IP address, MAC address, amount of RAM, etc.).
The main challenges of the asset management process include initial populating, enriching and keeping information up to date, automating the process, and integrating with a variety of systems that contain valuable IT asset information. Some asset management solutions additionally support the acquisition of up-to-date data on new assets on the company's network, as well as interacting with security systems to respond to the unauthorised appearance of a new device on the network (the result of the response can be either scanning of the new device or its temporary isolation).
From a cybersecurity perspective, the use of ITAM systems brings the following benefits:
1. Correct selection and application of basic defence measures;
2. Continuous monitoring and reporting on the status of IT assets stored in a single repository;
3. Application of anomaly detection mechanisms (e.g., deviations in network traffic or from established baseline configuration parameters);
4. Providing context and data enrichment to identify IS anomalies and events through analytics and reporting mechanisms.
The NIST SP 1800-5 document provides three functional levels of a typical ITAM system, from the lowest third level (Tier 3) to the highest first level (Tier 1):
1. The Tier 3 level includes all controlled corporate assets (PCs, servers, portable devices, network equipment).
2. Tier 2 contains data about the location of assets, software and hardware installed on them. This tier performs the data collection task of identifying and documenting the software and system configurations of each IT asset and transmitting this information to the next tier for storage.
3. The Tier 1 level contains processed and enriched IT asset data to address the tasks of long-term storage of this information, analysing the collected data, visualising and reporting the results of the analysis to employees and managers. This tier also establishes rules governing device usage (list of allowed/prohibited software, available network protocols, allow/deny network rules) that are further enforced at the Tier 2 level in the form of installing updates, uninstalling software, and changing network configuration.
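To make the tier split concrete, here is an added example in Python. It is not code from NIST SP 1800-5, from Security Vision, or from any ITAM product. It models a toy Tier 1 repository that receives one discovery cycle from a Tier 2 collector, reconciles it against the CMDB, and records the Tier 2 action that policy calls for: isolation for an unknown device, uninstallation of prohibited software, a scan or review for drift from the recorded baseline, and a review for a repository asset no collector reported. The CI attributes follow the list above; every hostname, MAC, IP address, software name and policy value is constructed for the example.

```python
# Added example (not from NIST SP 1800-5 or Security Vision): a toy Tier 1
# repository reconciling Tier 2 discovery data against the CMDB. All asset
# data, the prohibited-software list and the action names are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ConfigurationItem:
    fqdn: str
    mac: str
    ip: str
    business_owner: str
    criticality: str                       # "high" / "medium" / "low"
    cia: tuple                             # (confidentiality, integrity, availability)
    location: str
    os_version: str
    installed_software: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    kind: str     # unknown_device | prohibited_software | config_drift | not_seen
    mac: str
    detail: str
    action: str   # Tier 2 action: isolate | scan | uninstall | review


# Tier 1 policy: software prohibited on every managed asset (constructed list).
PROHIBITED_SOFTWARE = {"bittorrent-client", "unapproved-remote-admin"}

# Repository of known CIs keyed by MAC address (constructed sample data).
CMDB: Dict[str, ConfigurationItem] = {
    ci.mac: ci for ci in [
        ConfigurationItem("srv-db-01.corp.example", "00:11:22:33:44:01", "10.0.1.10",
                          "Finance", "high", (3, 3, 3), "DC1 rack 4",
                          "Ubuntu 22.04", {"postgresql", "openssh-server"}),
        ConfigurationItem("ws-acct-17.corp.example", "00:11:22:33:44:02", "10.0.5.17",
                          "Finance", "medium", (2, 2, 1), "HQ floor 3",
                          "Windows 11 23H2", {"office", "edr-agent"}),
        ConfigurationItem("srv-web-02.corp.example", "00:11:22:33:44:03", "10.0.2.20",
                          "Marketing", "medium", (1, 2, 3), "DC1 rack 7",
                          "Ubuntu 22.04", {"nginx", "openssh-server"}),
        ConfigurationItem("printer-hq-1.corp.example", "00:11:22:33:44:04", "10.0.5.200",
                          "Facilities", "low", (1, 1, 1), "HQ floor 3",
                          "PrinterOS 4.1", set()),
    ]
}

# What a Tier 2 collector (scanner or agent) reported this cycle (constructed).
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10", "os_version": "Ubuntu 22.04",
     "software": {"postgresql", "openssh-server"}},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.5.17", "os_version": "Windows 11 23H2",
     "software": {"office", "edr-agent", "bittorrent-client"}},
    {"mac": "00:11:22:33:44:03", "ip": "10.0.2.21", "os_version": "Ubuntu 24.04",
     "software": {"nginx", "openssh-server", "docker"}},
    {"mac": "00:11:22:33:44:99", "ip": "10.0.5.77", "os_version": "unknown",
     "software": set()},
]


def reconcile(discovered: List[dict], cmdb: Dict[str, ConfigurationItem]) -> List[Finding]:
    """Compare one discovery cycle with the repository and return findings."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    for rec in discovered:
        mac = rec["mac"]
        seen.add(mac)
        ci = cmdb.get(mac)
        if ci is None:
            # Unauthorised appearance of a new device: quarantine it first.
            findings.append(Finding("unknown_device", mac,
                                    f"{rec['ip']} is not in the repository", "isolate"))
            continue
        if rec["ip"] != ci.ip:          # automated enrichment of a volatile attribute
            ci.ip = rec["ip"]
        prohibited = rec["software"] & PROHIBITED_SOFTWARE
        if prohibited:
            findings.append(Finding("prohibited_software", mac,
                                    ", ".join(sorted(prohibited)), "uninstall"))
        drift = []
        if rec["os_version"] != ci.os_version:
            drift.append(f"os {ci.os_version} -> {rec['os_version']}")
        added = rec["software"] - ci.installed_software - PROHIBITED_SOFTWARE
        if added:
            drift.append("new software: " + ", ".join(sorted(added)))
        if drift:
            # Deviation from the recorded baseline; critical assets get a scan first.
            action = "scan" if ci.criticality == "high" else "review"
            findings.append(Finding("config_drift", mac, "; ".join(drift), action))
    # Repository assets that no collector reported this cycle.
    for mac in sorted(set(cmdb) - seen):
        findings.append(Finding("not_seen", mac, cmdb[mac].fqdn, "review"))
    return findings


if __name__ == "__main__":
    for f in reconcile(DISCOVERED, CMDB):
        print(f"{f.kind:20} {f.mac}  {f.detail}  -> {f.action}")
```

Run as a script, it prints one line per finding: the workstation with a prohibited client, the web server whose OS and software deviate from the baseline, the unknown device to be isolated, and the printer that was not seen. The repository's IP for srv-web-02 is also refreshed from the discovery record, which is the enrichment step the text describes; in a real deployment the prohibited list, criticality thresholds and the isolate/scan decision would come from the Tier 1 policy store rather than from constants.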
NIST publication SP 1800-5 outlines the characteristics of an effective ITAM (IT Asset Management) software solution:
- complementing a company's existing asset accounting systems, NWIs, and network solutions;
- API integration with security systems (firewalls, intrusion detection systems, access and credential management systems);
- providing information on, and control of, physical and virtual assets connected to the company's network;
- automatically detecting and alerting on attempts by unauthorised devices to access the network;
- providing the ability to identify and control hardware and software that is authorised to connect to the company network;
- enforcing restricted software usage policies;
- auditing and monitoring changes in asset health;
- integration with audit log storage and analysis systems;
- recording and tracking IT asset attributes.
Finally, NIST SP 1800-5 gives a detailed description of setting up a laboratory environment to implement an ITAM system, in which Tier 1 runs Splunk; Tier 2 runs IDS (Bro, Snort), the OpenVAS scanner, a WSUS server, the AssetCentral and BelManage CMDB systems, and the Puppet Enterprise configuration control system; and Tier 3 runs Active Directory and email servers, a VPN server, and a PKI certificate authority.