Cyber asset management: Tutorial & Best Practices

March 26, 2024

Creating an accurate and comprehensive inventory of assets is challenging for any enterprise, but it is helpful for operations teams and indispensable for security organizations. Security teams cannot scope the attack surface and understand the enterprise’s technical landscape without an accurate and comprehensive inventory to apply information security measures effectively.

Cybersecurity asset management (CSAM) is the practice that identifies, catalogs, and manages both tangible and intangible computing assets. CSAM includes hardware and software and is not limited to on-premises assets—it includes public and private cloud environments, application programming interfaces (APIs), and services such as SaaS or proprietary code repositories. From this perspective, it sounds like a CMDB (configuration management database). However, they are functionally quite different. CMDB tracks hardware and software assets to streamline IT operational processes like incident and problem management. CSAM tracks asset characteristics to assign risk value and prioritize assets for remediation. Effective asset management scopes the attack surface and enhances vulnerability detection and risk mitigation with additional context for prioritization and ownership assignment. Since IT asset management is not designed for security use cases, it cannot provide a comprehensive view of all assets or serve as an input for assessment of the relative risk of vulnerability findings.

Security teams can utilize IT asset management as a starting point. Still, they need a broader data set incorporating extended asset categories, including security and compliance attributes used for risk prioritization, to identify unmanaged assets and gaps in security tool coverage. For instance, CSAM must determine whether an asset is Internet-facing and whether it plays a part in processing sensitive data. According to Gartner, CSAM is not a source of record but rather an aggregator of data from existing sources.

Ideally, CSAM involves security and operational teams jointly curating an asset inventory and annotating it with business- or security-relevant labels automatically, based on the characteristics of the asset being deployed. This curated inventory interchanges information with the enterprise’s CMDB. CSAM doesn't replace IT asset management, but since it ingests data from the system of record, it relies on the quality of that data. Through bidirectional integration and cooperation between ops and security, CSAM can help improve the accuracy and relevance of IT asset management information.

This article discusses best practices in Cyber asset management. You can expect to learn how and why CSAM is a cornerstone of a robust cybersecurity framework. This knowledge will empower your organization to address security vulnerabilities reactively and proactively—whether it’s to apply an emergency fix (Log4j, anyone?) or track asset information before the next security event.

Summary of key cyber asset management best practices

Security teams often leave asset management to ops teams because the ops team is typically tasked with maintaining a single source of truth for enterprise assets, and because enterprise asset management often doesn't provide high-fidelity data to guide vulnerability management programs and prioritization assessment. CSAM, by contrast, is a broader program that helps an organization understand which machines and web applications are present and maintains a level of awareness that would otherwise be unavailable.

  • Identify unmanaged assets: Asset types such as SaaS, bring-your-own-device (BYOD) units, serverless computing, containers, and microservices are easy to overlook and difficult to inventory centrally. Anything that connects to your network or hosts your data and services should be considered an asset for you to monitor.
  • Use an asset identification tool or platform that integrates directly into your operational and security ecosystem: Automation only works on assets that can be found. Discovery systems should populate the scanners, management, and issue-tracking systems that are used to monitor and control them. The details populated should be appropriate not just for IT management but also for security needs, including labels suitable for data classification, asset profiling, compliance mandates, ownership, and application associations.
  • Enrich asset inventory with security and business profiles: Tracking an asset must include not only its technical profile (IP address, operating system version, dependencies, and software components) but also its business value, compliance mandates, environmental context, relative risk, and the threats it is subject to.
  • Include non-computing assets: CSAM also catalogs non-computing assets such as intellectual property (especially code!) stored in GitHub or AWS S3 buckets, secrets like API keys, and directory information.
  • Map network connections, data flows, and services to assets: An asset is more than hardware and software. Its network connections, the services it provides (such as APIs), and the data flowing in and out are important characteristics for understanding its value.
  • Establish and audit asset commissioning and decommissioning security requirements as part of asset management: An asset is less likely to be accurately tracked and secured when it has just been created or when it has been decommissioned. Secure initial configuration, removal of retired assets, and data destruction are part of the asset lifecycle. Discovery and de-provisioning of cloud assets is a particular challenge, but cloud provider APIs can provide a starting point.
  • Consider asset management systems an extension of security systems: Asset management systems are usually maintained by operations and infrastructure teams, with security teams holding less direct responsibility for them than for systems such as identity management or vulnerability scanning infrastructure. However, asset management can serve the objectives of both ops and security if security teams can enrich and extend the asset profiles through bidirectional integration. Security teams can use tools that ingest, aggregate, and normalize security data to reinforce the single source of truth managed by the ops team.
  • Use bi-directional integration between CSAM and other asset management systems: Initiate joint curation of asset inventories. Security and operations teams can collaborate to annotate asset records, and business- or security-relevant labels can be applied automatically based on the characteristics of the asset being deployed. This curated inventory interchanges information with the enterprise’s CMDB, and the integration keeps asset records aligned with security risk.

Overview of cyber asset management

The core of a comprehensive asset inventory comprises configuration management databases (CMDBs), asset management (AM) databases, and application catalogs. Different categories of assets (applications, network devices, endpoints, SaaS, IoT, cloud services, VMs, code repositories, and more) are tracked in these inventories. Together, these tools establish and maintain systems of record for operations and IT asset managers as well as enterprise architects and GRC teams. Operations teams are typically mandated to maintain an up-to-date catalog and inventory of all IT assets.

Because asset inventory and management systems are designed to address IT use cases, security teams increasingly utilize CSAM to enhance their visibility into exposed assets and evaluate the relative potential of risks by integrating CMDBs and AM databases with external attack surface management (EASM). EASM further enhances the picture, providing visibility into exposed assets and potential security issues. Logic says the organization could easily track and identify edge-connected devices or public-facing services. Still, cloud services and distributed IT teams sometimes do not rely on a single, centralized system for provisioning—especially for BYOD, IoT, or vendor-managed appliances.

The diagram below illustrates an automated asset inventory method. When an information system connects to the network, it can be entered into the asset inventory by ingesting, aggregating, and normalizing asset data and attributes. Instead of a human searching manually for a record of what the system should do, the automation examines the system itself, which provides a more accurate result much more quickly.

Figure: Automation of asset inventory for cybersecurity: investigation of event correlation-based technique (source)

In the modern distributed IT environment, the inventory is unlikely to be a single database—it would be a conceptual information warehouse of data pulled from multiple continuously maintained record sources. Information about hardware, software inventory, ownership, data classifications, hosted applications, and connectivity is usually stored in various locations, because the maintainers of that information use different tools to record it. Collecting all of it into a single database would involve unnecessary time and effort, and it would likely result in a system full of data, much of it duplicative.


Best practices in cyber asset management

Identify unmanaged assets

Effective asset management includes assets that are not under the enterprise’s direct control. For instance, enterprises have limited control of SaaS platforms or BYOD systems; however, these assets cannot be ignored because they still connect to the organization’s network or host its data and services. If these uncontrolled assets connect to the network for data interchange or access to services, they can be captured by an effective asset management system that continuously scans for new connections.

Alongside the issue of unmanaged devices, enterprises may find that new technologies require new skill sets for secure deployment. Serverless computing frameworks, containers, and microservices are relatively new, but those accustomed to working in a virtual server landscape understand that these code-based constructs are assets. That said, assigning and tracking ownership requires determining which are ephemeral and which are stable, as well as deciding whether an ephemeral asset should be included in the CSAM.

Utilize asset identification tools integrated into operational and security ecosystems

Asset identification tools and platforms cannot stand alone, hand-fed with data and returning information in isolation from other operational and security tools. Automation in asset management needs continuously updated input from discovery and identification systems. These tools should enable the identification of all assets and should populate scanners, management systems, and trouble-tracking systems. They should cater to both operational management requirements and the specific needs of cybersecurity, including data classification labels and functional tags that provide context.

Asset identification is commonly myopic: assets, when found, are viewed individually, not as part of the application or service that they support. Each asset must be considered on its own, but it is easy to miss its place in the whole. Application visualization integrates security and business risk within an assessment, helping you understand the entire application infrastructure and its business value. This can be made easier by using Silk, which offers asset labels and custom rules for prioritizing business value.


Enrich asset inventory with security and business profiles

The asset inventory must also accept input sources for comprehensive security and the business profiles of each asset. The information should come from a system of record for the assets’ vulnerability to potential threats. The information can be overall risk profiles or the factors that make up the risk profile: exposure level, data sensitivity, and importance to business operations. Including asset risk profiles allows the security team to prioritize activities based on environmental threats.

Additionally, understanding the asset’s role and impact on operations aligns protective measures with business significance. For example, imagine the impact of remediation planning with information about:

  • Stakeholders responsible for remediation steps
  • Business ownership for the asset
  • Integration of security consoles with ticketing tools
  • Remediation guidance specific to the asset

Silk can seamlessly integrate information that would otherwise require hunting through several knowledge bases or directories.
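As an added example (not code from the article or from Silk), the following Python script sketches the aggregator pattern described in the overview and in the sections on unmanaged assets and inventory enrichment: it ingests constructed records from a CMDB export, a cloud inventory and an EASM scan, normalizes them onto one hostname key, flags assets that discovery sees but the system of record does not, and enriches each record with exposure, data-sensitivity and ownership attributes that feed a simple priority score. Source names, field names, sample records and the score weights are all assumptions.

```python
"""
Added example (not from the article or from Silk): a minimal CSAM-style
aggregator. It ingests asset records from several constructed sources,
normalizes them onto one key, flags assets missing from the system of
record, and enriches each record with security/business attributes used
for prioritization. Source names, field names, sample records and the
score weights are assumptions.
"""
from dataclasses import dataclass, field

# Constructed sample exports. A real aggregator would pull these from a
# CMDB export, a cloud provider inventory API and an EASM scan (assumed).
CMDB_EXPORT = [
    {"hostname": "WEB-01.corp.example", "owner": "web-team",
     "os": "Ubuntu 22.04", "data_class": "public"},
    {"hostname": "db-01.corp.example", "owner": "data-team",
     "os": "RHEL 9", "data_class": "confidential"},
    {"hostname": "legacy-01.corp.example", "owner": "",
     "os": "Windows Server 2012", "data_class": "internal"},
]
CLOUD_INVENTORY = [
    {"name": "web-01.corp.example", "public_ip": "203.0.113.10", "tags": {"env": "prod"}},
    {"name": "db-01.corp.example", "public_ip": None, "tags": {"env": "prod"}},
    {"name": "scratch-07.corp.example", "public_ip": "203.0.113.77", "tags": {}},
]
EASM_FINDINGS = [
    {"host": "web-01.corp.example", "exposed_ports": [443]},
    {"host": "scratch-07.corp.example", "exposed_ports": [22, 8080]},
]


@dataclass
class Asset:
    key: str
    sources: set = field(default_factory=set)
    owner: str = ""
    os: str = ""
    data_class: str = "unknown"
    internet_facing: bool = False
    exposed_ports: list = field(default_factory=list)

    @property
    def unmanaged(self) -> bool:
        # Seen by discovery but absent from the system of record (the CMDB).
        return "cmdb" not in self.sources

    def priority(self) -> int:
        """Additive score with assumed weights: exposure, sensitivity, gaps."""
        score = 0
        if self.internet_facing:
            score += 40
        score += {"confidential": 30, "internal": 10, "public": 0}.get(self.data_class, 20)
        if not self.owner:          # no accountable owner for remediation
            score += 15
        if self.unmanaged:          # outside the system of record entirely
            score += 15
        return score


def normalize_key(name: str) -> str:
    """One join key for every source: hostnames differ only in case/whitespace."""
    return name.strip().lower()


def aggregate(cmdb, cloud, easm) -> dict[str, Asset]:
    """Ingest, normalize and merge the three sources into one inventory."""
    inv: dict[str, Asset] = {}

    def get(name):
        k = normalize_key(name)
        return inv.setdefault(k, Asset(key=k))

    for r in cmdb:
        a = get(r["hostname"])
        a.sources.add("cmdb")
        a.owner = r.get("owner", "")
        a.os = r.get("os", "")
        a.data_class = r.get("data_class", "unknown")
    for r in cloud:
        a = get(r["name"])
        a.sources.add("cloud")
        if r.get("public_ip"):
            a.internet_facing = True
    for r in easm:
        a = get(r["host"])
        a.sources.add("easm")
        a.internet_facing = True   # EASM only sees what is reachable from outside
        a.exposed_ports = sorted(set(a.exposed_ports) | set(r["exposed_ports"]))
    return inv


def unmanaged_assets(inv):
    return sorted(k for k, a in inv.items() if a.unmanaged)


def prioritized(inv):
    return sorted(inv.values(), key=lambda a: a.priority(), reverse=True)


if __name__ == "__main__":
    inventory = aggregate(CMDB_EXPORT, CLOUD_INVENTORY, EASM_FINDINGS)
    print("Unmanaged:", unmanaged_assets(inventory))
    for a in prioritized(inventory):
        print(f"{a.priority():3d} {a.key:26s} sources={sorted(a.sources)} "
              f"owner={a.owner or '-'} internet_facing={a.internet_facing} "
              f"data={a.data_class} ports={a.exposed_ports}")
```

Running it lists the unmanaged host (present in the cloud and EASM data but not in the CMDB) at the top: it is Internet-facing, has no owner and no data classification, so it scores highest. In practice the weights would be replaced by the organization's own risk model and the constructed lists by connectors to the real sources, but the shape of the job (normalize, join, flag gaps, enrich, rank) is the same.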

Include non-computing assets in the inventory

An inclusive approach to CSAM includes cataloging non-computing assets, such as intellectual property and essential data assets. These assets should be accorded the same consideration as physical computing devices and software systems, with their risk considered in the context of the asset’s value to the business and labeled with those considerations in mind.

Storing and managing such assets in platforms like GitHub or AWS S3 buckets introduces unique security challenges, such as ensuring that the enterprise verifies encryption, exposure, and ownership. In these cases the hosting provider implements the storage and management tools; however, the responsibility for ensuring their correct application still lies with the enterprise that owns the assets.


Map network connections, data flows, and services to assets

Detailed mapping of network connections, data flows, and services to each asset provides a comprehensive understanding of its value, role, and importance. Mapping can allow the discovery of undocumented evolutions in the asset’s use, such as integrations that grew organically but were not planned when the asset was first characterized.

While some amount of growth and change should be expected in an environment, undocumented changes and connections can add risk to a system that otherwise poses little concern. When these changes are discovered, they should trigger a revisit of the risk profile for the asset and for the assets that it touches. Cyber asset management is not meant to prohibit the evolution of an organization’s processing environment but rather to give a clearer picture of the impact of change.
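To show what "discovering undocumented connections" looks like in practice, here is an added Python example (not from the article) that compares observed network flows against the documented data flows for each asset, reports connections nobody planned, derives the services each asset actually serves, and lists the assets whose risk profile should be revisited. The flow-log layout, asset names, IP mapping and documented flows are all constructed for illustration.

```python
"""
Added example (not from the article): reconcile observed network flows with
the documented service map, flag undocumented connections, and name the
assets at both ends for a risk re-review. Log layout, asset names and
flows are constructed.
"""
from collections import defaultdict

# Documented data flows: (source asset, destination asset, destination port).
DOCUMENTED_FLOWS = {
    ("web-01", "db-01", 5432),
    ("web-01", "cache-01", 6379),
    ("batch-01", "db-01", 5432),
}

# Asset name by IP, as the aggregated inventory would provide it (constructed).
IP_TO_ASSET = {
    "10.0.1.10": "web-01",
    "10.0.2.20": "db-01",
    "10.0.2.30": "cache-01",
    "10.0.3.40": "batch-01",
    "10.0.4.50": "analytics-01",
}

# Constructed flow records in a VPC-flow-log-like layout:
# <timestamp> <src_ip> <dst_ip> <dst_port> <protocol> <action>
FLOW_LOG = """\
1711411200 10.0.1.10 10.0.2.20 5432 tcp ACCEPT
1711411201 10.0.1.10 10.0.2.30 6379 tcp ACCEPT
1711411202 10.0.3.40 10.0.2.20 5432 tcp ACCEPT
1711411203 10.0.4.50 10.0.2.20 5432 tcp ACCEPT
1711411204 10.0.4.50 10.0.2.30 6379 tcp ACCEPT
1711411205 10.0.1.10 10.0.4.50 8080 tcp REJECT
1711411206 192.0.2.99 10.0.1.10 443 tcp ACCEPT
"""


def parse_flows(text):
    """Yield (src_ip, dst_ip, dst_port) for accepted flows; rejected ones are noise here."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, src, dst, port, _proto, action = parts
        if action == "ACCEPT":
            yield src, dst, int(port)


def observed_flows(text, ip_to_asset):
    """Map accepted flows onto asset names; unknown IPs become 'external:<ip>'."""
    flows = set()
    for src, dst, port in parse_flows(text):
        s = ip_to_asset.get(src, f"external:{src}")
        d = ip_to_asset.get(dst, f"external:{dst}")
        flows.add((s, d, port))
    return flows


def undocumented_flows(observed, documented):
    """Connections seen on the wire that the service map does not know about."""
    return sorted(observed - documented)


def services_by_asset(observed):
    """Services an asset actually provides: the destination ports it accepts."""
    svc = defaultdict(set)
    for _s, d, port in observed:
        svc[d].add(port)
    return {k: sorted(v) for k, v in svc.items()}


def assets_to_review(undocumented):
    """Both ends of each undocumented connection get their risk profile revisited."""
    review = set()
    for s, d, _p in undocumented:
        review.update(x for x in (s, d) if not x.startswith("external:"))
    return sorted(review)


if __name__ == "__main__":
    obs = observed_flows(FLOW_LOG, IP_TO_ASSET)
    for s, d, p in undocumented_flows(obs, DOCUMENTED_FLOWS):
        print(f"undocumented: {s} -> {d}:{p}")
    print("review:", assets_to_review(undocumented_flows(obs, DOCUMENTED_FLOWS)))
    print("services:", services_by_asset(obs))
```

On the constructed data the script surfaces two kinds of organic growth the article warns about: an analytics host that started reading the database and cache directly, and an inbound connection from an address outside the inventory to the web tier, which marks that asset as Internet-facing even if the CMDB says otherwise. The rejected flow is ignored because it never became a connection.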

Establish commissioning and decommissioning requirements

Security requirements must be implemented when assets are created or retired. When new assets are added to the organization’s portfolio, security measures appropriate to their risk profile should be installed. Implementing an appropriate initial security configuration lowers the risk of introducing vulnerabilities when deploying new assets. Decommissioning assets requires secure deletion of data and a plan for secure disposal. Regular auditing of commissioning and decommissioning processes maintains compliance with security protocols and can identify potential gaps.

Consider asset management systems an extension of security systems

Asset management systems are not often run directly by the security team, but they serve as extensions of security. The asset information forms the basis of the organization’s automated and manual technical security management. Alongside that, they store comprehensive information about assets: technical specifications, locations, usage, access patterns, and vulnerabilities.

These asset management systems should be regarded as hybrid systems straddling the operational and security domains. Integrating asset management systems with other security tools enhances their effectiveness, such as utilizing asset information in vulnerability scanning systems or integrating asset management data with identity management systems to fine-tune access controls.


Final thoughts

Cyber asset management goes beyond asset inventory. It provides a more layered view of the organization’s technical landscape, enhancing visibility into potential vulnerabilities and exposed assets. To do this, CSAM requires a significant investment of labor and expertise in its implementation, ensuring that it knows enough about the environment to identify connected unmanaged assets such as BYOD systems and serverless computing frameworks. CSAM does not try to supplant current systems of record; instead, it supplements their content and improves their function with data aggregation and enrichment.

Additionally, CSAM can and should include not only computing assets but also non-computing assets like intellectual property and critical data assets, in contrast to IT asset management systems like CMDBs. Mapping network connections, data flows, and services to these assets reveals potentially undocumented and overlooked risks related to an expanded attack surface. When identified, those risks are included in the overall prioritization of security risk and business impact.

Cyber asset management should be viewed as an important extension of an organization’s security framework, not simply an operational necessity. Integrating CSAM with other security tools, such as vulnerability scanning and identity management systems, increases its effectiveness and increases the likelihood that investment in this technology will support programs focused on proactively identifying and managing IT security risks.
