Security asset management should be buttoned down. It isn’t.

I’ve been writing recently about security hygiene and posture management.  In January, I declared that security hygiene and posture management would become a priority in 2022.  Earlier this month, I wrote about attack surface management challenges.

Why focus on security hygiene and posture management?  Because every IT widget represents a potential entry point for cyber-adversaries.  Oh, and the bad guys go looking for these open doors using automated scanning tools, software exploits, social engineering scams, or anything else that works. 

Security asset management is one of the sub-disciplines of security hygiene and posture management.  To be clear, security asset management seeks to discover, categorize, and analyze all assets from a security perspective. This means understanding things like asset locations, owners, configurations, vulnerabilities, and so on and then figuring out which ones pose the biggest risks.  These assets could be on internal networks, in data centers, or deployed on cloud networks.  Heck, they could even be walking around.  Employee credentials can be especially valuable to cyber-criminals.    

Alas, ESG research indicates that security asset management is broken and needs attention at many organizations.  Yup, firms don’t know much if anything about their internal and internet-facing assets, leaving them quite exposed.  Even when they know something about these assets, 52% of organizations admit they find it difficult to prioritize the actions that can have the biggest impact on risk reduction. Not good.

Why are things this bad?  Our research uncovers several issues:

• Nearly one-third (32%) of organizations utilize 10 or more data sources to track and inventory their assets for security purposes. There is a correlation to organizational size here as well—the bigger the organization, the more data sources used.  What types of data sources?  IT asset management systems (59%), endpoint security systems (50%), cloud posture management systems (46%), network scanners (39%), and many others.  More data sources mean that organizations are piecing together an asset inventory by amalgamating data tidbits, a process prone to inaccuracies and lots of overhead.
• Not surprisingly, gluing all this data together takes time. Nearly half (48%) of organizations claim that doing a full security asset inventory takes more than 80 hours to complete.  Furthermore, 35% of organizations conduct these security asset inventories on a quarterly basis or less frequently.  Performing a security asset inventory is so time consuming that most organizations can only get to it periodically.  Meanwhile, assets are coming, going, and changing and security may have no idea.  Yikes!
• Which assets make it most difficult to maintain a timely and accurate inventory? Security professionals point to things like maintaining software configurations (34%), monitoring cloud-based workloads/applications (30%), tracking user accounts (30%), understanding which users have access to which systems (28%), maintaining workstations (27%), and so on.  Lots of diversity here, no wonder it takes lots of time and data to try and figure these things out.
• With all this complexity and operations overhead, security asset management is fraught with challenges. Security pros point to issues like coordinating security asset inventory tasks across different teams in the organization (44%), sorting through conflicting data (40%), dealing with thousands of frequently changing assets (39%), and a dependence on manual processes (33%).

What could be done to improve security asset management?  The security professionals surveyed suggest things like automating processes, integrating technologies, and establishing the right key performance indicators (KPIs) and metrics, and improving their ability to assign risk scores to vulnerable assets.  In other words, sound security asset management practices require people, process, and technology improvements.   

I do see some promising innovation for security asset management that may help organizations in all areas.  Vendors like Axonius, Balbix, JupiterOne, and Sevco use API connections to collect and consolidate data from different tools, analyze the data to calculate risk scores, identify high-risk assets, and make remediation suggestions.  In this way, these technologies could help improve staff productivity, enable process automation, and organize/analyze the mountains of asset data.  Given today’s security asset management chaos, I expect a lot of technology uptick here.