During my presentation at RSA Conference 2018 this year, I discussed what I refer to as the “Heisenberg Uncertainty Principle of Asset Management,” which states that it’s impossible to maintain an asset inventory list in a constantly evolving environment. Think of it this way: Your IT infrastructure is probably a lot like a giant jelly bean jar that people are constantly grabbing handfuls from while someone is also helpfully refilling it. Now imagine being responsible for threat hunting, when your job is to find out if there’s any “bad actor” green jelly beans in the jar. You can pick up the jar and look at all sides of it, you can shake it to try to get an idea of what’s not against the glass, and you can even put the jar on the ground and slowly roll it around to see if you can find any of these bad actor green jelly beans. Leveraging all these techniques, how confident can you be that there aren’t any green jelly beans in the jar?
Now apply this problem to other security tasks such as vulnerability management, configuration management, and log aggregation/auditing to round out a few of the basic CIS controls. Asset management is critical to everything we do as security professionals, and we’re failing at many of these tasks because we don’t have the data we need to do them well. We are effectively building critical security processes on a foundation of sand.
For this reason, I’m introducing the Asset Intelligence Model (AIM) to ground us in a better methodology for performing asset management that follows two key concepts:
■ Anchor your asset definition to business function, not individual systems or workloads. Containerization and serverless computing have fragmented the concept of an asset to a workload level. As the concept of an asset moves further away from something tangible or even persistent, we need to group workloads by business function. Incidentally, the output of this AIM also provides you with an input that is ready for data-centric segmentation with Zero Trust.
■ Create a federated asset inventory using queryable infrastructure. The idea here is that there are many sources of asset intelligence throughout your organization. In developing an understanding of how software is developed and deployed within your organization, you will come to understand sources of intelligence beyond simple endpoint tools that you can use to build and maintain your asset inventory. While doing so, you should be automating the ability to query for this information on demand, creating a queryable infrastructure that is the fabric of a real-time CMDB.
The biggest vulnerability in any organization is its asset management, and because we’re doing it wrong, it is negatively impacting multiple processes within our organizations. If you have questions or are interested in contributing to this research, please feel free to reach out. I’m expecting to have a report incorporating practical examples of how to implement this publishing in June, so stay tuned!