One would be surprised at the number of companies that claim to perform vulnerability management, but lack proper asset management. Asset management sounds like a very basic concept that many would assume has already been implemented at most enterprises. But vulnerability management cannot be performed without asset management. Let’s take a look at why.

Without asset management your vulnerability management program cannot identify rogue devices. My definition of rogue device is: Any server on your network that does not have an identified owner. Your asset management program is essential in determining who owns what asset. Keep in mind that when identifying rogue devices, you typically integrate network-based scanners with your asset management data. This requires direct access to your asset management data via scripts and applications. Make sure you can acquire asset management data in CSV, XML, web services, or even via direct database access.

Risk assessment is another key aspect of asset management that directly impacts SCAP. Each asset should be assessed for risk (preferably matching the CIA model for risk). By risk-assessing a device you can more accurately measure vulnerability severity using CVSS Environmental scoring. With CVSS Environmental scoring, the same vulnerability would have a unique severity rating per server depending on the server risk rating. I have a lot more to say regarding risk ratings, but I’ll save that for another blog post. The point I want you to take from today’s post is that the risk rating should be located within your asset management system.

And finally, the most important reason for asset management is… accountability! Without accountability, how do you know who is responsible for remediating the vulnerabilities for a particular application or system? Even more pressing, without documented accountability within your asset management system, how would you automate assignment of vulnerability remediation tasks? Identifying “who is supposed to fix what” never seems to make it onto the list of features to be delivered by vendors’ vulnerability scanning software. The information security industry’s lack of focus on identifying remediation ownership is one of my biggest pet peeves.
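To make the three points above concrete (joining scanner output with the asset export to flag rogue hosts, re-scoring the same vulnerability per asset from its C/I/A risk rating, and routing each finding to the documented owner), here is an added example that is not from the original post. It assumes CVSS v3.1 (the post predates it, so the Environmental formula is an assumption on my part) and a constructed asset export with columns host, owner, cr, ir, ar; the CVE id is a placeholder.

```python
import csv, io, math

# CVSS v3.1 metric weights; Modified metrics are assumed equal to the base ones.
W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44},
     "UI": {"N": .85, "R": .62}, "CIA": {"H": .56, "L": .22, "N": 0.0},
     "PR": {"U": {"N": .85, "L": .62, "H": .27}, "C": {"N": .85, "L": .68, "H": .5}}}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5}   # CR / IR / AR security-requirement weights

def roundup(x):                         # Roundup as defined in CVSS v3.1 Appendix A
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def environmental_score(vector, cr, ir, ar):
    """Environmental score of a CVSS v3.1 base vector under one asset's C/I/A
    requirements (E, RL, RC and the Modified base metrics left at Not Defined)."""
    m = dict(p.split(":") for p in vector.split("/")[1:])   # drop the "CVSS:3.1" prefix
    miss = min(1 - (1 - REQ[cr] * W["CIA"][m["C"]]) * (1 - REQ[ir] * W["CIA"][m["I"]])
               * (1 - REQ[ar] * W["CIA"][m["A"]]), 0.915)
    if m["S"] == "U":
        impact = 6.42 * miss
    else:
        impact = 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13
    if impact <= 0:
        return 0.0
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * W["PR"][m["S"]][m["PR"]] * W["UI"][m["UI"]]
    total = impact + expl if m["S"] == "U" else 1.08 * (impact + expl)
    return roundup(min(total, 10))

def triage(assets_csv, findings):
    """Join scanner findings with the asset export: a scanned host with no inventory
    record or no owner is rogue; every other finding becomes an owner-addressed task."""
    inv = {r["host"]: r for r in csv.DictReader(io.StringIO(assets_csv))}
    rogue, tasks = set(), []
    for host, cve, vector in findings:
        a = inv.get(host)
        if a is None or not a["owner"].strip():
            rogue.add(host)
            continue
        tasks.append((a["owner"], host, cve, environmental_score(vector, a["cr"], a["ir"], a["ar"])))
    return sorted(rogue), sorted(tasks, key=lambda t: -t[3])

# Constructed sample data: an asset export carrying each asset's C/I/A
# requirements, and the same finding (placeholder CVE id) on four hosts.
ASSETS = "host,owner,cr,ir,ar\ndb01,dba-team,H,H,H\nkiosk07,,L,L,L\nweb02,web-team,L,L,M\n"
VEC = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"   # base score 9.8
FINDINGS = [(h, "CVE-XXXX-PLACEHOLDER", VEC) for h in ("db01", "kiosk07", "web02", "lab99")]

if __name__ == "__main__":
    print(triage(ASSETS, FINDINGS))
```

The same 9.8 finding lands as 9.8 on the high-requirement database host and 8.9 on the low-requirement web host, while the ownerless kiosk and the un-inventoried lab host surface as rogue instead of being silently scored.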

I realize that if you don’t have asset management in place, it’s a daunting task to implement. In fact, if it takes less than six months to implement, then you may be doing it incorrectly. Implementing asset management is not a technical challenge; the challenging part of deploying asset management has to do with the information technology processes required. You’ll have to find a way to integrate asset management into the server build process, the decommissioning process, the software delivery process, etc. If you are only deploying asset management software without deploying IT process change, you are doing it wrong.

So who owns this asset management system within your environment? The easy and correct answer is, “anybody but the information security department.” Think of it this way: the business owns the policy that states asset management must occur. Information technology owns the process that enables the business to properly track assets. If the information security department owned asset management, all that would be left for information security to own would be the asset management software itself. Therein lies the fallacy: we don’t need information security to become the custodian of some random piece of software. Information security should give guidance on changes to asset management that will boost information security. A great example of this is device and application risk ratings. Information security should be creating the policies that determine how a device is risk-rated.

In conclusion, if you are performing vulnerability management without proper asset management:

  • You are not identifying rogue devices
  • You are not accurately measuring the severity of vulnerabilities, which should take the device risk scoring into account (CVSS Environmental)
  • You are not able to automatically determine who should remediate identified vulnerabilities (accountability)

If you are not doing this today, maybe your time would be better spent implementing asset management?
