I have been in the security business for a very long time, both in the physical and logical realm. In my previous roles and in my current role with Consortium Networks, I often ask our membership about their top five security concerns. Invariably, visibility, or the lack thereof, is among those top concerns.
Let me first clarify what I’m talking about. Visibility to the CEO or board is generally something very different than visibility for the SOC manager. A CEO may want to know how the company’s security posture compares to peer companies. However, in this instance, I’m talking solely about the visibility of assets in your environment.
You have probably heard the adage “You can’t protect what you can’t see.” The CIS Top 20 security controls list “Inventory of Authorized and Unauthorized Devices” as the number one control. Although I do not believe this list is prioritized, I think this is one of the most essential controls. So, what are some strategies and tools we can employ to achieve maximum visibility?
First off, obtaining visibility should be the cornerstone of your overall information security strategy. As the title of this article states, there is no security without visibility. So, understanding the assets in your environment is paramount. You must ensure you have the right tools in your environment, which provide real-time asset inventory of authorized devices. Furthermore, these tools must provide alerts whenever unauthorized devices pop up on your network. I have been involved in audits in which we have identified substantial shadow IT infrastructures with direct (unsecured) connections to production networks.
The Risk of Network Security Without Visibility
I often ask members, “How many endpoints do you have in your environment?” After an investigation, the truth is usually 20 to 30 percent more than what the member thought they had. Situations like these put the entire enterprise at significant risk.
So, what do you need to address this challenge?
- Senior leadership buy-in
- Enforceable policy
- A security strategy that includes asset management
- The right tools
- The right people
We’ll assume that you have the senior leadership buy-in to take the necessary steps required to secure your environment (which would include asset management).
The first logical step is the creation of an enforceable policy detailing what types of assets are allowed or not allowed, how assets are tracked and cataloged, and the process for adding, removing, and disposing of assets.
Strategy – Asset management should be a key component of your overall information security strategy. Without a clear understanding of what devices (endpoints, servers, printers, etc.) are authorized to connect to the network, it is impossible to devise an effective security strategy. Effective asset management will facilitate hardware and software management, license compliance, regulatory compliance, as well as security. Therefore, it must be part of the overall security strategy.
Tools – There are many tools that claim to map, categorize, catalog, track, and alert on assets. One of the most significant benefits of membership in the Consortium is the ability to cut through the vendor noise and identify what is working for your peers and what is not. I have my opinion on tools that I think do the best job (and on those that I believe do not), but you can use our portal and review what the users are saying about the tools they use. This should help you make a more informed spending decision.
People – Finally, you must build the right team. The pool of information security talent is shallow, and we all struggle with it. Having the right team members, with the correct skills, in the right numbers, is crucial to every security program. Attracting good talent is one issue; retaining that talent is another. Obviously, we must compensate appropriately. But we must also provide other incentives to grow and keep our talent. Providing training, certifications, excellent working conditions, meaningful work, etc. will help retain the great talent you worked so hard to obtain.
Building your security strategy must begin with simply knowing what is on your network. The explosion of IoT devices, BYOD, remote workers, contractors, etc. makes this a daunting but important task. However, cybersecurity best practice and regulatory compliance demand that we have a firm grasp of the assets in our environments.
There are a number of tools that help automate the discovery of assets in an environment. These solutions range in price, complexity, and effectiveness. Consortium Networks was developed to help you navigate through the maze of products and make the best spending decision for your organization. Reach out to us at firstname.lastname@example.org for more information.