In the first installment of this blog series on automated asset inventorying, we met Max, the CISO of a large manufacturer whose InfoSec team lost full visibility of the company’s hardware and software.
Dangerous blind spots appeared progressively over time as Max’s company adopted more and more digital transformation technologies, such as cloud computing, mobility, IoT, and virtualization.
Eventually, Max and his team became alarmed at the inability of their legacy on-premises security products to account for the new cloud instances, virtualized environments, mobile endpoints and other assets outside of the traditional, tightly-controlled network perimeter.
They were concerned that this lack of visibility could lead to an increase in employee use of unapproved personal devices and unauthorized software, as well as to data breaches.
They also worried about approved mobile IT assets that could only be seen when connected to the corporate network. There was a risk of detecting critical vulnerabilities, policy violations, or malware infections too late on these intermittently attached devices.
After all, Max knew very well that it’s no coincidence that the top two in the Center for Internet Security’s 20 Critical Security Controls focus on having a complete inventory of authorized and unauthorized devices and software. This is the foundation for enterprise security.
Max also knew about next-generation security initiatives, such as Google’s BeyondCorp, that shift the protection focus away from the traditional network perimeter and instead point it towards end users and devices.
At first, Max and his team tried to plug the capability holes by piling on-premises point solutions onto their existing enterprise security systems, but that didn’t solve the problem. Rather, it created new difficulties, including:
- Higher costs for security software and hardware deployment and maintenance
- Increased complexity for security systems management, requiring the hiring of additional full-time InfoSec staff
- Interoperability problems among the heterogeneous point products
Only after switching course and adopting a cloud-based, automated asset inventory system were Max and his team able to get a comprehensive and continuously updated view of all IT assets in their new perimeter-less environment.
Last week, we explained how Max’s company regained broad and wide visibility across their entire IT environment. In this post, we’ll address how they also achieved deep, granular views into each asset, with constant and automated data updates.
Deep visibility into assets
It’s not enough to have a complete list of IT assets if the data collected for each one is minimal.
An InfoSec team needs deep visibility into IT assets, including their hardware specs, installed software, network connections, approved users, installed patches, and open vulnerabilities.
This type of profound discovery gives organizations a 360-degree view of each asset, encompassing both its IT and security data.
To compile such detailed profiles, automated inventory solutions must aggregate and consolidate data collected using various methods and processes, such as authenticated scans and asset-based agents.
Here’s a sampling of IT asset data an InfoSec team should have access to in seconds after querying their inventory system:
- Hardware type, such as a laptop, server or printer
- Hardware manufacturer and model name/number
- Total RAM and CPU count
- Operating system and specific version
- All installed software, including applications, drivers, utilities and plug-ins, and their respective versions
- Virtualized environment details
- Asset name and IP address
- Geographic location
- Services, file systems and registry details
- Approved users and a record of their log-ins
- Network interfaces
- Open ports
- Installed patches
- Existing vulnerabilities
- IT policy compliance settings
Continuously and automatically updated
Of course, having a list of assets that’s comprehensive both horizontally and vertically is of limited value if the data isn’t continuously updated.
New vulnerabilities are disclosed every day, and old ones can become more dangerous from one moment to the next if, for example, they’re included in automated exploit kits.
Meanwhile, an employee’s laptop can quickly go from secure to compromised if the user falls victim to a phishing email attack, gets infected with malware, or installs unapproved software.
You need to flag these instances as soon as possible, so you can take whatever action is necessary to protect your organization from a potential breach or compliance violation.
For example, in a recent study on the practice of continuous monitoring, SANS Institute stated that critical vulnerabilities should ideally get remedied in one day or less.
The reason? The risk of a breach reaches moderate levels at the one-week mark, and becomes high when a vulnerability remains in a critical system for a month or longer, according to the study.
Here again an integrated cloud-based platform for automated inventory management edges out a heterogeneous smorgasbord of point products, each focused narrowly on a specific type of IT asset.
The cloud option collects a complete set of IT and security data, providing a holistic view of each asset. It keeps these detailed snapshots in its central repository, and updates them around-the-clock via scanners and agents.
Because the asset inventory system is hosted and maintained by the vendor, customers can scale their usage as much as required without worrying about provisioning hardware and deploying software on premises.
Organizations can query this scalable, global and extensive inventory and obtain answers and a clear picture of their security and compliance posture in seconds.
Next week, we’ll close out this blog series with a discussion of two other important elements in automated IT asset inventorying: asset criticality rankings; and dashboarding and reporting.
Start a free trial of Qualys AssetView, the cloud-based asset inventory service that provides visibility and actionable data on global IT assets within your organization.