Most organizations have dozens of cybersecurity asset management products in use. This is good for security teams, especially because some commercial offerings can help consolidate all this data in one convenient system of record. However, teams should expect to do some necessary custom development work and invest time/resources to get everything working as planned. There is no one correct way to build and maintain an asset inventory.
This piece outlines the best methods and what’s needed for a comprehensive cybersecurity asset management system, along with descriptions of different tools and categories.
Many security teams have adopted a centralized asset management system (CAM). When high-tech organizations do not have CAMs and critical vulnerabilities occur, there is a scramble to determine which systems are affected, because asset data is spread across multiple systems and even spreadsheets.
Asset management is a challenge nearly all departments across all business verticals face. Each group has different needs and requirements from an asset management solution:
Using a single asset management system doesn’t make a lot of sense for most organizations. However, that hasn’t stopped organizations from trying, and when that happens, we usually see the effort centered around an IT service management (ITSM)
Most large organizations have multiple asset management solutions to satisfy a wide range of needs for different parties. This works and is ideal for the security team, especially now that newer asset management tools can combine and deduplicate the data from many of these asset management solutions.
The following categories are related to cybersecurity asset management in some way, and all can be useful, depending on the use case:
Many of these have “management” in the name, although security teams don’t typically manage assets; they just need information related to the assets.
Consider identifying the risk related to certain assets. This use case often requires combining data from:
A whole class of risk management tools exists to combine the data above with threat intelligence to give a more accurate score. These tools assign an accurate risk score to each issue and asset. Risk management tools aren’t designed to replace an asset management tool, but their data is incredibly valuable. Most asset management tools can integrate with risk management tools, and we highly recommend taking advantage of these integrations.
Some additional cybersecurity asset management use cases include:
Cybersecurity asset management success factors vary. Four key factors are explained below:
1. Visibility Tools:
Teams need a visibility tool that can, ideally, pull information from multiple sources on a regular basis. While some of these tools also offer the ability to automate changes to systems, the key need is visibility, so read-only access to other asset management systems is sufficient for the core security use case here.
2. Access to data at several levels:
3. Access to critical data sources:
Full responsibility infrastructure
Shared responsibility infrastructure
4. Strong business unit relationships:
Collaboration between business units is necessary to obtain and maintain the data to make asset management systems work. Often, there are alternative ways to obtain the same data, but it typically involves more time and work than simply asking another department for a read-only account to their system.
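The combine-and-deduplicate step described earlier, fed by the read-only pulls a visibility tool relies on, can be sketched as follows. This is an added example, not code from IANS or from any vendor product; the source names, field names and sample records are constructed assumptions.

```python
import re

# Constructed sample exports from three read-only sources (all values are made up).
SOURCES = {
    "cmdb": [
        {"hostname": "WEB01.corp.example.com", "mac": "00-1A-2B-3C-4D-5E", "owner": "ecommerce"},
        {"hostname": "db01", "mac": "00:1a:2b:3c:4d:60", "owner": "data"},
    ],
    "edr": [{"hostname": "web01", "mac": "00:1a:2b:3c:4d:5e", "agent_version": "7.2"}],
    "vuln_scanner": [
        {"hostname": "web01.corp.example.com", "mac": None, "critical_vulns": 3},
        {"hostname": "build-07", "mac": "00:1A:2B:3C:4D:99", "critical_vulns": 1},
    ],
}

def norm_host(name):
    """Lowercase and drop the DNS suffix (assumes short names are unique)."""
    return name.strip().lower().split(".")[0] if name else None

def norm_mac(mac):
    """Reduce any MAC notation to 12 lowercase hex digits, or None if malformed."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower()) if mac else ""
    return digits if len(digits) == 12 else None

def merge_assets(sources):
    """Return one record per asset; a MAC match takes priority over a hostname match."""
    index, assets = {}, []  # index maps an identity key to its merged record
    for source, records in sources.items():
        for rec in records:
            keys = [k for k in (("mac", norm_mac(rec.get("mac"))),
                                ("host", norm_host(rec.get("hostname")))) if k[1]]
            asset = next((index[k] for k in keys if k in index), None)
            if asset is None:
                asset = {"sources": set(), "attrs": {}}
                assets.append(asset)
            for k in keys:
                index[k] = asset
            asset["sources"].add(source)
            for field, value in rec.items():
                if value is not None:
                    asset["attrs"].setdefault(field, value)  # first source wins
    return assets

def coverage_gaps(assets, required=("cmdb", "edr")):
    """List (hostname, missing sources) for assets absent from a required source."""
    return sorted((norm_host(a["attrs"]["hostname"]), sorted(set(required) - a["sources"]))
                  for a in assets if set(required) - a["sources"])
```

Run against the sample data, the five input rows collapse to three assets, and `coverage_gaps` reports the scanner-only host missing from both the CMDB and EDR and the database host missing an EDR agent.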
Some organizations push everyone to standardize onto a single asset management/ITSM/change management platform. This might work out for parts of IT, but usually does not for security teams. The challenge for security is that it needs as much data as possible in a short timeframe, but it doesn’t have access to extended development resources. Monolithic offerings typically disappoint when faced with these constraints. Security teams should go after purpose-built security asset management tools instead.
Keep in mind that even with a cybersecurity asset management tool in place:
September 21, 2023
By IANS Faculty