This article is the third of a four-part series by AJ Witt of ITAM Review written in collaboration with ServiceNow’s Ryan Wood-Taylor & Peter Beruk. The series outlines how a strategic ITAM practice will deliver enhanced business value through creation of strategic stakeholder relationships.
The full article series is also available as a whitepaper, downloadable here (no registration required)
IT Security is constantly in the news. High-profile cyber-attacks such as those that befell Maersk & Equifax have had a huge impact. Maersk had limited IT capability for two weeks following the NotPetya worldwide attack. A vulnerability in open source software resulted in C-Suite retirements at Equifax and those same executives having to explain themselves to Congress. The breach impacted over 145 million customers worldwide and to date Equifax have spent $1.35bn on remediation. To put that in perspective, that’s equivalent to their total three-year net income from 2015 to 2018. All because of what Congress saw as an “entirely preventable” attack.
Unsurprisingly, this means that cyber security, alongside privacy, is very high on the C-Suite priority list – and no longer something for just your CIO or CISO (Chief Information Security Officer) to worry about. As we will see in this article, IT Asset Managers & IT Security professionals are “fellow travellers” with many of the same challenges and opportunities. By working together, each can deliver their own programmes whilst radically improving the safety and manageability of their IT estates.
How do IT Security & ITAM responsibilities and motivations overlap? In this section we’ll explore three key commonalities – Discovery & Inventory, Risk Management, & Audit-Readiness.
The introduction to the recent NIST reference framework for an IT Asset Management system states:
“IT asset management (ITAM) is foundational to an effective cybersecurity strategy and is prominently featured in the SANS Critical Security Controls and NIST Framework for Improving Critical Infrastructure Cybersecurity”
(Sidenote: NIST is the US National Institute of Standards & Technology with a wide-ranging remit including standards for US commercial & governmental computing. The NIST framework for Critical Infrastructure Cybersecurity is a reference framework implemented by many IT Security teams worldwide.)
The starting point comes from the cybersecurity mantra “you can’t secure what you don’t know about”. This is what brought Equifax to its knees – firstly not everyone received the notification regarding the Apache Struts vulnerability, and secondly network intrusion detection systems were misconfigured. For more on this see Rich Gibbons’ deep dive into the ITAM perspective of the Equifax breach.
This should sound familiar to ITAM managers – accurate and comprehensive discovery and inventory data is also foundational to our activities. Without accurate data we can’t make informed decisions on future license purchases, or we may have previously unknown non-compliance positions uncovered in a software license audit. The ITAM perspective on inventory and discovery may be subtly different to IT Security’s. We tend to collect very rich data – hardware, software, patch levels, and usage. ITAM teams may also have more historical data, and have data for assets that are not network-connected. IT Security teams tend to operate in the moment, with their focus on current risks such as zero-day vulnerabilities.
It isn’t just about discovery and inventory though; ITAM & Security have much more in common. Both functions seek to protect their organisations from risk, even if the risks they manage differ. Whilst ITAM focuses broadly on long-term financial impacts surrounding the use of IT assets, as noted above IT Security is working more in the here-and-now to defend against the daily risk of cyber-attack. However, you’ll still find a common vocabulary and approach if you speak to your IT Security team about risk management. You will find many partnership opportunities in contributing to and managing your organisation’s Risk Register.
Both functions also work with an expectation of being subjected to audit. For IT Security, much effort is expended on ensuring an organisation is compliant with requirements such as Sarbanes-Oxley (SOX), the Payment Card Industry PCI-DSS requirements, and other regulations such as HIPAA. These are annual audit requirements for many organisations. That’s before we get to the privacy requirements of the GDPR and upcoming privacy regulations such as the California Consumer Privacy Act (CCPA). For ITAM, the audit risk is external and primarily from software publishers, though anecdotally, I am hearing internal audit starting to increase the pace of internal reviews on inventory accuracy.
This results in both teams operating from a state of preparedness – ready for that next large-scale cyber-attack, a software license audit from a publisher, or internal or external audit. Getting to that level of readiness can, and should be, a shared journey. ITAM is essential to audit readiness for PCI-DSS because companies processing payment cards must have full hardware, software, and user visibility of their CDE (card data environment).
Having identified this common ground, how do we go about building a strong relationship with our IT Security teams? There are a number of practical approaches that will ensure that ITAM & IT Security motivations and objectives are aligned.
Discovery and Inventory is challenging for both teams. Getting a full picture of an estate takes time and can be a constant battle, particularly for ITAM teams who may not have the leverage to collect ITAM information on every device throughout the estate. For this reason, I would argue a common approach to this challenge is worth exploring. The NIST framework recommends that a single version of the truth – a central asset register – is populated from multiple sources of asset data. With the right normalisation and reconciliation activity it becomes possible to build a rich, multi-faceted view of an asset throughout its lifecycle. This has the potential to eliminate blind-spots and provide certainty about your assets.
Whilst each team may require a different view of an asset – for example, an ITAM team will be interested in the precise SKU for software, whereas IT Security might just be focused on its patch level – a single, centralised asset register can provide that. If you’re struggling as an ITAM manager to get your ITAM-specific agents deployed across your network – particularly in sensitive areas such as Industrial Controls or your CDE – your IT Security team might have a stronger mandate to make that happen. Everyone then benefits from that single, golden, version of the truth. This asset register is available to other IT Management disciplines such as Incident, Change and Configuration Management, and so on.
Cyber-attacks are a fact of life – it’s not a case of if, but when. Data gathered by multiple toolsets can precisely identify which assets are vulnerable and susceptible to attack by referencing threat databases such as the National Vulnerability Database (NVD). In turn, this can inform your company’s mitigation strategy for those devices – do you turn them off, can you patch them, etc. Whilst security updates may be provided regardless of support & maintenance status – Microsoft recently patched a critical vulnerability in Windows XP for example – the ITAM team is probably the only repository of information as to the support status of an asset or software application. With the growth in hardware/firmware vulnerabilities such as Meltdown and Spectre, information regarding the physical properties and warranty status of an asset has become important to IT Security teams. Once again, this is information that ITAM teams routinely collect and manage.
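The reconciliation described above, sketched as an added example that is not part of the original article: an ITAM export and a security-scanner export are normalised onto one key, merged into a single register, and then queried for blind spots and out-of-support software. The feed layouts, field names, hostnames and MAC addresses are constructed for illustration; the Windows 7 date is Microsoft's published end of extended support.

```python
from datetime import date

# Constructed sample exports; field names, hosts and MACs are illustrative.
ITAM_FEED = [
    {"host": "FIN-LAP-01.corp.example", "mac": "00-1A-2B-3C-4D-5E", "os": "Windows 7"},
    {"host": "HR-DESK-07.corp.example", "mac": "00-1A-2B-3C-4D-5F", "os": "Windows 10"},
    {"host": "LAB-SPARE-03", "mac": "", "os": "Windows 7"},  # in storage, off-network
]
SECURITY_FEED = [
    {"hostname": "fin-lap-01", "mac": "00:1a:2b:3c:4d:5e", "patch_level": "2019-03"},
    {"hostname": "hr-desk-07", "mac": "00:1a:2b:3c:4d:5f", "patch_level": "2019-06"},
    {"hostname": "cde-pos-11", "mac": "00:1a:2b:3c:4d:60", "patch_level": "2018-11"},
]
FIELD_ALIASES = {"hostname": "host"}             # map tool-specific names to one schema
SUPPORT_END = {"Windows 7": date(2020, 1, 14)}   # lifecycle data held by ITAM

def asset_key(rec):
    """Normalise to a 12-hex-digit MAC; fall back to the lower-cased short hostname."""
    mac = "".join(c for c in rec.get("mac", "").lower() if c in "0123456789abcdef")
    if len(mac) == 12:
        return mac
    host = rec.get("host") or rec.get("hostname") or ""
    return host.split(".")[0].lower()

def build_register(itam_feed, security_feed):
    """Merge both feeds into one record per asset, remembering which tools saw it."""
    register = {}
    for source, feed in (("itam", itam_feed), ("security", security_feed)):
        for rec in feed:
            entry = register.setdefault(asset_key(rec), {"sources": set()})
            entry["sources"].add(source)
            for field, value in rec.items():
                # First writer wins, so ITAM's richer values are kept on conflict.
                entry.setdefault(FIELD_ALIASES.get(field, field), value)
    return register

def blind_spots(register):
    """Assets known to only one team: candidates for agent rollout or investigation."""
    return {k: sorted(e["sources"]) for k, e in register.items() if len(e["sources"]) == 1}

def out_of_support(register, today):
    """Hosts whose OS is past the support end date recorded in the lifecycle table."""
    return sorted(e["host"] for e in register.values()
                  if e.get("os") in SUPPORT_END and SUPPORT_END[e["os"]] < today)

if __name__ == "__main__":
    reg = build_register(ITAM_FEED, SECURITY_FEED)
    print(blind_spots(reg))
    print(out_of_support(reg, date(2020, 2, 1)))
```

An operating system missing from the lifecycle table is not flagged, so in practice unknown lifecycle status deserves its own report.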
So far, this article has focused on the here-and-now aspects of ITAM & IT Security co-operation. However, there are also areas of long-term, strategic collaboration to explore. One such area is software lifecycle management.
Historically, perpetually-licensed software saw a pattern of major releases being granted long-term support rights. For example, Microsoft’s standard support lifecycle was “5 plus 5” – 5 years of mainstream support followed by 5 years of security updates. Knowing the maturity of your software assets in relation to the software lifecycle is vital. For example, if you’re running Windows 7, it is important to know that extended (security patch) support for that OS ends in January 2020.
Software Support is no longer just about being able to call someone because something has broken, or as a way of enabling entitlement to new releases. More importantly, the support status of your software estate is critical to IT Security. Standards such as PCI-DSS mandate that software running in certain parts of your estate is still in support, and that you have an active support contract in place. This immediately makes lifecycle management a shared responsibility between ITAM & IT Security. From an ITAM perspective you can enlist IT Security requirements around this to bolster discussions on software maintenance renewals. In turn, particularly for mature or legacy software, this may help you address potential license non-compliances or to modernise your estate.
In general, keeping your estate on current-release software is desirable. Users benefit from new features, IT Operations benefits from improvements in deployment, project teams can future-proof their systems, and IT Security are able to ensure that the organisation is well-placed to mitigate the risks from new and future threats.
The IT security threat landscape and attack surface are changing, and changing rapidly. Two areas of potential co-operation to address this will be Internet-of-Things (IoT) & Third-Party Risk Management.
Software is becoming ever closer to customers as IoT devices proliferate. We’ve already seen issues raised around privacy and security of automotive systems. This presents questions around who is responsible for patching the software in company products. In the automotive industry will we see safety recalls due to faulty software? Are companies responsible for keeping an inventory of their software and hardware devices? Does that responsibility extend to a smart toothbrush that connects to a company database via Bluetooth? These are the sorts of questions that keep IT Security professionals awake at night, and ones that ITAM can answer for them.
A number of recent high-profile security breaches have been traced to vulnerabilities in third party service providers. For example, Ticketmaster was breached because third-party code providing live chat functionality to their payment page was compromised. A similar vulnerability was exploited at British Airways. These breaches have highlighted the importance of discovering and inventorying all software, regardless of the source, running in your environment. This can be a joint effort between ITAM & IT Security – for example by analysing open source software running on your network and determining its quality. This is very much an emerging area of collaboration that will in time improve the security of an organisation’s software estate.
This article has explored how IT Security & IT Asset Management can work together to deliver shared goals. Building a shared, rich, single version of the truth about the IT infrastructure enables the organisation to maintain audit-readiness, manage risk, and ensure compliance with regulatory and legal requirements. These goals increasingly protect customers and products from threats, putting IT Security & Asset Management at the forefront of value creation and delivery for the organisation.