Security Guide: Building Strong Foundation for Cybersecurity Program and Privacy Standards with ITAM

The journey into a regulated world is a daunting one. With high-profile data breaches on the rise and millions of consumers’ data exposed, organizations have a heightened responsibility to keep sensitive information secure.

This article shows how IT asset management can help you navigate the changing threat landscape, strengthen your security posture, enhance your current security stack and reduce the time taken to gain complete visibility into your IT environment.

Takeaways:

  • What the cybersecurity standards are, and how they are valuable.
  • Why IT asset management is foundational to cybersecurity programs.
  • How to build a strong foundation for cybersecurity programs today.

Content Summary

Supporting Cybersecurity & Privacy Standards with ITAM
Why We Need Standards
Assessing Cybersecurity Risk with Frameworks
Building Blocks
Value to the Business
ITAM is Foundational to Cybersecurity
Building a Strong Foundation for Cybersecurity Programs
ITAM Fuels Security
Conclusion

Supporting Cybersecurity & Privacy Standards with ITAM

Cybersecurity is now a priority across the entire business, from the board-level down as companies increasingly rely on operating models that require data sharing.

With company valuations, reputations, and potential lawsuits hanging in the balance, organizations must fortify their security posture and align their policies around data handling to cybersecurity best practices and frameworks.

According to Gartner, “By 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually.”

Regulations for managing this risk differ from organization to organization. But no matter which requirements you must adhere to, or the standards you plan on adopting, every journey starts with the same question: Where are we now, and where do we need to get to?

To answer this question, organizations are turning to cybersecurity frameworks (like the NIST Cybersecurity Framework and ISO27001). Yet, the practical application of these guidelines isn’t always clear.

Since IT landscapes are so extensive (and require the ability to scale for growth), no one product or platform delivers complete cybersecurity protection. There is no such thing as being completely secure (unless you disconnect every system you have from a network and don’t have users and programs). Your intent here is to raise the bar high enough to make you an undesirable target to threat actors, by making it too hard for an attack to be worth it.

So how can IT asset management help you navigate the changing threat landscape, strengthen your security posture and enhance your current security stack?

IT professionals would benefit from first understanding the following:

  • What the cybersecurity standards are, and how they are valuable
  • Why IT asset management is foundational to cybersecurity programs
  • How to build a strong foundation for cybersecurity programs today.

Why We Need Standards

Data, in all its forms, is like the blood that flows through the corporate body, essentially in everything we do. Losing it always causes some degree of harm – and in certain cases, can be fatal.

Take, for example, a business experiencing downtime and related data loss. They must first pinpoint the source of the issue, “heal” it (i.e. remediate), and figure out how to deal with any downstream effects.

Unfortunately, today, these “wounds” are all too easy to come by. For while hardware failure is the leading cause of data loss and/or downtime for businesses, precipitating factors can be as small as an employee opening an infected email, or as significant as a natural disaster.

Let’s consider the implications (both operational & financial) of downtime & subsequent data loss.

Businesses of all sizes create and manage large volumes of electronic information, some of which are vital to the continued operation of the business. The impact of data loss or corruption from hardware failure, human error, data breach or malware could be significant – so a plan for data backup and restoration of electronic information is essential.

The financial impact of a security breach can be hard to quantify, as it includes both direct expenses (such as recovery labor and equipment replacement) and indirect costs like a lost business opportunity.

To address these risks, organizations will have to implement solutions based upon a blend of technologies and processes that meet their particular goals – be that active management or ‘checks and balances’. With so many areas of risk, how are we to discern what to address and implement?

Assessing Cybersecurity Risk with Frameworks

Many organizations find that they must adhere to a mixture of state, industry-specific, and international cybersecurity regulations. This presents a considerable challenge, particularly for those trading globally, and security frameworks can help guide on how best to comply.

What are cybersecurity frameworks and who is using them?

Essentially, these frameworks (of which there are many) are guidelines designed to reduce risk and enhance cybersecurity by improving the management of cybersecurity risk to organizational objectives.

“84% of US organizations leverage a security framework, and 44% use more than one.” – Dimensional Research, Trends in Security Framework Adoption Survey

What is the business impact of a cybersecurity framework?

Ideally, organizations using a framework will be able to measure and assign values to their risk along with the cost and benefits of steps taken to reduce risk to acceptable levels. The better an organization can measure IT risk, costs, and benefits of cybersecurity strategies and steps, the more rational, effective, and valuable its cybersecurity approach and investments will be.


What does this mean practically speaking? By leveraging cybersecurity frameworks, organizations will be able to:

  • Align investment to impact
  • Reduce the highest-priority areas of risk
  • Achieve a balance between protecting systems and staying compliant, while focusing resources on the core business.

This is true for all types of organizations, regardless of their size, industry, longevity or business objectives, because the frameworks are built around a maturity model. This helps businesses build their programs in a manner that is appropriate to their needs, without having to suddenly embrace a whole new set of processes and change. For instance, the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense not only lays out easily identifiable stages but also builds in organizational maturity for the depth of adoption in each area.

Building Blocks

Like any business-led process, cybersecurity planning is built upon a set of fundamental elements that are consistent across all the global standards. Whether you’re following the CIS, NIST Cybersecurity Framework, ISO 27001, COBIT, PCI, Cyber Essentials or many others, the principles are largely the same (though often worded very differently).


At a high level, standards will guide organizations to:

  • Identify: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistently with their relative importance to organizational objectives and the organization’s risk strategy.
  • Protect: Once you have a clear view of your assets, you need to take steps to protect them from malicious activity. Depending on the standards you are adopting, this could range from the physical perimeter security of your buildings to having a dedicated cyber incident response team. At the most basic level, your software should be up to date, users should run with the lowest level of privileges needed to perform their function, endpoints should be hardened, antivirus should be in place, and automated vulnerability scanning (such as Snow Software’s Risk Monitor) should be running.
  • Detect: Look for anomalous activity and the potential impact of events. The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures – ensure detection processes and procedures are maintained and tested.
  • Respond: Response processes and procedures are executed and maintained, to ensure that the response to detected cybersecurity incidents and response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies). Never forget the disclosure laws we are all bound by. Analyze these outcomes to ensure effective response and to support recovery activities. Perform mitigation activities to prevent the expansion of an event, mitigate its effects, and resolve the incident.
  • Recover: Recovery processes and procedures are executed and maintained to ensure the restoration of systems or assets affected by cybersecurity incidents. Almost without fail, your organization will already have a disaster recovery or business continuity plan in place – make sure it’s tested.

Value to the Business

As organizations increasingly rely on information, cybersecurity and the protection of sensitive data have moved from a best practice to a business driver. As such, businesses must prioritize cybersecurity activities just as they would other business activities – and the frameworks guide how to do this in a manner that is appropriate for your organization.

Every organization will adopt different elements of a given cybersecurity framework, in alignment with their size, place in critical infrastructure, and security maturity.

By following these guidelines, risk can be significantly reduced, and organizations can effectively prioritize investment and resources.

Across the board, however, there’s one critical place every organization must begin: IT Asset Management.

ITAM is Foundational to Cybersecurity

You can’t secure what you don’t know about

The classic foundation of cybersecurity is: “You can’t protect what you don’t see.” However, full visibility into the IT landscape can often be daunting. The sheer number of vulnerabilities, systems, and users to assess and secure is overwhelming – and the resulting view is often not comprehensive. This is where IT asset management comes into play.

The foundation of a solid security posture is twofold:

  • Understand what needs protecting
  • Implement an automated process for identifying unknown assets and their place within (or not) your IT landscape.

Failure to have a clear, unobstructed view of all risks is a sure path to failure (not if, but when).

Just look at Equifax and Carphone Warehouse, where a failure to fix known vulnerabilities on web-facing systems exposed personal data for millions of consumers. While they did attempt to protect assets and fix known issues, without a clear view of ALL systems needing patching, they simply missed some – easily done without having an effective inventory tool in place.

This brings us back to the core requirement, Identify, and why it is the first element in any effective cybersecurity program. It is also something ITAM practices are perfectly placed to support.

It is imperative that automated inventory scanning is carried out with a high level of frequency (at least daily), so that assets entering the network are swiftly identified, together with all the software installed on them and the usage behaviors of those applications. Only once an asset has been identified can we begin the process of protecting it and understanding the risks present within it.

Snow Software has been named a Leader in the Gartner Magic Quadrant for Software Asset Management Tools for two consecutive years. To us, it’s not a great leap for the ITAM / SAM communities to understand how their traditional information sets map to chief requirements of the security teams:

  • A complete and accurate list of installed applications and operating systems
  • End of life and end of support information relating to applications
  • A complete list of all computing devices – servers, desktops, virtualized systems, laptops, cloud-based systems, and mobile devices
  • Blacklist/whitelist capabilities
  • A complete view of hardware, software, user and usage.

ITAM and SAM teams were born out of a need to use automated technologies to dramatically reduce the time taken to gain complete visibility, eliminating the spreadsheet-based methodologies of years gone by. Technology usage information is now readily collated in a form that can help security teams close the door on risk in a much shorter time frame.

And yet, we can do even more.


Building a Strong Foundation for Cybersecurity Programs

Using Automation to Identify Vulnerable Applications

To increase the speed of insights into the risk landscape, automation is key.

Snow can now automatically map currently installed applications to the de-facto standard for known vulnerabilities, the NIST NVD – which dramatically reduces the time to insight. NIST is the US National Institute of Standards and Technology, part of the US Department of Commerce, and its National Vulnerability Database is one of the largest and most complete repositories of known vulnerabilities in existence.

But that’s not enough – organizations need both insights and actionable paths to remediation. To that end, Snow’s Risk Monitor identifies who is vulnerable and on what device. It is not limited to users, either: it can also identify where system accounts are accessing vulnerable applications (be it middleware or any program running background tasks, such as backup agents or antivirus).

Specifically, Snow’s Risk Monitor has advanced filters and visuals that enable users to walk through the risk landscape within their organization. Additionally, Risk Monitor can model the risks that exist by many contributing factors and exploitability metrics, all married up to the Common Vulnerability Scoring System (CVSS) and the criticality associated with each application. To eliminate false positives, we compare vulnerabilities in the NVD against the currently installed build versions of the software – the level of detail that is normally masked when data is normalized for Software Asset Management purposes.
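The matching step described above, as an added illustration that is not Snow’s code: an inventory of installed builds (including those run by system accounts) is compared against NVD-style affected-version ranges and ranked by CVSS, so that a patched build or an unaffected release is not reported. All products, devices, accounts and CVE identifiers are constructed placeholders.

```python
"""Constructed example: match an ITAM inventory against NVD-style records.

Advisory ranges mirror the NVD CPE match fields versionStartIncluding and
versionEndExcluding. Comparing the installed build version against the
range (rather than only the product name) is what removes false positives.
The CVE ids below are placeholders, not real NVD entries.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Advisory:
    cve_id: str
    product: str
    start_incl: Optional[str]  # versionStartIncluding (None = no lower bound)
    end_excl: Optional[str]    # versionEndExcluding, i.e. the first fixed build
    cvss: float                # CVSS base score used for ranking

@dataclass(frozen=True)
class Installed:
    device: str
    account: str               # user or system account running the application
    product: str
    version: str               # installed build version from the inventory scan

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '11.1.3' into (11, 1, 3); trailing zeros are dropped so 4.2 == 4.2.0."""
    parts = [int("".join(ch for ch in p if ch.isdigit()) or 0) for p in v.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def in_range(version: str, adv: Advisory) -> bool:
    """True when the installed build falls inside the advisory's affected range."""
    v = parse_version(version)
    if adv.start_incl and v < parse_version(adv.start_incl):
        return False
    if adv.end_excl and v >= parse_version(adv.end_excl):
        return False
    return True

def match(inventory: List[Installed], advisories: List[Advisory]):
    """Return (device, account, cve_id, cvss) findings, highest CVSS first."""
    findings = [(i.device, i.account, a.cve_id, a.cvss)
                for i in inventory for a in advisories
                if i.product == a.product and in_range(i.version, a)]
    return sorted(findings, key=lambda f: -f[3])

ADVISORIES = [  # constructed records
    Advisory("CVE-0000-0001", "ExampleMiddleware", "2.0", "2.4.7", 9.8),
    Advisory("CVE-0000-0002", "ExampleBackupAgent", None, "11.2", 7.5),
]
INVENTORY = [  # constructed scan results
    Installed("srv-01", "svc_backup", "ExampleBackupAgent", "11.1.3"),  # affected, system account
    Installed("srv-02", "svc_backup", "ExampleBackupAgent", "11.2"),    # fixed build, not reported
    Installed("wks-07", "alice", "ExampleMiddleware", "2.4.6"),         # affected
    Installed("wks-08", "bob", "ExampleMiddleware", "2.4.7"),           # fixed build, not reported
    Installed("wks-09", "carol", "ExampleMiddleware", "1.9"),           # predates affected range
]
```

Running `match(INVENTORY, ADVISORIES)` reports only wks-07 and srv-01, the two hosts on affected builds, with the 9.8-scored finding first.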

With the full scope of visibility, organizations can take a proactive approach to find and fix vulnerabilities within their environment – enabling the Protect step within security frameworks.

ITAM Fuels Security

With the above capabilities in mind, it’s no surprise that the information landscape available to the ITAM / SAM teams can be invaluable to infosec teams. Despite being different disciplines, with a different set of outcomes to deliver, we’re already walking many of the same paths: We all need to know what we have, where it is, and who is using it.

There is, however, one fundamental difference. SAM functions typically look at historical data (to prevent audits and help balance application usage vs. entitlements), while infosec teams are more interested in the present and near-term future. Yet the latter often spends an inordinate amount of time trying to establish a baseline for risk, and as the SAM community knows, jockeying spreadsheets and disparate tooling means that it’s out of date the moment it’s completed.

By sharing ITAM data with infosec, organizations speed up this process, improve their security posture, and streamline further process improvement.

Conclusion

The potential ripple effects of losing data can be felt many years after a breach occurs, and are personally damaging both for the affected users and for the breached organization.

But there’s hope. The tools and capabilities to mitigate these risks are readily available (indeed, the tools available from Snow could have saved the day for the likes of Equifax, where an exploited vulnerability exposed sensitive details for millions of customers worldwide). Whether or not your organization is considered critical infrastructure (such as a school, hospital, financial services firm or university research faculty), cybersecurity has become a board-level agenda item and a top priority. ITAM is a critical part of it.

Source: Snow Software