Driving ACM governance with Discovery Controls
Previously I blogged about components that become key controls for an effective Asset and Configuration Management (ACM) program with the Information Security group being one of the core consumers of this capability.
A first step in that journey was an integrated discovery capability. Discovery solutions need to go across the enterprise and find out what exists, report back accurately, flag exceptions requiring attention and redo the process all over again. Discovery systems run almost daily within the enterprise and is a key control to ensure IT Asset Management governance.
Today no single tool capability can do all the discovery of assets entirely by themselves. Certain tools are more focused and do a better job on the network side -e.g. Solar Winds and/or Ixia versus others that target virtual servers, applications and databases. As a result there may be multiple tools in use within the organization. Depending on how IT is structured and existing portfolios, these tools may be deployed across technical/ functional domains. E.g. all network management domain by one or two discovery tools or Network management for a single business unit. Large organizations often have a great opportunity to leverage disparate discovery feeds into the Asset Management discovery workflow. However due to organizational complexity and priorities, this is often not the case.
Integrating discovery tools into one single feed can provide a huge benefit to Information Security practitioners within the entity. Apart from a single window view, this capability will allow to adjust for scan schedules. For example having one tool run for a few hours and let the other one carry on where the first one left off. Another could be to standardize overlaps in information through a reconciliation engine and create a single integrated view of the asset that is generated from all the intelligence generated from the different discovery tools.
Most discovery tools run on a pre-defined schedule. The process itself is push based from a central discovery server collecting device information from scans or agents on clients pushing information back to the server. Most tools lack a real-time capability to alert based on asset configuration changes. Having a single window into multiple tools can help to separate schedules such that multiple scans can be applied on a single asset. This will still not attain real-time, enhance network utilization efficiency, but significantly improve outcomes from scans done by a single tool.
For discovery feeds to make sense to ACM and Info-security stakeholders, they must pass through a reconciliation engine. Either one built in the tool or a rules engine based outside the discovery system. Then there is the question of action. Missing fields is a common problem - e.g. not retrieving server name but the server location or obtaining the server IP address but not the MAC address. In our fast paced virtualized instances' world, where machines spin up and down every few minutes, the problem is more acute due to lack of information input during instance creation.
Organizational Asset maintenance policies and standards should clearly state what should be the next step to remediate the issue of missing information. However even before this step, the discovery system should be configured to flag issues. What will be those key Configuration Items (CI's) per asset type that need to be monitored. E.g. - having a server OS version information missing may be acceptable, but not a server location attribute.
Asset data quality can become a key partner to information security by offloading the monitoring of discovery and flagging of exceptions. This will enable cyber security teams to focus on the areas that need more attention- e.g. a changed IP address for a server which did not come in through a formal change management request may indicate an unauthorized change request that requires further investigation.
ACM can provide enormous value to Cyber security programs in large entities. However all ACM components need to work together to return that return on investment. The Discovery policy, process and tools are key steps to enable ACM effectiveness.