Does asset monitoring really have to be continuous? In a recent RSA blog post titled “Security GRC Fundamentals: Creating and Utilizing a Business Context,” the case was made that without the business context provided by an accurate inventory and the prioritization of information systems and data, all the intelligence in the world about threats and vulnerabilities has no relevance. This argument was further advanced in RSA’s post “Security GRC Fundamentals: Monitoring Assets,” on the evidence that nearly half of confirmed data breaches involved assets or data the organization did not fully know about. To bring a taste of quantification to the table, consider an example based on the following assumptions about a simple IT infrastructure:
Keep things simple by ignoring any additional complexities, such as users coming and going; devices getting lost, stolen, or upgraded; or users accessing different networks from the enterprise infrastructure. In just one month, how many ways has this one subset of the organization’s IT infrastructure potentially changed? A simple Monte Carlo model provides the somewhat shocking answer. There is a 90 percent chance that more than 50,000 changes were made to this simple environment and a 10 percent likelihood that there were more than 480,000 changes. The median value is about 250,000 total changes, which means there are a quarter-million ways this portion of the organization’s assets may have changed between the first and last day of any given month. And this is for just 1,000 users—imagine the magnitude of these changes in a much larger, more complex IT environment.

One response to this realization might be to lock everything down and implement strict provisioning of systems with only standard configurations, no administrative ability to add or change software, and strict controls to ensure only pre-vetted and authorized applications are able to run. In many ways, this response sounds like the Aberdeen Group blog’s DSD Top 4, which may be effective in certain types of command-and-control cultures. However, in other types of enterprises and cultures, those kinds of restrictions and costs would be viewed as a nonstarter.

Another response would be to move toward continuous asset monitoring to avoid having an information gap of between 50,000 and nearly 500,000 changes per month in the endpoint infrastructure of a 1,000-user environment. It is also important to consider that intelligence is only relevant when it is in context, bad things are highly likely to happen when intelligence and context are lacking, and context goes out of date much more quickly than organizations may have thought in the past.
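The post describes its Monte Carlo model but not its input assumptions, so the following is an added example of how such a model is built, not the post’s own code or numbers. The user count, devices per user, and the four change categories with their per-device monthly rate ranges are all constructed assumptions; swap in your own inventory figures to estimate the monthly change gap for your environment. Each trial draws the uncertain inputs, then draws a realised change count, and the percentiles of the trial totals are read off in the same “90 percent chance of more than X, 10 percent chance of more than Y” form the post uses.

```python
import random

# Constructed assumptions (not the post's own, which are not reproduced here):
# a 1,000-user environment, each user with 1-3 devices, and four kinds of
# endpoint change whose per-device monthly rates are themselves uncertain.
ASSUMPTIONS = {
    "users": 1000,
    "devices_per_user": (1.0, 3.0),   # uniform range for the average devices per user
    "change_rates": {                 # uniform range for mean events per device per month
        "patch_applied": (5.0, 40.0),
        "software_added_or_removed": (0.5, 5.0),
        "configuration_changed": (2.0, 20.0),
        "network_or_location_changed": (1.0, 15.0),
    },
}


def simulate_month(rng, assumptions):
    """One Monte Carlo trial: total endpoint changes in one month.

    Each trial first draws the uncertain inputs (device count, per-device rates)
    and then the realised change count. The sum of Poisson counts over N devices
    with mean rate lam is Poisson(N * lam); for the large means involved a normal
    with the same mean and variance is an accurate and much faster stand-in.
    """
    devices = assumptions["users"] * rng.uniform(*assumptions["devices_per_user"])
    total = 0.0
    for low, high in assumptions["change_rates"].values():
        rate = rng.uniform(low, high)           # uncertain per-device monthly rate
        mean = devices * rate                   # expected events of this kind
        total += max(0.0, rng.gauss(mean, mean ** 0.5))
    return total


def run_model(assumptions, runs=10000, seed=1):
    """Run the trials and return the 10th, 50th and 90th percentiles of total changes."""
    rng = random.Random(seed)                   # fixed seed keeps results reproducible
    totals = sorted(simulate_month(rng, assumptions) for _ in range(runs))

    def percentile(p):
        return totals[min(runs - 1, int(p * runs))]

    return {
        "runs": runs,
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
    }


def information_gap(result):
    """Phrase the percentiles the way the post does: a 90% chance of exceeding the
    lower figure, a 10% chance of exceeding the upper one, and the median between."""
    return {
        "exceeded_with_90pct_confidence": round(result["p10"]),
        "median_changes": round(result["p50"]),
        "exceeded_with_10pct_chance": round(result["p90"]),
    }


if __name__ == "__main__":
    result = run_model(ASSUMPTIONS)
    for label, value in information_gap(result).items():
        print(f"{label}: {value:,}")
```

The 10th percentile is the figure you can say is exceeded with 90 percent confidence, which is the number that matters when sizing the inventory gap a point-in-time scan leaves behind; the 90th percentile is the plausible worst month. Because the per-device rates are drawn once per trial rather than per device, the spread mostly reflects uncertainty about the environment itself, which is exactly what an inventory program is meant to reduce.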
Taking these factors into account and applying them to their own business should give IT leaders, security teams, and business leaders a new appreciation for the value of continuous asset monitoring. The post A New Appreciation for Continuous Asset Monitoring appeared first on Speaking of Security - The RSA Blog and Podcast.
