“You can’t secure what you can’t see” is a common refrain in cybersecurity circles. It’s echoed in multiple Federal IT mandates, including the zero trust strategy and the event logging memo from the Office of Management and Budget. Gaining comprehensive visibility across agency networks, devices, applications, and identities is no mean feat in today’s diverse and ever-changing IT environments.
An accurate, complete, and up-to-date inventory of agency devices is the place to start, notes Tom Kennedy, vice president of Axonius Federal Systems, who sat down with MeriTalk for a three-part discussion of cyber asset inventories. This first part explores the role that cyber asset inventories play in establishing a zero trust approach to cybersecurity. Part two will examine Federal government requirements for reliable asset inventories and their many benefits. Part three will address the emerging need for cyber asset attack surface management and how agencies can best meet that need.
MeriTalk: We all know the Federal zero trust strategy requires a complete inventory of every device that agencies either operate or authorize for government use by the end of 2024. Based on your experience, how hard is it to do this?
Tom Kennedy: We have dozens of customer conversations every week where that inventory is universally recognized as a pain point. The good news is the asset and user data is all there. The challenge is that it’s fragmented all over the organization, so it’s hard to get a holistic view.
I remember a tweet five years ago where a CISO relayed that he asked his five key lieutenants, “How many devices do we have in this particular group?” And he got five dramatically different answers. It’s such a simple question. Why is this such a complicated answer? It’s because the data is fragmented all over the enterprise, and it’s really hard to stitch it all together. It’s usually a person in a cubicle who is manually tracking device counts from multiple tools and trying to correlate them in a spreadsheet.
MeriTalk: One tool might format data differently than another tool. You’re trying to put them all together. That seems prone to error.
Kennedy: Prone to error and a huge, huge lift. You have to normalize all those fields and then correlate them. There’s a lot of complexity in that. Some companies have built professional service organizations around doing that work for government agencies. They have data engineers that figure out the integration work effectively on a small scale.
MeriTalk: What would reduce this complexity and manual pain?
Kennedy: Automation. That’s the heart of it. That’s what digital transformation is all about: automating manual tasks to transform your business. What if you could grab all of the asset and user data and correlate it, automatically? Axonius fetches data from multiple, disparate, fragmented tools and then correlates it into one comprehensive cyber asset inventory.
MeriTalk: Is there ever any confusion about what exactly constitutes a device? Is that part of the problem?
Kennedy: Yes. The IT landscape has gotten so much more complex. It used to be you just had a workstation, and then it evolved to laptops, and then mobile computing. Then all the different data center assets, cloud computing, cloud instances, SaaS apps, and IoT devices. Those are all IT assets. So many things have an IP address.
I equate the level of complexity to a slow boil. Maybe you didn’t really feel the intensity of the heat because it built up over time. Here’s how crazy it’s getting, even personally: I have a wife and two kids, and we have 47 devices registered on our home Wi-Fi. Now imagine the spread across the entire IRS or Department of the Air Force.
MeriTalk: When we think of devices, we typically think of laptops, workstations, servers, printers, storage devices, etc. Do some devices typically escape detection?
Kennedy: Yes, and it’s also important to ask: Why does it matter? Why is it important to capture tech and have an inventory? We typically talk about three big reasons to explain why it matters. First, most security tools are deployed through an agent, which lets us know that the tools are working and lets you push updates. If a device is supposed to have an agent on it, and it doesn’t, it’s missing critical patches and causes vulnerability. The only way that you learn where an agent is missing is by correlating with other tools, and then stitching the data together.
The second reason is concern over whether cloud instances are covered. Many government agencies are excited about giving their users capabilities to spin up cloud instances quickly. They like the elasticity of cloud. But think about implementing security protocols across an environment that’s not static. Almost every government agency uses cloud security scanner software to scan for vulnerabilities and malicious behavior. But there are limitations to how often you can do those scans, which create gaps where cloud instances might be spun up and down. You need a tool that can uncover those gaps so you have full confidence across your cloud assets.
The third reason for an inventory is shadow IT. A device that is not registered with the network is not getting the security pushes. This is always a big issue for our Federal clients. Sometimes as much as 10 to 20 percent of their device population is not properly managed. Or maybe there’s a technical issue where the network access control is not picking a device up. The only way you can identify that is by pulling data from multiple security tools and then correlating the data to flush out the gaps.
MeriTalk: Zero trust requires visibility into devices but also applications and workloads. Is it accurate to say that visibility into devices needs to come first?
Kennedy: The short answer is yes. That said, the capability most commonly associated with zero trust is identity management. You’re focused on the right credential for the right person. But how do you know if it’s the right device? If it’s a managed or a non-managed device? This is why we talk about cyber asset management as a foundational step of zero trust. You need to understand your authorized devices and assets and make sure that they’re all fully up to security compliance. That’s equally as important as identity management.
MeriTalk: We talk a lot about how you can’t secure what you can’t see. What should agencies look for in a solution that identifies assets and their vulnerabilities?
Kennedy: This is top of mind for a lot of Federal agencies. The Defense Innovation Unit did a big study around cyber asset inventory management. We were awarded a prototype to demonstrate the functionality around that issue.
The first thing to look for is completeness. Most solutions only give you partial visibility. It’s critical to be able to pull from multiple tools and then correlate all that information together to give you complete visibility. Without it, you’re only looking at pieces of the puzzle, and you still can’t see some vulnerabilities. And you want to eliminate the manual labor of correlating different pieces together. Correlation and data extraction should be automated.
Interoperability is also important. Integrators will build custom solutions between two security tools. But that’s not really scalable. What happens if one of those security tools gets swapped out with something else? You have to redo the work. So, the ability to be interoperable with every potential source is extremely important. It future proofs your approach.
You have to think about now and the future. You might pull from six or seven security tools today, but what will it look like three years from now? You might have two or three more security tools in play, and you might have IoT devices that you want to pull in. The most important part is the ability to efficiently correlate complex user and device information into a single source of truth.
MeriTalk: Interoperability is a form of future proofing because it ensures the tools I’m using today can integrate with tools into the future. What else should agencies consider when they’re thinking about future proofing?
Kennedy: The Department of Homeland Security is one of our biggest clients, and they talk a lot about how we create adapters for their different tools, and our ability to scale that functionality. We went from supporting 100 adapters to 500 adapters in a year or two. Part of future proofing is preparing to scale to 10,000. We don’t know what the future holds, but having a systematic process to create new adapters quickly is part of a future-proof analysis.
MeriTalk: What makes Axonius’s approach to asset and vulnerability visibility different from other providers?
Kennedy: We differentiate in two key ways. The first is through our approach to creating these purpose-built adapters, connecting into any security tool or operational technology tool out there. It is a huge differentiator. Some companies might be able to connect into a couple or can custom develop them. But we have a pretty awesome and efficient process. We’re up to 520 adapters today and we can scale that immensely.
The second part is correlation. How effectively can you dedupe, normalize, and aggregate the data and then correlate it into a single system of record? That’s where the true secret sauce of the software comes in. We have the best correlation engine on the market.