Asset Management - Done Differently
A good friend of mine has a favourite quote.
You can't manage what you can't measure.
He works in business operations and, over his career, has saved businesses millions by asking simple questions like...
Is it proportionate to use an armoured truck - with escort - to deliver a laptop? What is the risk you're mitigating?
And making comments like...
Making that gap 1mm smaller will save you 15 million sheets of printing each year.
His technique is simple and effective. Look for the gaps and fearlessly ask the fundamental questions.
In cybersecurity, we have an often overlooked foundation, asset management.
The central idea holds - if you don't know what devices connect to your network, how can they be secured? Are they patched and configured correctly?
When asking about asset management, I often get one of three answers:
- Finance has an Excel spreadsheet of laptops and phones handed out to staff. It's part of the fixed asset register.
- We pay a company to collect the information once each year, and they produce a report.
- We use a Mobile Device Management system (MDM) to monitor and manage phones and laptops.
Each approach works...
But will only ever provide a partial view.
- Does that person still have the laptop, or was it swapped for some reason? Was the spreadsheet updated?
The last time the finance team wants to be made aware of a change is when they have an auditor wishing to validate the fixed asset register.
I have an old iPhone 4 sitting on my shelf. It was a company phone that hadn't quite been registered correctly. It fell through the cracks and was easier to “never be seen again” than put on the asset register.
- The annual audit often provides excellent, high-quality data… once yearly. But is it accurate the next day? The next week? Anything's possible.
- Mobile device managers often provide the highest quality of current data - continually monitoring laptops and phones for their configuration. However - they only monitor laptops and phones - and what they expect to see. No switches. No network devices. No servers. No storage devices.
That exposes the major flaw with most asset-tracking approaches - you only see what you're expecting to see. If a device isn't expected, it won't be recorded.
There is an alternative - network discovery. This technique listens to network traffic to understand which devices are talking. It then actively probes, using industry-standard discovery protocols, to identify what is connected to the network.
This provides a current view of what is really connected to your network - even the devices you weren't expecting.
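As an added illustration of the "expected versus observed" idea (example code, not from the original post): reconcile what a DHCP server has handed out on the wire against an asset register, so that unregistered devices and never-seen registered devices both surface. The dhcpd-style log lines and the CSV register are constructed sample data, and a real discovery pass would also draw on ARP, LLDP/CDP and active scanning.

```python
import csv
import io
import re

# Constructed sample: ISC dhcpd-style DHCPACK syslog lines; MACs are placeholders in the 02: range.
DHCP_LOG = """\
Jan 12 09:01:02 gw dhcpd: DHCPACK on 10.20.0.11 to 02:00:00:00:00:11 (LAPTOP-4471) via eth1
Jan 12 09:01:09 gw dhcpd: DHCPACK on 10.20.0.12 to 02:00:00:00:00:12 (LAPTOP-4472) via eth1
Jan 12 09:04:41 gw dhcpd: DHCPACK on 10.20.0.57 to 02:00:00:00:00:57 (Nintendo-Switch) via eth1
Jan 12 09:05:13 gw dhcpd: DHCPACK on 10.20.0.90 to 02:00:00:00:00:90 via eth1
Jan 12 09:06:00 gw dhcpd: DHCPACK on 10.20.0.11 to 02:00:00:00:00:11 (LAPTOP-4471) via eth1
"""

# Constructed sample register, as a finance spreadsheet or MDM export might look.
REGISTER_CSV = """\
mac,asset_tag,owner
02:00:00:00:00:11,LT-4471,alice
02:00:00:00:00:12,LT-4472,bob
02:00:00:00:00:13,LT-4473,carol
"""

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<host>[^)]*)\))? via"
)


def parse_dhcp_log(text: str) -> dict[str, dict]:
    """Observed side: latest IP/hostname per MAC; later lines overwrite earlier ones."""
    seen: dict[str, dict] = {}
    for line in text.splitlines():
        m = ACK_RE.search(line)
        if m:
            seen[m["mac"].lower()] = {"ip": m["ip"], "host": m["host"] or ""}
    return seen


def load_register(text: str) -> dict[str, dict]:
    """Expected side: register rows keyed by normalised (lower-case) MAC."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def reconcile(observed: dict, register: dict) -> dict[str, list[str]]:
    """Three buckets: seen and registered; seen but unknown (the gap);
    registered but never seen (was the laptop swapped or lost?)."""
    return {
        "expected": sorted(observed.keys() & register.keys()),
        "unexpected": sorted(observed.keys() - register.keys()),
        "unseen": sorted(register.keys() - observed.keys()),
    }


def report() -> dict[str, list[str]]:
    return reconcile(parse_dhcp_log(DHCP_LOG), load_register(REGISTER_CSV))
```

Running `report()` on the sample data puts the games console and the nameless 10.20.0.90 host in `unexpected`, and carol's registered laptop in `unseen`.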
Last week while doing an asset discovery and audit, I found a Nintendo Switch games console on the same network as control systems for a large solar array. I didn't expect to see either.
If a games console is permitted to connect to that network, what else could be? 😬
This is a gap.
So following my friend's technique - it is time to start asking the fundamental questions.
Is this a breakdown in:
- Enforcement of network access?
Network asset discovery helps highlight the gaps in your knowledge and expectation. However, it isn't a panacea.
Data quality can suffer on large and rapidly changing networks. So, in addition to asking the fundamental questions, there needs to be someone curating and cleaning the data to make it useful.
And as for last week's discovery - was there really a solar array and Nintendo Switch on the same network?
Unfortunately - yes...
So now it's time to schedule a call to discuss policies, architecture, detection and enforcement.