
If you are not doing asset management, you do not have information security.

Hi, Habr! I present to you my translation of the article “If You’re Not Doing Continuous Asset Management, You Are Not Doing Security” by Daniel Miessler.

The more a company can say about its assets, the better it will be at security. The more complete and current its inventory, the more mature the organization is in protecting information. I have been convinced of this for 15 years of advising hundreds of corporate clients.

But just try, as a full-time employee or as a consultant, to get a dedicated person hired to build and maintain an asset management system. In most cases they will look at you as if you had asked them to paint the walls with invisible paint. The expression on their faces will say: “Listen, I don’t know where you come from, but here we don’t have spare money to throw at silly administrative tasks.”

That is what their looks mean, and it is ridiculous considering what the money is spent on instead. Companies pay for cookies in the office, send people to useless trainings and conferences, and pour millions into marketing campaigns whose results cannot be tied to sales. But spend money on having a list of what we are actually protecting? Nope. Too expensive. A pure waste.
Asset management is perhaps the most important component of a security program, yet I know of essentially zero companies that have an employee dedicated to it.

People keep asking the wrong questions about breaches. Stop asking about compliance certificates, regulations or credentials. They do not matter. Instead, let's ask which of these companies had an asset inventory with more than 60% coverage that was less than 30 days old. I would guess that more than 99% of the companies that suffered a serious incident or leak in the last five years had no such list of their systems, data and vendors. I would love to hear from someone that I am mistaken.

For most companies, the best thing they can do for their security program is to hire one person whose job is to keep the company's inventory current in near real time.

And since we are playing with fire here, let's ask one more question: what is compliance with information-protection regulations worth if it can be achieved without having a clue where your data is or what systems you have? How is that even possible? It is as if an automaker passed a crash test without providing a car.

Forget everything you knew about information security. Flush it down the toilet. All the regulations, security scanners, vulnerability management and audits. Let's call all of it "nice-to-have".

The maturity of a security team is measured by its answers to the following questions:


If they stare at you blankly, they are not doing real security. If they do not know what they are protecting, they are just an expensive, broken machine burning the company's money.

They are a teacher who does not count heads on a dangerous trip, a military commander who has lost track of his units, a parent who does not know what their child is doing. In a word, they are lost, and failure is inevitable. This does not mean they do not understand security or lack a well-coordinated team. It is a trap that many great teams fall into.

If we want to know the real level of security, let's use a single metric for the entire industry: "accuracy and currency of the asset inventory". You can start with something like this:


Now set a goal for every security team leader: 95% accuracy with daily or weekly updates within 6 months. The price will be just the salary of the 1-3 people hired to do this. It will reduce security breaches and cost far less than the pile of products we buy and deploy every year.
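As an added example (not from the article), here is one way to compute the metric proposed above: the inventory's coverage of the assets actually observed by discovery sources, and the share of records refreshed within 30 days. The inventory, the observed host set and the fixed "today" are constructed sample data.

```python
from datetime import date, timedelta

TODAY = date(2024, 1, 31)  # fixed "now" so results are reproducible

# Constructed inventory (not from the article): hostname -> date the
# record was last verified against a discovery source.
INVENTORY = {
    "web-01": date(2024, 1, 30),
    "web-02": date(2024, 1, 29),
    "db-01": date(2023, 11, 2),     # stale: unverified for ~90 days
    "legacy-fs": date(2023, 6, 1),  # stale and no longer seen anywhere
}

# Constructed set of hosts observed by discovery sources (scanner,
# cloud API, DHCP logs) during the last collection run.
OBSERVED = {"web-01", "web-02", "db-01", "shadow-it-box", "k8s-node-7"}


def inventory_metrics(inventory, observed, today=TODAY, max_age_days=30):
    """Score an inventory on the two axes the article names:
    coverage (share of observed assets it knows about) and
    currency (share of records refreshed within max_age_days)."""
    known = set(inventory)
    cutoff = today - timedelta(days=max_age_days)
    fresh = [h for h, seen in inventory.items() if seen >= cutoff]
    return {
        # guard empty inputs: an empty inventory scores 0, not a crash
        "coverage": len(observed & known) / len(observed) if observed else 0.0,
        "freshness": len(fresh) / len(inventory) if inventory else 0.0,
        "unknown": sorted(observed - known),  # running, tracked by nobody
        "ghosts": sorted(known - observed),   # tracked, seen nowhere
        "stale": sorted(known - set(fresh)),  # tracked, not verified in time
    }


def meets_target(metrics, min_coverage=0.95, min_freshness=0.95):
    """The article's 95% target; both axes must pass."""
    return (metrics["coverage"] >= min_coverage
            and metrics["freshness"] >= min_freshness)


if __name__ == "__main__":
    m = inventory_metrics(INVENTORY, OBSERVED)
    print(f"coverage={m['coverage']:.0%} freshness={m['freshness']:.0%}")
    print("unknown:", m["unknown"], "ghosts:", m["ghosts"], "stale:", m["stale"])
    print("meets 95% target:", meets_target(m))
```

The "unknown" list is the part worth acting on first: those are systems that exist on the network but that nobody is protecting.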

I am not saying this is easy, or that I have always done it well myself. Like many others, I have not always taken it seriously enough. But if you are unwilling to pay one or more people to do full-time asset management, you are not on your way to failure — you have already failed. Of course, I am not urging anyone to abandon the other important protective measures. But I am saying that this should be the priority for improving security, and you can pay for it with the money that is being spent inefficiently on other things.

Original author: Daniel Miessler

About the author

Daniel Miessler is an information security specialist and writer who was born, raised and lives in Northern California:
My main intellectual passion in life comes down to the following:
  1. The study of interesting principles of world order: their identification, description and documentation.
  2. Solving real problems using structured knowledge.
  3. Sharing and discussing with others both the models themselves and their applicability to changing the world.

In other words, I like to find patterns in things, create models of how the world works, discuss, share and use this information to improve life in one way or another.

Source: https://habr.com/ru/post/359377/
