In this final installment of Enterprise Asset Management metrics, we're going to connect these with the business, specifically in terms that the business understands.
Let's recap what we're working with:
% of active vs inactive systems
% of managed vs unmanaged systems
% of known vs rogue devices
Ultimately, we're deal with a matter of management or control. If we can manage it, we can manage the risk. These metrics all serve the underlying purpose of maximizing management and minimizing risk,
The traditional and dare I say legacy approach to procurement is to say something like "We need $1M for a network access control system that also means we're going to have to replace all of our network equipment for compatibility" and then you launch into the vendor presentation. The typical executive's eyes are going to go vacant quite quickly!
Instead try something like this: "How much exposure are you, the business, willing to tolerate from unauthorized devices operating on the network?" Their answer may be a resounding none, until they hear that there is a $1M price tag for a completely automated system. They'll likely ask for an alternative proposal. So then you can offer five-day tolerance for $250K. Now there is a clear business decision which can be made.
Assuming they choose the second option, you have a working budget without even needing to explain the tool being used. You might choose to invest in a new asset/patch management tool, a vulnerability management service, and even some training for your staff. What started out as an ask to fix one issue, became a win across multiple areas!
In our next post, we're going to discuss Software Asset Management.
Now that we have practical set of metrics, how to we obtain them?
% of active vs inactive systems
% of managed vs unmanaged systems
% of known vs rogue devices
For an SMB/SME, there are a few options which, when combined, will provide you with a highly accurate snapshot of your organization.
Starting with user systems, the following tools have valuable data, to be combined to form your basic asset register.
Active Directory - Everything about domain-joined systems is found somewhere in here.
Asset/Application Management - Ideally you need a tool that synchronizes automatically with Active Directory both adding new domain-joined systems to management as well as removing recently removed domain-joined systems from management.
AuditingLog Management - A good tool can identify active vs inactive systems, by collecting network-wide data and by taking cues from Active Directory.
Endpoint Security - You wouldn't dream of running a system without some sort of managed endpoint security would you? So you should have very high coverage here. Extra points if you automatically synchronize with Active Directory.
Network Management - A unified network system i.e. a single pane of glass for all switches, firewalls, and wireless is ideal and would allow you to passively monitor everything.
Vulnerability Management - Scanner(s) are a great way to actively discover what is on your network and explicitly beyond what is expected to be found.
Now let's consider unmanaged systems. Since we have already established that unmanaged systems aren't in Active Directory, you're going to need to leverage your non-AD capabilities such as Network and Vulnerability Management. These two also help with known vs rogue devices. You have probably noted a trend.
For best results:
Use a combination of active (AD-aware, network scanner) and passive (network management) tools. Leveraging multiple sources for your asset information reduces the risk of a single tool providing inaccurate or incomplete information.
The appropriate choice of tools provides value beyond their immediate purpose. For example your asset management tool might provide information about network assets and your network management tool might provide information about your systems.
In Part 3, the rubber meets the road where we fully connect the technology dots to the business.
To kick things off, let's start with a fundamental aspect of cybersecurity, Enterprise Asset Management. We'll keep it simple by initially focusing on our local networks.
How many devices do you have in your organization? Is 100 a good number? Probably not if you're only a five person office. If you have a 100 person office, that number starts to make more sense. But if you have a 1000 person office, 100 managed systems is a little short. If you don't know what's connected to your network, how can you expect to manage and secure them?
For argument's sake, you operate a Windows Active Directory environment, and all user systems are domain-joined so that they can access shared resources. In general terms domain-joined systems are manageable and non-domain systems are not. A managed system has central policies and settings applied, and carry less risk from rogue applications or misuse. Business people understand risk: less risk is good, and more risk is bad.
So the number of domain-joined systems makes sense as a metric, but do you have well-executed asset management practices? When a system is rebuilt or replaced, are the old computer accounts explicitly removed? Tracking the number of active domain-joined systems starts to make more sense. Now you need to define a threshold for what qualifies as active. Allowing for time off work, let's say that systems are expected to be used at least once every two weeks. Of course, you'll want a procedure to handle someone on extended leave. Perhaps just booting the system or performing a wake-on-LAN call will suffice. Up until now we've been focused on user systems, but don't forget that you need to count your servers as well. If you're an SMB/SME you can probably consolidate the numbers but if you're large enough to have separate IT server and desktop teams, it might make more sense to retain separate accounting.
So now we have some metrics that are starting to be useful:
# of managed systems
# of active systems
% of active / managed systems
But wait, do you see the blind spot? What about unmanaged systems? Having 100% active systems is great but if you have unmanaged / unknown devices in your environment, that's bad right? Of course, computers aren't the only things we have on our networks. We can expect to see network devices such as switches, routers, firewalls, wireless access points, security cameras, and even devices from third parties. Let's generalize and group these into a single category of known devices. If you've been following along, you know that the next logical item is the number of unknown devices, which I'll affectionally refer to as rogue devices.
# of known devices
# of rogue devices
Let's distill these and consider how each of these metrics directly corresponds to a clear risk factor. Keep in mind that these can be applied to an entire organization or to individual business units.
% of active vs inactive systems - Minimize inactive to reduce risk
% of managed vs unmanaged systems - Minimize unmanaged to reduce risk
% of known vs rogue devices - Minimize rogue to reduce risk
The last part of this initial puzzle is to establish a comfort threshold or risk appetite for these. I like 5% as a threshold because even in larger Caribbean environments, the list of offenders is manageable. For example, in a 1,000 device environment, tracking down 50 rogue systems is quite achievable in a short period of time. In specialized environments, such as the industrial SCADA/OT/ICS part of a power plant, that risk appetite is going to be much lower, even nil.
TIP: For larger organizations, regularly sharing and comparing the metrics of different business units can help encourage cooperation and support!
Now how and where do we get this data? That's the proverbial million dollar question which we'll discuss in Part 2!.
Security starts with visibility. Great, I see some trending data but is that good or bad?
You can't manage what you can't measure. Is what we are doing effective? Is what we're doing even useful?
We've all heard these nuggets of wisdom before. And yet with the ever increasing pace of change, complexity, and demands of daily life, it's easy to get stuck in the weeds and neglect metrics and reporting.
Without good metrics, how do we know if we're doing a good job? Without good metrics, how do we justify our time and investment in a product or service? How can we demonstrate that we need more resources such as budget or staff? Worst of all, without meaningful metrics, how do our businesses understand and recognize the value cybersecurity?
So what metrics should we report? The number of blocked network threats is always good eye candy, and so is the number of rejected emails. Do any of these matter to the business? Maybe, if the blocked network traffic negatively impacted a business function. The same goes for blocking emails. These might be more useful to performance management than cybersecurity; so what to do?
Follow our #MetricsMonday series, where we explore cybersecurity metrics with the aim to develop a set of meaningful metrics that directly map to cybersecurity and most importantly, to business outcomes.
As the saying goes, sharing is caring but first, some background. Most of our infrastructure has been in the cloud for close to ten years i.e. email, security and management consoles, etc. Early on, our endpoints were domain-joined but that proved cumbersome for us as we spent the majority of our time off-LAN, working remotely or were at customer sites. As cybersecurity service providers we lead by example and make a point of using the same technologies and tools that recommend for our customers.
Our core endpoint security consists of several tools and layers. We’ll start from the foundation and work our way up the stack:
Trapezoid FIVE– If you can’t trust the hardware, how can you trust the software? Firmware is everywhere, from your laptop to IoT device to datacenters to the cloud. It is even part of the NIST Cybersecurity Framework. Using Trapezoid FIVE, we monitor the BIOS integrity of our systems for unauthorized changes.
OpenDNS Umbrella, specifically the Roaming Client provides security management and reporting from the endpoint, network, and web perspectives. Our systems benefit from the same Community Threat Intelligence feeds that we provide for our customers.
CylancePROTECT– All modules are fully enabled and enforced. File security is set to Auto Quarantine with Execution Control. Files are examined pre-execution. Memory Violations are terminated. The CylancePROTECT services and applications are protected against tampering. The Application Control module is enabled and prevents creating or even saving an unauthorized application (Portable Executable or PE) file let alone running it. ScriptControl is fully enabled and will block unauthorized ActiveScript, PowerShell scripts, or MS Office Macros from running. Objectively, fully locking down scripts was the hardest aspect but critical for the prevention of file-less malware. Lastly, the Device Control module allows the usage of only authorized devices.
CylanceOPTICS – The OPTICS endpoint detection and response (EDR) tool is deployed with a custom-developed ruleset that also aligns with the MITRE ATT&CK Framework.
OPSWAT MetaDefender Cloud– All web downloads are scanned with over 35 antimalware engines in the MetaDefender Cloud system.
HerdProtect– As CylancePROTECT only monitors Portable Executable (PE) files, we also regularly scan our endpoints with HerdProtect’s 68 independent antivirus scanners. This ensures an explicit check of data files such as MS Office, Adobe, and image files.
McAfee GetClean– We have a long relationship with McAfee and continue to work with the company, notably with the Joint Development Program. We use this tool to help provide McAfee with information on known clean system images and files.
DUO Beyond – Authentication to our local systems requires multifactor authentication using DUO. In addition to requiring MFA, we are also enabling usage of Yubikey Two Factor security keys wherever possible.
BitLocker – All local volumes are fully encrypted using Windows BitLocker.
Windows and application updates are installed within one month of release. Patch management is primarily monitored using Patch Manager Plus Cloud but also with DUO’s Device Health application.
RoboForm Everywheremanages my passwords. I’ve been using it for a very long time. LastPass is the other popular app for this. We never save passwords in browsers.
User accounts never have administrative rights – not now, not next November, never! Check out the latest BeyondTrust report on Microsoft vulnerabilities.
Device management is performed using several tools and layers subject to the individual device’s specifics. Cisco Meraki’s MDM system is the most common and the ability to manage our own systems as well as customers’ systems, firewalls, switches, and wireless devices simply more efficient.
Finally, our online presence, or our digital risk, is monitored using a combination of opensource tools like Google Alerts as well as private tools deep/dark web tools, including but not limited Digital Shadows and SpyCloud.
The commonly stated trade-offs for security are performance and convenience. As security is our business, it cannot be compromised for convenience. That said, if I really had to nitpick, the one area that might be considered inconvenient would be the authentication process with MFA. In reality the few extra seconds required to use the DUO app on our phones is truly trivial. Technology is constantly evolving and we’re always looking at ways to improve.
As for performance, we have long believed in making the right investments in computing devices up-front. We favor business-class computers, currently the HP Zbook Workstations. We also made the switch to solid-state drives (SSD) ten years ago and haven’t looked back. My current system is a five-year-old HP Zbook 14 G2 with dual SSD drives and 16GB RAM. It runs as well now as the day I purchased it. Only when I am simultaneously running several virtual systems do I long for more RAM. More recent models like the Zbook 15u support 32GB RAM. Over time that too will improve. The longevity is partially due to the choice of hardware (platform, RAM, SSD) and partially due to our carefully, curated security stack.
Bonus Tip: An easy way to improve the performance of a Windows system running on a standard hard disk is to use a USB key and enable ReadyBoost. This nifty feature has been around since Windows 7 and does a really good job improving performance. Note that you should format and dedicate this key to the computer and not use it for moving files around. A small, high-speed 16GB key is ideal and can be connected to a USB port somewhere on the back or side, where it will be out of the way and that you won’t be tempted to remove.
I hope you found this information useful. If you have any questions about the information provided, please do not hesitate to contact me.
Trust but Verify – You are the best weapon against cybercrime in all of its forms. Being highly skeptical of the latest email or social media post about miracle cures or sensationalized current events will go a long way. If you receive an email from work or a friend, particularly if you end up on a web page that is asking for your credentials, stop! Take a few minutes to verify that this is legitimate. Take a break while you give them a voice or video call.
Updates – As painful as it can be, updates really do serve a purpose. In addition to Windows or Mac updates, do remember to update Google Chrome, Firefox, and any other browsers you may use. If you have to use apps like Adobe Flash or Java, make sure you keep up with those as well. It is safest to perform the updates from within the application itself as opposed to searching for the updates online. There are many websites dedicated to distributing fake updates. In fact, this would be a great time to uninstall all those 3rd party tools that are bloating your system. If it isn’t installed, you don’t have to update it. Lastly, do remember to update your firmware in things like wireless routers, access points as well as the BIOS of your computers.
Change Default Passwords – If you use default passwords, you can’t claim to have been hacked! That would like leaving the front door open and claiming you were robbed.
Be a User, Not an Administrator - Keep your computer’s admin account separate from your everyday user account. It is all too easy to set up your user account as an administrator. Just don’t! Over the last five years, 88% of the Critical vulnerabilities published by Microsoft were mitigated by the removal of admin rights? Yes, you read that correctly - 88%! Removing admin rights does not mean that you can’t make changes to your own system. It just means that there will be an extra step to verify that you really want to make the change. I haven’t been an admin on my own computers in well over 10 years! Create a separate account used for tasks like installing applications. When a change is necessary, you’ll simply be prompted to enter the necessary username and password. Boy, do I have stories about admins making mistakes on their own systems…
OpenDNS – As most of you know, we have been advocates of the OpenDNS platform for a long time as a Managed Security Service Provider. As a home user, you too can benefit from tools for free. You simply have to change your computer to point at their DNS servers (208.26.222.222 and 208.67.220.220). Better yet, reconfigure your home router to do this so that all of your home devices benefit from the security. You don’t even have to sign up for anything! If you have young children in the household, you can also use their Family Shield servers which filter adult content as well. For those seeking a bit more control, you can subscribe to one of their paid plans. https://www.opendns.com/home-internet-security.
Web Of Trust – I have always liked a hybrid approach to security, mixing commercial and community-driven security tools. Web of Trust is a great browser add-on that helps keep your web surfing safe and away from malicious or suspicious web sites. It is a free add-on for Chrome, Firefox, and other browsers, even mobile platforms. https://mywot.com
AdBlock Plus – Not only are ads annoying but they often are harbor malicious content. This free browser add-on does a good job suppressing the ads found on many websites and can actually improve your Internet speeds. You may need to make exceptions for your reputable news sites if you are actively keeping up with current events. https://adblockplus.org/
Separate Your WiFi – Creating separate WiFi networks for work, home, and other devices is a really easy and fast way to reduce your risk. Most routers support four or more networks so you can keep things separate – particularly any non-computer devices like smart TVs, door, or security cameras. All those other devices are just computers hidden away in a different box and just as susceptible to being compromised as your computer. Did you ever hear about the clothing irons that were used to distribute malware and hack WiFi networks?
Separate Your Email Accounts – If you have been an Internet citizen for a while like me, you are likely to have that one email address that you’ve used for everything from email, to Geo Cities, My Space, AIM, Amazon, eBay, banking, Facebook, Twitter, Snapchat, and some newfangled thing called TikTok. By using a single address, you are at a greatly increased risk of having that email account compromised and losing access to all those linked systems. An easy to start reducing this risk is to create an email account for social media, newsletters, and promotions. Gmail, Outlook, Yahoo, and even AOL are good options for this and are free. You can later create a separate account for financial transactions. Oh and please don’t use the same password for each of these!
Multifactor Authentication – Without getting into a discussion of good passwords and password managers, most modern online services support some form of additional authentication factor. This might be a text message to your phone (my least favorite method and susceptible to SIM-jacking or SIM-swapping). A better option, if possible, would be to use an authenticator app such as Google or Microsoft Authenticator. This additional factor is further protected because, you are a good person, and good people secure their devices with passcodes or biometric security. Subliminal messages are fun! Once set up, these provide you with codes that you have to enter in addition to your password in order to access a resource. While not invulnerable to compromise, these do help and can also alert you to a hacker trying to use your credentials somewhere. Also, turn on and pay attention to the account alerting options prevalent in most services. If you see connections coming from another country at an unexpected time, you might want to be concerned!
Having spent the majority of the last ten years working remotely, I thought I would share a few personal wellness tips that have worked for me.
1. Take regular breaks and get away from the computer. Even if this means setting an hourly timer, get up and walk around for a few minutes, stretch, get some fresh air, or play with your pet.
2. Try your best to operate in a separate workspace, an office is ideal. If you can’t and have to work in a common area, consider putting everything away at the end of the workday. Resist the temptation to continuously be working.
3. Stay active. If you’re used to going to the gym or playing sport (like tennis for me!) don’t give up on fitness. The 7 Minute Workout is a great way to stay active and can easily be done indoors. It’s actually a great way to start the day. Yes, there is also a free app for it too!
4. Watch your caffeine intake. Most everyone knows I love my coffee but over time, I have learned to manage my intake and now limit myself to no more than four coffees a day, usually three. At some point my body is no longer going to tolerate it so by reducing my intake, I’m hopefully prolonging my enjoyment. I really don’t get diet-coffee i.e. decaffeinated!
5. Stay hydrated. My rule of thumb is to simply drink a glass of water every time I have a cup of coffee. Your mileage will vary but this is an easy process to counteract the dehydrating effects of coffee.
6. Give your eyes a break. Blink more and use eye drops. We have a tendency to blink less the longer we stare at a screen. I’m a fan of the Similasan Dry Eye Relief drops. They also have a Complete Eye Relief formula but have never used it.
7. Lastly, keep connected. Make a point of regularly speaking to your family, friends, colleagues, and peers. This means more than just email or text messages, try a video call. Social interaction is healthy.
Do you have tip you would like to share? Let us know!
