To kick things off, let's start with a fundamental aspect of cybersecurity, Enterprise Asset Management. We'll keep it simple by initially focusing on our local networks.
How many devices do you have in your organization? Is 100 a good number? Probably not if you're only a five person office. If you have a 100 person office, that number starts to make more sense. But if you have a 1000 person office, 100 managed systems is a little short. If you don't know what's connected to your network, how can you expect to manage and secure them?
For argument's sake, you operate a Windows Active Directory environment, and all user systems are domain-joined so that they can access shared resources. In general terms domain-joined systems are manageable and non-domain systems are not. A managed system has central policies and settings applied, and carry less risk from rogue applications or misuse. Business people understand risk: less risk is good, and more risk is bad.
So the number of domain-joined systems makes sense as a metric, but do you have well-executed asset management practices? When a system is rebuilt or replaced, are the old computer accounts explicitly removed? Tracking the number of active domain-joined systems starts to make more sense. Now you need to define a threshold for what qualifies as active. Allowing for time off work, let's say that systems are expected to be used at least once every two weeks. Of course, you'll want a procedure to handle someone on extended leave. Perhaps just booting the system or performing a wake-on-LAN call will suffice. Up until now we've been focused on user systems, but don't forget that you need to count your servers as well. If you're an SMB/SME you can probably consolidate the numbers but if you're large enough to have separate IT server and desktop teams, it might make more sense to retain separate accounting.
So now we have some metrics that are starting to be useful:
- # of managed systems
- # of active systems
- % of active / managed systems
But wait, do you see the blind spot? What about unmanaged systems? Having 100% active systems is great but if you have unmanaged / unknown devices in your environment, that's bad right? Of course, computers aren't the only things we have on our networks. We can expect to see network devices such as switches, routers, firewalls, wireless access points, security cameras, and even devices from third parties. Let's generalize and group these into a single category of known devices. If you've been following along, you know that the next logical item is the number of unknown devices, which I'll affectionally refer to as rogue devices.
- # of known devices
- # of rogue devices
Let's distill these and consider how each of these metrics directly corresponds to a clear risk factor. Keep in mind that these can be applied to an entire organization or to individual business units.
- % of active vs inactive systems - Minimize inactive to reduce risk
- % of managed vs unmanaged systems - Minimize unmanaged to reduce risk
- % of known vs rogue devices - Minimize rogue to reduce risk
The last part of this initial puzzle is to establish a comfort threshold or risk appetite for these. I like 5% as a threshold because even in larger Caribbean environments, the list of offenders is manageable. For example, in a 1,000 device environment, tracking down 50 rogue systems is quite achievable in a short period of time. In specialized environments, such as the industrial SCADA/OT/ICS part of a power plant, that risk appetite is going to be much lower, even nil.
TIP: For larger organizations, regularly sharing and comparing the metrics of different business units can help encourage cooperation and support!
Now how and where do we get this data? That's the proverbial million dollar question which we'll discuss in Part 2!.
Image Source: Adobe Firefly Generative AI
