Asset Management & Cyber Security
This quarter, we’re focusing on cyber security from the inside out, examining how to protect against vulnerabilities from poor asset management.
If you want to secure your house, would you just lock the doors and forget about the open windows? Time and time again, organizations do just that with their cyber risk management, discovering too late that they have failed to protect assets that they were unaware existed.
External threats like data exfiltration often result from failures to focus on some of the building blocks of internal cyber hygiene. So this quarter, we’re focusing on cyber security from the inside out, examining how to protect against vulnerabilities from poor asset management.
Looking at our latest data, there is some good news to report: the overall incident volume we’ve seen in 2022 is currently on track to be significantly lower than in 2021. But even though incidents are down, severity and associated costs remain challenging – as does the false sense of security many organizations may be feeling right now. Beazley’s recent Risk & Resilience research revealed that although cyber remains the leading technology risk for business leaders, there is also a worrying degree of complacency around cyber risk management. Companies are not as well prepared as they would like to believe themselves to be. We see this particularly when it comes to asset management.
Asset management is critical to a robust cyber security program. Gaps in inventory, for both on-premises assets and cloud resources, can leave you with exposed attack surfaces and slow down detection and response capabilities. The past two years of pandemic-driven remote work have led to decreased inter-departmental communication and, in many organizations, less oversight overall. So the likelihood that an organization has an incomplete asset inventory is greater than ever.
Good asset management is good governance and, as such, it needs to be built into broader cyber strategy and included in business decision-making. Organizations that fail to pay sufficient attention to asset management inherently expose themselves to cyber breaches that result in higher costs and more liability. In this quarter’s deep dive, we explore these challenges and offer best practices to help organizations proactively understand their environment so that they can protect it.
Bala Larson
Head of Client Experience
Prevention, detection, response, and recovery all begin with knowing your assets: you can’t protect what you don’t know about.
We’re talking here about two kinds of assets. Physical assets are the machines – workstations, servers, network equipment, etc. Virtual assets are what you deploy on these physical assets or use in the cloud – software, virtual machines, operating systems, databases, etc.
Organizations are generally used to inventorying physical hardware, but manufacturing/production operational technology or specialized healthcare devices can be harder to inventory, as these might not be handled by IT teams. Virtual assets can be even harder to track because they can so easily be created, moved, and destroyed.
These gaps in inventory are blind spots – not just because they can’t be seen, but also because they are potential attack vectors. Undocumented assets may inadvertently be left unprotected – no security agents installed, no security patching, and no hardening of their configuration. Detection and response capabilities are slowed down without monitoring, security controls, or endpoint protections in place.
Many organizations think they have good asset management capabilities, only to discover after an incident that this was not the case. Asset management tools can help you understand your system, leading to informed longer-term decisions.
There are many tools to help with asset discovery and management
Every organization’s asset management inventory system should include an asset discovery tool that continuously maps devices on your internal network, an up-to-date asset database, and an up-to-date configuration management database.
Don’t just rely on what you think you know based on previous inventories; keep doing continuous discovery on your network to find new or modified endpoints. When you discover a new asset, proactively investigate to understand why it's not in the inventory and take steps to ensure this doesn't happen again. It’s important to record what OS each server is running and which software versions and tools are in use, so that the security team can identify vulnerable systems and applications.
Endpoint detection and response (EDR) solutions can also help organizations improve visibility into their infrastructure. Most will identify connected endpoints that are not running an EDR, helping to detect anomalous activities and reduce response time. Extended detection and response (XDR) solutions can go beyond on-premises devices to include cloud resources and identities.
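The reconciliation the text describes, as an added example that is not part of the report: a discovery scan result is compared against the asset database and the EDR console's list of checking-in agents. Hostnames, owners, IP addresses and OS strings are constructed for the example; a real run would read the scanner export, the CMDB and the EDR API instead of the inline lists.

```python
"""Reconcile a network discovery scan against an asset database and an EDR agent roster.

Constructed example data: the four checks below correspond to the blind spots the
report names: hosts on the network but absent from the inventory, inventory records
for hosts that no longer answer, endpoints the EDR console has never heard from, and
OS versions that drifted from what the inventory says.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveredHost:
    ip: str
    hostname: str
    os: str  # as fingerprinted by the discovery scanner


@dataclass(frozen=True)
class InventoryRecord:
    hostname: str
    owner: str
    os: str  # as recorded in the CMDB


# Constructed sample data (hypothetical hosts, owners and addresses).
DISCOVERED = [
    DiscoveredHost("10.0.1.10", "fs01", "Windows Server 2019"),
    DiscoveredHost("10.0.1.11", "db01", "Ubuntu 20.04"),
    DiscoveredHost("10.0.1.12", "db02", "Ubuntu 22.04"),      # OS differs from the CMDB
    DiscoveredHost("10.0.1.50", "build-tmp", "Ubuntu 18.04"),  # not in the CMDB at all
]
CMDB = [
    InventoryRecord("fs01", "infra-team", "Windows Server 2019"),
    InventoryRecord("db01", "data-team", "Ubuntu 20.04"),
    InventoryRecord("db02", "data-team", "Ubuntu 20.04"),
    InventoryRecord("legacy-app", "unknown", "Windows Server 2008"),  # no longer answers
]
# Hostnames the EDR console reports as having an agent checking in.
EDR_AGENTS = {"fs01", "db01"}


def reconcile(discovered, cmdb, edr_agents):
    """Return the four gap lists, each sorted by hostname."""
    by_name = {r.hostname: r for r in cmdb}
    seen = {h.hostname: h for h in discovered}
    return {
        # on the network, unknown to the inventory: investigate and onboard
        "unknown_assets": sorted(h for h in seen if h not in by_name),
        # in the inventory, not seen on the network: decommissioned or moved?
        "stale_records": sorted(h for h in by_name if h not in seen),
        # live endpoints with no EDR agent: no monitoring, slower response
        "missing_edr": sorted(h for h in seen if h not in edr_agents),
        # inventory says one OS, the scanner sees another: CMDB is out of date
        "os_drift": sorted(
            h for h, d in seen.items() if h in by_name and by_name[h].os != d.os
        ),
    }


def owner_of(hostname, cmdb):
    """Look up the recorded owner so the finding can be routed to someone."""
    for r in cmdb:
        if r.hostname == hostname:
            return r.owner
    return "<no owner on record>"


if __name__ == "__main__":
    report = reconcile(DISCOVERED, CMDB, EDR_AGENTS)
    for finding, hosts in report.items():
        for h in hosts:
            print(f"{finding:15} {h:12} owner={owner_of(h, CMDB)}")
```

Each finding is routed to the recorded owner; an asset with no owner on record is itself a gap worth closing, since the text notes that finding the owner during an incident is where time is lost.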
From operational technology to the cloud, leave no asset unsecured
Operational technology (OT) – technology used to control manufacturing or production devices – can be hard to inventory and secure. Organizations that operate multiple network systems, or use tools that can’t easily be deployed on OT infrastructure, must ensure their scanning efforts don't undermine containment efforts, and that threat actors can't leverage tools that access multiple networks for malicious purposes.
In contrast, cloud inventory can be perceived as easy because things tend to be more automated. But as non-IT employees are being given the permission to create cloud-based assets, it can be hard to maintain control of your cloud inventory. Moreover, some on-premises asset inventories may not include cloud assets automatically. Both inventories are needed to account for potential blind spots.
The journey to the cloud can provide a clean start. Maximize the opportunity by creating clean and proper processes. Leverage native capabilities of cloud environments, followed by third-party tools. Some cloud providers make things so easy to get started, it can be tempting to underestimate your role in securing your assets, but you must pay close attention to your cloud resources as these are becoming the new toys for threat actors.
Don’t forget to install security patches and factor in end-of-life planning
End-of-life issues arise when assets are no longer supported. Vendors commit to sending regular updates to fix security flaws until the promised period ends – after that, organizations can continue using the version, but there will be no further fixes for vulnerabilities or performance issues. So when companies adopt servers or software, they must also factor in an eventual transition period.
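An added example of the end-of-life tracking the text calls for, not code from the report: each inventory entry is checked against a vendor support matrix to flag versions that are already unsupported, versions approaching their support end, and versions the matrix does not know about at all. It goes one step beyond the text by also listing products deployed in more than one version, since those are the hosts most likely to be missed by a patch rollout. The product names, versions and support-end dates are placeholders constructed for the example, not real vendor lifecycle statements.

```python
"""Lifecycle check of an asset inventory against a vendor support matrix.

All products, versions and dates below are constructed placeholders for the example.
The report date is passed in explicitly so the result is reproducible.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed support matrix: product -> version -> last day of vendor security fixes.
SUPPORT_END = {
    "ExampleOS": {"2012": date(2023, 10, 10), "2019": date(2029, 1, 9)},
    "ExampleDB": {"11": date(2023, 11, 9), "14": date(2024, 6, 1)},
}

# Constructed inventory rows: (hostname, product, version).
INVENTORY = [
    ("web01", "ExampleOS", "2012"),
    ("web02", "ExampleOS", "2019"),
    ("app01", "ExampleOS", "2019"),
    ("old01", "ExampleOS", "2003"),  # version absent from the support matrix
    ("db01", "ExampleDB", "11"),
    ("db02", "ExampleDB", "14"),
]


def lifecycle_report(inventory, support_end, today, warn_days=180):
    """Classify every inventory row by its vendor support status.

    Returns a dict with four keys:
      unsupported     - support ended before `today`; no more security fixes
      expiring_soon   - support ends within `warn_days`; start transition planning
      unknown_support - version not in the matrix; cannot assert it is supported
      version_drift   - product -> sorted list of versions when more than one is deployed
    """
    horizon = today + timedelta(days=warn_days)
    unsupported, expiring_soon, unknown_support = [], [], []
    versions_seen = defaultdict(set)

    for hostname, product, version in inventory:
        versions_seen[product].add(version)
        end = support_end.get(product, {}).get(version)
        if end is None:
            # Treat "no support date on file" as a gap, not as "still supported".
            unknown_support.append(hostname)
        elif end < today:
            unsupported.append(hostname)
        elif end <= horizon:
            expiring_soon.append(hostname)

    drift = {p: sorted(v) for p, v in versions_seen.items() if len(v) > 1}
    return {
        "unsupported": sorted(unsupported),
        "expiring_soon": sorted(expiring_soon),
        "unknown_support": sorted(unknown_support),
        "version_drift": drift,
    }


if __name__ == "__main__":
    result = lifecycle_report(INVENTORY, SUPPORT_END, today=date(2024, 1, 15))
    for key, value in result.items():
        print(f"{key:16} {value}")
```

Unknown versions are reported separately rather than silently treated as supported: an inventory that cannot say when a system's fixes stop is exactly the blind spot the text warns about, and a host that falls into that bucket needs an owner to confirm its status.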
Issues are also common after acquisitions and mergers, when hardware limitations may arise that prevent the use of the latest software. There is a tendency in such situations to just leave what’s working as it is, even if the software is old and vulnerable. This should be a sign that new hardware needs to be purchased, or that a migration to a different provider is needed. When neither is possible, the recommendation is to at least isolate the older versions in a separate, secured environment to reduce exposure, ensuring a threat actor can’t just jump from them to other systems.
An experienced risk management partner can help you stay one step ahead
Organizations frequently overestimate how prepared they are for a sophisticated attack. In times of crisis, Beazley is standing by to provide education about the latest threats, connect insureds with leading security experts, or offer our collective purchasing power to help insureds utilize aggressive discounts with industry-leading solution providers.
But perhaps our biggest value lies in the fact that over the years, we have seen it all.
We’ve seen issues with companies running different versions of Microsoft Exchange across a number of the organization’s servers. From errors in deploying some of the updates to installation errors for important security updates that don’t get caught, we’re able to advise insureds about how opportunistic threat actors could leverage these assets.
We’ve also seen cases where organizations migrated to O365, but forgot to decommission their on-premises Exchange server or restrict its access to the internet. Consequently, we advise insureds that when legacy assets are no longer in use, they should be decommissioned or at the very least, isolated.
As new incidents arise, we’re not only here to assist, we’re also gathering knowledge, ensuring insureds always benefit from our growing expertise.
“When SOCs (security operations centers) receive a suspicious activity alert, they investigate what should be running on that server. Without an inventory, finding the owner and determining whether the activity is malicious can represent precious time lost, especially when newer ransomware variants can encrypt hundreds of thousands of files within minutes.”
“You don’t want to have to do asset inventory during a crisis. As part of an incident response, forensics firms will do an inventory for containment purposes. From there, they’ll look backwards in time to understand IOCs, or indicators of compromise. It’s way better (and less expensive!) to have done the inventory in advance.”
“Asset management is one part of a set of controls; it supports other controls like deployment of security tools and monitoring capabilities, but this is just the first step. We recommend using an asset management tool, but there’s no reason to spend your whole security budget on the best one.”
“Occasionally, vendors will provide post-end-of-life security updates, as Microsoft did for WannaCry. These are rare but very urgent, and generally signal scenarios where millions of devices are at risk of major catastrophe. Never count on getting post-end-of-life security updates, but if you do receive one, take it very seriously.”