Those responsible for operating corporate IT are under growing pressure to deliver a secure, efficient and fit-for-purpose overall IT service despite an expanding range of mobile devices brought in under “bring your own device” strategies and outsourced or cloud-based services, and at the same time to take responsibility for IT governance and operational risk management. Systematic asset management is the prerequisite for the advanced methods with which an organization maintains its own information security. Device profiling and visibility into the network are the basis for it.
The corresponding security arrangements are usually built as a multi-layered architecture whose technical foundation is a sufficiently current and complete inventory of physical and virtual IT assets.[1] Such an inventory offers several advantages. First, it allows efficient and plannable management of the existing IT resources, e.g. with regard to maintenance, replacement and intended use. Second, an inventory mapped into a suitable database schema allows security-relevant queries and evaluations: detecting unknown devices or software installations, searching specifically for missing security-relevant patches, evaluating the current licensing situation, correlating the inventory with other security-relevant data (network traffic, user activity, etc.) and systematically searching for operational risks. In addition, a sufficiently current inventory makes it possible to demonstrate to internal or external auditors that the necessary and legally required duty of care in monitoring and managing the IT infrastructure is being met.
The first step in creating and evaluating such inventory data is collecting the necessary raw data, which must then be verified, consolidated and processed into evaluable information in subsequent steps. Given the sheer number of devices involved, collection has to be automated as far as possible. Two sources are typically combined: software agents installed locally on the end devices, which report the inventory and performance data available locally through operating system services to the central IT inventory, and network-based sensors, which record the presence and behavior of identifiable end devices in the network and at the transitions to the Internet or other external networks and feed these observations into the inventory (e.g. detection of new devices, movement of devices between network segments, traffic volumes, communication ports used, etc.). Network-based sensors are also the only option where technical or regulatory restrictions make it impossible to install sensor or agent software directly on an end device.
Even after this first step, important security-relevant evaluations are possible: on which devices patches classified as security-relevant are not installed, on which devices software classified as undesirable is installed, whether the approved software is over- or under-licensed, but also which devices may be infected with malware that local controls do not detect, e.g. because they are attempting to contact a botnet command-and-control server on the Internet.
If, in a second step, this data is supplemented by administrative data that unfortunately cannot be collected automatically, such as the procurement date, remaining manufacturer warranty, purchase price and annual depreciation, as well as operating data such as the number of faults and “trouble tickets” attributed to the device, its physical installation location, etc., further systematic or case-by-case evaluations of operational risk become possible, together with the corresponding planning of replacement purchases, expansion requirements, etc.
If, in the third step, traffic metadata (communication with other devices in the network or with the outside world, data volumes, ports used, etc.) from the existing firewalls, intrusion detection/prevention systems, etc. is also included in the correlation, further evaluations become possible with regard to operational stability and performance as well as the rapid detection and remediation of security-related problems. However, this usually requires a software solution specifically designed for advanced analytics, either licensed and operated in-house or procured as a managed service.
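The three steps above can be illustrated with a small worked example. The following Python code is an added example, not code from the article or from any particular product: it loads constructed agent reports, network-sensor sightings, patch and licence baselines, firewall flow records and one threat-intelligence entry into an in-memory SQLite database, and then runs the evaluations the text describes as queries over that data: devices seen on the network that no agent ever reported, missing baseline patches, blocklisted software, over- and under-licensing, devices that have moved between network segments, and outbound connections to a listed command-and-control address. All hostnames, MAC addresses, IPs, patch IDs, product names and the C2 entry are invented for the example.

```python
import sqlite3

# Constructed sample data (not from the article): agent reports, sensor sightings,
# the baselines the security team maintains, firewall flows and one threat-intel entry.
AGENT_DEVICES = [  # device_id, hostname, mac, os   (reported by local agents)
    ("d1", "fin-ws-01", "aa:bb:cc:00:00:01", "win11"),
    ("d2", "fin-ws-02", "aa:bb:cc:00:00:02", "win11"),
    ("d3", "dev-ws-01", "aa:bb:cc:00:00:03", "ubuntu22"),
]
AGENT_PATCHES = [("d1", "KB5001"), ("d1", "KB5002"), ("d2", "KB5001"), ("d3", "USN-1")]
AGENT_SOFTWARE = [("d1", "OfficeSuite"), ("d2", "OfficeSuite"),
                  ("d3", "OfficeSuite"), ("d3", "TorBrowser")]
REQUIRED_PATCHES = [("win11", "KB5001"), ("win11", "KB5002"),
                    ("ubuntu22", "USN-1"), ("ubuntu22", "USN-2")]   # per-OS baseline
LICENSES = [("OfficeSuite", 2), ("CADTool", 5)]                     # product, seats purchased
BLOCKLISTED = [("TorBrowser",)]                                      # software classified as undesirable
SIGHTINGS = [  # mac, ip, segment   (from network sensors)
    ("aa:bb:cc:00:00:01", "10.1.0.11", "finance"),
    ("aa:bb:cc:00:00:02", "10.1.0.12", "finance"),
    ("aa:bb:cc:00:00:02", "10.2.0.12", "guest-wifi"),  # same MAC later seen in another segment
    ("aa:bb:cc:00:00:03", "10.3.0.13", "dev"),
    ("de:ad:be:ef:00:99", "10.3.0.99", "dev"),         # never reported by any agent
]
FLOWS = [  # src_ip, dst_ip, dst_port, bytes   (from firewall logs)
    ("10.1.0.11", "93.184.216.34", 443, 120000),
    ("10.3.0.13", "198.51.100.7", 4444, 900),          # beacon to the constructed C2 entry below
    ("10.3.0.99", "10.3.0.13", 22, 5000),
]
BAD_HOSTS = [("198.51.100.7", "botnet C2 (constructed threat-intel entry)")]

SCHEMA = """
CREATE TABLE device(device_id TEXT PRIMARY KEY, hostname TEXT, mac TEXT UNIQUE, os TEXT);
CREATE TABLE installed_patch(device_id TEXT, patch_id TEXT);
CREATE TABLE installed_software(device_id TEXT, product TEXT);
CREATE TABLE required_patch(os TEXT, patch_id TEXT);
CREATE TABLE license(product TEXT PRIMARY KEY, seats INTEGER);
CREATE TABLE blocklisted_software(product TEXT PRIMARY KEY);
CREATE TABLE sighting(mac TEXT, ip TEXT, segment TEXT);
CREATE TABLE flow(src_ip TEXT, dst_ip TEXT, dst_port INTEGER, bytes INTEGER);
CREATE TABLE bad_host(ip TEXT PRIMARY KEY, reason TEXT);
"""

def build_inventory():
    """Load the constructed agent, sensor and baseline data into an in-memory inventory DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in [("device", AGENT_DEVICES), ("installed_patch", AGENT_PATCHES),
                        ("installed_software", AGENT_SOFTWARE), ("required_patch", REQUIRED_PATCHES),
                        ("license", LICENSES), ("blocklisted_software", BLOCKLISTED),
                        ("sighting", SIGHTINGS), ("flow", FLOWS), ("bad_host", BAD_HOSTS)]:
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def unknown_devices(conn):
    """MACs the network sensors saw that no agent ever reported (unknown devices)."""
    return conn.execute("""SELECT DISTINCT s.mac, s.ip, s.segment FROM sighting s
        LEFT JOIN device d ON d.mac = s.mac WHERE d.device_id IS NULL""").fetchall()

def missing_patches(conn):
    """(hostname, patch_id) where the OS baseline requires a patch the agent did not report."""
    return conn.execute("""SELECT d.hostname, r.patch_id FROM device d
        JOIN required_patch r ON r.os = d.os
        LEFT JOIN installed_patch p ON p.device_id = d.device_id AND p.patch_id = r.patch_id
        WHERE p.patch_id IS NULL ORDER BY d.hostname, r.patch_id""").fetchall()

def blocklisted_installs(conn):
    """Devices on which software from the blocklist is installed."""
    return conn.execute("""SELECT d.hostname, s.product FROM installed_software s
        JOIN blocklisted_software b ON b.product = s.product
        JOIN device d ON d.device_id = s.device_id ORDER BY d.hostname""").fetchall()

def license_status(conn):
    """Per licensed product: (seats purchased, installations reported, verdict)."""
    rows = conn.execute("""SELECT l.product, l.seats, COUNT(s.device_id) FROM license l
        LEFT JOIN installed_software s ON s.product = l.product GROUP BY l.product""").fetchall()
    status = {}
    for product, seats, installed in rows:
        if installed > seats:
            verdict = "under-licensed"   # more installs than seats: compliance risk
        elif installed < seats:
            verdict = "over-licensed"    # paid-for seats nobody uses
        else:
            verdict = "ok"
        status[product] = (seats, installed, verdict)
    return status

def segment_moves(conn):
    """Agent-known devices the sensors saw in more than one network segment."""
    return conn.execute("""SELECT d.hostname, COUNT(DISTINCT s.segment) FROM sighting s
        JOIN device d ON d.mac = s.mac GROUP BY d.device_id
        HAVING COUNT(DISTINCT s.segment) > 1""").fetchall()

def suspicious_outbound(conn):
    """Flows to threat-intel-listed destinations, attributed to a device via sensor IP sightings."""
    return conn.execute("""SELECT DISTINCT COALESCE(d.hostname, s.mac, f.src_ip), f.dst_ip,
               f.dst_port, b.reason
        FROM flow f JOIN bad_host b ON b.ip = f.dst_ip
        LEFT JOIN sighting s ON s.ip = f.src_ip
        LEFT JOIN device d ON d.mac = s.mac""").fetchall()

if __name__ == "__main__":
    db = build_inventory()
    for name, fn in [("unknown devices", unknown_devices), ("missing patches", missing_patches),
                     ("blocklisted software", blocklisted_installs), ("licence status", license_status),
                     ("segment moves", segment_moves), ("suspicious outbound", suspicious_outbound)]:
        print(f"{name}: {fn(db)}")
```

The point of the joins is that none of these findings comes from a single data source: the unknown device appears only in sensor data, the beacon is visible only in firewall flows and is attributed to a host only through the sensor's IP-to-MAC sighting and the agent's MAC-to-hostname record, and the licence verdict needs both the agent's software list and the administrative seat count. In a real deployment the tables would be fed continuously by the agents, sensors and firewalls; the queries stay the same.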
All of these advanced methods for maintaining information security in line with the ever-increasing legal and regulatory demands on an organization's duty of care rest, however, on one foundation: sufficiently current and comprehensive IT asset management and the most complete inventory achievable, held in properly maintained data storage that goes beyond the basic functionality of a classic, often vendor-specific CMDB (Configuration Management Database). The basis for this systematic asset management is in turn “device profiling”, using locally installed agent software together with the detection and evaluation of each device's behavior in the network infrastructure, in cooperation with the other security solutions already in place.
Finally, it must be pointed out that setting up and operating such a solution in an already complex IT environment increases that complexity further. It should therefore be decided early on whether the solution needs to be operated in-house or whether at least partial outsourcing (operational monitoring by a Security Operations Center, procurement of correlation and evaluation as an externally managed service, etc.) is possible and sensible, not least to avoid carrying the risk of having to keep up with new end-device types and versions in good time. Offerings with a good range of functions and sufficient security and stability exist on the market and can also be financially attractive in an overall calculation.
[1] Of course, in today’s agile IT landscape, it is hardly possible to maintain a 100% complete and correct IT asset inventory at all times, despite extensive automation. In this sense, IT asset inventories are subject to the IT counterpart of Heisenberg’s uncertainty principle.