This is the second in a three-part discussion about cyber asset inventories with Tom Kennedy, vice president of Axonius Federal Systems. In the previous interview, Kennedy spoke to MeriTalk about the role that cyber asset inventories play in establishing a zero trust approach to cybersecurity. Part two examines Federal government requirements for reliable asset inventories and their many benefits. Part three will address the emerging need for cyber asset attack surface management and how agencies can best meet that need.
MeriTalk: In early October, the Cybersecurity and Infrastructure Security Agency (CISA) issued a binding operational directive (BOD) that requires agencies to identify and inventory assets and vulnerabilities on Federal networks. Agencies are already required to create reliable asset inventories through participation in CISA’s Continuous Diagnostics and Mitigation (CDM) program. How does this directive go beyond the asset management capabilities offered by the CDM program?
Tom Kennedy: They’re building on each other. The president’s cybersecurity executive order set the vision, and the subsequent Office of Management and Budget memorandums provided other higher-level guidance. CISA’s directive is more operationally specific. It outlines time-bound, action-oriented goals with relatively short timeframes. For example, by April 2023 agencies must be prepared to perform automated asset discovery every seven days.
MeriTalk: Let’s talk about asset inventory capabilities based on your work with Federal agencies. What’s your assessment of where they are today in their ability to have a reliable asset inventory, and where are their gaps?
Kennedy: This continues to be a pretty big area of concern. It’s similar across most large enterprises and commercial entities. Agencies often have fragmented solutions that might solve a portion of the problem, but they’re missing that comprehensiveness. That’s the big gap: stitching it all together into a full, comprehensive inventory.
MeriTalk: What is the biggest asset inventory vulnerability that agencies are trying to get a handle on right now?
Kennedy: The vulnerabilities that come from shadow IT are probably the biggest concern right now. That’s why there’s so much urgency. The biggest vulnerability area is what you don’t know.
MeriTalk: How are agencies doing in terms of their ability to identify and report on vulnerabilities that they find on agency assets?
Kennedy: It’s a huge challenge. When they get a report that a known vulnerability has happened, they must quickly determine which users and assets that vulnerability is impacting. It should be an automated effort, but often, right now, it’s a manual effort. They have to tie the vulnerability back to a tool, and then audit within the tool. It’s a problem with silos as well. Different security tools can run across multiple groups within an organization.
This is an area where Axonius can help tremendously. Today, CISA notifies agencies of a vulnerability by putting out a KEV, a known exploited vulnerability announcement, with a recommended patch. We just released a new feature that pulls every KEV notice into the Axonius system, and then it automatically runs a query against an agency’s complete asset inventory to identify every asset and user that could potentially be impacted by that KEV. It gives you an automatic report of all the impacted assets, so you can quickly remediate that vulnerability. It goes from being a manual process that could take days or weeks to a query that could be remediated within minutes or hours. It’s really powerful from a vulnerability perspective.
MeriTalk: Tell us a little bit about using Axonius for asset and vulnerability identification. How does it differ from other industry offerings?
Kennedy: Axonius can pull and correlate asset data from across an organization, while other solutions only capture pieces of it. That’s the big difference. A further capability that Axonius offers is our Enforcement Center, which allows us not only to identify vulnerabilities, but also to push out action and policy through the tools that we’re connected with. If we identify 100 devices as at risk to a known vulnerability, we can push a publicly available patch out to the devices if requested. Or we can set a notification, and the organization can push that patch out of their own patch management software. The Enforcement Center gives the customer the ability to identify problems and the flexibility to fix them in the easiest way possible.
MeriTalk: Are there any other payoffs from having an accurate asset inventory?
Kennedy: A byproduct of an accurate and comprehensive cyber asset inventory is better spend management. Software license management, for example, is very difficult if you can’t identify a portion of your devices. You can’t do an accurate software count and determine whether you’re underpaying or overpaying for software.
I have a quote from a Federal customer that’s another example of the payoff. “Axonius saved the day again. This weekend when an automated Nessus agent deployment caused a bunch of SSL issues, we were able to use Axonius to remove the new agent that broke everything, clean up the mess on the workstations, and redeploy the old agent. We got back up and running in about six hours with 99 percent of the heavy lifting being done by Axonius.”
In this case, they were having some IT issues with one of their security tools and needed to understand the blast radius. They were able to isolate the devices and users that were impacted and install the actual effective software through the Enforcement Center. They identified and remediated the issue within Axonius in a very short period of time.
It demonstrates why a comprehensive cyber asset inventory matters. The vulnerabilities that come from shadow IT and unmanaged assets represent one of the biggest challenges that all agencies face today. The other big challenge is being able to identify and remediate those vulnerabilities in a quick and efficient way. This asset management approach solves those challenges directly.