Cybersecurity and Asset Management: The What, Why, and How for Public Sector

MeriTalk recently spoke with Bobby McLernon, Vice President of Federal Sales, Axonius, on the importance of cybersecurity asset management, current asset visibility challenges, and lessons learned from public-private sector collaboration.

MeriTalk: What does cybersecurity asset management involve?

McLernon: To address security issues, Federal agencies must identify gaps, and to do that they need a comprehensive and reliable inventory of assets. Therefore, cybersecurity asset management involves obtaining and continually updating an accurate inventory of all IT assets, discovering security gaps related to the asset’s presence or configuration, and enforcing security requirements to rapidly address the identified gaps.

MeriTalk: What are some potential repercussions of poor asset management?

McLernon: There are two categories of repercussions: increased risk and increased operational burden.

Poor asset management threatens the entire agency – insufficient practices increase the risk of stolen sensitive data and disruption of business operations. Cyber-attacks often occur through overlooked assets. With proper asset management, these risks can be efficiently and consistently mitigated.

In terms of operational burden, Federal agencies must produce inventories related to asset management due to legislative and compliance requirements, but they’re currently struggling to find an accurate and automated method to do so. Thus, poor asset management can lead to wasted effort, dollars, and time, while producing an inaccurate inventory.

MeriTalk: Why don’t some agencies have asset management solutions in place already?

McLernon: When it comes to cybersecurity, we’re often attracted to exciting-sounding disciplines and technologies such as threat hunting, red-teaming, or machine learning for anomaly detection. It’s difficult for agencies to take a step back and build the foundation for their security programs, even though asset management solutions will strengthen efforts for spotting intrusions and fighting malware.

Another challenge is the lack of effective tooling. Asset management was not a recognized vertical in the IT world until just a couple years ago. Keeping track of IT resources is often a manual, error-prone process that consumes much time and yields few benefits. For asset management to deliver its full potential, it needs to be automated and easy to implement within a reasonable budget. As the IT world has expanded with operational technology and the Internet of Things (IoT), the need has really come to the table for agencies to prioritize ramping their IT infrastructure and tools.

MeriTalk: Why should agencies prioritize asset management now?

McLernon: The onset of COVID-19 has highlighted the need to solve some of the most fundamental challenges that relate to cybersecurity: understanding what assets are in our environments, where the gaps exist, and how to quickly address those gaps. With the rapid shift to telework, a lot of people aren’t able to access their key assets because many assets had to stay on-premise. These employees need to procure assets on their own, but they also need the appropriate software to work in a remote environment – they may not have the proper security on those assets or they may be missing the ability to engage in specific or classified networks.

It’s more important than ever for the government to arm their people with the assets they need, to enable the Federal workforce. The key word is “management;” agencies need to be able to manage their assets, even in a remote setting. This will become especially necessary with reclaiming assets once people can return to the workplace. The return to in-person work will bring a fleet of devices with questionable security status, neglected updates, and known vulnerabilities, to agency networks. Knowing everything you’ve got in your environment is critical for enabling secure assets and managing inventory – to reclaim assets that were bought with private dollars and to get new government-issued assets back in the hands of the user.

MeriTalk: How would you recommend an agency approach cybersecurity asset management if they haven’t already done so?

McLernon: The good news is that most agencies already have many IT and security systems that know a portion of the organization’s assets. These include: identity and systems management tools, vulnerability scanning tools, passive and active network monitoring solutions, and cloud orchestration technologies.

The challenge of asset management is that these systems typically exist as data silos, requiring cumbersome efforts to get a unified, actionable view on asset details across multiple systems. Agencies can advance their asset management program by extracting useful configuration and other state data out of these systems. The next step is to clean the data to find useful information across the multiple data sources. As you can imagine, achieving this involves a lot of automation and know-how.

MeriTalk: How would you define successful asset management?

McLernon: Successful asset management means a security professional can answer six essential questions about every asset. Is the asset “known” and managed? Where is it? What is it? Is the core software up to date? What additional software is installed? Does it adhere to my security policy?

To get there, we recommend the following: correlating and querying vast amounts of data from disparate sources, knowing which assets are unmanaged, knowing which managed assets are missing agents, discovering new devices automatically, quickly understanding context and detail, and developing consistency in communication and issue resolution.

MeriTalk: Given the rapid transformation of IT infrastructure, what are the recent asset visibility challenges and asset management trends impacting cybersecurity professionals?

McLernon: Axonius partnered with Enterprise Strategy Group to conduct a research survey of 200 IT and cybersecurity professionals from private and public-sector organizations in North America. We found that migration to the public cloud and an increase in the number of end-user devices and IoT projects, all contribute to a lack of visibility.

The study reveals 52 percent of virtual machines now reside in the cloud, running in multiple cloud environments, making it increasingly more challenging for organizations to manage them effectively. A typical employee uses more than four devices each week to conduct work. This creates a device visibility gap, with 73 percent of organizations citing lack of inventory and activity visibility. Lastly, 81 percent of respondents feel that IoT devices will outnumber all other devices within 3 years, but less than half are confident in their IoT visibility strategy.

To regain the visibility needed to combat these challenges, security and IT teams are returning to a focus on the fundamentals like investing in a credible inventory and automating asset management. Comprehensive IT asset inventories take over two weeks of effort, requiring 89 person-hours of labor. On average, they happen 19 times per year, demanding the involvement of multiple teams and people. Thus, 85 percent of organizations plan to increase investment in asset management to help overcome these issues – especially given that roughly 90 percent expect the time freed up from asset-related tasks to improve threat hunting and incident investigation.

MeriTalk: Agencies are constantly looking to future-proof their strategies. What do you see as the future of cybersecurity? What will be the biggest cybersecurity asset management challenge in the next five years?

McLernon: Data center consolidation is well underway – one key focus for most agencies and businesses today is moving their applications and tools to the cloud. There are two main challenges that come along with the rapid rate of Federal cloud migration: first, creating cloud compliance that parallels security compliance and second, finding the right people to do so.

The cloud is still a bit immature in terms of public sector migration, and the cloud engineering industry itself is also fairly immature. With government asset counts between three to five per person, there’s a large constituency and total asset inventory. From an asset management perspective, it’s going to be very beneficial for agencies to have tools reside in the cloud as a virtual appliance that will be light, agentless, and larger-scaled. In order to meet DoD requirements, we need to look for resiliency and scalability for cloud-based solutions.

MeriTalk: What are the security implications of BYOD policies and the rise of IoT devices?

McLernon: While bring-your-own-device (BYOD) trends began more than 15 years ago, private and public sector organizations alike are still grappling with evolving BYOD policies, especially with a typical employee now using more than four devices each week. As a result, organizations believe they are blind to about 40 percent of end-user-devices.

And these numbers are from pre-pandemic days. We often say that it’s no longer BYOD, but instead bring-your-office-home, since employees are now forced to use whatever devices they have to get their work done. IoT continues to play an increasing role in the workplace, with more than half of organizations reporting active IoT projects. Yet, 77 percent report an IoT visibility gap. With a wide array of IoT device types, gaining the visibility and control needed is challenging, and 58 percent report that the diversity in device types is among their biggest management challenges.

MeriTalk: What lessons can the private sector share with the public sector?

McLernon: There are massive architectures within the government, so the private sector could most certainly benefit by learning from the scale of Federal IT infrastructure. On the other hand, the public sector can learn how to develop better efficiency. The private industry is for profit – companies use fewer tools to achieve the same compliance and meet the same security measures because they hope to create a profit margin, or a plateau of profitability. If the public sector can make this shift to fewer tools for the same compliance, operations and budgets can be streamlined for improved results.

MeriTalk: What didn’t we ask that you would like to discuss?

McLernon: Zero trust is a very critical aspect of security. The best cybersecurity approach is to examine everything. By establishing the state of current infrastructure, and understanding the gaps and how to fix them, we can ease the struggle of security compliance. For asset management to be fully understood and made effective across organizations, zero trust models are key.

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.