With cloud, Infrastructure as Code, containers, and BYOD, to name a few of the rapidly adopted technologies, securing enterprise environments only becomes more of a risk and a challenge. Attacks on infrastructure, applications, and enterprises as a whole continue to accelerate. 

Common questions we hear that people want answers to are: 

  1. How can I manage my cloud assets that continue to become more fluid?
  2. How do I know where all of my assets are?
  3. How do I know who is using my assets?
  4. What security risks do my assets have?
  5. What assets are deployed without cybersecurity protection?
  6. Who is accessing those assets, from where, and when?
  7. Are all of my assets still being used?

The number of people we speak with on a daily basis who need answers to these questions is a little unsettling.

Horseshoes and Hand Grenades?

These questions are scary when you think about how many organizations operate under the horseshoe and hand grenade approach of cybersecurity asset management. “Close enough is good enough. Right?” 

Organizations need to realize that close enough is one incident away from being in the news for all the wrong reasons. 

Discovering, identifying, and classifying all your assets is just the starting point. 

New vulnerabilities and cyberattacks continually bombard companies that are left, in many cases, with hardware, operating systems, and software that are not well maintained or patched. 

Stayin’ Alive…

In my career, I’ve come from the data center and cloud business. You learn very fast how important hardware replacements are and how vital they are to keeping the literal Internet online. 

How long do you think a simple piece of hardware that we all use is good for? 

As you’re reading this, think about the hard drive or storage in the phone, tablet, laptop, etc. you are using. 

How many years can you get out of it before failures are going to happen? 1 year, 3 years, 5 years? More? 

We all generally take the approach of “if it isn’t broken, don’t fix it.” But is that right?

A fantastic study by BackBlaze (a cloud backup provider) provides incredible insight into this exact question.

Yep, that’s right: 5% of all drives fail in the first year, and by year 3 more than 11% will have died. The data only gets scarier past year 4. 

That is just the storage aspect of your assets. 

Most assets have many parts that make them run, from hardware to firmware to operating systems to applications. That doesn’t even touch on the workforce and customers interacting with them. 

Are all of those layers KNOWN and safe? 

These End-of-Service components can significantly increase security risk and drive notable financial consequences if ignored. Identifying and updating them reduces the attack surface.

Comparing Asset Lifecycles and Product Management

End-of-Service is like End-of-Life (EOL), which is followed by End-of-Support (EOS). EOL is the point at which vendors stop delivering updates to software, except for security fixes. EOL typically also ends or reduces support engagement, which makes it a vital milestone in software development. 

It frees resources, because the code no longer needs care and feeding unless a security requirement forces it. In many cases, I have even seen software vendors use security vulnerabilities as catalysts to drive upgrades to new versions and force the deprovisioning of legacy software. 

This phase of the hardware lifecycle has similar implications. However, vendors want to drive new hardware and software adoption. 

Sometimes it isn’t possible for an enterprise to make the change, or the time and money involved make it prohibitive, which in turn leaves a larger cyber asset attack surface exposed for longer. 

One thing to keep in mind is that regulatory requirements may also force your hand to upgrade. In some cases, as I have seen in governments, the opposite happens: if the latest version hasn’t been through testing and validation yet, you are forced to stay a version behind until validation is completed, which introduces risk as well. 

The End of the Line

End-of-Service (EOS) is the last stop in asset and product lifecycle management. As assets reach this stage in the cycle, it triggers some major risks and concerns. Generally, I look at this as the yard sale cycle: “as-is” and “no returns.” 

No Support, No Security Patching, No Service. 

Now, we all know that with enough pull and money you can get vendors to provide “Extended Support” if you’re willing to pay extortion prices for it; however, many vendors are refusing to do that because the juice isn’t worth the squeeze. 

Of course, this doesn’t mean those assets stop working, get powered off, or stop being accessed, or that they stop increasing your security risk. 

That risk is very real and a main driver for getting to know:

  • What assets you have
  • Where they are 
  • Who is using them 
  • What security risks are associated with them

Both the EOL and EOS stages carry increasing risk. Similar to the rapid failure rate of the hard drives discussed above, firmware, operating systems, and applications become even more temperamental with age than hardware does. 

Vendors, developers, and companies are quick to wash their hands of support and the long-tail pain of maintaining their solutions, because there is little to no money in aging products; all the money is in new shiny objects. 

The “what have you done for me lately” mentality is very real in product and asset lifecycles. Today’s new shiny is tomorrow’s old news. 

A Losing Battle?

To compound the long-tail challenge further, some manufacturers don’t publish any lifecycle information, or they are inconsistent about what they publish and when. So when an asset moves to EOL or EOS, what happens to it? 

More importantly, what is its cyber attack surface once you know its health, its access level, and how users interact with it in this state? 

The challenges here become opportunities when you automate the assessment, workflows, ownership assignment, and risk mitigation that prevent cyber attack surface growth and ultimately reduce the need for remediation. 

How, you might ask? Cyber Asset Attack Surface Management (CAASM) platforms are purpose-built to address these challenges and turn them into victories instead of pain and risk.
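As an added example (not code from the original post or any CAASM product), the following Python classifies a constructed asset inventory against a constructed vendor lifecycle table, separating EOL (security fixes only) from EOS (no patching at all) and flagging the cases discussed above: unpublished vendor dates, assets with no owner, and assets nobody has seen in months. Every product name, asset name, and date is made up for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Constructed lifecycle table: product -> (EOL date, EOS date); None = not published.
LIFECYCLE = {
    "ExampleOS 7": (date(2020, 6, 30), date(2024, 6, 30)),
    "ExampleOS 9": (date(2027, 5, 31), date(2032, 5, 31)),
    "AcmeSwitch firmware 3.1": (date(2022, 1, 15), None),
}
SEVERITY = {"EOS": 3, "UNKNOWN": 2, "EOL": 1, "SUPPORTED": 0}  # riskiest first
TODAY = date(2025, 3, 1)  # fixed "today" so the constructed example is deterministic

@dataclass
class Asset:
    name: str
    product: str
    owner: Optional[str]  # None models an asset nobody has claimed
    last_seen: date       # last time discovery observed the asset

def classify(asset: Asset, today: date = TODAY, stale_days: int = 90) -> dict:
    findings = []
    dates = LIFECYCLE.get(asset.product)
    if dates is None:
        status = "UNKNOWN"  # vendor published nothing: verify manually
        findings.append("no published lifecycle data; confirm with vendor")
    else:
        eol, eos = dates
        if eos is not None and today >= eos:
            status = "EOS"  # no support, no security patching, no service
        elif today >= eol:
            status = "EOL"  # security fixes only
            if eos is None:
                findings.append("past EOL and vendor has not published an EOS date")
        else:
            status = "SUPPORTED"
    if asset.owner is None:
        findings.append("no owner assigned")
    idle = (today - asset.last_seen).days
    if idle > stale_days:
        findings.append(f"not seen for {idle} days; still in use?")
    return {"asset": asset.name, "status": status, "findings": findings}

def report(assets, today: date = TODAY) -> list:
    rows = [classify(a, today) for a in assets]
    return sorted(rows, key=lambda r: (-SEVERITY[r["status"]], r["asset"]))
# Constructed sample inventory (names, products and dates are made up).
INVENTORY = [
    Asset("db-01", "ExampleOS 7", "dba-team", date(2025, 3, 1)),
    Asset("web-02", "ExampleOS 9", "web-team", date(2025, 3, 1)),
    Asset("core-sw-1", "AcmeSwitch firmware 3.1", None, date(2024, 10, 1)),
    Asset("legacy-hmi", "VendorX HMI 2", None, date(2025, 2, 20)),
]
```

Running `report(INVENTORY)` lists the EOS database host first, then the asset with no lifecycle data, then the EOL switch with three open findings, and the supported web host last.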