Rapticore | Remediation for Cloud Apps and Infrastructure


Just Enough Asset Management

Bob: One of our systems got compromised. We are seeing Command and Control traffic going out.

Laura: I have a few questions:

What do we know about the system?

What is the business criticality of this system, and what application is it running?

What type of data is stored, and who are the owners and business units responsible for the system?

Bob: It is still early in our investigation. We are looking into it. We don’t have too many details about the asset at this time; we don't even have access. We know it is hosted in the Public Cloud Infrastructure. The team is working on getting the details.

Heard that conversation before? You are not the only one. Asset management is one of those foundational capabilities that often comes up as THE capability to build and get right. Effective asset management is a prerequisite for capacity planning, operational planning and support, operational security, cost management, and the list goes on. However, most organizations have difficulty building an effective and sustainable Asset Management capability. Often, asset management deteriorates over time, leaving organizations scrambling for information when they are in the middle of an incident or a planning exercise. This is a consistent story across many organizations.

The reason for failure is often that the capability tries to deliver too much. Asset Management initiatives will have roadmap items that build complex relationships between assets and entities, create dependency trees between them, establish discovery methods that generate too much data, and introduce new processes for registering and deleting assets; all of this looks great on the project plan. However, it adds considerable overhead, and these new processes are often easy to bypass for folks who just want to get their work done. Over time, all of this becomes a burden on engineering and operations teams. In some cases, the problem is made worse by the introduction of on-demand provisioning infrastructure like a public or private cloud. It is not uncommon for organizations to restart Asset Management initiatives every few years to rebuild the capability, repeating the same mistakes from previous initiatives.

Asset management is not just a core Information Technology capability; pretty much all Cybersecurity initiatives and capabilities rely on Asset Management. Cybersecurity organizations often ask the question: how can we build effective Cybersecurity capabilities if the underlying foundational capability is subpar? Of course, Asset Management is not the shiniest or sexiest of the Cybersecurity capabilities; however, this approach intends to change that. The concept below not only builds out an effective Asset Management capability but also makes asset management a force multiplier for the rest of the Cybersecurity capabilities.

Just Enough Asset Management (JEAM) has been in the works for a few years. The core concept of JEAM is reducing asset information collection to the minimum required: a minimal set of attributes that can drive most Cybersecurity and IT processes. Selection of attributes is critical, as these must be collected consistently and reliably through near real-time automated processes. JEAM does not introduce human-driven processes but is driven entirely through automation.
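To make the "minimum required" idea concrete, here is an added example (not Rapticore's code, and not JEAM's published attribute list) that builds a minimal asset record from cloud inventory tags. The five required attributes are an assumption taken from the questions Laura asks in the dialogue above (application, owner, business unit, criticality, data classification); the tag aliases, the criticality vocabulary and the sample records are all constructed for the example. The point it shows is the automation side of JEAM: normalize whatever tags teams actually used, refuse to trust values outside the agreed vocabulary, and answer the incident-time question "what do we know about the host behind this IP?" together with what is still unknown.

```python
from dataclasses import dataclass, field
from typing import Optional

# Minimal attribute set: assumed from the post's dialogue, not a JEAM-published list.
REQUIRED = ("application", "owner", "business_unit", "criticality", "data_classification")
CRITICALITY = ("low", "medium", "high", "critical")

# Tag keys drift across teams; map the common variants onto one canonical name (assumed aliases).
TAG_ALIASES = {
    "app": "application", "application": "application", "service": "application",
    "owner": "owner", "team": "owner",
    "bu": "business_unit", "businessunit": "business_unit", "business_unit": "business_unit",
    "criticality": "criticality", "tier": "criticality",
    "data_classification": "data_classification", "dataclassification": "data_classification",
    "dataclass": "data_classification", "classification": "data_classification",
}


@dataclass
class Asset:
    asset_id: str
    provider: str
    account: str
    region: str
    private_ips: list = field(default_factory=list)
    application: Optional[str] = None
    owner: Optional[str] = None
    business_unit: Optional[str] = None
    criticality: Optional[str] = None
    data_classification: Optional[str] = None

    def missing(self) -> list:
        """Required attributes that automation could not fill from tags."""
        return [name for name in REQUIRED if getattr(self, name) is None]

    def is_complete(self) -> bool:
        return not self.missing()


def normalize(record: dict) -> Asset:
    """Turn one raw inventory record (a provider-shaped dict) into an Asset.

    A criticality value outside the agreed vocabulary is treated as missing rather
    than trusted, so a typo in a tag cannot quietly downgrade a critical system.
    """
    asset = Asset(asset_id=record["id"], provider=record["provider"],
                  account=record["account"], region=record["region"],
                  private_ips=list(record.get("private_ips", [])))
    for raw_key, raw_value in record.get("tags", {}).items():
        canonical = TAG_ALIASES.get(raw_key.strip().lower().replace("-", "_"))
        if canonical is None:
            continue  # tags outside the minimal set are ignored on purpose
        value = raw_value.strip()
        if not value:
            continue
        if canonical == "criticality":
            value = value.lower()
            if value not in CRITICALITY:
                continue
        setattr(asset, canonical, value)
    return asset


def build_inventory(records: list) -> dict:
    """Index assets by private IP so an alert that only carries an IP can be answered."""
    inventory = {}
    for rec in records:
        asset = normalize(rec)
        for ip in asset.private_ips:
            inventory[ip] = asset
    return inventory


def lookup(inventory: dict, ip: str) -> dict:
    """What do we know about the host behind this IP, and what is still unknown?"""
    asset = inventory.get(ip)
    if asset is None:
        return {"found": False, "ip": ip}
    return {"found": True, "asset_id": asset.asset_id,
            "hosted_in": f"{asset.provider}/{asset.account}/{asset.region}",
            "application": asset.application, "owner": asset.owner,
            "business_unit": asset.business_unit, "criticality": asset.criticality,
            "data_classification": asset.data_classification, "missing": asset.missing()}


def incomplete_assets(inventory: dict) -> list:
    """Asset ids that would leave an incident responder without answers."""
    by_id = {asset.asset_id: asset for asset in inventory.values()}
    return sorted(aid for aid, asset in by_id.items() if not asset.is_complete())


# Constructed sample inventory (fake account ids and addresses).
SAMPLE_RECORDS = [
    {"id": "i-0a1", "provider": "aws", "account": "111111111111", "region": "us-east-1",
     "private_ips": ["10.0.1.10"],
     "tags": {"Application": "payments-api", "Owner": "payments-team", "BusinessUnit": "Finance",
              "Criticality": "Critical", "DataClassification": "PCI"}},
    {"id": "i-0b2", "provider": "aws", "account": "111111111111", "region": "us-east-1",
     "private_ips": ["10.0.2.20"],
     # no owner tag, and a criticality value outside the agreed vocabulary
     "tags": {"app": "batch-reports", "bu": "Marketing", "tier": "very-important"}},
    {"id": "vm-c3", "provider": "gcp", "account": "proj-demo", "region": "us-central1",
     "private_ips": ["10.1.0.5"], "tags": {}},
]

INVENTORY = build_inventory(SAMPLE_RECORDS)

if __name__ == "__main__":
    print(lookup(INVENTORY, "10.0.2.20"))
    print("incomplete:", incomplete_assets(INVENTORY))
```

Run as a script, the lookup for `10.0.2.20` returns the application and business unit but lists owner, criticality and data classification as missing, and `incomplete_assets` names the two records a responder could not act on. In a real deployment the `SAMPLE_RECORDS` list would be replaced by the output of the provider's inventory API on a schedule, and the `missing` list is what you would alert on continuously, so the gaps surface before an incident rather than during one.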

The next blog post will provide an overview and a reference architecture of JEAM and how JEAM can be used for vulnerability management, Incident Detection and Response, Footprint assessment, Risk Management, and other capabilities. The post will also discuss how such a system can be the core of an organization’s Cybersecurity capabilities.