The Context of Asset Inventory

 

Now more than ever, the context of asset inventory matters, and its importance will continue to grow over time. As security practitioners, we have accepted that we're not going to be able to protect everything, and that we're not going to be able to prevent every attack our environments face. Accepting that, we are left deciding where to focus our resources: technology, process, and the most valuable of them all, time.

If you listen to security podcasts or read security-related content, a common theme is asset inventory, which has long lived just below the line when security teams allocate resources (aka 'no budget').

In reality, calling it 'asset inventory' is a bit of a misnomer, and that has likely been one of the reasons so little attention has been paid to solving this important problem. If you played a word association game, most security-focused professionals would respond 'CMDB' when presented with the phrase 'asset inventory'.

Context Matters

If we dig deeper into what is really wanted, it's less about an 'asset inventory' and more about an inventory of context that is accurately mapped to a complete inventory of computer resources. It sounds a bit complicated, but we need to understand the contextual attributes of the resources that we've been charged with protecting. To make good decisions, we need to decide how, when, and to what degree we apply our available resources. This is just as important as finding the assets themselves.

  • Context can tell us if an exploit of a vulnerability could impact a business function that is deemed critical and could also cause long-term financial impact.
  • Context can tell us if redundancies within a business application exist.
  • Context can tell us who the stakeholders are for a given device, or more importantly, the business services that are being enabled by computer resources.

Good Information = Good Decisions

We need good information to make good decisions, and we need to accept that it's up to us to deliver that information to our teams, leaders, and tooling. It's not an inventory of assets that we need; it's an inventory of context.

 
