If you don’t know it’s there, you can’t patch it!

Understanding the problem:

If there is one recurring theme that I see on at least a weekly basis, it is ownership. When working in Vulnerability Management, which team owns and is responsible for remediating security vulnerabilities becomes very important. If, like me, you work in a large corporate environment with thousands upon thousands of devices, it can be very difficult to identify ownership for networked devices and to maintain that ownership as teams shift.

Asset management & ownership solutions:

Many companies turn to CMDBs (Configuration Management Databases) such as ServiceNow to maintain a list of devices, and then use ServiceNow for ticketing and change management. This is an excellent option for maintaining an inventory of your assets, be they physical or logical, and it even has the ability to assign ownership to them. I would highly encourage using something like this to maintain an inventory of assets as well as their ownership.

An evolving threat landscape:

Throughout 2020 and even 2021, we have all seen the impact that cyber attacks have caused, from the recent Colonial Pipeline attack to the even more recent attack on one of the largest meat producers. Since WannaCry, I have felt that the visibility of these cyber attacks, and their impact, has been more at the forefront of the news. Everyday citizens are more cognizant of these attacks and how they might impact their lives.

So, why are asset management and ownership important? Simply put, we can’t get owning teams to fix their security vulnerabilities if they don’t know they exist. If you’re using a vulnerability reporting tool such as Palantir, Brinqa, or others, then you likely understand that ownership is important. Without that ownership, vulnerabilities are not being fixed. This is not good for the overall security posture of a company.

Recommendations & final thoughts:

What would I recommend? I would suggest that medium to large companies use a CMDB and ensure all assets are added to it with correct ownership. Create policies and procedures that fit your company’s needs to ensure that asset identification, ownership, and vulnerability remediation expectations are clearly defined. Strive for no unknown ownership for security vulnerabilities. If you already have a Vulnerability Management program, then this will really help that program succeed.

What do you think? What suggestions do you have? Feel free to leave a comment and let me know! I’d love to hear how others are tackling this issue.

Referenced attacks:

Colonial Pipeline Ransomware attack:
https://www.theguardian.com/technology/2021/may/19/colonial-pipeline-cyber-attack-ransom

Ransomware on JBS meat processor:
https://www.nytimes.com/2021/06/01/business/meat-plant-cyberattack-jbs.html
