New research report uncovers significant gaps in asset security programs.
Recent survey responses from 149 decision makers in the UK raise some important questions about the adequacy of asset security programs in place in a range of industries.
Computing UK ran the survey and summarized the results in the Armis-sponsored research report Out of sight, out of control: How to overcome your IT and OT asset monitoring challenges.
The survey respondents are involved in using, testing, evaluating, or procuring IT/OT infrastructure management products. They represent a range of industries, including education, manufacturing, government, banking, and oil and gas. The company sizes range from 1,000 to 10,000 employees. The answers to these questions raise even more questions about the adequacy of cyber security programs in place both inside and outside critical infrastructure providers.
“Only 34 percent [of survey respondents] have an accurate and up-to-date Asset Management Database of all the assets in their network including IT, IoT, OT, IIoT, and mobile devices.”
We can restate the implication of this finding by saying that only 34 percent have a risk assessment based on legal principles of good governance and due diligence requirements. Risk management frameworks (RMFs) are a core tenet of responsible governance. The NIST RMF stipulates the need to demonstrate adequacy in risk assessment based on “an accurate and up-to-date Asset Management Database” with an understanding of the criticality of each asset in that database.
Given the relatively small number of organizations with up-to-date asset data, it’s worth pondering another question:
“Only 40 percent of survey respondents had identified all devices (including any OT/ICS devices) on their organization’s network.”
It might seem more promising that 40 percent of organizations believe they have identified all devices on their network. Yet six percent fall away when asked whether the devices identified are accurate and up to date. Another seven percent fall away when asked whether they actually do anything with an accurate and up-to-date asset management database, because only 27 percent keep a real-time risk register of all assets connected to the network.
Evidently, in most organizations, changes to asset states or new assets are not accurately reflected in risk exposure calculations.
So, the number of organizations that have an accurate and up-to-date asset management database and actually use it to perform adequate risk assessment in real time is just over a quarter. But that’s not the final finding of the survey. How many of these organizations apply this best practice across all their various business lines?
“One fifth of respondents (21 percent) have implemented unified visibility and control of all managed and unmanaged IT, OT, IoT, and IIoT devices within their infrastructure.”
That raises the question: do 80 percent of organizations believe that a lack of appropriate, proportionate, and standardized risk management processes, as specified in RMFs, is defensible in the face of cyber-attack-related risks?
The Out of sight, out of control report findings, related questions, and accelerating investments in connected assets should drive every organization to consider one simple question:
Can you defend your organization against a sophisticated cyber attack?
If you didn’t confidently answer “yes,” it is well worth exploring or revisiting the security controls best practices of the Center for Internet Security (CIS). CIS provides best practices across 18 functional areas, each of which includes three implementation groups (IGs), the third of which focuses on “defending against sophisticated attackers.” The very first CIS control covers Inventory and Control of Enterprise Assets, and its IG3 requirement for asset inventory discovery stipulates that organizations should “Utilize a passive discovery tool to identify devices connected to the organization’s network and automatically update the organization’s hardware asset inventory.” The Computing UK survey suggests that probably only one fifth of organizations would achieve an IG3 rating for this control and be able to withstand a sophisticated attack.
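To make the IG3 requirement concrete, here is an added example of what “passive discovery feeding an automatically updated inventory” looks like in code, together with the real-time risk register the survey finds most organizations lack. This is illustrative code written for this page, not Armis or CIS tooling. It assumes a passive sensor (a DHCP/ARP/mDNS listener) that emits one line per observation in the form “timestamp MAC IP protocol”; the observation lines, the inventory entries and the criticality labels are all constructed sample data. Unknown devices are added to the inventory as unmanaged and queued for triage, address changes on known assets are recorded, and assets not seen within a window are flagged as stale, so that the inventory and the register reflect the network as it is rather than as it was last documented.

```python
"""Reconcile passively observed devices against a hardware asset inventory
and produce a risk register of what changed (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample of what a passive sensor might emit: "<ts> <mac> <ip> <proto>".
OBSERVATIONS = """\
2024-05-01T08:00:00Z aa:bb:cc:00:00:01 10.0.10.11 dhcp
2024-05-01T08:00:05Z aa:bb:cc:00:00:02 10.0.20.5 arp
2024-05-01T08:01:10Z aa:bb:cc:00:00:09 10.0.20.40 mdns
2024-05-01T08:02:00Z aa:bb:cc:00:00:01 10.0.10.11 arp
"""
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed "current time"


@dataclass
class Asset:
    mac: str
    name: str
    criticality: str          # "high", "medium", "low" or "unknown" (untriaged)
    managed: bool
    ip: Optional[str] = None
    last_seen: Optional[datetime] = None


@dataclass
class Finding:
    kind: str                 # "unmanaged-device", "address-change" or "stale-asset"
    mac: str
    detail: str
    criticality: str


def sample_inventory() -> Dict[str, Asset]:
    """Constructed asset database keyed by MAC address (hypothetical hosts)."""
    seen = datetime(2024, 4, 30, tzinfo=timezone.utc)
    old = datetime(2024, 3, 1, tzinfo=timezone.utc)
    return {
        "aa:bb:cc:00:00:01": Asset("aa:bb:cc:00:00:01", "ws-finance-07", "medium", True, "10.0.10.11", seen),
        "aa:bb:cc:00:00:02": Asset("aa:bb:cc:00:00:02", "plc-line-2", "high", True, "10.0.20.4", seen),
        "aa:bb:cc:00:00:03": Asset("aa:bb:cc:00:00:03", "printer-lobby", "low", True, "10.0.10.50", old),
    }


def parse_observations(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse sensor lines into (timestamp, mac, ip, proto); blank lines are skipped."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, ip, proto = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append((when, mac.lower(), ip, proto))
    return out


def reconcile(inventory: Dict[str, Asset], observations, now: datetime,
              stale_after: timedelta = timedelta(days=30)) -> List[Finding]:
    """Update the inventory in place from observations and return register entries."""
    findings: List[Finding] = []
    for ts, mac, ip, proto in observations:
        asset = inventory.get(mac)
        if asset is None:
            # Never-before-seen device: record it as unmanaged and flag for triage.
            asset = Asset(mac, f"unknown-{mac}", "unknown", False, ip, ts)
            inventory[mac] = asset
            findings.append(Finding("unmanaged-device", mac,
                                    f"first seen {ts.isoformat()} at {ip} via {proto}", "unknown"))
            continue
        if asset.ip and asset.ip != ip:
            # A state change on a known asset is itself a risk-relevant event.
            findings.append(Finding("address-change", mac, f"{asset.ip} -> {ip}", asset.criticality))
        asset.ip = ip
        if asset.last_seen is None or ts > asset.last_seen:
            asset.last_seen = ts
    # Anything the sensor has not seen within the window is stale inventory.
    for asset in inventory.values():
        if asset.last_seen is None or now - asset.last_seen > stale_after:
            last = asset.last_seen.isoformat() if asset.last_seen else "never"
            findings.append(Finding("stale-asset", asset.mac, f"last seen {last}", asset.criticality))
    # Untriaged devices first, then by declared criticality, so the register reads top-down.
    order = {"unknown": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: (order.get(f.criticality, 0), f.kind, f.mac))
    return findings


if __name__ == "__main__":
    inv = sample_inventory()
    for f in reconcile(inv, parse_observations(OBSERVATIONS), NOW):
        print(f"{f.criticality:8} {f.kind:17} {f.mac}  {f.detail}")
```

Run against the constructed data, the register lists the unknown mDNS device first, then the PLC whose address changed, then the printer not seen in two months; the finance workstation is silently refreshed. A real deployment would read the sensor feed continuously and write the register to whatever GRC or ticketing system the RMF is tracked in, but the reconciliation logic is the part that turns discovery into governance.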
Armis is step one. The Armis Platform provides comprehensive support for an RMF: your organization can rely on it for strategic oversight, ensuring governance and control requirements can be monitored and met from the board down. The Armis Platform also supports robust tactical implementation of security requirements, so that everyone from practitioners up can use it to meet the granularity and maturity requirements of prescribed supporting controls from organizations like the CIS.