Asset management is one of the core components of many successful security programs. I am an advisor to Panaseer, a startup in the continuous compliance management space. I recently co-authored a blog post on my favorite security metric that is related to asset management:
How many assets are in the environment?
A simple number. A number that tells a complex story though if collected over time. A metric also that has a vast number of derivatives that are important to understand and one that has its challenges to be collected correctly. Just think about how you’d know how many assets there are at every moment in time? How do you collect that information in real-time?
The metric is also great to start with to then break it down along additional dimensions. For example:
- How many assets are managed versus unmanaged (e.g., IOT devices)
- Who are the owners of the assets and how many assets can we assign an owner for?
- What does the metric look like broken down by operating system, by business unit, by department, by assets that have control violations, etc.
- Where is the asset located?
- Who is using the asset?
And then, as with any metric, we can look at the metrics not just as a single instance in time, but we can put them into context and learn more about our asset landscape:
- How does the number behave over time? Any trends or seasonalities?
- Can we learn the uncertainty associated with the metric itself? Or in other terms, what’s the error range?
- Can we predict the asset landscape into the future?
- Are there certain behavioral patterns around when we see the assets on the network?
I am just scratching the surface of this metric. Read the full blog post to learn more and explore how continuous compliance monitoring can help you get your IT environment under control.