Businesses are taking two weeks to discover who owns an asset in their environment.

Speaking at the Qualys Security Conference in San Diego, president and CEO Sumadh Thakar said businesses typically get an alert that there “is a malicious actor on a particular asset” but it can take a fortnight to determine if the alert “is material or not because the asset manager system does not have attribution.”

He said: “Imagine starting a program and you fail at the first step immediately. You just don't know how many assets you have in your environment, are we able to talk in terms of all the risk factors that we have? Not just your volatility, but how many risk factors impact your digital systems?”

Identifying the CVE on a particular application - that is running in production - “becomes super important for you” he said, as “every single dollar you have invested in building those dashboards is worth nothing if you don't actually remediate the issue that the attacker is going to leverage.”

Different Methods to Detect

Speaking to SC UK, Thakar said users continue to struggle with knowing their list of assets and “there is no one single way to detect that” and that is why “customers need a way to use multiple different methods to detect different assets and bring them in one place and correlate them.”

He said: “So that's why asset inventory becomes foundational for any cybersecurity company because without that, you don't know your asset and you cannot be protected.

“Once you know something you can scan it and say, I want to protect this, but that's why it's a little bit easier that way, but if you don't know stuff,  this is a hard problem to solve in cybersecurity.”

In his keynote, Thakar said there is a need to take all of the data that we have, stop with the ‘whack-a-mole’ method of dealing with ‘celebrity vulnerabilities’ and deal with what is critical to your business operation.

Distilling Down

Asked if this method of distilling down the vulnerabilities could help spot another Eternal Blue or a zero-day, Thaker said the assessment of what is important to you is fairly unique to every organization, and two components are relevant here: threat intelligence to determine if malware is using the vulnerability, and the second is even if it's been used by malicious actors, is this on an asset that is critical to me.

“That's very subjective to you, I might have tons and tons of machines but now these are somewhere where it's not a big deal, it doesn't really impact you if the machine goes down so that context of your business is important,” he said. “You never have enough resources to fix everything, which means by default, we are in a continuous prioritization mode.”

He went on to say that in a continuous prioritization mode, you are always looking at what should be fixed first - and it should be the one that is going to cause the most amount of monetary damage.

“That's where that prioritisation becomes important and it's difficult to do because you have to bring so many factors in. And that's your Enterprise TruRisk Management really is going to help because it's collecting all the findings and triaging them, narrowing them down to a small subset and then working through them to work out what is important to the business, and then actually helping them orchestrate getting it fixed.”

Asked if he feels that the constant addition of more and more tools is adding more of these alerts and therefore, more work on the business, Thakar agreed, saying there is no single platform that covers every single thing out there.

“So while customers do consolidate into fewer platforms, you still are aware your core scanning tool is different to your applications, and your infrastructure scanning tool is different to your cloud scanning tool.”

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.