Continuous Security Asset Management vs. ITAM / CMDB

IT Asset Management and Configuration Management Databases are 40+ year-old technologies. In a recent Gartner Analyst conversation, we were advised not to even call ourselves an Asset Management company because they thought both technology segments were ‘dead’.

As founding members of the ‘next generation’ endpoint companies Cylance and Carbon Black, we received very similar feedback when we disrupted and modernized the endpoint security markets between 2010 and 2018. We are doing the same to modernize fundamental IT operations and security activities today with Sevco Security.

We respect and appreciate those organizations that specialize in ITAM and CMDB, as their legwork has ensured that interest in and attention to a proper IT and Security operation are in place. However, whether you started this process years ago or just recently, those technologies have not advanced beyond their traditional foundations. This makes them even more inaccurate and difficult to rely upon for data decisions today.

The fact that they cannot rebuild their product from older coding/frameworks into a new product is a symptom of legacy ‘tech debt’. The world has advanced faster than this legacy technology can keep up with. It’s incredible to think that the iPad became commercially available to consumers only in April 2010, and was not even used in business yet. Now we find that iPads, iPhones, tablets, printers, cameras, and much more are connected to the internet, and hence to the corporate/organization network, whether explicitly permitted or not. ‘Shadow IT’ is a nice name that the media came up with for this, but what it really means is ‘I have no idea what’s on my network’.

Additionally, there is more data flowing around an organization than ever before. There are more ‘solutions’ installed than ever before. The diversity of devices, users and applications being used by the business is more complex than ever before. All these ‘ever befores’ have changed the world, and the technologies to get our ‘arms around this’ have to be modern and able to adjust dynamically to this environment, without a massive architectural overhaul or Herculean effort by our very limited IT staff and financial resources.

HOWEVER – without this foundational understanding and accurate data – all the effort and expense put on top, from inventory to policy to security posture, is also inaccurate, and the problem compounds.

Here are the top 10 weaknesses:

  1. The data structures are on older relational databases and cannot ingest data with accurate fidelity or speed to ensure they have a ‘clean’ set of data themselves.
  2. Data they ingest inconsistently misses simple elements, like IP addresses, MAC information, etc.
  3. Data they house is not sufficient, current or accurate enough for cybersecurity teams, since this was originally designed 40 years ago for IT and Financial departments to control the IT lifecycle. 
  4. ITSM purpose: the focus is primarily on IT assets from a financial or lifecycle perspective. It gathers available information on most software and hardware assets tied to the business, including ownership, cost, contracts, warranty, etc. 
  5. CMDB purpose: it looks at IT assets from an operational or support perspective. CMDBs help organizations understand their critical assets (not all assets), track configurations, and map dependencies relative to operational use.
  6. Most vendors, like ServiceNow, Atlassian and Ivanti, are now more interested in providing the value of workflow management, because collecting, parsing, and associating the data on a continuous basis is very hard, very expensive and tedious.
  7. Data structures change and evolve over time, making it difficult and expensive to constantly update CMDBs and ITAM tools to collect the right data. The initial setup is labor-intensive and time-consuming, making the time to value suffer greatly.
  8. CMDB and ITAM tools often lack direct integrations to all the tools you use, requiring in-house resources to build custom integrations. There’s no easy way to aggregate, correlate, and compare asset data with other valuable asset data sources, leaving you forced to make decisions based on incomplete, outdated, and inaccurate data.
  9. The architectures of these legacy systems are what really hold them back from being a modern IT / Security Asset Management system:
    • They are agent dependent, which means they only ‘see’ where the agent is resident. As a result, they can’t know about anything off premise; can’t know about anything on or off premise that doesn’t have a resident agent; can’t easily deploy to new devices or those that are BYOD; and can’t get other ‘attribute’ data off the endpoint relative to cybersecurity.
    • They are scanner dependent, which means they also only ‘see’ what the scanner sees. Limitations here include:
      • Scanners are time bound. A device that pops up or is offline during the scan is not properly recorded and may or may not be seen the next time a scan happens.
      • Scanners are restricted in how often they can scan.
      • Scanners are intrusive to the network, requiring constant configuration and maintenance to stay accurate as the environment changes.
      • Scanners can’t see anything off premise, remote workers, or hidden or protected segments.
  10. They are difficult to install, configure and maintain, which increases the TCO and overall skill needed to handle the ‘basics’ when we, as an industry, have more important things to do. Unfortunately, those important things rely on the data exported from these foundations.

Sevco set out to modernize ITAM and CMDB.

Today we are the foundational support to these existing technologies. Since they are so limited and restricted in the accuracy of their data, Sevco exchanges information with them to enrich what they have with more accurate, expanded attributes and real-time associations than they collect today. How do we do that?

  • Sevco finds assets that can’t be found from another source: For example, some mobile devices may never be scanned or have an agent. Some network elements may have been added to the network with and without human knowledge and could be missing from the ‘asset repository’. Devices without IP addresses can show up. Relying on just one source will lead to incomplete asset inventories.
  • Sevco identifies gaps by comparing two or more data sources: As an example, to find a device missing antivirus, we compare a source that knows about devices with a source that knows about all antivirus deployments. To find other gaps, the magic is converging numerous data sources. While CMDB and ITAM platforms sometimes have other data inputs, they often lack sufficient data to answer even the simplest of questions.
  • More data sources lead to stronger data integrity: The more data sources overlap, the stronger the correlation that can occur to give you a single source of truth into any one asset. Sevco serves to be the single source of truth.
  • Architecturally, Sevco is non-intrusive and completely cloud native. We specifically designed the solution to be installed/configured in less than 1 hour, producing immediate data discovery and inventory value within that time. The ongoing API updates and maintenance are minimal as it is all cloud based, highly secure and automated.
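
The source comparison described in the list above can be sketched as follows. This is an added example, not Sevco's code or algorithm: the three source names, the record fields and the sample records are constructed, and matching on any shared hostname, MAC address or serial number is an assumption made for illustration.

```python
from collections import defaultdict

# Constructed sample exports; field names are assumptions, not a vendor schema.
SOURCES = {
    "directory": [{"hostname": "FIN-LT-01", "serial": "C02X1"},
                  {"hostname": "eng-ws-07", "serial": "5CD93"}],
    "dhcp": [{"hostname": "fin-lt-01", "mac": "AA-BB-CC-00-00-01"},
             {"hostname": "eng-ws-07", "mac": "aa:bb:cc:00:00:02"},
             {"hostname": "", "mac": "aa:bb:cc:00:00:03"}],  # seen only on the network
    "antivirus": [{"mac": "aa:bb:cc:00:00:01", "serial": "C02X1"}],
}

def keys(rec):
    """Normalized (field, value) identifiers a record can be matched on."""
    out = set()
    for field in ("hostname", "mac", "serial"):
        val = (rec.get(field) or "").strip().lower()
        if field == "mac":
            val = val.replace("-", ":")
        if val:
            out.add((field, val))
    return out

def correlate(sources):
    """Merge records sharing any identifier (union-find) into single assets."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    tagged = [(name, keys(r)) for name, recs in sources.items() for r in recs]
    for _, ids in tagged:
        ordered = sorted(ids)
        for k in ordered[1:]:
            parent[find(k)] = find(ordered[0])
    assets = defaultdict(lambda: {"ids": set(), "sources": set()})
    for name, ids in tagged:
        if ids:  # records with no usable identifier cannot be correlated
            asset = assets[find(next(iter(ids)))]
            asset["ids"] |= ids
            asset["sources"].add(name)
    return list(assets.values())

def missing_from(assets, source):
    """Assets known to at least one source but absent from `source`."""
    return [a for a in assets if source not in a["sources"]]

if __name__ == "__main__":
    for gap in missing_from(correlate(SOURCES), "antivirus"):
        print(sorted(gap["ids"]), "seen by", sorted(gap["sources"]))
```

Matching on hostname alone can merge two distinct devices when names are reused, so a production correlation would weight identifiers rather than treat any overlap as proof of identity.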

ITAM and CMDB were groundbreaking technologies when they were developed. For nearly half a century, they’ve been valuable tools for enterprises trying to make sense of increasing complexity across their networks. But the simple fact is that they are no longer up to the task. We’ve hit an inflection point, and it’s past time for the next iteration. We are confident that Sevco will be the standard bearer for this next generation of solutions, helping organizations understand and mitigate the gaps that ITAM and CMDB have created and serving as the foundation for more effective enterprise security programs.